分享
 
 
 

RFC3225 - Indicating Resolver Support of DNSSEC

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group D. Conrad

Request for Comments: 3225 Nominum, Inc.

Category: Standards Track December 2001

Indicating Resolver Support of DNSSEC

Status of this Memo

This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for

improvements. Please refer to the current edition of the "Internet

Official Protocol Standards" (STD 1) for the standardization state

and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

In order to deploy DNSSEC (Domain Name System Security Extensions)

operationally, DNSSEC aware servers should only perform automatic

inclusion of DNSSEC RRs when there is an eXPlicit indication that the

resolver can understand those RRs. This document proposes the use of

a bit in the EDNS0 header to provide that explicit indication and

describes the necessary protocol changes to implement that

notification.

1. IntrodUCtion

DNSSEC [RFC2535] has been specified to provide data integrity and

authentication to security aware resolvers and applications through

the use of cryptographic digital signatures. However, as DNSSEC is

deployed, non-DNSSEC-aware clients will likely query DNSSEC-aware

servers. In such situations, the DNSSEC-aware server (responding to

a request for data in a signed zone) will respond with SIG, KEY,

and/or NXT records. For reasons described in the subsequent section,

such responses can have significant negative operational impacts for

the DNS infrastructure.

This document discusses a method to avoid these negative impacts,

namely DNSSEC-aware servers should only respond with SIG, KEY, and/or

NXT RRs when there is an explicit indication from the resolver that

it can understand those RRs.

For the purposes of this document, "DNSSEC security RRs" are

considered RRs of type SIG, KEY, or NXT.

The key Words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this

document are to be interpreted as described in [RFC2119].

2. Rationale

Initially, as DNSSEC is deployed, the vast majority of queries will

be from resolvers that are not DNSSEC aware and thus do not

understand or support the DNSSEC security RRs. When a query from

such a resolver is received for a DNSSEC signed zone, the DNSSEC

specification indicates the nameserver must respond with the

appropriate DNSSEC security RRs. As DNS UDP datagrams are limited to

512 bytes [RFC1035], responses including DNSSEC security RRs have a

high probability of resulting in a truncated response being returned

and the resolver retrying the query using TCP.

TCP DNS queries result in significant overhead due to connection

setup and teardown. Operationally, the impact of these TCP queries

will likely be quite detrimental in terms of increased network

traffic (typically five packets for a single query/response instead

of two), increased latency resulting from the additional round trip

times, increased incidences of queries failing due to timeouts, and

significantly increased load on nameservers.

In addition, in preliminary and experimental deployment of DNSSEC,

there have been reports of non-DNSSEC aware resolvers being unable to

handle responses which contain DNSSEC security RRs, resulting in the

resolver failing (in the worst case) or entire responses being

ignored (in the better case).

Given these operational implications, explicitly notifying the

nameserver that the client is prepared to receive (if not understand)

DNSSEC security RRs would be prudent.

Client-side support of DNSSEC is assumed to be binary -- either the

client is willing to receive all DNSSEC security RRs or it is not

willing to accept any. As such, a single bit is sufficient to

indicate client-side DNSSEC support. As effective use of DNSSEC

implies the need of EDNS0 [RFC2671], bits in the "classic" (non-EDNS

enhanced DNS header) are scarce, and there may be situations in which

non-compliant caching or forwarding servers inappropriately copy data

from classic headers as queries are passed on to authoritative

servers, the use of a bit from the EDNS0 header is proposed.

An alternative approach would be to use the existence of an EDNS0

header as an implicit indication of client-side support of DNSSEC.

This approach was not chosen as there may be applications in which

EDNS0 is supported but in which the use of DNSSEC is inappropriate.

3. Protocol Changes

The mechanism chosen for the explicit notification of the ability of

the client to accept (if not understand) DNSSEC security RRs is using

the most significant bit of the Z field on the EDNS0 OPT header in

the query. This bit is referred to as the "DNSSEC OK" (DO) bit. In

the context of the EDNS0 OPT meta-RR, the DO bit is the first bit of

the third and fourth bytes of the "extended RCODE and flags" portion

of the EDNS0 OPT meta-RR, structured as follows:

+0 (MSB) +1 (LSB)

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

0: EXTENDED-RCODE VERSION

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

2: DO Z

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Setting the DO bit to one in a query indicates to the server that the

resolver is able to accept DNSSEC security RRs. The DO bit cleared

(set to zero) indicates the resolver is unprepared to handle DNSSEC

security RRs and those RRs MUST NOT be returned in the response

(unless DNSSEC security RRs are explicitly queried for). The DO bit

of the query MUST be copied in the response.

More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY,

or NXT RRs to authenticate a response as specified in [RFC2535]

unless the DO bit was set on the request. Security records that

match an explicit SIG, KEY, NXT, or ANY query, or are part of the

zone data for an AXFR or IXFR query, are included whether or not the

DO bit was set.

A recursive DNSSEC-aware server MUST set the DO bit on recursive

requests, regardless of the status of the DO bit on the initiating

resolver request. If the initiating resolver request does not have

the DO bit set, the recursive DNSSEC-aware server MUST remove DNSSEC

security RRs before returning the data to the client, however cached

data MUST NOT be modified.

In the event a server returns a NOTIMP, FORMERR or SERVFAIL response

to a query that has the DO bit set, the resolver SHOULD NOT expect

DNSSEC security RRs and SHOULD retry the query without EDNS0 in

accordance with section 5.3 of [RFC2671].

Security Considerations

The absence of DNSSEC data in response to a query with the DO bit set

MUST NOT be taken to mean no security information is available for

that zone as the response may be forged or a non-forged response of

an altered (DO bit cleared) query.

IANA Considerations

EDNS0 [RFC2671] defines 16 bits as extended flags in the OPT record,

these bits are encoded into the TTL field of the OPT record (RFC2671

section 4.6).

This document reserves one of these bits as the OK bit. It is

requested that the left most bit be allocated. Thus the USE of the

OPT record TTL field would look like

+0 (MSB) +1 (LSB)

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

0: EXTENDED-RCODE VERSION

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

2: DO Z

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Acknowledgements

This document is based on a rough draft by Bob Halley with input from

Olafur Gudmundsson, Andreas Gustafsson, Brian Wellington, Randy Bush,

Rob Austein, Steve Bellovin, and Erik Nordmark.

References

[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",

STD 13, RFC1034, November 1987.

[RFC1035] Mockapetris, P., "Domain Names - Implementation and

Specifications", STD 13, RFC1035, November 1987.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate

Requirement Levels", BCP 14, RFC2119, March 1997.

[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC

2535, March 1999.

[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC

2671, August 1999.

Author's Address

David Conrad

Nominum Inc.

950 Charter Street

Redwood City, CA 94063

USA

Phone: +1 650 381 6003

EMail: david.conrad@nominum.com

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to

others, and derivative works that comment on or otherwise explain it

or assist in its implementation may be prepared, copied, published

and distributed, in whole or in part, without restriction of any

kind, provided that the above copyright notice and this paragraph are

included on all such copies and derivative works. However, this

document itself may not be modified in any way, such as by removing

the copyright notice or references to the Internet Society or other

Internet organizations, except as needed for the purpose of

developing Internet standards in which case the procedures for

copyrights defined in the Internet Standards process must be

followed, or as required to translate it into languages other than

English.

The limited permissions granted above are perpetual and will not be

revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an

"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING

TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING

BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION

HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFCEditor function is currently provided by the

Internet Society.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有