rfc9609xml2.original.xml   rfc9609.xml 
<?xml version='1.0'?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" []>
<?rfc comments='yes'?>
<?rfc inline='no'?>
<?rfc compact='yes'?>
<?rfc editing='no'?>
<?rfc linkmailto='no'?>
<?rfc symrefs='yes'?>
<?rfc sortrefs='yes'?>
<?rfc subcompact='no'?>
<?rfc toc='yes'?>
<?rfc tocindent='no'?>
<rfc docName="draft-ietf-dnsop-rfc8109bis-07" ipr="trust200902" category="bcp" o
bsoletes="8109" consensus="yes"
xmlns:xi="http://www.w3.org/2001/XInclude">
<front> <!-- pre-edited by ST 09/04/24 -->
<!-- formatted by MC 09/12/24 -->
<title abbrev="DNS Priming Queries">Initializing a DNS Resolver with Priming Que ries</title> <!-- reference review by TH 10/01/24 -->
<author initials='P.' surname='Koch' fullname='Peter Koch'> <!DOCTYPE rfc [
<organization>DENIC eG</organization> <!ENTITY nbsp "&#160;">
<address> <!ENTITY zwsp "&#8203;">
<postal> <!ENTITY nbhy "&#8209;">
<street>Kaiserstrasse 75-77</street> <!ENTITY wj "&#8288;">
<city>Frankfurt</city> <code>60329</code> ]>
<country>Germany</country>
</postal>
<phone>+49 69 27235 0</phone>
<email>pk@DENIC.DE</email>
</address>
</author>
<author initials='M.' surname='Larson' fullname='Matt Larson'> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dnsop-rfc810
<organization>ICANN</organization> 9bis-07" number="9609" ipr="trust200902" category="bcp" obsoletes="8109" consens
<address> us="true" updates="" submissionType="IETF" xml:lang="en" symRefs="true" sortRefs
<email>matt.larson@icann.org</email> ="true" tocInclude="true" version="3">
</address>
</author>
<author initials='P.' surname='Hoffman' fullname='Paul Hoffman'> <front>
<organization>ICANN</organization> <title abbrev="DNS Priming Queries">Initializing a DNS Resolver with Priming
<address> Queries</title>
<email>paul.hoffman@icann.org</email> <seriesInfo name="RFC" value="9609"/>
</address> <seriesInfo name="BCP" value="209"/>
</author> <author initials="P." surname="Koch" fullname="Peter Koch">
<organization>DENIC eG</organization>
<address>
<postal>
<street>Kaiserstrasse 75-77</street>
<city>Frankfurt</city>
<code>60329</code>
<country>Germany</country>
</postal>
<phone>+49 69 27235 0</phone>
<email>pk@DENIC.DE</email>
</address>
</author>
<author initials="M." surname="Larson" fullname="Matt Larson">
<organization>ICANN</organization>
<address>
<email>matt.larson@icann.org</email>
</address>
</author>
<author initials="P." surname="Hoffman" fullname="Paul Hoffman">
<organization>ICANN</organization>
<address>
<email>paul.hoffman@icann.org</email>
</address>
</author>
<date month="November" year="2024"/>
<area>OPS</area>
<workgroup>dnsop</workgroup>
<date /> <!-- [rfced] Please insert any keywords (beyond those that appear in the
title) for use on <https://www.rfc-editor.org/search>. -->
<abstract> <!-- [rfced] Please note that because this document is obsoleting
RFC 8109, it will replace RFC 8109 as BCP 209. Please let us know
any concerns. -->
<t>This document describes the queries that a DNS resolver should emit to initia <abstract>
lize its <t>This document describes the queries that a DNS resolver should emit to
initialize its
cache. The result is that the resolver gets both a current NS resource record se t (RRset) for the root cache. The result is that the resolver gets both a current NS resource record se t (RRset) for the root
zone and the necessary address information for reaching the root servers.</t> zone and the necessary address information for reaching the root servers.</t>
<t>This document obsoletes RFC 8109.</t>
<t>This document, when published, obsoletes RFC 8109. <!-- [rfced] Abstract: As Abstracts should be self-contained per
See <xref target="changes"/> for the list of changes from RFC 8109.</t> Section 4.3 of RFC 7322 (https://www.rfc-editor.org/info/rfc7322) and
not contain internal citations, we moved this sentence to the end of
</abstract> the Introduction section. Please let us know any objections.
</front> Original:
See Appendix A
for the list of changes from RFC 8109.
...
This document only deals with recursive name servers (recursive
resolvers, resolvers) for the IN class.
<middle> Currently:
...
This document only deals with recursive name servers (recursive
resolvers, resolvers) for the IN class.
<section title='Introduction'> See Appendix A for the list of changes from [RFC8109]. -->
<t>Recursive DNS resolvers need a starting point to resolve queries. <xref </abstract>
target='RFC1034'/> describes a common scenario for recursive resolvers: they </front>
<middle>
<section numbered="true" toc="default">
<name>Introduction</name>
<t>Recursive DNS resolvers need a starting point to resolve queries. <xref
target="RFC1034" format="default"/> describes a common scenario for recursive r
esolvers: They
begin with an empty cache and some configuration for finding the names and begin with an empty cache and some configuration for finding the names and
addresses of the DNS root servers. <xref target='RFC1034'/> describes that addresses of the DNS root servers. <xref target="RFC1034" format="default"/> des cribes that
configuration as a list of servers that will give authoritative answers to queri es configuration as a list of servers that will give authoritative answers to queri es
about the root. This has become a common implementation choice for recursive about the root. This has become a common implementation choice for recursive
resolvers, and is the topic of this document. </t> resolvers and is the topic of this document. </t>
<t>This document describes the steps needed for this common implementation
<t>This document describes the steps needed for this common implementation
choice. Note that this is not the only way to start a recursive name server with choice. Note that this is not the only way to start a recursive name server with
an empty cache, but it is the only one described in <xref target='RFC1034'/>. an empty cache, but it is the only one described in <xref target="RFC1034" forma t="default"/>.
Some implementers have chosen other directions, some of which work well and Some implementers have chosen other directions, some of which work well and
others of which fail (sometimes disastrously) under different conditions. others of which fail (sometimes disastrously) under different conditions.
For example, an implementation that only gets the addresses of the root name For example, an implementation that only gets the addresses of the root name
servers from configuration, not from the DNS as described in this document, servers from configuration, not from the DNS as described in this document,
will have stale data that could cause slower resolution.</t> will have stale data that could cause slower resolution.</t>
<t>This document only deals with recursive name servers (recursive resolve
rs,
resolvers) for the IN class.
<t>This document only deals with recursive name servers (recursive resolvers, <!-- [rfced] Section 1: Does '(recursive resolvers, resolvers)' mean
resolvers) for the IN class.</t> '(referred to in this document as "recursive resolvers" or simply
"resolvers")' or something else? Please let us know how/if this text
<section title='Terminology'> should be clarified.
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", Original:
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", This document only deals with recursive name servers (recursive
and "OPTIONAL" in this document are to be interpreted as described in resolvers, resolvers) for the IN class. -->
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, th
ey
appear in all capitals, as shown here.</t>
<t>
See <xref target="RSSAC026v2"/> for terminology that relates to the root server
system.
See <xref target="RFC9499"/> for terminology that relates to the DNS in general.
</t> </t>
</section> <t>See <xref target="changes" format="default"/> for the list of changes from
<xref target="RFC8109"/>.</t>
</section>
<section title="Description of Priming">
<t>Priming is the act of finding the list of root <section numbered="true" toc="default">
<name>Terminology</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
"<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
"<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
are to be interpreted as described in BCP&nbsp;14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
when, they appear in all capitals, as shown here.</t>
<t>
See <xref target="RSSAC026v2" format="default"/> for terminology that relates to
the root server system.
See <xref target="RFC9499" format="default"/> for terminology that relates to th
e DNS in general.
</t>
</section>
</section>
<section numbered="true" toc="default">
<name>Description of Priming</name>
<t>Priming is the act of finding the list of root
servers from a configuration that lists some or all of the purported IP servers from a configuration that lists some or all of the purported IP
addresses of some or all of those root servers. addresses of some or all of those root servers.
In priming, a recursive resolver starts with no cached information about the roo t servers, In priming, a recursive resolver starts with no cached information about the roo t servers,
and finishes with a full list of their names and their addresses in its cache.</ and it finishes with a full list of their names and addresses in its cache.</t>
t> <t>Priming is described in Sections&nbsp;<xref target="RFC1034" section="5
.3.2" sectionFormat="bare"/> and <xref target="RFC1034" section="5.3.3" sectionF
<t>Priming is described in Sections 5.3.2 and 5.3.3 of <xref target='RFC1034'/>. ormat="bare"/> of <xref target="RFC1034" format="default"/>. (It is called "SBEL
(It is called "SBELT", a "safety belt" structure, in that document.) T", a "safety belt" structure, in that document.)
The scenario used in that description, that of a recursive server that is also The scenario used in that description, that of a recursive server that is also
authoritative, is no longer as common.</t> authoritative, is no longer as common.</t>
<t>The configured list of IP addresses for the root servers usually comes
<t>The configured list of IP addresses for the root servers usually comes from t from the
he
vendor or distributor of the recursive server software. vendor or distributor of the recursive server software.
Although this list is generally accurate and complete at the time of distributio n, Although this list is generally accurate and complete at the time of distributio n,
it may become outdated over time.</t> it may become outdated over time.</t>
<t>The domain names for the root servers are called the
<t>The domain names for the root servers are called the
"root server identifiers". "root server identifiers".
Although this list has remained stable since 1997, the associated IPv4 and IPv6 addresses for these root server identifiers occasionally change. Although this list has remained stable since 1997, the associated IPv4 and IPv6 addresses for these root server identifiers occasionally change.
Research indicates that, following such changes, certain resolvers fail to updat Research indicates that, following such changes, certain resolvers fail to updat
e to the new addresses; for further details, refer to <xref target="OLD-J"/>.</t e to the new addresses; for further details, refer to <xref target="OLD-J" forma
> t="default"/>.</t>
<t>Therefore, it is important that resolvers are able to cope with change,
<t>Therefore, it is important that resolvers are able to cope with change,
even without relying upon configuration updates to be applied by their operator. even without relying upon configuration updates to be applied by their operator.
Root server identifier and address changes are the main reasons that resolvers Root server identifier and address changes are the main reasons that resolvers
need to use priming to get a full and accurate list of root servers, need to use priming to get a full and accurate list of root servers,
instead of just using a statically configured list. instead of just using a statically configured list.
</t> </t>
<t>
<t> See <xref target="RSSAC023v2" format="default"/> for a history of the root serve
See <xref target="RSSAC023v2"/> for a history of the root server system. r system.
</t> </t>
<t>Although this document is targeted at the global DNS, it could apply to
<t>Although this document is targeted at the global DNS, it also could apply to a private
a private DNS as well. These terms are defined in <xref target="RFC9499" format="default"/
DNS as well. These terms are defined in <xref target="RFC9499"/>.</t> >.</t>
<t>Some systems serve a copy of the full root zone on the same server as t
<t>Some systems serve a copy of the full root zone on the same server as the res he resolver,
olver, e.g., as described in <xref target="RFC8806" format="default"/>.
such as is described in <xref target="RFC8806"/>. In such a setup, the resolver primes its cache using the same methods as those
In such a setup, the resolver primes its cache using the same methods as describ described in the rest of this document.</t>
ed in the rest of this document.</t> <section numbered="true" toc="default">
<name>Content of Priming Information</name>
<section title="Content of Priming Information"> <t>As described above, the configuration for priming is a list of IP add
resses.
<t>As described above, the configuration for priming is a list of IP addresses.
The priming information in software may be in any format that gives the software the The priming information in software may be in any format that gives the software the
addresses associated with at least some of the root server identifiers.</t> addresses associated with at least some of the root server identifiers.</t>
<t>Some software has configuration that also contains the root server id
<t>Some software has configuration that also contains the root server identifier entifiers (such as "L.ROOT-SERVERS.NET"),
s (such as "L.ROOT-SERVERS.NET"),
sometimes as comments and sometimes as data consumed by the software. sometimes as comments and sometimes as data consumed by the software.
For example, the "root hints file" published by IANA at <https://www.internic .net/domain/named.root&gt; For example, the "root hints file" published by IANA at <eref target="https://ww w.internic.net/domain/named.root" brackets="angle"/&gt;
is derived directly from the root zone and contains all of the addresses is derived directly from the root zone and contains all of the addresses
of the root server identifiers found in the root zone. of the root server identifiers found in the root zone.
It is in DNS zone file presentation format, and includes the root server identif It is in DNS zone file presentation format and includes the root server identifi
iers. ers.
Although there is no harm to adding these names, they are not useful in Although there is no harm in adding these names, they are not useful in
the priming process.</t> the priming process.</t>
</section>
</section> </section>
<section numbered="true" toc="default">
</section> <name>Priming Queries</name>
<t>A priming query is a DNS query whose response provides root server iden
<section title='Priming Queries'> tifiers and addresses.
<t>A priming query is a DNS query whose response provides root server identifier
s and addresses.
It has a QNAME of ".", a QTYPE of NS, and a QCLASS of IN; It has a QNAME of ".", a QTYPE of NS, and a QCLASS of IN;
it is sent to one of the addresses in the configuration for the recursive resolv er. it is sent to one of the addresses in the configuration for the recursive resolv er.
The priming query can be sent over either UDP or TCP. If the query is sent over UDP, The priming query can be sent over either UDP or TCP. If the query is sent over UDP,
the source port SHOULD be randomly selected (see <xref target='RFC5452'/>) to ha the source port <bcp14>SHOULD</bcp14> be randomly selected (see <xref target="RF
mper on-path attacks. C5452" format="default"/>) to hamper on-path attacks.
DNS cookies <xref target='RFC7873'/> can also be used to hamper on-path attacks. DNS Cookies <xref target="RFC7873" format="default"/> can also be used to hamper
The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set on-path attacks.
to 1 is undefined for priming queries and outside the scope of this document.</t The Recursion Desired (RD) bit <bcp14>SHOULD</bcp14> be set to 0. The meaning wh
> en RD is set
to 1 is undefined for priming queries and is outside the scope of this document.
<t>The recursive resolver SHOULD use EDNS0 <xref target='RFC6891'/> for priming </t>
queries and SHOULD announce and handle a reassembly size of at least 1024 octets <t>The recursive resolver <bcp14>SHOULD</bcp14> use EDNS0 <xref target="RF
<xref target='RFC3226'/>. Doing so allows responses that cover the size of a C6891" format="default"/> for priming
full priming response (see <xref target='primrespsize'/>) for the current queries and <bcp14>SHOULD</bcp14> announce and handle a reassembly size of at le
ast 1024 octets
<xref target="RFC3226" format="default"/>. Doing so allows responses that cover
the size of a
full priming response (see <xref target="primrespsize" format="default"/>) for t
he current
set of root servers. set of root servers.
See <xref target="dnssec_prime"/> for discussion of setting the See <xref target="dnssec_prime" format="default"/> for discussion of setting the
DNSSEC OK (DO) bit (defined in <xref target='RFC4033'/>).</t> DNSSEC OK (DO) bit (defined in <xref target="RFC4033" format="default"/>).
<section title='Repeating Priming Queries'> <!-- [rfced] Section 3: We see that "EDNS(0) [RFC6891]" in RFC 8109
was changed to "EDNS0 [RFC6891]" in this document. We also see that
RFC 6891 uses "EDNS(0)", except for "DNS EDNS0 Options registry"
in its Section 9. Will the reason for this change be clear to
readers?
<t>The recursive resolver SHOULD send a priming query only when it is needed, Original:
such as when the resolver starts with an empty cache or when the NS RRset for The recursive resolver SHOULD use EDNS0 [RFC6891] for priming queries
and SHOULD announce and handle a reassembly size of at least 1024
octets [RFC3226]. -->
</t>
<section numbered="true" toc="default">
<name>Repeating Priming Queries</name>
<t>The recursive resolver <bcp14>SHOULD</bcp14> send a priming query onl
y when it is needed,
such as when the resolver starts with an empty cache or when the NS resource rec
ord set (RRset) for
the root zone has expired. the root zone has expired.
Because the NS records for the root zone are not special, the recursive resolver Because the NS records for the root zone are not special, the recursive resolver
expires those NS records according to their TTL values. expires those NS records according to their TTL values.
(Note that a recursive resolver MAY (Note that a recursive resolver <bcp14>MAY</bcp14>
pre-fetch the NS RRset before it expires.)</t> pre-fetch the NS RRset before it expires.)</t>
<t>If a resolver chooses to pre-fetch the root NS RRset before that RRse
<t>If a resolver chooses to pre-fetch the root NS RRset before that RRset has ex t has expired in its cache,
pired in its cache,
it needs to choose whether to use the addresses for the root NS RRset that it al ready has in its cache it needs to choose whether to use the addresses for the root NS RRset that it al ready has in its cache
or to use the addresses it has in its configuration. or to use the addresses it has in its configuration.
Such a resolver SHOULD send queries to the addresses in its cache in order to re duce the chance of delay Such a resolver <bcp14>SHOULD</bcp14> send queries to the addresses in its cache in order to reduce the chance of delay
due to out-of-date addresses in its configuration.</t> due to out-of-date addresses in its configuration.</t>
<t>If a priming query does not get a response, the recursive
<t>If a priming query does not get a response, the recursive resolver <bcp14>MUST</bcp14> retry the query with a different target address fro
resolver MUST retry the query with a different target address from the m the
configuration.</t> configuration.</t>
</section>
</section> <section numbered="true" toc="default">
<name>Target Selection</name>
<section title='Target Selection'> <t>In order to spread the load across all the root server identifiers, t
he
<t>In order to spread the load across all the root server identifiers, the recursive resolver <bcp14>SHOULD</bcp14> select the target for a priming query r
recursive resolver SHOULD select the target for a priming query randomly from andomly from
the list of addresses. The recursive resolver might choose either IPv4 or IPv6 the list of addresses. The recursive resolver might choose either IPv4 or IPv6
addresses based on its knowledge of whether the system on which it is running addresses based on its knowledge of whether the system on which it is running
has adequate connectivity on either type of address.</t> has adequate connectivity on either type of address.</t>
<t>Note that this recommended method is not the only way to choose from
<t>Note that this recommended method is not the only way to choose from the list the list
in a recursive resolver's configuration. Two other common methods include in a recursive resolver's configuration. Two other common methods include
picking the first from the list, and remembering which address in the list gave picking the first from the list, and remembering which address in the list gave
the fastest response earlier and using that one. There are probably other the fastest response earlier and using that one. There are probably other
methods in use today. However, the random method listed above methods in use today. However, the random method listed above
SHOULD be used for priming.</t> <bcp14>SHOULD</bcp14> be used for priming.
</section> <!-- [rfced] Section 3.2: We could not tell which method is "the
random method listed above". Will this text be clear to readers?
<section title='DNSSEC with Priming Queries' anchor="dnssec_prime"> Original:
However,
the random method listed above SHOULD be used for priming. -->
<t>The root NS RRset is signed and can be validated by a DNSSEC validating resol </t>
ver. </section>
At the time this document is published, the addresses for the names in the root <section anchor="dnssec_prime" numbered="true" toc="default">
NS RRset are in the "root-servers.net" zone. <name>DNSSEC with Priming Queries</name>
<t>The root NS RRset is signed and can be validated by a DNSSEC validati
ng resolver.
At the time this document was published, the addresses for the names in the root
NS RRset are in the "root-servers.net" zone.
All root servers are also authoritative for the "root-servers.net" zone, All root servers are also authoritative for the "root-servers.net" zone,
which allows priming responses to include the appropriate root name server A and AAAA RRsets. which allows priming responses to include the appropriate root name server A and AAAA RRsets.
However, because at the time this document is published the "root-servers.net" z one is not signed, However, because at the time this document was published the "root-servers.net" zone is not signed,
the root name server A and AAAA RRsets cannot be validated. the root name server A and AAAA RRsets cannot be validated.
An attacker that is able to provide a spoofed priming response can provide alter native A and AAAA RRsets An attacker that is able to provide a spoofed priming response can provide alter native A and AAAA RRsets
and thus fool a resolver into considering addresses under the control of the att acker to be authoritative for the root zone.</t> and thus fool a resolver into considering addresses under the control of the att acker to be authoritative for the root zone.</t>
<t>A rogue root name server can view all queries from the resolver to th
e root and alter all unsigned parts of responses,
such as the parent-side NS RRsets and glue in referral responses.
A resolver can be fooled into trusting child (Top-Level Domain (TLD)) NS address
es that are under the control of the attacker as being authoritative if the reso
lver:
<t>A rogue root name server can view all queries from the resolver to the root a </t>
nd alter all unsigned parts of responses, <ul>
such as the parent side NS RRsets and glue in referral responses. <li>follows referrals from a rogue root server,</li>
A resolver can be fooled into trusting child (TLD) NS addresses that are under t <li>does not explicitly query the authoritative NS RRset at the apex o
he control of the attacker as being authoritative if the resolver: f the child (TLD) zone, and</li>
<li>does not explicitly query for the authoritative A and AAAA RRsets
<ul> for the child (TLD) NS RRsets.</li>
<li>follows referrals from a rogue root server,</li> </ul>
<li>and does not explicitly query the authoritative NS RRset at the apex of the <t>
child (TLD) zone,</li>
<li>and does not explicitly query for the authoritative A and AAAA RRsets for th
e child (TLD) NS RRsets.</li>
</ul>
With such resolvers, an attacker that controls a rogue root server effectively c ontrols the entire domain name space With such resolvers, an attacker that controls a rogue root server effectively c ontrols the entire domain name space
and can view all queries and alter all unsigned data undetected unless other pro tections are configured at the resolver.</t> and can view all queries and alter all unsigned data undetected unless other pro tections are configured at the resolver.</t>
<t>An attacker controlling a rogue root name server also has complete co
<t>An attacker controlling a rogue root name server also has complete control ov ntrol over all unsigned delegations
er all unsigned delegations, and over the entire domain name space in the case of non-DNSSEC validating resol
and over the entire domain name space in case of non DNSSEC validating resolvers vers.</t>
.</t> <t>If the "root-servers.net" zone is later signed or if the root servers
are named in a
<t>If the "root-servers.net" zone is later signed, or if the root servers are na
med in a
different zone and that zone is signed, having DNSSEC validation for the priming queries different zone and that zone is signed, having DNSSEC validation for the priming queries
might be valuable. might be valuable.
The benefits and costs of resolvers validating the responses will depend heavily on The benefits and costs of resolvers validating the responses will depend heavily on
the naming scheme used.</t> the naming scheme used.</t>
</section>
</section> </section>
<section numbered="true" toc="default">
</section> <name>Priming Responses</name>
<t>A priming query is a normal DNS query. Thus, a root server cannot
<section title='Priming Responses'>
<t>A priming query is a normal DNS query. Thus, a root server cannot
distinguish a priming query from any other query for the root NS RRset. Thus, distinguish a priming query from any other query for the root NS RRset. Thus,
the root server's response will also be a normal DNS response.</t> the root server's response will also be a normal DNS response.</t>
<section numbered="true" toc="default" anchor="expected-prop-priming">
<section title='Expected Properties of the Priming Response'> <name>Expected Properties of the Priming Response</name>
<t>The priming response <bcp14>MUST</bcp14> have an RCODE of NOERROR and
<t>The priming response MUST have an RCODE of NOERROR, and MUST have the <bcp14>MUST</bcp14> have the
Authoritative Answer (AA) bit set. Also, it MUST have an NS RRset in the Answer Authoritative Answer (AA) bit set. Also, it <bcp14>MUST</bcp14> have an NS RRset
section (because the in the Answer section (because the
NS RRset originates from the root zone), and an empty Authority section (because NS RRset originates from the root zone) and an empty Authority section (because
the the
NS RRset already appears in the Answer section). There will also be an Additiona l section with A NS RRset already appears in the Answer section). There will also be an Additiona l section with A
and/or AAAA RRsets for the root servers pointed at by the NS RRset.</t> and/or AAAA RRsets for the root servers pointed at by the NS RRset.</t>
<t>Resolver software <bcp14>SHOULD</bcp14> treat the response to the pri
<t>Resolver software SHOULD treat the response to the priming query as a normal ming query as a normal
DNS response, just as it would use any other data fed to its cache. Resolver DNS response, just as it would use any other data fed to its cache. Resolver
software SHOULD NOT expect 13 NS RRs software <bcp14>SHOULD NOT</bcp14> expect 13 NS RRs
because, historically, some root servers have returned fewer.</t> because, historically, some root servers have returned fewer.</t>
</section>
</section> <section anchor="primrespsize" numbered="true" toc="default">
<name>Completeness of the Response</name>
<section title='Completeness of the Response' anchor='primrespsize'> <t>At the time this document was published,
there are 13 root server operators operating a total of more than 1500 root serv
<t>At the time this document is published, er instances.
there are 13 root server operators operating a total of more than 1,500 root ser
ver instances.
Each instance has one IPv4 address and one IPv6 address. Each instance has one IPv4 address and one IPv6 address.
The combined size of all the A and AAAA RRsets The combined size of all the A and AAAA RRsets
exceeds the original 512-octet payload limit from <xref target="RFC1035"/>.</t> exceeds the original 512-octet payload limit specified in <xref target="RFC1035"
format="default"/>.</t>
<t>In the event of a response where the Additional section omits certain root se <t>In the event of a response where the Additional section omits certain
rver root server
address information, re-issuing of the priming query does not help with those ro address information, reissuing of the priming query does not help with those roo
ot name t name
servers that respond with a fixed order of addresses in the Additional section. Instead, servers that respond with a fixed order of addresses in the Additional section. Instead,
the recursive resolver needs to issue direct queries for A and AAAA RRsets for t he the recursive resolver needs to issue direct queries for A and AAAA RRsets for t he
remaining names. At the time this document is published, these RRsets would be a uthoritatively available from the root remaining names. At the time this document was published, these RRsets would be authoritatively available from the root
name servers.</t> name servers.</t>
<t>If some root server addresses are omitted from the Additional section
<t>If some root server addresses are omitted from the Additional section, there , there is no expectation that the TC (Truncated) bit in the
is no expectation that the TC bit in the response will be set to 1. At the time this document was published, many of the
response will be set to 1. At the time that this document is written, many of th
e
root servers are not setting the TC bit when omitting addresses from the Additio nal section.</t> root servers are not setting the TC bit when omitting addresses from the Additio nal section.</t>
<t>Note that <xref target="RFC9471"/> updates <xref target="RFC1035"/> with resp <!-- DNE text (set off by blockquotes). Verified to the extent
ect to the use of the TC bit. possible, but it's confusing; AQed -->
It says "If message size constraints prevent the inclusion of all glue records f <t>Note that <xref target="RFC9471" format="default"/> updates <xref tar
or in-domain name servers, get="RFC1035" format="default"/> with respect to the use of the TC bit.
It says</t>
<blockquote>If message size constraints prevent the inclusion of all glue record
s for in-domain name servers,
the server must set the TC (Truncated) flag to inform the client that the respon se is incomplete the server must set the TC (Truncated) flag to inform the client that the respon se is incomplete
and that the client should use another transport to retrieve the full response." and that the client should use another transport to retrieve the full response.<
Because the priming response is not a referral, root server addresses in the pri /blockquote>
ming response are not considered glue records.
Thus, <xref target="RFC9471"/> does not apply to the priming response and root s
ervers are not required to set the TC bit if not all root server addresses fit w
ithin message size constraints.
There are no requirements on the number of root server addresses that a root ser
ver must include in a priming response.</t>
</section> <!-- [rfced] Section 4.2: Regarding this text:
</section> Original:
Note that [RFC9471] updates [RFC1035] with respect to the use of the
TC bit. It says "If message size constraints prevent the inclusion
of all glue records for in-domain name servers, the server must set
the TC (Truncated) flag to inform the client that the response is
incomplete and that the client should use another transport to
retrieve the full response."
<section title='Post-Priming Strategies'> We found "[RFC9471] updates [RFC1035]" confusing, because RFC 9471 is
listed as updating RFC 1034 only. Should different wording be used
in place of "updates", to avoid confusion? For example, would
"[RFC9471] could be said to update [RFC1035]" be appropriate?
<t>When a resolver has a zone's NS RRset in cache, and it receives a query Also, when verifying this quoted text from RFC 9471, we found that
two very similar variations of this text appear in RFC 9471:
one in its Abstract and one in its Introduction section.
Which text is preferred for this document - the text from RFC 9471's
Abstract or its Introduction section? In other words, are
"over the chosen transport", "MUST" vs. "must", and "SHOULD" vs.
"should" of any significance here? If yes, please let us know
whether this citation and text should point to the Abstract of
RFC 9471 or its Introduction section; we suggest specifying where the
quoted text comes from.
RFC 9471's Abstract:
If
message size constraints prevent the inclusion of all glue records
for in-domain name servers, the server must set the TC (Truncated)
flag to inform the client that the response is incomplete and that
the client should use another transport to retrieve the full
response.
RFC 9471's Introduction section:
If message size constraints prevent
the inclusion of all glue records for in-domain name servers over the
chosen transport, the server MUST set the TC (Truncated) flag to
inform the client that the response is incomplete and that the client
SHOULD use another transport to retrieve the full response. -->
<t>Because the priming response is not a referral, root server addresses in the
priming response are not considered glue records.
Thus, <xref target="RFC9471" format="default"/> does not apply to the priming re
sponse and root servers are not required to set the TC bit if not all root serve
r addresses fit within message size constraints.
There are no requirements on the number of root server addresses that a root ser
ver must include in a priming response.</t>
</section>
</section>
<section numbered="true" toc="default">
<name>Post-Priming Strategies</name>
<t>When a resolver has a zone's NS RRset in its cache and it receives a qu
ery
for a domain in that zone that cannot be answered from its cache, for a domain in that zone that cannot be answered from its cache,
the resolver has to choose which NS to send queries to. the resolver has to choose which NS to send queries to.
(This statement is as true for the root zone as for any other zone in the DNS.) (This statement is as true for the root zone as for any other zone in the DNS.)
Two common strategies for choosing are "determine the fastest name server and al ways use it" and Two common strategies for choosing are "determine the fastest name server and al ways use it" and
"create buckets of fastness and pick randomly in the buckets". "create buckets of fastness and pick randomly in the buckets".
This document gives no preference to any particular strategy other than to sugge st that This document does not specify a preference for any particular strategy other th an to suggest that
resolvers not treat the root zone as special for this decision.</t> resolvers not treat the root zone as special for this decision.</t>
</section>
</section> <section numbered="true" toc="default">
<name>Security Considerations</name>
<section title='Security Considerations'> <t>Spoofing a response to a priming query can be used to redirect all
<t>Spoofing a response to a priming query can be used to redirect all
of the queries originating from a victim recursive resolver to one of the queries originating from a victim recursive resolver to one
or more servers for the attacker. Until the responses to priming queries or more servers for the attacker. Until the responses to priming queries
are protected with DNSSEC, there is no definitive way to prevent such are protected with DNSSEC, there is no definitive way to prevent such
redirection.</t> redirection.</t>
<t>An on-path attacker who sees a priming query coming from a resolver can
<t>An on-path attacker who sees a priming query coming from a resolver can injec inject false
t false
answers before a root server can give correct answers. If the attacker's answers are answers before a root server can give correct answers. If the attacker's answers are
accepted, this can set up the ability to give further false answers for future q ueries to accepted, this can set up the ability to give further false answers for future q ueries to
the resolver. False answers for root servers are more dangerous than, say, false answers the resolver. False answers for root servers are more dangerous than, say, false answers
for Top-Level Domains (TLDs), because the root is the highest node of the DNS. S for TLDs, because the root is the highest node of the DNS. See
ee <xref target="dnssec_prime" format="default"/> for more discussion.</t>
<xref target="dnssec_prime"/> for more discussion.</t> <t>In both of the scenarios above, a validating resolver will be able to d
etect the attack
<t>In both of the scenarios above, a validating resolver will be able to detect if its chain of queries comes to a zone that is signed, but not for those that a
the attack re unsigned.
if its chain of queries comes to a zone that is signed, but not for those that a
re unsigned.</t>
</section>
<section title='IANA Considerations'>
<t>This document does not require any IANA actions.</t>
</section>
</middle>
<back>
<references title="Normative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1034.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3226.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4033.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5452.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6891.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7873.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8109.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9471.x
ml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9499.x
ml"/>
</references>
<references title="Informative References">
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8806.xml"
/>
<reference anchor="OLD-J"
target="https://indico.dns-oarc.net/event/24/contributions/378/">
<front>
<title>Thirteen Years of 'Old J Root'</title>
<author initials='D.' surname='Wessels' fullname='Duane Wessels'>
<organization/>
</author>
<date year="2015"/></front>
</reference>
<reference anchor="RSSAC023v2"
target="https://www.icann.org/en/system/files/files/rssac-023-17jun20-en.pdf">
<front>
<title>History of the Root Server System</title>
<author/>
<date year="2016"/></front>
</reference>
<reference anchor="RSSAC026v2" <!-- [rfced] Section 6: We had trouble parsing this sentence. We
target="https://www.icann.org/en/system/files/files/rssac-026-lexicon-12mar20-en only see one scenario, and we could not decipher "comes to a zone"
.pdf"> and "but not for those". Should "to" and "for" be "from"?
<front>
<title>RSSAC Lexicon</title>
<author/>
<date year="2020"/></front>
</reference>
</references> Original:
In both of the scenarios above, a validating resolver will be able to
detect the attack if its chain of queries comes to a zone that is
signed, but not for those that are unsigned. -->
<section title='Changes from RFC 8109' anchor='changes'> </t>
</section>
<section numbered="true" toc="default">
<name>IANA Considerations</name>
<t>This document has no IANA actions.</t>
</section>
</middle>
<back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1
034.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1
035.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
226.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
033.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
452.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
891.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
873.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
109.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
471.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
499.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
806.xml"/>
<t>This document obsoletes <xref target="RFC8109"/>. The significant changes fro <reference anchor="OLD-J" target="https://indico.dns-oarc.net/event/24/c
m RFC 8109 ontributions/378/">
are: <front>
<title>Thirteen Years of 'Old J Root'</title>
<author initials="D." surname="Wessels" fullname="Duane Wessels">
<organization/>
</author>
<author initials="J." surname="Castonguay" fullname="Jason Castongua
y">
<organization/>
</author>
<author initials="P." surname="Barber" fullname="Piet Barber">
<organization/>
</author>
<date month="October" year="2015"/>
</front>
<refcontent>DNS-OARC Fall 2015 Workshop</refcontent>
</reference>
<list style="symbols"> <reference anchor="RSSAC023v2" target="https://www.icann.org/en/system/f
iles/files/rssac-023-17jun20-en.pdf">
<front>
<title>History of the Root Server System</title>
<author/>
<date month="June" year="2020"/>
</front>
<refcontent>A Report from the ICANN Root Server System Advisory Commit
tee (RSSAC)</refcontent>
<refcontent>RSSAC023v2</refcontent>
</reference>
<t>Added section on the content of priming information.</t> <reference anchor="RSSAC026v2" target="https://www.icann.org/en/system/f
iles/files/rssac-026-lexicon-12mar20-en.pdf">
<front>
<title>RSSAC Lexicon</title>
<author/>
<date month="March" year="2020"/>
</front>
<refcontent>An Advisory from the ICANN Root Server System Advisory Com
mittee (RSSAC)</refcontent>
<refcontent>RSSAC026v2</refcontent>
</reference>
<t>Added paragraph about no expectation that the TC bit in responses will be set </references>
.</t> </references>
<section anchor="changes" numbered="true" toc="default">
<name>Changes from RFC 8109</name>
<t>This document obsoletes <xref target="RFC8109" format="default"/>. The
significant changes from RFC 8109
are as follows:
<t>Added paragraph about RFC 9471 and requirements on authoritative servers and </t>
the TC bit. <ul spacing="normal">
<li>
<t>Added section on the content of priming information.</t>
</li>
<li>
<t>Added paragraph about no expectation that the TC bit in responses w
ill be set.</t>
</li>
<li>
<t>Added paragraph about RFC 9471 and requirements on authoritative se
rvers and the TC bit.
This clarified the role of glue records and truncation for responses from the ro ot zone.</t> This clarified the role of glue records and truncation for responses from the ro ot zone.</t>
</li>
<t>Changed "man-in-the-middle" to "machine-in-the-middle" to be both <li>
<t>Changed "man-in-the-middle" to "machine-in-the-middle" to be both
more inclusive and more technically accurate.</t> more inclusive and more technically accurate.</t>
</li>
<li>
<t>Clarified that there are other effects of machine-in-the-middle att
acks.</t>
</li>
<li>
<t>Clarified language for root server domain names as "root server ide
ntifiers".</t>
</li>
<li>
<t>Added short discussion of post-priming strategies.</t>
</li>
<li>
<t>Added informative references to Root Server System Advisory Committ
ee (RSSAC) documents.</t>
</li>
<li>
<t>Added short discussion about this document and private DNS.</t>
</li>
<li>
<t>Clarified that machine-in-the-middle attacks could be successful fo
r non-signed TLDs.</t>
</li>
<li>
<t>Added discussion of where resolvers that pre-fetch should get the r
oot NS addresses.</t>
</li>
<li>
<t>Elevated the expectations in <xref target="expected-prop-priming"/>
("<xref target="expected-prop-priming" format="title"/>") to <bcp14>MUST</bcp14
>-level.</t>
</li>
<li>
<t>Clarified that "currently" means "at the time this document was pub
lished".</t>
</li>
<li>
<t>Added a note about priming and RFC 8806.</t>
</li>
<li>
<t>Added a reference to research about discontinued root server addres
ses.</t>
</li>
</ul>
</section>
<section numbered="false" toc="default">
<name>Acknowledgements</name>
<t>RFC 8109 was the product of the DNSOP WG and benefited from the reviews
done there.
This document also benefited from review by <contact fullname="Duane Wessels"/>.
</t>
</section>
</back>
<t>Clarified that there are other effects of machine-in-the-middle attacks.</t> <!-- [rfced] Please review the "Inclusive Language" portion of the
online Style Guide at
<t>Clarified language for root server domain names as "root server identifiers". <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>,
</t> and let us know if any changes are needed. Updates of this nature
typically result in more precise language, which is helpful for
<t>Added short discussion of post-priming strategies.</t> readers.
<t>Added informative references to RSSAC documents.</t>
<t>Added short discussion about this document and private DNS.</t>
<t>Clarified that machine-in-the-middle attacks could be successful for non-sign
ed TLDs.</t>
<t>Added discussion of where resolvers that pre-fetch should get the root NS add
resses.</t>
<t>Elevated the expectations in "Expected Properties of the Priming Response" to
MUST-level.</t>
<t>Clarified that "currently" means at the time that this document is published.
</t>
<t>Added a note about priming and RFC 8806.</t>
<t>Added a reference to research about discontinued root server addresses.</t>
</list></t>
</section>
<section title='Acknowledgements'>
<t>RFC 8109 was the product of the DNSOP WG and benefitted from the reviews done
there.
This document also benefitted from review by Duane Wessels.</t>
</section> Note that our script did not flag any words in particular, but this
should still be reviewed as a best practice. -->
</back>
</rfc> </rfc>
 End of changes. 83 change blocks. 
385 lines changed or deleted 522 lines changed or added

This html diff was produced by rfcdiff 1.48.