| rfc9715.original | rfc9715.txt | |||
|---|---|---|---|---|
| Network Working Group K. Fujiwara | Internet Engineering Task Force (IETF) K. Fujiwara | |||
| Internet-Draft JPRS | Request for Comments: 9715 JPRS | |||
| Intended status: Informational P. Vixie | Category: Informational P. Vixie | |||
| Expires: 30 March 2025 AWS Security | ISSN: 2070-1721 AWS Security | |||
| 26 September 2024 | January 2025 | |||
| IP Fragmentation Avoidance in DNS over UDP | IP Fragmentation Avoidance in DNS over UDP | |||
| draft-ietf-dnsop-avoid-fragmentation-20 | ||||
| Abstract | Abstract | |||
| The widely deployed EDNS0 feature in the DNS enables a DNS receiver | The widely deployed Extension Mechanisms for DNS (EDNS0) feature in | |||
| to indicate its received UDP message size capacity, which supports | the DNS enables a DNS receiver to indicate its received UDP message | |||
| the sending of large UDP responses by a DNS server. Large DNS/UDP | size capacity, which supports the sending of large UDP responses by a | |||
| messages are more likely to be fragmented and IP fragmentation has | DNS server. Large DNS/UDP messages are more likely to be fragmented, | |||
| exposed weaknesses in application protocols. It is possible to avoid | and IP fragmentation has exposed weaknesses in application protocols. | |||
| IP fragmentation in DNS by limiting the response size where possible, | It is possible to avoid IP fragmentation in DNS by limiting the | |||
| and signaling the need to upgrade from UDP to TCP transport where | response size where possible and signaling the need to upgrade from | |||
| necessary. This document describes techniques to avoid IP | UDP to TCP transport where necessary. This document describes | |||
| fragmentation in DNS. | techniques to avoid IP fragmentation in DNS. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
| provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Not all documents | |||
| approved by the IESG are candidates for any level of Internet | ||||
| Standard; see Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 30 March 2025. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9715. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology | |||
| 3. How to avoid IP fragmentation in DNS . . . . . . . . . . . . 4 | 3. How to Avoid IP Fragmentation in DNS | |||
| 3.1. Proposed Recommendations for UDP responders . . . . . . . 4 | 3.1. Proposed Recommendations for UDP Responders | |||
| 3.2. Proposed Recommendations for UDP requestors . . . . . . . 5 | 3.2. Proposed Recommendations for UDP Requestors | |||
| 4. Proposed Recommendations for DNS operators . . . . . . . . . 5 | 4. Proposed Recommendations for DNS Operators | |||
| 5. Protocol compliance considerations . . . . . . . . . . . . . 6 | 5. Protocol Compliance Considerations | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 6. IANA Considerations | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 7. Security Considerations | |||
| 7.1. On-path fragmentation on IPv4 . . . . . . . . . . . . . . 6 | 7.1. On-Path Fragmentation on IPv4 | |||
| 7.2. Small MTU network . . . . . . . . . . . . . . . . . . . . 6 | 7.2. Small MTU Network | |||
| 7.3. Weaknesses of IP fragmentation . . . . . . . . . . . . . 7 | 7.3. Weaknesses of IP Fragmentation | |||
| 7.4. DNS Security Protections . . . . . . . . . . . . . . . . 7 | 7.4. DNS Security Protections | |||
| 7.5. Possible actions for resolver operators . . . . . . . . . 7 | 7.5. Possible Actions for Resolver Operators | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 | 8. References | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 8.1. Normative References | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 8.2. Informative References | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 9 | Appendix A. Details of Requestor's Maximum UDP Payload Size | |||
| Appendix A. Details of requestor's maximum UDP payload size | Discussions | |||
| discussions . . . . . . . . . . . . . . . . . . . . . . . 11 | Appendix B. Minimal Responses | |||
| Appendix B. Minimal-responses . . . . . . . . . . . . . . . . . 12 | Appendix C. Known Implementations | |||
| Appendix C. Known Implementations . . . . . . . . . . . . . . . 12 | C.1. BIND 9 | |||
| C.1. BIND 9 . . . . . . . . . . . . . . . . . . . . . . . . . 12 | C.2. Knot DNS and Knot Resolver | |||
| C.2. Knot DNS and Knot Resolver . . . . . . . . . . . . . . . 13 | C.3. PowerDNS Authoritative Server, PowerDNS Recursor, and | |||
| C.3. PowerDNS Authoritative Server, PowerDNS Recursor, PowerDNS | PowerDNS dnsdist | |||
| dnsdist . . . . . . . . . . . . . . . . . . . . . . . . . 13 | C.4. PowerDNS Authoritative Server | |||
| C.4. PowerDNS Authoritative Server . . . . . . . . . . . . . . 14 | C.5. Unbound | |||
| C.5. Unbound . . . . . . . . . . . . . . . . . . . . . . . . . 14 | Acknowledgments | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| This document was originally intended to be a BCP, but due to | This document was originally intended to be a Best Current Practice, | |||
| operating system and socket option limitations, some of the | but due to operating system and socket option limitations, some of | |||
| recommendations have not yet gained real-world experience and | the recommendations have not yet gained real-world experience; | |||
| therefore the document is published as Informational. It is hoped | therefore, this document is Informational. It is expected that, as | |||
| and expected that, as operating systems and implementations evolve, | operating systems and implementations evolve, we will gain more | |||
| we will gain more experience with the recommendations, and plan to | experience with the recommendations and will publish an updated | |||
| publish an updated document as a Best Current Practice. | document as a Best Current Practice in the future. | |||
| DNS has an EDNS0 [RFC6891] mechanism. The widely deployed EDNS0 | DNS has an EDNS0 mechanism [RFC6891]. The widely deployed EDNS0 | |||
| feature in the DNS enables a DNS receiver to indicate its received | feature in the DNS enables a DNS receiver to indicate its received | |||
| UDP message size capacity which supports the sending of large UDP | UDP message size capacity, which supports the sending of large UDP | |||
| responses by a DNS server. DNS over UDP invites IP fragmentation | responses by a DNS server. DNS over UDP invites IP fragmentation | |||
| when a packet is larger than the MTU of some network in the packet's | when a packet is larger than the Maximum Transmission Unit (MTU) of | |||
| path. | some network in the packet's path. | |||
| Fragmented DNS UDP responses have systemic weaknesses, which expose | Fragmented DNS UDP responses have systemic weaknesses, which expose | |||
| the requestor to DNS cache poisoning from off-path attackers. (See | the requestor to DNS cache poisoning from off-path attackers (see | |||
| Section 7.3 for references and details.) | Section 7.3 for references and details). | |||
| [RFC8900] states that IP fragmentation introduces fragility to | [RFC8900] states that IP fragmentation introduces fragility to | |||
| Internet communication. The transport of DNS messages over UDP | Internet communication. The transport of DNS messages over UDP | |||
| should take account of the observations stated in that document. | should take account of the observations stated in that document. | |||
| TCP avoids fragmentation by segmenting data into packets that are | TCP avoids fragmentation by segmenting data into packets that are | |||
| smaller than or equal to the Maximum Segment Size (MSS). For each | smaller than or equal to the Maximum Segment Size (MSS). For each | |||
| transmitted segment, the size of the IP and TCP headers is known, and | transmitted segment, the size of the IP and TCP headers is known, and | |||
| the IP packet size can be chosen to keep it within the estimated MTU | the IP packet size can be chosen to keep it within the estimated MTU | |||
| and the other end's MSS. This takes advantage of the elasticity of | and the other end's MSS. This takes advantage of the elasticity of | |||
| TCP's packetizing process as to how much queued data will fit into | TCP's packetizing process as to how much queued data will fit into | |||
| the next segment. In contrast, DNS over UDP has little datagram size | the next segment. In contrast, DNS over UDP has little datagram size | |||
| elasticity and lacks insight into IP header and option size, so we | elasticity and lacks insight into IP header and option size, so we | |||
| must make more conservative estimates about available UDP payload | must make more conservative estimates about available UDP payload | |||
| space. | space. | |||
| [RFC7766] states that all general-purpose DNS implementations MUST | [RFC7766] states that all general-purpose DNS implementations MUST | |||
| support both UDP and TCP transport. | support both UDP and TCP transport. | |||
| DNS transaction security [RFC8945] [RFC2931] does protect against the | DNS transaction security [RFC8945] [RFC2931] does protect against the | |||
| security risks of fragmentation, including protecting delegation | security risks of fragmentation, and it protects delegation | |||
| responses. But [RFC8945] has limited applicability due to key | responses. But [RFC8945] has limited applicability due to key | |||
| distribution requirements and there is little if any deployment of | distribution requirements, and there is little if any deployment of | |||
| [RFC2931]. | [RFC2931]. | |||
| This document describes various techniques to avoid IP fragmentation | This document describes various techniques to avoid IP fragmentation | |||
| of UDP packets in DNS. This document is primarily applicable to DNS | of UDP packets in DNS. This document is primarily applicable to DNS | |||
| use on the global Internet. | use on the global Internet. | |||
| In contrast, a path MTU that deviates from the recommended value | In contrast, a path MTU that deviates from the recommended value | |||
| might be obtained through static configuration, server routing hints, | might be obtained through static configuration, server routing hints, | |||
| or a future discovery protocol. However, addressing this falls | or a future discovery protocol. However, addressing this falls | |||
| outside the scope of this document and may be the subject of future | outside the scope of this document and may be the subject of future | |||
| specifications. | specifications. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| "Requestor" refers to the side that sends a request. "Responder" | The definitions of "requestor" and "responder" are per [RFC6891]: | |||
| refers to an authoritative server, recursive resolver or other DNS | ||||
| component that responds to questions. (Quoted from EDNS0 [RFC6891]) | ||||
| "Path MTU" is the minimum link MTU of all the links in a path between | | "Requestor" refers to the side that sends a request. "Responder" | |||
| a source node and a destination node. (Quoted from [RFC8201]) | | refers to an authoritative, recursive resolver or other DNS | |||
| | component that responds to questions. | ||||
| In this document, the term "Path MTU discovery" includes both | The definition of "path MTU" is per [RFC8201]: | |||
| Classical Path MTU discovery [RFC1191], [RFC8201], and Packetization | ||||
| Layer Path MTU discovery [RFC8899]. | | path MTU [is] the minimum link MTU of all the links in a path | |||
| | between a source node and a destination node. | ||||
| In this document, the term "Path MTU Discovery" includes both | ||||
| Classical Path MTU Discovery [RFC1191] [RFC8201] and Packetization | ||||
| Layer Path MTU Discovery [RFC8899]. | ||||
| Many of the specialized terms used in this document are defined in | Many of the specialized terms used in this document are defined in | |||
| DNS Terminology [RFC8499]. | "DNS Terminology" [RFC9499]. | |||
| 3. How to avoid IP fragmentation in DNS | 3. How to Avoid IP Fragmentation in DNS | |||
| These recommendations are intended for nodes with global IP addresses | These recommendations are intended for nodes with global IP addresses | |||
| on the Internet. Private networks or local networks are out of the | on the Internet. Private networks or local networks are out of the | |||
| scope of this document. | scope of this document. | |||
| The methods to avoid IP fragmentation in DNS are described below: | The methods to avoid IP fragmentation in DNS are described below: | |||
| 3.1. Proposed Recommendations for UDP responders | 3.1. Proposed Recommendations for UDP Responders | |||
| R1. UDP responders should not use IPv6 fragmentation [RFC8200]. | R1. UDP responders should not use IPv6 fragmentation [RFC8200]. | |||
| R2. UDP responders should configure their systems to prevent | R2. UDP responders should configure their systems to prevent | |||
| fragmentation of UDP packets when sending replies, provided it can be | fragmentation of UDP packets when sending replies, provided it | |||
| done safely. The mechanisms to achieve this vary across different | can be done safely. The mechanisms to achieve this vary | |||
| operating systems. | across different operating systems. | |||
| For BSD-like operating systems, the IP "Don't Fragment flag (DF) bit" | For BSD-like operating systems, the IP Don't Fragment flag | |||
| [RFC0791] can be used to prevent fragmentation. In contrast, Linux | (DF) bit [RFC0791] can be used to prevent fragmentation. In | |||
| systems do not expose a direct API for this purpose and require the | contrast, Linux systems do not expose a direct API for this | |||
| use of Path MTU socket options (IP_MTU_DISCOVER) to manage | purpose and require the use of Path MTU socket options | |||
| fragmentation settings. However, it is important to note that | (IP_MTU_DISCOVER) to manage fragmentation settings. However, | |||
| enabling IPv4 Path MTU Discovery for UDP in current Linux versions is | it is important to note that enabling IPv4 Path MTU Discovery | |||
| considered harmful and dangerous. For more details, refer to | for UDP in current Linux versions is considered harmful and | |||
| Appendix C. | dangerous. For more details, see Appendix C. | |||
| R3. UDP responders should compose response packets that fit in the | R3. UDP responders should compose response packets that fit in the | |||
| minimum of the offered requestor's maximum UDP payload size | minimum of the offered requestor's maximum UDP payload size | |||
| [RFC6891], the interface MTU, the network MTU value configured by the | [RFC6891], the interface MTU, the network MTU value configured | |||
| knowledge of the network operators, and the RECOMMENDED maximum DNS/ | by the knowledge of the network operators, and the RECOMMENDED | |||
| UDP payload size 1400. (See Appendix A for more information.) | maximum DNS/UDP payload size 1400. For more details, see | |||
| Appendix A. | ||||
| R4. If the UDP responder detects an immediate error indicating that | R4. If the UDP responder detects an immediate error indicating | |||
| the UDP packet exceeds the path MTU size, the UDP responder may | that the UDP packet exceeds the path MTU size, the UDP | |||
| recreate response packets that fit in the path MTU size, or with the | responder may recreate response packets that fit in the path | |||
| TC bit set. | MTU size or with the TC bit set. | |||
| The cause and effect of the TC bit are unchanged [RFC1035]. | The cause and effect of the TC bit are unchanged [RFC1035]. | |||
| 3.2. Proposed Recommendations for UDP requestors | 3.2. Proposed Recommendations for UDP Requestors | |||
| R5. UDP requestors should limit the requestor's maximum UDP payload | R5. UDP requestors should limit the requestor's maximum UDP | |||
| size to fit in the minimum of the interface MTU, the network MTU | payload size to fit in the minimum of the interface MTU, the | |||
| value configured by the network operators, and the RECOMMENDED | network MTU value configured by the network operators, and the | |||
| maximum DNS/UDP payload size 1400. A smaller limit may be allowed. | RECOMMENDED maximum DNS/UDP payload size 1400. A smaller | |||
| (See Appendix A for more information.) | limit may be allowed. For more details, see Appendix A. | |||
| R6. UDP requestors should/may drop fragmented DNS/UDP responses | R6. UDP requestors should/may drop fragmented DNS/UDP responses | |||
| without IP reassembly to avoid cache poisoning attacks (at firewall | without IP reassembly to avoid cache poisoning attacks (at the | |||
| function). | firewall function). | |||
| R7. DNS responses may be dropped by IP fragmentation. Requestors | R7. DNS responses may be dropped by IP fragmentation. It is | |||
| are recommended to try alternative transport protocols eventually. | recommended that requestors eventually try alternative | |||
| transport protocols. | ||||
| 4. Proposed Recommendations for DNS operators | 4. Proposed Recommendations for DNS Operators | |||
| Large DNS responses are typically the result of zone configuration. | Large DNS responses are typically the result of zone configuration. | |||
| People who publish information in the DNS should seek configurations | People who publish information in the DNS should seek configurations | |||
| resulting in small responses. For example, | resulting in small responses. For example: | |||
| R8. Use a smaller number of name servers. | R8. Use a smaller number of name servers. | |||
| R9. Use a smaller number of A/AAAA RRs for a domain name. | R9. Use a smaller number of A/AAAA RRs for a domain name. | |||
| R10. Use minimal-responses configuration: Some implementations have | R10. Use minimal-responses configuration: Some implementations have | |||
| a 'minimal responses' configuration option that causes DNS servers to | a 'minimal responses' configuration option that causes DNS | |||
| make response packets smaller, containing only mandatory and required | servers to make response packets smaller by containing only | |||
| data (Appendix B). | mandatory and required data (Appendix B). | |||
| R11. Use a smaller signature / public key size algorithm for DNSSEC. | R11. Use a smaller signature / public key size algorithm for | |||
| Notably, the signature sizes of ECDSA and EdDSA are smaller than | DNSSEC. Notably, the signature sizes of the Elliptic Curve | |||
| those of equivalent cryptographic strength using RSA. | Digital Signature Algorithm (ECDSA) and Edwards-curve Digital | |||
| Signature Algorithm (EdDSA) are smaller than those of | ||||
| equivalent cryptographic strength using RSA. | ||||
| It is difficult to determine a specific upper limit for R8, R9, and | It is difficult to determine a specific upper limit for R8, R9, and | |||
| R11, but it is sufficient if all responses from the DNS servers are | R11, but it is sufficient if all responses from the DNS servers are | |||
| below the size of R3 and R5. | below the size of R3 and R5. | |||
| 5. Protocol compliance considerations | 5. Protocol Compliance Considerations | |||
| Some authoritative servers deviate from the DNS standard as follows: | Some authoritative servers deviate from the DNS standard as follows: | |||
| * Some authoritative servers ignore the EDNS0 requestor's maximum | * Some authoritative servers ignore the EDNS0 requestor's maximum | |||
| UDP payload size and return large UDP responses. [Fujiwara2018] | UDP payload size and return large UDP responses [Fujiwara2018]. | |||
| * Some authoritative servers do not support TCP transport. | * Some authoritative servers do not support TCP transport. | |||
| Such non-compliant behavior cannot become implementation or | Such non-compliant behavior cannot become implementation or | |||
| configuration constraints for the rest of the DNS. If failure is the | configuration constraints for the rest of the DNS. If failure is the | |||
| result, then that failure must be localized to the non-compliant | result, then that failure must be localized to the non-compliant | |||
| servers. | servers. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document requests no IANA actions. | This document has no IANA actions. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| 7.1. On-path fragmentation on IPv4 | 7.1. On-Path Fragmentation on IPv4 | |||
| If the Don't Fragment (DF) bit is not set, on-path fragmentation may | If the Don't Fragment (DF) bit is not set, on-path fragmentation may | |||
| happen on IPv4, and lead to vulnerabilities, as shown in Section 7.3. | happen on IPv4, and it can lead to vulnerabilities as shown in | |||
| To avoid this, recommendation R6 needs to be used to discard the | Section 7.3. To avoid this, recommendation R6 needs to be used to | |||
| fragmented responses and retry by TCP. | discard the fragmented responses and retry using TCP. | |||
| 7.2. Small MTU network | 7.2. Small MTU Network | |||
| When avoiding fragmentation, a DNS/UDP requestor behind a small MTU | When avoiding fragmentation, a DNS/UDP requestor behind a small MTU | |||
| network may experience UDP timeouts, which would reduce performance | network may experience UDP timeouts, which would reduce performance | |||
| and which may lead to TCP fallback. This would indicate prior | and may lead to TCP fallback. This would indicate prior reliance | |||
| reliance upon IP fragmentation, which is considered to be harmful to | upon IP fragmentation, which is considered to be harmful to both the | |||
| both the performance and stability of applications, endpoints, and | performance and stability of applications, endpoints, and gateways. | |||
| gateways. Avoiding IP fragmentation will improve operating | Avoiding IP fragmentation will improve operating conditions overall, | |||
| conditions overall, and the performance of DNS/TCP has increased and | and the performance of DNS/TCP has increased and will continue to | |||
| will continue to increase. | increase. | |||
| If a UDP response packet is dropped in transit, up to and including | If a UDP response packet is dropped in transit, up to and including | |||
| the network stack of the initiator, it increases the attack window | the network stack of the initiator, it increases the attack window | |||
| for poisoning the requestor's cache. | for poisoning the requestor's cache. | |||
| 7.3. Weaknesses of IP fragmentation | 7.3. Weaknesses of IP Fragmentation | |||
| "Fragmentation Considered Poisonous" [Herzberg2013] noted effective | "Fragmentation Considered Poisonous" [Herzberg2013] notes effective | |||
| off-path DNS cache poisoning attack vectors using IP fragmentation. | off-path DNS cache poisoning attack vectors using IP fragmentation. | |||
| "IP fragmentation attack on DNS" [Hlavacek2013] and "Domain | "IP fragmentation attack on DNS" [Hlavacek2013] and "Domain | |||
| Validation++ For MitM-Resilient PKI" [Brandt2018] noted that off-path | Validation++ For MitM-Resilient PKI" [Brandt2018] note that off-path | |||
| attackers can intervene in the path MTU discovery [RFC1191] to cause | attackers can intervene in the Path MTU Discovery [RFC1191] to cause | |||
| authoritative servers to produce fragmented responses. [RFC7739] | authoritative servers to produce fragmented responses. [RFC7739] | |||
| stated the security implications of predictable fragment | states the security implications of predictable fragment | |||
| identification values. | identification values. | |||
| In Section 3.2 (Message Side Guidelines) of UDP Usage Guidelines | In Section 3.2 ("Message Size Guidelines") of "UDP Usage Guidelines" | |||
| [RFC8085] we are told that an application SHOULD NOT send UDP | [RFC8085], we are told that an application SHOULD NOT send UDP | |||
| datagrams that result in IP packets that exceed the Maximum | datagrams that result in IP packets that exceed the MTU along the | |||
| Transmission Unit (MTU) along the path to the destination. | path to the destination. | |||
| A DNS message receiver cannot trust fragmented UDP datagrams | A DNS message receiver cannot trust fragmented UDP datagrams | |||
| primarily due to the small amount of entropy provided by UDP port | primarily due to the small amount of entropy provided by UDP port | |||
| numbers and DNS message identifiers, each of which being only 16 bits | numbers and DNS message identifiers, each of which is only 16 bits in | |||
| in size, and both likely being in the first fragment of a packet if | size, and both are likely to be in the first fragment of a packet if | |||
| fragmentation occurs. By comparison, the TCP protocol stack controls | fragmentation occurs. By comparison, the TCP protocol stack controls | |||
| packet size and avoids IP fragmentation under ICMP NEEDFRAG attacks. | packet size and avoids IP fragmentation under ICMP NEEDFRAG attacks. | |||
| In TCP, fragmentation should be avoided for performance reasons, | In TCP, fragmentation should be avoided for performance reasons, | |||
| whereas for UDP, fragmentation should be avoided for resiliency and | whereas for UDP, fragmentation should be avoided for resiliency and | |||
| authenticity reasons. | authenticity reasons. | |||
| 7.4. DNS Security Protections | 7.4. DNS Security Protections | |||
| DNSSEC is a countermeasure against cache poisoning attacks that use | DNSSEC is a countermeasure against cache poisoning attacks that use | |||
| IP fragmentation. However, DNS delegation responses are not signed | IP fragmentation. However, DNS delegation responses are not signed | |||
| with DNSSEC, and DNSSEC does not have a mechanism to get the correct | with DNSSEC, and DNSSEC does not have a mechanism to get the correct | |||
| response if an incorrect delegation is injected. This is a denial- | response if an incorrect delegation is injected. This is a denial- | |||
| of-service vulnerability that can yield failed name resolutions. If | of-service vulnerability that can yield failed name resolutions. If | |||
| cache poisoning attacks can be avoided, DNSSEC validation failures | cache poisoning attacks can be avoided, DNSSEC validation failures | |||
| will be avoided. | will be avoided. | |||
| 7.5. Possible actions for resolver operators | 7.5. Possible Actions for Resolver Operators | |||
| Because this document is published as an "Informational" document | Because this document is published as Informational rather than a | |||
| rather than a "Best Current Practice," this section presents steps | Best Current Practice, this section presents steps that resolver | |||
| that resolver operators can take to avoid vulnerabilities related to | operators can take to avoid vulnerabilities related to IP | |||
| IP fragmentation. | fragmentation. | |||
| To avoid vulnerabilities related to IP fragmentation, implement R5 | To avoid vulnerabilities related to IP fragmentation, implement R5 | |||
| and R6. | and R6. | |||
| Specifically, configure the firewall functions protecting the full- | Specifically, configure the firewall functions protecting the full- | |||
| service resolver to discard incoming DNS response packets with a non- | service resolver to discard incoming DNS response packets with a non- | |||
| zero Fragment offset or a More Fragments (MF) bit of 1 on IPv4, and | zero Fragment Offset (FO) or a More Fragments (MF) bit of 1 on IPv4, | |||
| discard packets with IPv6 Fragment Headers. (If the resolver's IP | and discard packets with IPv6 Fragment Headers. (If the resolver's | |||
| address is not dedicated to the DNS resolver and uses UDP | IP address is not dedicated to the DNS resolver and uses UDP | |||
| communication that relies on IP Fragmentation for purposes other than | communication that relies on IP Fragmentation for purposes other than | |||
| DNS, discard only the first fragment that contains the UDP header | DNS, discard only the first fragment that contains the UDP header | |||
| from port 53.) | from port 53.) | |||
| The most recent resolver software is believed to implement R7. | The most recent resolver software is believed to implement R7. | |||
| Even if R7 is not implemented, it will only result in a name | Even if R7 is not implemented, it will only result in a name | |||
| resolution error, preventing attacks from leading to malicious sites. | resolution error, preventing attacks from leading to malicious sites. | |||
| 8. Acknowledgments | 8. References | |||
| The author would like to specifically thank Paul Wouters, Mukund | ||||
| Sivaraman, Tony Finch, Hugo Salgado, Peter van Dijk, Brian Dickson, | ||||
| Puneet Sood, Jim Reid, Petr Spacek, Andrew McConachie, Joe Abley, | ||||
| Daisuke Higashi, Joe Touch, Wouter Wijngaards, Vladimir Cunat, Benno | ||||
| Overeinder and Štěpán Němec for extensive review and comments. | ||||
| 9. References | ||||
| 9.1. Normative References | 8.1. Normative References | |||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | |||
| November 1987, <https://www.rfc-editor.org/rfc/rfc1035>. | November 1987, <https://www.rfc-editor.org/info/rfc1035>. | |||
| [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, | [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, | |||
| DOI 10.17487/RFC1191, November 1990, | DOI 10.17487/RFC1191, November 1990, | |||
| <https://www.rfc-editor.org/rfc/rfc1191>. | <https://www.rfc-editor.org/info/rfc1191>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures | [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures | |||
| ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September | ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September | |||
| 2000, <https://www.rfc-editor.org/rfc/rfc2931>. | 2000, <https://www.rfc-editor.org/info/rfc2931>. | |||
| [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | |||
| for DNS (EDNS(0))", STD 75, RFC 6891, | for DNS (EDNS(0))", STD 75, RFC 6891, | |||
| DOI 10.17487/RFC6891, April 2013, | DOI 10.17487/RFC6891, April 2013, | |||
| <https://www.rfc-editor.org/rfc/rfc6891>. | <https://www.rfc-editor.org/info/rfc6891>. | |||
| [RFC7739] Gont, F., "Security Implications of Predictable Fragment | [RFC7739] Gont, F., "Security Implications of Predictable Fragment | |||
| Identification Values", RFC 7739, DOI 10.17487/RFC7739, | Identification Values", RFC 7739, DOI 10.17487/RFC7739, | |||
| February 2016, <https://www.rfc-editor.org/rfc/rfc7739>. | February 2016, <https://www.rfc-editor.org/info/rfc7739>. | |||
| [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and | [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and | |||
| D. Wessels, "DNS Transport over TCP - Implementation | D. Wessels, "DNS Transport over TCP - Implementation | |||
| Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, | Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, | |||
| <https://www.rfc-editor.org/rfc/rfc7766>. | <https://www.rfc-editor.org/info/rfc7766>. | |||
| [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage | [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage | |||
| Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, | Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, | |||
| March 2017, <https://www.rfc-editor.org/rfc/rfc8085>. | March 2017, <https://www.rfc-editor.org/info/rfc8085>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", STD 86, RFC 8200, | (IPv6) Specification", STD 86, RFC 8200, | |||
| DOI 10.17487/RFC8200, July 2017, | DOI 10.17487/RFC8200, July 2017, | |||
| <https://www.rfc-editor.org/rfc/rfc8200>. | <https://www.rfc-editor.org/info/rfc8200>. | |||
| [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., | [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., | |||
| "Path MTU Discovery for IP version 6", STD 87, RFC 8201, | "Path MTU Discovery for IP version 6", STD 87, RFC 8201, | |||
| DOI 10.17487/RFC8201, July 2017, | DOI 10.17487/RFC8201, July 2017, | |||
| <https://www.rfc-editor.org/rfc/rfc8201>. | <https://www.rfc-editor.org/info/rfc8201>. | |||
| [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | ||||
| Terminology", RFC 8499, DOI 10.17487/RFC8499, January | ||||
| 2019, <https://www.rfc-editor.org/rfc/rfc8499>. | ||||
| [RFC8899] Fairhurst, G., Jones, T., Tüxen, M., Rüngeler, I., and T. | [RFC8899] Fairhurst, G., Jones, T., Tüxen, M., Rüngeler, I., and T. | |||
| Völker, "Packetization Layer Path MTU Discovery for | Völker, "Packetization Layer Path MTU Discovery for | |||
| Datagram Transports", RFC 8899, DOI 10.17487/RFC8899, | Datagram Transports", RFC 8899, DOI 10.17487/RFC8899, | |||
| September 2020, <https://www.rfc-editor.org/rfc/rfc8899>. | September 2020, <https://www.rfc-editor.org/info/rfc8899>. | |||
| [RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D., | [RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D., | |||
| Gudmundsson, O., and B. Wellington, "Secret Key | Gudmundsson, O., and B. Wellington, "Secret Key | |||
| Transaction Authentication for DNS (TSIG)", STD 93, | Transaction Authentication for DNS (TSIG)", STD 93, | |||
| RFC 8945, DOI 10.17487/RFC8945, November 2020, | RFC 8945, DOI 10.17487/RFC8945, November 2020, | |||
| <https://www.rfc-editor.org/rfc/rfc8945>. | <https://www.rfc-editor.org/info/rfc8945>. | |||
| 9.2. Informative References | [RFC9499] Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219, | |||
| RFC 9499, DOI 10.17487/RFC9499, March 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9499>. | ||||
| 8.2. Informative References | ||||
| [Brandt2018] | [Brandt2018] | |||
| Brandt, M., Dai, T., Klein, A., Shulman, H., and M. | Brandt, M., Dai, T., Klein, A., Shulman, H., and M. | |||
| Waidner, "Domain Validation++ For MitM-Resilient PKI", | Waidner, "Domain Validation++ For MitM-Resilient PKI", | |||
| Proceedings of the 2018 ACM SIGSAC Conference on Computer | Proceedings of the 2018 ACM SIGSAC Conference on Computer | |||
| and Communications Security , 2018. | and Communications Security, pp. 2060-2076, | |||
| DOI 10.1145/3243734.3243790, October 2018, | ||||
| <https://doi.org/10.1145/3243734.3243790>. | ||||
| [DNSFlagDay2020] | [DNSFlagDay2020] | |||
| "DNS flag day 2020", n.d., <https://dnsflagday.net/2020/>. | "DNS flag day 2020", <https://dnsflagday.net/2020/>. | |||
| [Fujiwara2018] | [Fujiwara2018] | |||
| Fujiwara, K., "Measures against cache poisoning attacks | Fujiwara, K., "Measures against DNS cache poisoning | |||
| using IP fragmentation in DNS", OARC 30 Workshop , 2019. | attacks using IP fragmentation", OARC 30 Workshop, 2019. | |||
| [Herzberg2013] | [Herzberg2013] | |||
| Herzberg, A. and H. Shulman, "Fragmentation Considered | Herzberg, A. and H. Shulman, "Fragmentation Considered | |||
| Poisonous", IEEE Conference on Communications and Network | Poisonous, or: One-domain-to-rule-them-all.org", IEEE | |||
| Security , 2013. | Conference on Communications and Network Security (CNS), | |||
| DOI 10.1109/CNS.2013.6682711, 2013, | ||||
| <https://doi.org/10.1109/CNS.2013.6682711>. | ||||
| [Hlavacek2013] | [Hlavacek2013] | |||
| Hlavacek, T., "IP fragmentation attack on DNS", RIPE 67 | Hlavacek, T., "IP fragmentation attack on DNS", RIPE 67 | |||
| Meeting , 2013, <https://ripe67.ripe.net/ | Meeting, 2013, <https://ripe67.ripe.net/ | |||
| presentations/240-ipfragattack.pdf>. | presentations/240-ipfragattack.pdf>. | |||
| [Huston2021] | [Huston2021] | |||
| Huston, G. and J. Damas, "Measuring DNS Flag Day 2020", | Huston, G. and J. Damas, "Measuring DNS Flag Day 2020", | |||
| OARC 34 Workshop , February 2021. | OARC 34 Workshop, February 2021. | |||
| [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, | [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, | |||
| DOI 10.17487/RFC0791, September 1981, | DOI 10.17487/RFC0791, September 1981, | |||
| <https://www.rfc-editor.org/rfc/rfc791>. | <https://www.rfc-editor.org/info/rfc791>. | |||
| [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | |||
| NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | |||
| <https://www.rfc-editor.org/rfc/rfc2308>. | <https://www.rfc-editor.org/info/rfc2308>. | |||
| [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", | ||||
| RFC 2671, DOI 10.17487/RFC2671, August 1999, | ||||
| <https://www.rfc-editor.org/info/rfc2671>. | ||||
| [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |||
| specifying the location of services (DNS SRV)", RFC 2782, | specifying the location of services (DNS SRV)", RFC 2782, | |||
| DOI 10.17487/RFC2782, February 2000, | DOI 10.17487/RFC2782, February 2000, | |||
| <https://www.rfc-editor.org/rfc/rfc2782>. | <https://www.rfc-editor.org/info/rfc2782>. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Protocol Modifications for the DNS Security | Rose, "Protocol Modifications for the DNS Security | |||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | |||
| <https://www.rfc-editor.org/rfc/rfc4035>. | <https://www.rfc-editor.org/info/rfc4035>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <https://www.rfc-editor.org/rfc/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., | [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., | |||
| and F. Gont, "IP Fragmentation Considered Fragile", | and F. Gont, "IP Fragmentation Considered Fragile", | |||
| BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, | BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, | |||
| <https://www.rfc-editor.org/rfc/rfc8900>. | <https://www.rfc-editor.org/info/rfc8900>. | |||
| [RFC9460] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding | [RFC9460] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding | |||
| and Parameter Specification via the DNS (SVCB and HTTPS | and Parameter Specification via the DNS (SVCB and HTTPS | |||
| Resource Records)", RFC 9460, DOI 10.17487/RFC9460, | Resource Records)", RFC 9460, DOI 10.17487/RFC9460, | |||
| November 2023, <https://www.rfc-editor.org/rfc/rfc9460>. | November 2023, <https://www.rfc-editor.org/info/rfc9460>. | |||
| [RFC9471] Andrews, M., Huque, S., Wouters, P., and D. Wessels, "DNS | [RFC9471] Andrews, M., Huque, S., Wouters, P., and D. Wessels, "DNS | |||
| Glue Requirements in Referral Responses", RFC 9471, | Glue Requirements in Referral Responses", RFC 9471, | |||
| DOI 10.17487/RFC9471, September 2023, | DOI 10.17487/RFC9471, September 2023, | |||
| <https://www.rfc-editor.org/rfc/rfc9471>. | <https://www.rfc-editor.org/info/rfc9471>. | |||
| Appendix A. Details of requestor's maximum UDP payload size discussions | Appendix A. Details of Requestor's Maximum UDP Payload Size Discussions | |||
| There are many discussions for default path MTU size and requestor's | There are many discussions about default path MTU size and a | |||
| maximum UDP payload size. | requestor's maximum UDP payload size. | |||
| * The minimum MTU for an IPv6 interface is 1280 octets (see | * The minimum MTU for an IPv6 interface is 1280 octets (see | |||
| Section 5 of [RFC8200]). So, we can use it as the default path | Section 5 of [RFC8200]). So, it can be used as the default path | |||
| MTU value for IPv6. The corresponding minimum MTU for an IPv4 | MTU value for IPv6. The corresponding minimum MTU for an IPv4 | |||
| interface is 68 (60 + 8) [RFC0791]. | interface is 68 (60 + 8) [RFC0791]. | |||
| * [RFC4035] defines that "A security-aware name server MUST support | * [RFC4035] states that "A security-aware name server MUST support | |||
| the EDNS0 message size extension, MUST support a message size of | the EDNS0 ([RFC2671]) message size extension, [and it] MUST | |||
| at least 1220 octets". Then, the smallest number of the maximum | support a message size of at least 1220 octets". Then, the | |||
| DNS/UDP payload size is 1220. | smallest number of the maximum DNS/UDP payload size is 1220. | |||
| * In order to avoid IP fragmentation, [DNSFlagDay2020] proposed that | * In order to avoid IP fragmentation, [DNSFlagDay2020] proposes that | |||
| the UDP requestors set the requestor's payload size to 1232, and | UDP requestors set the requestor's payload size to 1232 and UDP | |||
| the UDP responders compose UDP responses so they fit in 1232 | responders compose UDP responses so they fit in 1232 octets. The | |||
| octets. The size 1232 is based on an MTU of 1280, which is | size 1232 is based on an MTU of 1280, which is required by the | |||
| required by the IPv6 specification [RFC8200], minus 48 octets for | IPv6 specification [RFC8200], minus 48 octets for the IPv6 and UDP | |||
| the IPv6 and UDP headers. | headers. | |||
| * Most of the Internet and especially the inner core has an MTU of | * Most of the Internet, especially the inner core, has an MTU of at | |||
| at least 1500 octets. Maximum DNS/UDP payload size for IPv6 on | least 1500 octets. Maximum DNS/UDP payload size for IPv6 on an | |||
| MTU 1500 ethernet is 1452 (1500 minus 40 (IPv6 header size) minus | MTU 1500 Ethernet is 1452 (1500 minus 40 (IPv6 header size) minus | |||
| 8 (UDP header size)). To allow for possible IP options and | 8 (UDP header size)). To allow for possible IP options and | |||
| distant tunnel overhead, the recommendation of default maximum | distant tunnel overhead, the recommendation of default maximum | |||
| DNS/UDP payload size is 1400. | DNS/UDP payload size is 1400. | |||
| * [Huston2021] analyzed the result of [DNSFlagDay2020] and reported | * [Huston2021] analyzes the result of [DNSFlagDay2020] and reports | |||
| that their measurements suggest that in the interior of the | that their measurements suggest that in the interior of the | |||
| Internet between recursive resolvers and authoritative servers the | Internet between recursive resolvers and authoritative servers, | |||
| prevailing MTU is 1500 and there is no measurable signal of use of | the prevailing MTU is 1500 and there is no measurable signal of | |||
| smaller MTUs in this part of the Internet, and proposed that their | use of smaller MTUs in this part of the Internet. They propose | |||
| measurements suggest setting the EDNS0 requestor's UDP payload | that their measurements suggest setting the EDNS0 requestor's UDP | |||
| size to 1472 octets for IPv4, and 1452 octets for IPv6. | payload size to 1472 octets for IPv4 and 1452 octets for IPv6. | |||
| As a result of discussions, this document decided to recommend a | As a result of these discussions, this document recommends a value of | |||
| value of 1400, with smaller values also allowed. | 1400, with smaller values also allowed. | |||
| Appendix B. Minimal-responses | Appendix B. Minimal Responses | |||
| Some implementations have a "minimal responses" configuration | Some implementations have a "minimal responses" configuration | |||
| setting/option that causes a DNS server to make response packets | setting/option that causes a DNS server to make response packets | |||
| smaller, containing only mandatory and required data. | smaller, containing only mandatory and required data. | |||
| Under the minimal-responses configuration, a DNS server composes | Under the minimal-responses configuration, a DNS server composes | |||
| responses containing only necessary RRs. For delegations, see | responses containing only necessary Resource Records (RRs). For | |||
| [RFC9471]. In case of a non-existent domain name or non-existent | delegations, see [RFC9471]. In case of a non-existent domain name or | |||
| type, the authority section will contain an SOA record and the answer | non-existent type, the authority section will contain an SOA record, | |||
| section is empty. (defined in Section 2 of [RFC2308]). | and the answer section is empty (see Section 2 of [RFC2308]). | |||
| Some resource records (MX, SRV, SVCB, HTTPS) require additional A, | Some resource records (MX, SRV, SVCB, and HTTPS) require additional | |||
| AAAA, and SVCB records in the Additional Section defined in | A, AAAA, and Service Binding (SVCB) records in the Additional section | |||
| [RFC1035], [RFC2782] and [RFC9460]. | defined in [RFC1035], [RFC2782], and [RFC9460]. | |||
| In addition, if the zone is DNSSEC signed and a query has the DNSSEC | In addition, if the zone is DNSSEC signed and a query has the DNSSEC | |||
| OK bit, signatures are added in the answer section, or the | OK bit, signatures are added in the answer section, or the | |||
| corresponding DS RRSet and signatures are added in the authority | corresponding DS RRSet and signatures are added in the authority | |||
| section. Details are defined in [RFC4035] and [RFC5155]. | section. Details are defined in [RFC4035] and [RFC5155]. | |||
| Appendix C. Known Implementations | Appendix C. Known Implementations | |||
| This section records the status of known implementations of these | This section records the status of known implementations of the best | |||
| best practices defined by this specification at the time of | practices defined by this specification at the time of publication | |||
| publication, and any deviation from the specification. | and any deviation from the specification. | |||
| Please note that the listing of any individual implementation here | Please note that the listing of any individual implementation here | |||
| does not imply endorsement by the IETF. Furthermore, no effort has | does not imply endorsement by the IETF. Furthermore, no effort has | |||
| been spent to verify the information presented here that was supplied | been made to verify the information that was supplied by IETF | |||
| by IETF contributors. | contributors and presented here. | |||
| C.1. BIND 9 | C.1. BIND 9 | |||
| BIND 9 does not implement the recommendations 1 and 2 in Section 3.1. | BIND 9 does not implement recommendations 1 and 2 in Section 3.1. | |||
| BIND 9 on Linux sets IP_MTU_DISCOVER to IP_PMTUDISC_OMIT with a | BIND 9 on Linux sets IP_MTU_DISCOVER to IP_PMTUDISC_OMIT with a | |||
| fallback to IP_PMTUDISC_DONT. | fallback to IP_PMTUDISC_DONT. | |||
| BIND 9 on systems with IP_DONTFRAG (such as FreeBSD), IP_DONTFRAG is | BIND 9 on systems with IP_DONTFRAG (such as FreeBSD), IP_DONTFRAG is | |||
| disabled. | disabled. | |||
| Accepting PATH MTU Discovery for UDP is considered harmful and | Accepting Path MTU Discovery for UDP is considered harmful and | |||
| dangerous. BIND 9's settings avoid attacks to path MTU discovery. | dangerous. BIND 9's settings avoid attacks to Path MTU Discovery. | |||
| For recommendation 3, BIND 9 will honor the requestor's size up to | For recommendation 3, BIND 9 will honor the requestor's size up to | |||
| the configured limit (max-udp-size). The UDP response packet is | the configured limit (max-udp-size). The UDP response packet is | |||
| bound to be between 512 and 4096 bytes, with the default set to 1232. | bound to be between 512 and 4096 bytes, with the default set to 1232. | |||
| BIND 9 supports the requestor's size up to the configured limit (max- | BIND 9 supports the requestor's size up to the configured limit (max- | |||
| udp-size). | udp-size). | |||
| In the case of recommendation 4, and the send fails with EMSGSIZE, | In the case of recommendation 4 and the send fails with EMSGSIZE, | |||
| BIND 9 set the TC bit and try to send a minimal answer again. | BIND 9 sets the TC bit and tries to send a minimal answer again. | |||
| In the first recommendation of Section 3.2, BIND 9 uses the edns-buf- | In the first recommendation of Section 3.2, BIND 9 uses the edns-buf- | |||
| size option, with the default of 1232. | size option, with the default of 1232. | |||
| BIND 9 does implement recommendation 2 of Section 3.2. | BIND 9 does implement recommendation 2 (Section 3.2). | |||
| For recommendation 3, after two UDP timeouts, BIND 9 will fall back | For recommendation 3, after two UDP timeouts, BIND 9 will fall back | |||
| to TCP. | to TCP. | |||
| C.2. Knot DNS and Knot Resolver | C.2. Knot DNS and Knot Resolver | |||
| Both Knot servers set IP_PMTUDISC_OMIT to avoid path MTU spoofing. | Both Knot servers set IP_PMTUDISC_OMIT to avoid path MTU spoofing. | |||
| UDP size limit is 1232 by default. | The UDP size limit is 1232 by default. | |||
| Fragments are ignored if they arrive over an XDP interface. | Fragments are ignored if they arrive over an XDP interface. | |||
| TCP is attempted after repeated UDP timeouts. | TCP is attempted after repeated UDP timeouts. | |||
| Minimal responses are returned and are currently not configurable. | Minimal responses are returned and are currently not configurable. | |||
| Smaller signatures are used, with ecdsap256sha256 as the default. | Smaller signatures are used, with ecdsap256sha256 as the default. | |||
| C.3. PowerDNS Authoritative Server, PowerDNS Recursor, PowerDNS dnsdist | C.3. PowerDNS Authoritative Server, PowerDNS Recursor, and PowerDNS | |||
| dnsdist | ||||
| * IP_PMTUDISC_OMIT with fallback to IP_PMTUDISC_DONT | * IP_PMTUDISC_OMIT with a fallback to IP_PMTUDISC_DONT | |||
| * default EDNS buffer size of 1232, no probing for smaller sizes | * default EDNS buffer size of 1232; no probing for smaller sizes | |||
| * no handling of EMSGSIZE | * no handling of EMSGSIZE | |||
| * Recursor: UDP timeouts do not cause a switch to TCP. "Spoofing | ||||
| * Recursor: UDP timeouts do not cause a switch to TCP; "Spoofing | ||||
| nearmisses" do. | nearmisses" do. | |||
| C.4. PowerDNS Authoritative Server | C.4. PowerDNS Authoritative Server | |||
| * the default DNSSEC algorithm is 13 | * The default DNSSEC algorithm is 13. | |||
| * responses are minimal, this is not configurable | * Responses are minimal; this is not configurable. | |||
| C.5. Unbound | C.5. Unbound | |||
| Unbound sets IP_MTU_DISCOVER to IP_PMTUDISC_OMIT with fallback to | Unbound sets IP_MTU_DISCOVER to IP_PMTUDISC_OMIT with fallback to | |||
| IP_PMTUDISC_DONT. It also disables IP_DONTFRAG on systems that have | IP_PMTUDISC_DONT. It also disables IP_DONTFRAG on systems that have | |||
| it, but not on Apple systems. On systems that support it Unbound | it, but not on Apple systems. On systems that support it, Unbound | |||
| sets IPV6_USE_MIN_MTU, with a fallback to IPV6_MTU at 1280, with a | sets IPV6_USE_MIN_MTU, with a fallback to IPV6_MTU at 1280, with a | |||
| fallback to IPV6_USER_MTU. It also sets IPV6_MTU_DISCOVER to | fallback to IPV6_USER_MTU. It also sets IPV6_MTU_DISCOVER to | |||
| IPV6_PMTUDISC_OMIT with a fallback to IPV6_PMTUDISC_DONT. | IPV6_PMTUDISC_OMIT, with a fallback to IPV6_PMTUDISC_DONT. | |||
| Unbound requests UDP size 1232 from peers, by default. The | Unbound requests a UDP size of 1232 from peers, by default. The | |||
| requestors size is limited to a max of 1232. | requestor's size is limited to a max of 1232. | |||
| After some timeouts, Unbound retries with a smaller size, if that is | After some timeouts, Unbound retries with a smaller size, if that is | |||
| smaller, at size 1232 for IPv6 and 1472 for IPv4. This does not do | smaller, at size 1232 for IPv6 and 1472 for IPv4. This does not do | |||
| anything since the flag day change to 1232. | anything since the flag day change to 1232. | |||
| Unbound has minimal responses as an option, default on. | Unbound has minimal responses as an option, default on. | |||
| Acknowledgments | ||||
| The authors would like to specifically thank Paul Wouters, Mukund | ||||
| Sivaraman, Tony Finch, Hugo Salgado, Peter van Dijk, Brian Dickson, | ||||
| Puneet Sood, Jim Reid, Petr Spacek, Andrew McConachie, Joe Abley, | ||||
| Daisuke Higashi, Joe Touch, Wouter Wijngaards, Vladimir Cunat, Benno | ||||
| Overeinder, and Štěpán Němec for their extensive reviews and | ||||
| comments. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Kazunori Fujiwara | Kazunori Fujiwara | |||
| Japan Registry Services Co., Ltd. | Japan Registry Services Co., Ltd. | |||
| Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda, Chiyoda-ku, Tokyo | Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda, Chiyoda-ku, Tokyo | |||
| 101-0065 | 101-0065 | |||
| Japan | Japan | |||
| Phone: +81 3 5215 8451 | Phone: +81 3 5215 8451 | |||
| Email: fujiwara@jprs.co.jp | Email: fujiwara@jprs.co.jp | |||
| Paul Vixie | Paul Vixie | |||
| AWS Security | AWS Security | |||
| 11400 La Honda Road | 11400 La Honda Road | |||
| Woodside, CA, 94062 | Woodside, CA 94062 | |||
| United States of America | United States of America | |||
| Phone: +1 650 393 3994 | Phone: +1 650 393 3994 | |||
| Email: paul@redbarn.org | Email: paul@redbarn.org | |||
| End of changes. 114 change blocks. | ||||
| 268 lines changed or deleted | 286 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||