]> Problem Statement and Requirements for an Improved DNS Delegation Mechanism abbrev: DNS DELEG Requirements Salesforce
tale@dd.org
eppdnsprotocols@gmail.com
jim@rfc1035.com
Cox Communications
tjw.ietf@gmail.com
Internet DELEG Working Group dns delegations Authoritative control of parts of the Domain Name System namespace are indicated with a special record type, the NS record, that can only indicate the name of the server which a client resolver should contact for more information. Any other features of that server must then be discovered through other mechanisms. This draft considers the limitations of the current system, benefits that could be gained by changing it, and what requirements constrain an updated design.
Introduction In the Domain Name System , subtrees within the domain name hierarchy are indicated by delegations to servers which are authoritative for their portion of the namespace. The DNS records that do this, called NS records, can only represent the name of a nameserver. In practice, clients can expect nothing out of this delegated server other than that it will answer DNS requests on UDP port 53. As the DNS has evolved over the past four decades, this has proven to be a barrier for the efficient introduction of new DNS technology, particularly for interacting with servers other than via UDP or TCP on port 53. Many features that have been conceived come with additional overhead as they are limited by this least common denominator of nameserver functionality. Various mechanisms have been proposed for communicating additional information about authoritative nameservers. This document investigates problems that could be addressed with a new delegation mechanism and the factors that need to be considered in the design of a solution.
Terminology This document assumes familiarity with DNS terms as defined in . Additionally, the following new terms are introduced:
DELEG
A new method of DNS delegation, matching the requirements in this document but not presuming any particular mechanism, including previous specific proposals that used this name
Zone Operator
The person or organization responsible for the nameserver which serves the zone
Service Access Point
The network address tuple at which a zone is served
Requirements Framework The requirements constraining any proposed changes to DNS delegations fall broadly into two categories. "Hard Requirements" are those that must be followed by a successful protocol , because violating them would present too much of an obstacle for broad adoption. These will primarily be related to the way the existing Domain Name System functions at all levels. "Soft Requirements" are those that are desirable, but the absence of which does not intrinsically eliminate a design. These will largely be descriptive of the problems that are trying to be addressed with a new method, or features that would ease adoption. The context used here will be for the Domain Name System as it exists under the ICANN root and the Registry/Registrar/Registrant model (reference), and some conditions will only be relevant there. While it is expected that any design which satisfies the requirements of put forth here would be broadly applicable for any uses of the DNS outside of this environment, such uses are not in scope.
Hard Requirements The following strictures are necessary in a new delegation design.
  • DELEG must not disrupt the existing registration model of domains. Reservation of a name at a registry will still use the relevant registrar system to indicate the authorized registrant.
  • DELEG must be backwards compatible with the existing ecosystem. Legacy zone data must function identically with both DELEG-aware and DELEG-unaware software. Nameserver (NS) records will continue to define the delegation of authority between a parent zone and a child zone exactly as they have.
  • DELEG must not negatively impact most DNS software. This is intentionally a bit vague with regard to "most", because it can't be absolutely guaranteed for all possible DNS software on the network. However, the working group should strive to test any proposed mechanism against a wide range of legacy software and come to a consensus as to what constitutes adherence to this requirement.
  • DELEG must be able to secure delegations with DNSSEC. Ideally it should be able to convey an even stronger security model for delegations than currently exists.
  • DELEG must support updates to delegation information with the same relative ease as currently exists with NS records. Changes should take the same amount of time (eg, controlled by a DNS TTL) and allow a smooth transition between different operational platforms.
  • DELEG must be incrementally deployable and not require any sort of flag day of universal change to be effective.
  • DELEG must allow multiple independent operators to simultaneously serve a zone.
Soft Requirements The following items are the aspirational goals for this work, describing the features that are desired beyond what current NS-based delegations provide.
  • DELEG should facilitate the use of new DNS transport mechanisms, including those already defined by DNS-over-TLS (DoT ), DNS-over-HTTPS (DoH ), and DNS-over-QUIC (DoQ ). It should easily allow the adoption of new transport mechanisms.
  • DELEG should make clear all of the necessary details for contacting a Service Access Point -- its protocol, port, and any other data that would be required to initiate a DNS query.
  • DELEG should minimize transaction cost in its usage. This includes, but is not limited to, packet count, packet volume, and the amount of time it takes to resolve a query.
  • DELEG should enable a DNS operator to manage DNS service more completely on behalf of domain administrators. For example, DELEG could address long-standing issues of DNSSEC record maintenance that now often depend on registrant / registrar interaction. Similarly, DELEG could allow new transports to be deployed by an operator or nameserver names to be changed, without necessitating that delegation information be modified by the domain administrator.
  • DELEG should allow for backward compatibility to the conventional NS-based delegation mechanism. That is, a Zone Operator who wants to maintain a single source of truth of delegation information using DELEG should be able to easily have Do53 delegations derived from it.
  • DELEG should be easily extensible, much like Extension Mechanisms for DNS , allowing for the incremental addition of new parameters without needing all of the heavy lifting that is expected for the initial deployment.
  • DELEG should support an in-band means for the child to signal to the parent that parent-side records related to the child should be updated, akin to CDS/CDNSKEY .
Non-Requirements Several potential areas of requirement have been raised that are being explicitly acknowledged here as not being in the scope of this higher level document.
  • Whether NS records must continue to be the primary means by which resolutions happen or eventually fade in relevance.
  • Whether information for a new delegation mechanism is stored in at the zone name or elsewhere in the domain name hierarchy.
IANA Considerations This memo includes no request to IANA.
Security Considerations Updating the means by which DNS delegation information is communicated has tremendous implications for the security of the Internet. This section will be made more robust in future drafts. Contributions welcome.
Informative References Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Domain names - implementation and specification This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. What Makes for a Successful Protocol? The Internet community has specified a large number of protocols to date, and these protocols have achieved varying degrees of success. Based on case studies, this document attempts to ascertain factors that contribute to or hinder a protocol's success. It is hoped that these observations can serve as guidance for future protocol work. This memo provides information for the Internet community. Specification for DNS over Transport Layer Security (TLS) This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. DNS Queries over HTTPS (DoH) This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. Negative Caching of DNS Resolution Failures In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data, (2) a response indicating the requested data does not exist, or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of TYPE 2 responses is mandatory and caching of TYPE 3 responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures. RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures. RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones. Extension Mechanisms for DNS (EDNS(0)) The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. Managing DS Records from the Parent via CDS/CDNSKEY RFC 7344 specifies how DNS trust can be maintained across key rollovers in-band between parent and child. This document elevates RFC 7344 from Informational to Standards Track. It also adds a method for initial trust setup and removal of a secure entry point. Changing a domain's DNSSEC status can be a complicated matter involving multiple unrelated parties. Some of these parties, such as the DNS operator, might not even be known by all the organizations involved. The inability to disable DNSSEC via in-band signaling is seen as a problem or liability that prevents some DNSSEC adoption at a large scale. This document adds a method for in-band signaling of these DNSSEC status changes. This document describes reasonable policies to ease deployment of the initial acceptance of new secure entry points (DS records). It is preferable that operators collaborate on the transfer or move of a domain. The best method is to perform a Key Signing Key (KSK) plus Zone Signing Key (ZSK) rollover. If that is not possible, the method using an unsigned intermediate state described in this document can be used to move the domain between two parties. This leaves the domain temporarily unsigned and vulnerable to DNS spoofing, but that is preferred over the alternative of validation failures due to a mismatched DS and DNSKEY record.
Acknowledgements