draft-fujiwara-dnsop-ds-query-increase-01

DNS Operations(dnsop)                                      K.F. Fujiwara
Internet-Draft                                                      JPRS
Intended status: Informational                             July 16, 2013
Expires: January 17, 2014


            Side effect of DNSSEC: an increase of DS queries
             draft-fujiwara-dnsop-ds-query-increase-01.txt

Abstract

   An increase of periodic DS queries is observed at top level domain
   (TLD) DNS servers.  Almost all of periodic DS queries are queries for
   unsigned delegations.  The reason of the increase is low NCACHE TTL
   value and DS nonexistence.  This phenomena is DNSSEC protocol and DNS
   parameter issue.  DS queries will increase as DNSSEC validators will
   increase.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 17, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.












Fujiwara                Expires January 17, 2014                [Page 1]


Internet-Draft           Increase of DS queries                July 2013


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Problem statement . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Possible affected domain names  . . . . . . . . . . . . . . .   3
   3.  Possible solutions  . . . . . . . . . . . . . . . . . . . . .   3
   4.  Possible approaches . . . . . . . . . . . . . . . . . . . . .   4
   5.  Issues of Dummy DS  . . . . . . . . . . . . . . . . . . . . .   4
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Problem statement

   Many TLDs have supported DNSSEC.  However, many delegations do not
   have DS resource records.  Some of full-resolvers support DNSSEC
   validation.

   A significant increase of DS queries is observed at JP TLD DNS
   servers.  3.7% of queries are DS queries at JP TLD DNS servers in
   July, 2013 and they are still increasing.  Almost all query names of
   DS queries are unsigned zone cuts.  These DS queries are useless for
   DNSSEC validation because they are unsigned delegations.  Very small
   number of IP addresses send most of DS queries and the DS queries are
   periodic.

   The conditions of this phenomena are as follows.

   o  TLD's TTL value is relatively high, e.g., 86400.

   o  TLD's NCACHE TTL value is low, e.g., 900.

   o  There are many popular query names whose resource record TTLs are
      low, e.g., 300, and they are unsigned.

   o  DNSSEC validators receive queries of popular names frequently,
      e.g.  every 5 minutes.

   An unsigned delegation does not have a DS RR in its TLD zone.  DNSSEC
   validation process starts when the validator receives a query and it



Fujiwara                Expires January 17, 2014                [Page 2]


Internet-Draft           Increase of DS queries                July 2013


   does not exist in the validator's cache.  DNSSEC validators need to
   know DS RR existence for each query name.  The DS RR nonexistence
   information is cached within NCACHE TTL.  As a result, each DNSSEC
   validator may send DS queries for TLD DNS servers one zone cut per
   NCACHE TTL seconds.

   JP TLD case, NS, DS and glue TTL is 86400 and NCACHE TTL is 900.
   There are many popular names which are unsigned domain names and
   whose TTLs are low.  TTL of "www.yahoo.co.jp" A is 60 (CNAME TTL is
   900 and TTL of aliased name is 60) and TTL of "www.google.co.jp" A is
   300.  Busy full-resolvers receives both queries every minutes or
   more.  When a busy full resolver enables DNSSEC validation, it will
   send "yahoo.co.jp" and "google.co.jp" DS queries every 900 seconds.
   "yahoo.co.jp" NS and "google.co.jp" NS are cached in a day (86400
   seconds).  As a result, queries to JP DNS servers may increase 96
   (86400 / 900) times at the maximum.  This is DNSSEC protocol and
   parameter issue.

2.  Possible affected domain names

   Possible affected domain names are delegation centric domain names
   which support DNSSEC, whose NCACHE TTL is low, and which has popular
   domain names which are not signed and use low TTL values.

   TLDs:  com, net, org, jp use 900 as NCACHE TTL value.  Magnification
      is 96 or more.

   Reverse DNS:  193.in-addr.arpa uses 3600 as NCACHE TTL value.
      Magnification is 48.

   The root is affected a little because popular TLDs have already been
   signed and the magnification is not high, 8 or 24 (86400 / 10800 or
   86400 / 3600).

3.  Possible solutions

   There are four approaches to the problem.

   1.  Lengthen NCACHE TTL value.  However, this approach can not stop
       the increase of DS queries because section 5 of DNS NCACHE
       [RFC2308] recommends negative cache time limit as values of one
       to three hours.  Lengthening NCACHE TTL value over 10800 is
       useless.  Magnification can only be lowered.  (JP case, from 96
       to 8 or 24.)

   2.  Sign all delegations.  If all delegations are signed, DS RR are
       cached.  However, a TLD can not control.




Fujiwara                Expires January 17, 2014                [Page 3]


Internet-Draft           Increase of DS queries                July 2013


   3.  Lengthen resource record TTL of popular names.  However, a TLD
       can not control.

   4.  Add dummy DS to unsigned delegations.  Dummy DS RR is ignored at
       DNSSEC validators and it indicates that the delegation is an
       unsigned delegation.  Dummy DS TTL value is controllable.  This
       proposal requires new digest type.  Issues of this proposal is
       discussed in Section 5.

   5.  Update DNS/DNSSEC protocol to reduce unnecessary DS queries.

4.  Possible approaches

   A TLD can control its NCACHE TTL value and its zone.  Possible
   approaches for A TLD are to prepare the increase, careful query
   analysis, a combination of option 1 and option 4.  Step by step
   approach is possible.

   1.  Start discussing approaches (new digest type).

   2.  Prepare wide connectivity and reinforce DNS servers' performance.

   3.  Careful query analysis.

   4.  If DS queries will increase and exceed a certain limit, control
       NCACHE TTL value.

   5.  If DS queries will increase and exceed a certain limit, add dummy
       DS RRs to popular unsigned domain names.

5.  Issues of Dummy DS

   Adding dummy DS RRs to unsigned delegations is one of possible idea
   to reduce unnecessary DS queries.

   Dummy DS RR will be ignored by traditional DNSSEC validators because
   Section 5.2 of DNSSEC Protocol [RFC4035] defines that the resolver
   should treat unknown digest type as no DS RRset exists.  BIND 9 and
   Unbound validators ignored dummy DS RR whose digest type is 255.

   However, there are many issues.

   o  TLD can not use opt-out technique defined in NSEC3 [RFC5155].

   o  Dummy DS RRs may be treated as a DNSSEC error.






Fujiwara                Expires January 17, 2014                [Page 4]


Internet-Draft           Increase of DS queries                July 2013


   o  Newly added DS RRs may be used within dummy DSs' TTL seconds (for
      example, it will be 1 day).  Without dummy DS RRs, newly added DS
      RRs are used within NCACHE TTL (900 or 10800 seconds).

   o  Is it allowed that TLDs add dummy DS RRs without registrants'
      consent?  If adding dummy DS is same as 'NO DS', it is possible.
      Otherwise, TLDs cannot add dummy DS RRs without registrants'
      consent.

6.  Normative References

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
              Security (DNSSEC) Hashed Authenticated Denial of
              Existence", RFC 5155, March 2008.

Author's Address

   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
   Chiyoda-ku, Tokyo  101-0065
   Japan

   Phone: +81 3 5215 8451
   EMail: fujiwara@jprs.co.jp



















Fujiwara                Expires January 17, 2014                [Page 5]

Document	Document type	This is an older version of an Internet-Draft whose latest revision state is "Expired". Expired & archived
	Select version	00 01 02
	Compare versions
	Author	Kazunori Fujiwara
	RFC stream	(None)
	Other formats	txt pdf bibtex bibxml