dnsop L. Pan
Internet-Draft
Intended status: Informational Y. Fu
Expires: March 29, 2018 CNNIC
September 25, 2017
SWILD RR Type (Wildcard on Intermediate Nameservers)
draft-pan-dnsop-swild-rr-type-01
Abstract
This document specifies a new SWILD RR type for Intermediate
Nameservers to cache subdomain wildcard record, in order to optimize
the wildcard domain cache miss, reduce the cache size, and help to
defense the DDoS attack.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 29, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Pan & Fu Expires March 29, 2018 [Page 1]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The SWILD Resource Record . . . . . . . . . . . . . . . . . . 3
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4.1. Authoritative Nameserver . . . . . . . . . . . . . . . . 3
4.2. Intermediate Nameserver: Recursive Resolver . . . . . . . 4
4.2.1. Recursive Resolvers that support SWILD RR . . . . . . 4
4.2.2. Recursive Resolvers that not support SWILD RR . . . . 4
4.3. Intermediate Nameserver: Forwarding Resolvers . . . . . . 4
5. DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6. DDoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Compare to NSEC aggressiveuse wildcard . . . . . . . . . 5
7.2. DNSSEC Deployment . . . . . . . . . . . . . . . . . . . . 6
7.3. Hijack Risk . . . . . . . . . . . . . . . . . . . . . . . 6
7.4. Stub Validation . . . . . . . . . . . . . . . . . . . . . 6
8. Disposable Domain . . . . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . 7
10.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
[RFC1034] and [RFC4592] described wildcard domain name.
Nowadays wildcard domain is globally used, take "*.github.io" for
example,
foo.github.io. 3600 IN CNAME sni.github.map.fastly.net.
sni.github.map.fastly.net. 25 IN A 151.101.73.147
Wildcard domain is simple configured on Authoritative Nameserver, but
Intermediate Nameservers have to cache various domains
(xxx.github.io, yyy.github.io, ... ) of the same wildcard domain
configuration, with low cache hit rate, increase cache size.
This document specifies a new SWILD RR type for Intermediate
Nameservers to cache subdomain wildcard record, in order to optimize
the wildcard domain cache miss, reduce the cache size, and help to
defense the DDoS attack.
It is OPT-IN, Intermediate Nameservers can choose not to implement or
enable it.
Pan & Fu Expires March 29, 2018 [Page 2]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Basic terms used in this specification are defined in the documents
[RFC1034], [RFC1035], [RFC4592], [RFC7719], [RFC7871] and [RFC8020].
Authoritative Nameserver: Described in [RFC1035] Section 6.
Intermediate Nameserver: Described in [RFC7871] Section 4.
Recursive Resolver: Described in [RFC1035] Section 7.
Forwarding Resolver: Described in [RFC2308] Section 1.
3. The SWILD Resource Record
The presentation format of the SWILD RR is as follows:
owner ttl class SWILD target
The "target" is a subdomain of the owner, to indicate that all
subdomains of the "owner" have the same configuration with the
"target".
4. Overview
Special character "_" to indicate the wildcard domain configuration
on Intermediate Nameservers, make all the subdomains CNAME to the "_"
subdomain, and generate a SWILD RR "_".
If most of Recursive Resolvers support SWILD RR in the future, "_"
special character is not strictly used for SWILD target.
Take "*.foo.com" for example.
4.1. Authoritative Nameserver
Authoritative Nameserver configures the zonefile of "foo.com":
o add SWILD RR "_" to indicate subdomain wildcard.
o configure "_.foo.com".
o make "*.foo.com" CNAME to "_.foo.com".
Pan & Fu Expires March 29, 2018 [Page 3]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
Note that, there is not any other subdomain configured in the
"foo.com" zone except "_.foo.com".
$ORIGIN foo.com.
@ 86400 IN SWILD _
_ 3600 IN CNAME map.bar.net.
* 600 IN CNAME _
4.2. Intermediate Nameserver: Recursive Resolver
4.2.1. Recursive Resolvers that support SWILD RR
Recursive Resolver sends "xxx.foo.com" A RR query to Authoritative
Nameserver, get subdomain wildcard response:
xxx.foo.com. 600 IN CNAME _.foo.com.
_.foo.com. 3600 IN CNAME map.bar.net.
map.bar.net. 600 IN A 202.38.64.10
foo.com. 86400 IN SWILD _.foo.com.
Recursive Resolver knows that SWILD RR is for wildcard domain on
recursive side, marks "_.foo.com" as wildcard domains of "*.foo.com".
In TTL time, if Recursive Resolver receives a "yyy.foo.com" A RR
query, it can directly return this subdomain wildcard response:
yyy.foo.com. 600 IN CNAME _.foo.com.
_.foo.com. 3600 IN CNAME map.bar.net.
map.bar.net. 600 IN A 202.38.64.10
foo.com. 86400 IN SWILD _.foo.com.
4.2.2. Recursive Resolvers that not support SWILD RR
Recursive Resolver can deal with DNS response as usual.
The next time, Recursive Resolver receives a "yyy.foo.com" A RR
query, it can send DNS query to Authoritative Nameserver.
4.3. Intermediate Nameserver: Forwarding Resolvers
Forwarding Resolver sends query to its next-hop Resolver is similar
with Recursive Resolver sends query to Authoritative Nameserver.
Pan & Fu Expires March 29, 2018 [Page 4]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
5. DNS Cache
Similar with [RFC8198] Section 6, SWILD can reduce latency and
decrease server load:
Intermediate Nameservers' cache hit rate will rise, avoid to query
Authoritative Nameserver for the same wildcard domain configuration.
Intermediate Nameservers' cache size can be reduced, avoid to cache
various domains of the same wildcard domain configuration.
6. DDoS
When Recursive Servers or Second Level Domain(SLD) Authoritative
Servers encounter DDoS attack, it will be better for the defense if
Recursive Servers know more information.
o SWILD can help Recursive Servers to make a fast correct response
when the queires of important subdomain wildcards rise suddenly
and sharply, on condition that the source clients are hard to be
deprecated.
o SWILD can help Recursive Servers to response the unvisited
important subdomain wildcards queries, when the SLD Authoritative
Servers encounter an accident which may cause SERVFAIL, TIMEOUT,
or hijack responses.
7. DNSSEC
Clients and DNSSEC-Enabled Intermediate Nameservers can use DNSSEC to
validate all the responses with the Authoritative Nameserver.
DNSSEC-Enabled Intermediate Nameservers can only validate the SWILD
RRSIG of "foo.com" and the RRSIGs of "_.foo.com", not need to
validate the CNAME RRSIG of "yyy.foo.com".
7.1. Compare to NSEC aggressiveuse wildcard
[RFC8198] wildcard could solve similar wildcard problem:
o NSEC/NSEC3 RR: give "NOT EXIST SUBDOMAIN" information.
o Cached deduced wildcard: give the default wildcard RR.
SWILD:
o Directly give "ALL SUBDOMAIN" information, and the default
wildcard RR.
Pan & Fu Expires March 29, 2018 [Page 5]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
SWILD can work with NSEC aggressiveuse wildcard, Authoritative
Servers can also return NSEC/NSEC3 RR.
SWILD is applicable even when Authoritative Nameservers don't give
NSEC/NSEC3 RR.
SWILD is applicable on non-validating Forwarding Resolvers.
7.2. DNSSEC Deployment
DNSSEC is designed to protect the integrity of DNS responses, avoid
package tampering.
How to encourge DNSSEC deployment is an old question, especially on
important SLD Authoritative Severs such as google.com, amazon.com.
Defense on domain hjiack such as [BankNSHijack] is the biggest
motivation to deploy DNSSEC.
NSEC aggressiveuse wildcard or SWILD can not make influnence on
DNSSEC deployment, but they solve similar subdomain problem under
different DNSSEC deployment prerequisites.
7.3. Hijack Risk
There is concern that SWILD will rise the hijack risk, because it
give a response on whole subdomain wildcards, but not a single
subdomain.
However, there is similar fatal hijack risk on NS and MX, which is
configured for the whole zone.
The hijack influnence of SWILD will not be larger than NS or MX.
7.4. Stub Validation
SWILD does not support directly DNSSEC validation on single subdomain
wildcard.
Forwarding Resolvers must trigger a tranditional DNSSEC resolution if
they receive a single subdomain wildcard query with DNSSEC validation
option from Stub Resolvers.
8. Disposable Domain
[DNSNoise] found that disposable domains are widely used by various
industries, such as Anti-Virus, DNSBLs, CDN, P2P.
Pan & Fu Expires March 29, 2018 [Page 6]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
They are software-generated subdomains with small target A RRSets,
which can be summaried by wildcards for passive DNS databases.
Take [McAfeeGTI] for example, *.avqs.mcafee.com's response is from
127.0.0.0/16 network, which is a information about the reputation of
the queried file. It can be optimized with a unique NAPTR RR, which
can offer an service api of the file reputation information, but not
use special A RR definition.
9. Acknowledgements
Thanks comments for Tony Finch, Petr Špaček, Matthew
Pounsett, Paul Hoffman, Richard Gibson, Paul Vixie, Dave Crocker,
Peter van Dijk, Mark Andrews, Vernon Schryver, Ted Lemon, Mukund
Sivaraman, Mikael Abrahamsson, Ralf Weber, Davey Song, Warren Kumari.
Thanks to all in the DNSOP mailing list.
10. References
10.1. Normative References
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain Names - Implementation and
Specification", RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, March 1998.
[RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
System", RFC 4592, July 2006.
[RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", RFC 7719, December 2015.
[RFC7871] Contavalli, C., van der Gasst, W., Lawrence, D., and W.
Kumari, "Client Subnet in DNS Queries", RFC 7871, May
2016.
[RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is
Nothing Underneath", RFC 8020, Nov 2016.
Pan & Fu Expires March 29, 2018 [Page 7]
Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017
[RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
DNSSEC-Validated Cache", RFC 8198, July 2017.
10.2. Informative References
[BankNSHijack]
"Brazilians whacked: Crooks hijack bank's DNS to fleece
victims", <https://www.theregister.co.uk/2017/04/05/
hackers_take_over_banks_dns_system/>.
[DNSNoise]
"DNS Noise: Measuring the Pervasiveness of Disposable
Domains in Modern DNS Traffic",
<http://astrolavos.gatech.edu/articles/
dnsnoise-dsn2014.pdf>.
[McAfeeGTI]
"McAfee Global Threat Intelligence (GTI) File Reputation",
<https://kc.mcafee.com/corporate/
index?page=content&id=KB53735>.
Authors' Addresses
Lanlan Pan
Beijing
China
Email: abbypan@gmail.com
URI: https://github.com/abbypan
Yu Fu
CNNIC
No.4 South 4th Street, Zhongguancun
Beijing
China
Email: fuyu@cnnic.cn
Pan & Fu Expires March 29, 2018 [Page 8]