SWILD RR Type (Wildcard on Intermediate Nameservers)
draft-pan-dnsop-swild-rr-type-01

Versions: 00 01                                                         
dnsop                                                             L. Pan
Internet-Draft
Intended status: Informational                                     Y. Fu
Expires: March 29, 2018                                            CNNIC
                                                      September 25, 2017


          SWILD RR Type (Wildcard on Intermediate Nameservers)
                    draft-pan-dnsop-swild-rr-type-01

Abstract

   This document specifies a new SWILD RR type for Intermediate
   Nameservers to cache subdomain wildcard record, in order to optimize
   the wildcard domain cache miss, reduce the cache size, and help to
   defense the DDoS attack.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 29, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Pan & Fu                 Expires March 29, 2018                 [Page 1]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The SWILD Resource Record . . . . . . . . . . . . . . . . . .   3
   4.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Authoritative Nameserver  . . . . . . . . . . . . . . . .   3
     4.2.  Intermediate Nameserver: Recursive Resolver . . . . . . .   4
       4.2.1.  Recursive Resolvers that support SWILD RR . . . . . .   4
       4.2.2.  Recursive Resolvers that not support SWILD RR . . . .   4
     4.3.  Intermediate Nameserver: Forwarding Resolvers . . . . . .   4
   5.  DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  DDoS  . . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   7.  DNSSEC  . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     7.1.  Compare to NSEC aggressiveuse wildcard  . . . . . . . . .   5
     7.2.  DNSSEC Deployment . . . . . . . . . . . . . . . . . . . .   6
     7.3.  Hijack Risk . . . . . . . . . . . . . . . . . . . . . . .   6
     7.4.  Stub Validation . . . . . . . . . . . . . . . . . . . . .   6
   8.  Disposable Domain . . . . . . . . . . . . . . . . . . . . . .   6
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     10.2.  Informative References . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   [RFC1034] and [RFC4592] described wildcard domain name.

   Nowadays wildcard domain is globally used, take "*.github.io" for
   example,

  foo.github.io.           3600   IN  CNAME   sni.github.map.fastly.net.
  sni.github.map.fastly.net. 25   IN  A       151.101.73.147

   Wildcard domain is simple configured on Authoritative Nameserver, but
   Intermediate Nameservers have to cache various domains
   (xxx.github.io, yyy.github.io, ... ) of the same wildcard domain
   configuration, with low cache hit rate, increase cache size.

   This document specifies a new SWILD RR type for Intermediate
   Nameservers to cache subdomain wildcard record, in order to optimize
   the wildcard domain cache miss, reduce the cache size, and help to
   defense the DDoS attack.

   It is OPT-IN, Intermediate Nameservers can choose not to implement or
   enable it.




Pan & Fu                 Expires March 29, 2018                 [Page 2]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Basic terms used in this specification are defined in the documents
   [RFC1034], [RFC1035], [RFC4592], [RFC7719], [RFC7871] and [RFC8020].

   Authoritative Nameserver: Described in [RFC1035] Section 6.

   Intermediate Nameserver: Described in [RFC7871] Section 4.

   Recursive Resolver: Described in [RFC1035] Section 7.

   Forwarding Resolver: Described in [RFC2308] Section 1.

3.  The SWILD Resource Record

   The presentation format of the SWILD RR is as follows:

      owner ttl class SWILD target

   The "target" is a subdomain of the owner, to indicate that all
   subdomains of the "owner" have the same configuration with the
   "target".

4.  Overview

   Special character "_" to indicate the wildcard domain configuration
   on Intermediate Nameservers, make all the subdomains CNAME to the "_"
   subdomain, and generate a SWILD RR "_".

   If most of Recursive Resolvers support SWILD RR in the future, "_"
   special character is not strictly used for SWILD target.

   Take "*.foo.com" for example.

4.1.  Authoritative Nameserver

   Authoritative Nameserver configures the zonefile of "foo.com":

   o  add SWILD RR "_" to indicate subdomain wildcard.

   o  configure "_.foo.com".

   o  make "*.foo.com" CNAME to "_.foo.com".




Pan & Fu                 Expires March 29, 2018                 [Page 3]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


   Note that, there is not any other subdomain configured in the
   "foo.com" zone except "_.foo.com".

   $ORIGIN  foo.com.

   @    86400  IN   SWILD  _
   _     3600  IN   CNAME  map.bar.net.
   *      600  IN   CNAME  _

4.2.  Intermediate Nameserver: Recursive Resolver

4.2.1.  Recursive Resolvers that support SWILD RR

   Recursive Resolver sends "xxx.foo.com" A RR query to Authoritative
   Nameserver, get subdomain wildcard response:

   xxx.foo.com.    600     IN  CNAME   _.foo.com.
   _.foo.com.     3600     IN  CNAME   map.bar.net.
   map.bar.net.    600     IN  A       202.38.64.10
   foo.com.      86400     IN  SWILD   _.foo.com.

   Recursive Resolver knows that SWILD RR is for wildcard domain on
   recursive side, marks "_.foo.com" as wildcard domains of "*.foo.com".

   In TTL time, if Recursive Resolver receives a "yyy.foo.com" A RR
   query, it can directly return this subdomain wildcard response:

   yyy.foo.com.    600     IN  CNAME   _.foo.com.
   _.foo.com.     3600     IN  CNAME   map.bar.net.
   map.bar.net.    600     IN  A       202.38.64.10
   foo.com.      86400     IN  SWILD   _.foo.com.

4.2.2.  Recursive Resolvers that not support SWILD RR

   Recursive Resolver can deal with DNS response as usual.

   The next time, Recursive Resolver receives a "yyy.foo.com" A RR
   query, it can send DNS query to Authoritative Nameserver.

4.3.  Intermediate Nameserver: Forwarding Resolvers

   Forwarding Resolver sends query to its next-hop Resolver is similar
   with Recursive Resolver sends query to Authoritative Nameserver.








Pan & Fu                 Expires March 29, 2018                 [Page 4]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


5.  DNS Cache

   Similar with [RFC8198] Section 6, SWILD can reduce latency and
   decrease server load:

   Intermediate Nameservers' cache hit rate will rise, avoid to query
   Authoritative Nameserver for the same wildcard domain configuration.

   Intermediate Nameservers' cache size can be reduced, avoid to cache
   various domains of the same wildcard domain configuration.

6.  DDoS

   When Recursive Servers or Second Level Domain(SLD) Authoritative
   Servers encounter DDoS attack, it will be better for the defense if
   Recursive Servers know more information.

   o  SWILD can help Recursive Servers to make a fast correct response
      when the queires of important subdomain wildcards rise suddenly
      and sharply, on condition that the source clients are hard to be
      deprecated.

   o  SWILD can help Recursive Servers to response the unvisited
      important subdomain wildcards queries, when the SLD Authoritative
      Servers encounter an accident which may cause SERVFAIL, TIMEOUT,
      or hijack responses.

7.  DNSSEC

   Clients and DNSSEC-Enabled Intermediate Nameservers can use DNSSEC to
   validate all the responses with the Authoritative Nameserver.

   DNSSEC-Enabled Intermediate Nameservers can only validate the SWILD
   RRSIG of "foo.com" and the RRSIGs of "_.foo.com", not need to
   validate the CNAME RRSIG of "yyy.foo.com".

7.1.  Compare to NSEC aggressiveuse wildcard

   [RFC8198] wildcard could solve similar wildcard problem:

   o  NSEC/NSEC3 RR: give "NOT EXIST SUBDOMAIN" information.

   o  Cached deduced wildcard: give the default wildcard RR.

   SWILD:

   o  Directly give "ALL SUBDOMAIN" information, and the default
      wildcard RR.



Pan & Fu                 Expires March 29, 2018                 [Page 5]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


   SWILD can work with NSEC aggressiveuse wildcard, Authoritative
   Servers can also return NSEC/NSEC3 RR.

   SWILD is applicable even when Authoritative Nameservers don't give
   NSEC/NSEC3 RR.

   SWILD is applicable on non-validating Forwarding Resolvers.

7.2.  DNSSEC Deployment

   DNSSEC is designed to protect the integrity of DNS responses, avoid
   package tampering.

   How to encourge DNSSEC deployment is an old question, especially on
   important SLD Authoritative Severs such as google.com, amazon.com.

   Defense on domain hjiack such as [BankNSHijack] is the biggest
   motivation to deploy DNSSEC.

   NSEC aggressiveuse wildcard or SWILD can not make influnence on
   DNSSEC deployment, but they solve similar subdomain problem under
   different DNSSEC deployment prerequisites.

7.3.  Hijack Risk

   There is concern that SWILD will rise the hijack risk, because it
   give a response on whole subdomain wildcards, but not a single
   subdomain.

   However, there is similar fatal hijack risk on NS and MX, which is
   configured for the whole zone.

   The hijack influnence of SWILD will not be larger than NS or MX.

7.4.  Stub Validation

   SWILD does not support directly DNSSEC validation on single subdomain
   wildcard.

   Forwarding Resolvers must trigger a tranditional DNSSEC resolution if
   they receive a single subdomain wildcard query with DNSSEC validation
   option from Stub Resolvers.

8.  Disposable Domain

   [DNSNoise] found that disposable domains are widely used by various
   industries, such as Anti-Virus, DNSBLs, CDN, P2P.




Pan & Fu                 Expires March 29, 2018                 [Page 6]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


   They are software-generated subdomains with small target A RRSets,
   which can be summaried by wildcards for passive DNS databases.

   Take [McAfeeGTI] for example, *.avqs.mcafee.com's response is from
   127.0.0.0/16 network, which is a information about the reputation of
   the queried file.  It can be optimized with a unique NAPTR RR, which
   can offer an service api of the file reputation information, but not
   use special A RR definition.

9.  Acknowledgements

   Thanks comments for Tony Finch, Petr Špaček, Matthew
   Pounsett, Paul Hoffman, Richard Gibson, Paul Vixie, Dave Crocker,
   Peter van Dijk, Mark Andrews, Vernon Schryver, Ted Lemon, Mukund
   Sivaraman, Mikael Abrahamsson, Ralf Weber, Davey Song, Warren Kumari.

   Thanks to all in the DNSOP mailing list.

10.  References

10.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain Names - Concepts and Facilities",
              RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain Names - Implementation and
              Specification", RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC4592]  Lewis, E., "The Role of Wildcards in the Domain Name
              System", RFC 4592, July 2006.

   [RFC7719]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", RFC 7719, December 2015.

   [RFC7871]  Contavalli, C., van der Gasst, W., Lawrence, D., and W.
              Kumari, "Client Subnet in DNS Queries", RFC 7871, May
              2016.

   [RFC8020]  Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is
              Nothing Underneath", RFC 8020, Nov 2016.





Pan & Fu                 Expires March 29, 2018                 [Page 7]


Internet-DraftSWILD RR Type (Wildcard on Intermediate NameSeptember 2017


   [RFC8198]  Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
              DNSSEC-Validated Cache", RFC 8198, July 2017.

10.2.  Informative References

   [BankNSHijack]
              "Brazilians whacked: Crooks hijack bank's DNS to fleece
              victims", <https://www.theregister.co.uk/2017/04/05/
              hackers_take_over_banks_dns_system/>.

   [DNSNoise]
              "DNS Noise: Measuring the Pervasiveness of Disposable
              Domains in Modern DNS Traffic",
              <http://astrolavos.gatech.edu/articles/
              dnsnoise-dsn2014.pdf>.

   [McAfeeGTI]
              "McAfee Global Threat Intelligence (GTI) File Reputation",
              <https://kc.mcafee.com/corporate/
              index?page=content&id=KB53735>.

Authors' Addresses

   Lanlan Pan
   Beijing
   China

   Email: abbypan@gmail.com
   URI:   https://github.com/abbypan


   Yu Fu
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing
   China

   Email: fuyu@cnnic.cn













Pan & Fu                 Expires March 29, 2018                 [Page 8]