Decreasing Access Time to Root Servers by Running One on Loopback
RFC 7706
Internet Engineering Task Force (IETF) W. Kumari
Request for Comments: 7706 Google
Category: Informational P. Hoffman
ISSN: 2070-1721 ICANN
November 2015
Decreasing Access Time to Root Servers by Running One on Loopback
Abstract
Some DNS recursive resolvers have longer-than-desired round-trip
times to the closest DNS root server. Some DNS recursive resolver
operators want to prevent snooping of requests sent to DNS root
servers by third parties. Such resolvers can greatly decrease the
round-trip time and prevent observation of requests by running a copy
of the full root zone on a loopback address (such as 127.0.0.1).
This document shows how to start and maintain such a copy of the root
zone that does not pose a threat to other users of the DNS, at the
cost of adding some operational fragility for the operator.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7706.
Kumari & Hoffman Informational [Page 1]
RFC 7706 Running Root on Loopback November 2015
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Operation of the Root Zone on the Loopback Address . . . . . 5
4. Using the Root Zone Server on the Loopback Address . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Current Sources of the Root Zone . . . . . . . . . . 8
Appendix B. Example Configurations of Common Implementations . . 8
B.1. Example Configuration: BIND 9.9 . . . . . . . . . . . . . 9
B.2. Example Configuration: Unbound 1.4 and NSD 4 . . . . . . 10
B.3. Example Configuration: Microsoft Windows Server 2012 . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
Kumari & Hoffman Informational [Page 2]
RFC 7706 Running Root on Loopback November 2015
1. Introduction
DNS recursive resolvers have to provide answers to all queries from
their customers, even those for domain names that do not exist. For
each queried name that has a top-level domain (TLD) that is not in
the recursive resolver's cache, the resolver must send a query to a
root server to get the information for that TLD, or to find out that
the TLD does not exist. Typically, the vast majority of queries
going to the root are for names that do not exist in the root zone,
and the negative answers are cached for a much shorter period of
time. A slow path between the recursive resolver and the closest
root server has a negative effect on the resolver's customers.
Recursive resolvers currently send queries for all TLDs that are not
in their caches to root servers, even though most of those queries
get answers that are referrals to other servers. Malicious third
parties might be able to observe that traffic on the network between
the recursive resolver and one or more of the DNS roots.
Show full document text