Decreasing Access Time to Root Servers by Running One on Loopback
RFC 7706
Document | Type |
RFC - Informational
(November 2015; Errata)
Obsoleted by RFC 8806
|
|
---|---|---|---|
Authors | Warren Kumari , Paul Hoffman | ||
Last updated | 2020-01-21 | ||
Replaces | draft-wkumari-dnsop-root-loopback | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Reviews | |||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Tim Wicinski | ||
Shepherd write-up | Show (last changed 2015-06-26) | ||
IESG | IESG state | RFC 7706 (Informational) | |
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Joel Jaeggli | ||
Send notices to | (None) | ||
IANA | IANA review state | Version Changed - Review Needed | |
IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF) W. Kumari Request for Comments: 7706 Google Category: Informational P. Hoffman ISSN: 2070-1721 ICANN November 2015 Decreasing Access Time to Root Servers by Running One on Loopback Abstract Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server. Some DNS recursive resolver operators want to prevent snooping of requests sent to DNS root servers by third parties. Such resolvers can greatly decrease the round-trip time and prevent observation of requests by running a copy of the full root zone on a loopback address (such as 127.0.0.1). This document shows how to start and maintain such a copy of the root zone that does not pose a threat to other users of the DNS, at the cost of adding some operational fragility for the operator. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7706. Kumari & Hoffman Informational [Page 1] RFC 7706 Running Root on Loopback November 2015 Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Operation of the Root Zone on the Loopback Address . . . . . 5 4. Using the Root Zone Server on the Loopback Address . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 6.2. Informative References . . . . . . . . . . . . . . . . . 7 Appendix A. Current Sources of the Root Zone . . . . . . . . . . 8 Appendix B. Example Configurations of Common Implementations . . 8 B.1. Example Configuration: BIND 9.9 . . . . . . . . . . . . . 9 B.2. Example Configuration: Unbound 1.4 and NSD 4 . . . . . . 10 B.3. Example Configuration: Microsoft Windows Server 2012 . . 11 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Kumari & Hoffman Informational [Page 2] RFC 7706 Running Root on Loopback November 2015 1. Introduction DNS recursive resolvers have to provide answers to all queries from their customers, even those for domain names that do not exist. For each queried name that has a top-level domain (TLD) that is not in the recursive resolver's cache, the resolver must send a query to a root server to get the information for that TLD, or to find out that the TLD does not exist. Typically, the vast majority of queries going to the root are for names that do not exist in the root zone, and the negative answers are cached for a much shorter period of time. A slow path between the recursive resolver and the closest root server has a negative effect on the resolver's customers. Recursive resolvers currently send queries for all TLDs that are not in their caches to root servers, even though most of those queries get answers that are referrals to other servers. Malicious third parties might be able to observe that traffic on the network between the recursive resolver and one or more of the DNS roots.Show full document text