DNSSEC Roadblock Avoidance
RFC 8027

Document Type: RFC - Best Current Practice (November 2016; Errata)
Also known as: BCP 207
Last updated: 2016-12-05
Replaces: draft-hardaker-dnsop-dnssec-roadblock-avoidance
Stream: IETF
Stream WG state: Submitted to IESG for Publication
Document shepherd: Tim Wicinski
Shepherd write-up: last changed 2016-05-26
IESG state: RFC 8027 (Best Current Practice)
Consensus Boilerplate: Yes
Responsible AD: Joel Jaeggli
IANA review state: Version Changed - Review Needed
IANA action state: No IC

Internet Engineering Task Force (IETF)                       W. Hardaker
Request for Comments: 8027                                       USC/ISI
BCP: 207                                                  O. Gudmundsson
Category: Best Current Practice                               CloudFlare
ISSN: 2070-1721                                          S. Krishnaswamy
                                                                 Parsons
                                                           November 2016

                       DNSSEC Roadblock Avoidance

Abstract

   This document describes problems that a Validating DNS resolver,
   stub-resolver, or application might run into within a non-compliant
   infrastructure.  It outlines potential detection and mitigation
   techniques.  The scope of the document is to create a shared approach
   to detect and overcome network issues that a DNSSEC software/system
   may face.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8027.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Hardaker, et al.          Best Current Practice                 [Page 1]
RFC 8027               DNSSEC Roadblock Avoidance          November 2016

Table of Contents

   1. Introduction ....................................................3
      1.1. Notation ...................................................3
      1.2. Background .................................................3
      1.3. Implementation Experiences .................................4
           1.3.1. Test Zone Implementation ............................4
   2. Goals ...........................................................4
   3. Detecting DNSSEC Non-compliance .................................5
      3.1. Determining DNSSEC Support in Recursive Resolvers ..........5
           3.1.1. Supports UDP Answers ................................6
           3.1.2. Supports TCP Answers ................................6
           3.1.3. Supports EDNS0 ......................................6
           3.1.4. Supports the DO Bit .................................7
           3.1.5. Supports the AD Bit DNSKEY Algorithms 5 and/or 8 ....7
           3.1.6. Returns RRSIG for Signed Answer .....................7
           3.1.7. Supports Querying for DNSKEY Records ................8
           3.1.8. Supports Querying for DS Records ....................8
           3.1.9. Supports Negative Answers with NSEC Records .........8
           3.1.10. Supports Negative Answers with NSEC3 Records .......9
           3.1.11. Supports Queries Where DNAME Records Lead
                   to an Answer .......................................9
           3.1.12. Permissive DNSSEC .................................10
           3.1.13. Supports Unknown RRtypes ..........................10
      3.2. Direct Network Queries ....................................10
           3.2.1. Support for Remote UDP over Port 53 ................10
           3.2.2. Support for Remote UDP with Fragmentation ..........11
           3.2.3. Support for Outbound TCP over Port 53 ..............11
      3.3. Support for DNSKEY and DS Combinations ....................11
   4. Aggregating the Results ........................................12
      4.1. Resolver Capability Description ...........................12
   5. Roadblock Avoidance ............................................13
      5.1. Partial Resolver Usage ....................................16
           5.1.1. Known Insecure Lookups .............................16
           5.1.2. Partial NSEC/NSEC3 Support .........................16
   6. Start-Up and Network Connectivity Issues .......................16