DNSSEC Roadblock Avoidance
RFC 8027
| | Field | Value |
|---|---|---|
| Document | Type | RFC - Best Current Practice (November 2016; Errata); also known as BCP 207 |
| | Authors | Wes Hardaker, Ólafur Guðmundsson, Suresh Krishnaswamy |
| | Last updated | 2020-01-21 |
| | Replaces | draft-hardaker-dnsop-dnssec-roadblock-avoidance |
| | Stream | IETF |
| | Formats | plain text, html, pdf, htmlized with errata, bibtex |
| Stream | WG state | Submitted to IESG for Publication |
| | Document shepherd | Tim Wicinski |
| | Shepherd write-up | last changed 2016-05-26 |
| IESG | IESG state | RFC 8027 (Best Current Practice) |
| | Consensus Boilerplate | Yes |
| | Responsible AD | Joel Jaeggli |
| | Send notices to | (None) |
| IANA | IANA review state | Version Changed - Review Needed |
| | IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF)                       W. Hardaker
Request for Comments: 8027                                       USC/ISI
BCP: 207                                                  O. Gudmundsson
Category: Best Current Practice                               CloudFlare
ISSN: 2070-1721                                          S. Krishnaswamy
                                                                 Parsons
                                                           November 2016

                       DNSSEC Roadblock Avoidance

Abstract

   This document describes problems that a Validating DNS resolver,
   stub-resolver, or application might run into within a non-compliant
   infrastructure.  It outlines potential detection and mitigation
   techniques.  The scope of the document is to create a shared approach
   to detect and overcome network issues that a DNSSEC software/system
   may face.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8027.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Hardaker, et al.          Best Current Practice                 [Page 1]

RFC 8027                DNSSEC Roadblock Avoidance             November 2016

Table of Contents

   1. Introduction ....................................................3
      1.1. Notation ...................................................3
      1.2. Background .................................................3
      1.3. Implementation Experiences .................................4
           1.3.1. Test Zone Implementation ............................4
   2. Goals ...........................................................4
   3. Detecting DNSSEC Non-compliance .................................5
      3.1. Determining DNSSEC Support in Recursive Resolvers ..........5
           3.1.1. Supports UDP Answers ................................6
           3.1.2. Supports TCP Answers ................................6
           3.1.3. Supports EDNS0 ......................................6
           3.1.4. Supports the DO Bit .................................7
           3.1.5. Supports the AD Bit DNSKEY Algorithms 5 and/or 8 ....7
           3.1.6. Returns RRSIG for Signed Answer .....................7
           3.1.7. Supports Querying for DNSKEY Records ................8
           3.1.8. Supports Querying for DS Records ....................8
           3.1.9. Supports Negative Answers with NSEC Records .........8
           3.1.10. Supports Negative Answers with NSEC3 Records .......9
           3.1.11. Supports Queries Where DNAME Records Lead to
                   an Answer ..........................................9
           3.1.12. Permissive DNSSEC .................................10
           3.1.13. Supports Unknown RRtypes ..........................10
      3.2. Direct Network Queries ....................................10
           3.2.1. Support for Remote UDP over Port 53 ................10
           3.2.2. Support for Remote UDP with Fragmentation ..........11
           3.2.3. Support for Outbound TCP over Port 53 ..............11
      3.3. Support for DNSKEY and DS Combinations ....................11
   4. Aggregating the Results ........................................12
      4.1. Resolver Capability Description ...........................12
   5. Roadblock Avoidance ............................................13
      5.1. Partial Resolver Usage ....................................16
           5.1.1. Known Insecure Lookups .............................16
           5.1.2. Partial NSEC/NSEC3 Support .........................16
   6. Start-Up and Network Connectivity Issues .......................16
      6.1. What to Do ................................................17
   7. Quick Test .....................................................17