A Common Operational Problem in DNS Servers: Failure to Communicate
RFC 8906

Document Type RFC - Best Current Practice (September 2020; No errata)
Also known as BCP 231
Authors Mark Andrews  , Ray Bellis 
Last updated 2020-09-22
Replaces draft-andrews-dns-no-response-issue
Stream IETF
Formats plain text html xml pdf htmlized bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Tim Wicinski
Shepherd write-up Show (last changed 2019-11-17)
IESG IESG state RFC 8906 (Best Current Practice)
Consensus Boilerplate Yes
Telechat date
Responsible AD Warren Kumari
Send notices to "Tim Wicinski" <tjw.ietf@gmail.com>
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IANA Actions


Internet Engineering Task Force (IETF)                        M. Andrews
Request for Comments: 8906                                     R. Bellis
BCP: 231                                                             ISC
Category: Best Current Practice                           September 2020
ISSN: 2070-1721

  A Common Operational Problem in DNS Servers: Failure to Communicate

Abstract

   The DNS is a query/response protocol.  Failing to respond to queries,
   or responding incorrectly, causes both immediate operational problems
   and long-term problems with protocol development.

   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or respond incorrectly.  This
   document also suggests procedures for zone operators to apply to
   identify and remediate the problem.

   The document does not look at the DNS data itself, just the structure
   of the responses.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8906.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Consequences
   3.  Common Kinds of Queries That Result in No or Bad Responses
     3.1.  Basic DNS Queries
       3.1.1.  Zone Existence
       3.1.2.  Unknown/Unsupported Type Queries
       3.1.3.  DNS Flags
       3.1.4.  Unknown DNS Opcodes
       3.1.5.  TCP Queries
     3.2.  EDNS Queries
       3.2.1.  EDNS Queries: Version Independent
       3.2.2.  EDNS Queries: Version Specific
       3.2.3.  EDNS Options
       3.2.4.  EDNS Flags
       3.2.5.  Truncated EDNS Responses
       3.2.6.  DO=1 Handling
       3.2.7.  EDNS over TCP
   4.  Firewalls and Load Balancers
   5.  Packet Scrubbing Services
   6.  Whole Answer Caches
   7.  Response Code Selection
   8.  Testing
     8.1.  Testing: Basic DNS
       8.1.1.  Is the server configured for the zone?
       8.1.2.  Testing Unknown Types
       8.1.3.  Testing Header Bits
       8.1.4.  Testing Unknown Opcodes
       8.1.5.  Testing TCP
     8.2.  Testing: Extended DNS
       8.2.1.  Testing Minimal EDNS
       8.2.2.  Testing EDNS Version Negotiation
       8.2.3.  Testing Unknown EDNS Options
       8.2.4.  Testing Unknown EDNS Flags
       8.2.5.  Testing EDNS Version Negotiation with Unknown EDNS
               Flags
       8.2.6.  Testing EDNS Version Negotiation with Unknown EDNS
               Options
       8.2.7.  Testing Truncated Responses
       8.2.8.  Testing DO=1 Handling
       8.2.9.  Testing EDNS Version Negotiation with DO=1
       8.2.10. Testing with Multiple Defined EDNS Options
     8.3.  When EDNS Is Not Supported
   9.  Remediation
   10. Security Considerations
   11. IANA Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   The DNS [RFC1034] [RFC1035] is a query/response protocol.  Failing to
   respond to queries or responding incorrectly causes both immediate
   operational problems and long-term problems with protocol
   development.

   Failure to respond to a query is indistinguishable from packet loss
   without doing an analysis of query-response patterns.  Additionally,
   failure to respond results in unnecessary queries being made by DNS
   clients and introduces delays to the resolution process.

   Due to the inability to distinguish between packet loss and
   nameservers or middleboxes dropping Extension Mechanisms for DNS
   (EDNS) [RFC6891] queries, packet loss is sometimes misclassified as
   lack of EDNS support, which can lead to DNSSEC validation failures.

   The existence of servers that fail to respond to queries results in
   developers being hesitant to deploy new standards.  Such servers need
   to be identified and remediated.

   The DNS has response codes that cover almost any conceivable query
Show full document text