<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!-- [CS] updated by Chris 01/19/22 --> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[<!-- One method to get references from the online citation libraries. There has to be one entity for each item to be referenced. An alternate method (rfc include) is described in the references. --> <!-- User Datagram Protocol --> <!ENTITY RFC0768 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.0768.xml"> <!-- TRANSMISSION CONTROL PROTOCOL --> <!ENTITY RFC0793 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.0793.xml"> <!-- DOMAIN NAMES - CONCEPTS AND FACILITIES --> <!ENTITY RFC0883 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.0883.xml"> <!-- DOMAIN NAMES - IMPLEMENTATION and SPECIFICATION --> <!ENTITY RFC1034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> <!-- DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION --> <!ENTITY RFC1035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> <!-- double hyphen in comments not allowed, ASCII escape sequence used instead --> <!-- Requirements for Internet Hosts -- Application and Support --> <!ENTITY RFC1123 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1123.xml"> <!-- Common DNS Implementation Errors and Suggested Fixes --> <!ENTITY RFC1536 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1536.xml"> <!-- Incremental Zone Transfer in DNS --> <!ENTITY RFC1995 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1995.xml"> <!-- A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) --> <!ENTITY RFC1996 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1996.xml"> <!-- Dynamic Updates in the Domain Name System (DNS UPDATE) --> <!ENTITY RFC2136 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2136.xml"> <!-- Clarifications to the DNS Specification --> <!ENTITY RFC2181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2181.xml"> <!-- Domain Name System Security Extensions --> <!ENTITY RFC2541 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2541.xml"> <!-- Extension Mechanisms for DNS (EDNS(0)) --> <!ENTITY RFC2671 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2671.xml"> <!-- DNS extensions to Network Address Translators (DNS_ALG) --> <!ENTITY RFC2694 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2694.xml"> <!ENTITY RFC3022 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3022.xml"> <!-- Indicating Resolver Support of DNSSEC --> <!ENTITY RFC3225 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3225.xml"> <!-- DNSSEC and IPv6 A6 aware server/resolver message size requirements --> <!ENTITY RFC3226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3226.xml"> <!-- Operational Considerations and Issues with IPv6 DNS --> <!ENTITY RFC4472 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4472.xml"> <!-- Defending TCP Against Spoofing Attacks --> <!ENTITY RFC4953 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4953.xml"> <!-- TCP SYN Flooding Attacks and Common Mitigations --> <!ENTITY RFC4987 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4987.xml"> <!-- Preventing Use of Recursive Nameservers in Reflector Attacks --> <!ENTITY RFC5358 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5358.xml"> <!-- Measures for Making DNS More Resilient against Forged Answers --> <!ENTITY RFC5452 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5452.xml"> <!-- Design Choices When Expanding the DNS --> <!ENTITY RFC5507 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5507.xml"> <!-- DNS Proxy Implementation Guidelines --> <!ENTITY RFC5625 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5625.xml"> <!-- ICMP Attacks against TCP --> <!ENTITY RFC5927 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5927.xml"> <!-- DNS Zone Transfer Protocol (AXFR) --> <!ENTITY RFC5936 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5936.xml"> <!-- Improving TCP's Robustness to Blind In-Window Attacks --> <!ENTITY RFC5961 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5961.xml"> <!ENTITY RFC6298 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6298.xml"> <!-- Multicast DNS --> <!ENTITY RFC6762 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6762.xml"> <!-- Extension Mechanisms for DNS (EDNS (0)) --> <!ENTITY RFC6891 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6891.xml"> <!-- Architectural Considerations on Application Features in the DNS --> <!ENTITY RFC6950 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6950.xml"> <!-- TCP Fast Open --> <!ENTITY RFC7413 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7413.xml"> <!-- Child-to-Parent Synchronization in DNS --> <!ENTITY RFC7477 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7477.xml"> <!-- AS112 Nameserver Operations --> <!ENTITY RFC7534 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7534.xml"> <!-- Root Name Service Requirements --> <!ENTITY RFC7720 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7720.xml"> <!-- DNS Transport over TCP - Implementation Requirements --> <!ENTITY RFC5966 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5966.xml"> <!ENTITY RFC7766 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7766.xml"> <!-- The edns-tcp-keepalive EDNS(0) Option --> <!ENTITY RFC7828 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7828.xml"> <!-- Specification for DNS over Transport Layer Security (TLS) --> <!ENTITY RFC7858 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7858.xml"> <!-- Domain Name System (DNS) Cookies --> <!ENTITY RFC7873 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7873.xml"> <!-- CHAIN Query Requests in DNS --> <!ENTITY RFC7901 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7901.xml"> <!-- TLS False Start --> <!ENTITY RFC7918 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7918.xml"> <!-- DNSSEC Roadblock Avoidance --> <!ENTITY RFC8027 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8027.xml"> <!-- DNS over DTLS --> <!ENTITY RFC8094 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8094.xml"> <!-- DNS-Based Authentication for S/MIME --> <!ENTITY RFC8162 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8162.xml"> <!-- Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words --> <!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!-- Internet Protocol, Version 6 (IPv6) Specification --> <!ENTITY RFC8200 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8200.xml"> <!-- DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for Another Look? --><!ENTITYRFC8324 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8324.xml"> <!-- The Transport Layer Security (TLS) Protocol Version 1.3 -->nbsp " "> <!ENTITYRFC8446 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8446.xml"> <!-- Padding Policies for Extension Mechanisms for DNS (EDNS(0)) -->zwsp "​"> <!ENTITYRFC8467 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8467.xml"> <!-- Yeti DNS Testbed -->nbhy "‑"> <!ENTITYRFC8483 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8483.xml"> <!-- Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY --> <!ENTITY RFC8482 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8482.xml"> <!-- DNS Queries over HTTPS (DoH) --> <!ENTITY RFC8484 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8484.xml"> <!-- DNS Stateful Operations --> <!ENTITY RFC8490 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8490.xml"> <!-- Reverse DNS in IPv6 for Internet Service Providers --> <!ENTITY RFC8501 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8501.xml"> <!-- Running a Root Server Local to a Resolver --> <!ENTITY RFC8806 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8806.xml"> <!-- A Common Operational Problem in DNS Servers: Failure to Communicate --> <!ENTITY RFC8906 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8906.xml"> <!-- Recommendations for DNS Privacy Service Operators --> <!ENTITY RFC8932 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8932.xml"> <!-- Secret Key Transaction Authentication for DNS (TSIG) --> <!ENTITY RFC8945 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8945.xml"> <!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">wj "⁠"> ]><?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.32) --> <?rfc strict="yes" ?> <!-- give errors regarding ID-nits and DTD validation --> <!-- control the table of contents (ToC) --> <?rfc toc="yes"?> <!-- generate a ToC --> <?rfc tocdepth="4"?> <!-- the number of levels of subsections in ToC. default: 3 --> <!-- control references --> <?rfc symrefs="yes"?> <!-- use symbolic references tags, i.e, [RFC2119] instead of [1] --> <?rfc sortrefs="yes" ?> <!-- sort the reference entries alphabetically --> <!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) --> <?rfc compact="yes" ?> <!-- do not start each main section on a new page --> <?rfc subcompact="no" ?> <!-- keep one blank line between list items --> <!-- end of list of popular I-D processing instructions --><rfccategory="bcp"xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dnsop-dns-tcp-requirements-15" number="9210" ipr="trust200902"updates="1123,1536"> <!-- category values: std, bcp, info, exp, and historic ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902, or pre5378Trust200902 you can add the attributes updates="NNNN" and obsoletes="NNNN" they will automatically be output with "(if approved)" -->updates="1123,1536" obsoletes="" submissionType="IETF" category="bcp" consensus="true" xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <!--***** FRONT MATTER *****xml2rfc v2v3 conversion 3.12.0 --> <front><!-- The abbreviated title is used in the page header - it is only necessary if the full title is longer than 39 characters --><title abbrev="DNS Transport over TCP">DNS Transport over TCP - Operational Requirements</title><!-- add 'role="editor"' below for the editors if appropriate --> <!-- Another author who claims to be an editor --><seriesInfo name="RFC" value="9210"/> <seriesInfo name="BCP" value="235"/> <author fullname="John Kristoff"initials="J.T."initials="J." surname="Kristoff"> <organization>DataPlane.org</organization> <address> <postal><street></street><street/> <city>Chicago</city> <region>IL</region> <code>60605</code><country>US</country><country>United States of America</country> </postal> <phone>+1 312 493 0305</phone> <email>jtk@dataplane.org</email> <uri>https://dataplane.org/jtk/</uri> </address> </author> <author fullname="Duane Wessels" initials="D." surname="Wessels"> <organization>Verisign</organization> <address> <postal> <street>12061 Bluemont Way</street> <city>Reston</city> <region>VA</region> <code>20190</code><country>US</country><country>United States of America</country> </postal> <phone>+1 703 948 3200</phone> <email>dwessels@verisign.com</email> <uri>https://verisign.com</uri> </address> </author> <date year="2022" month="March" /><!-- If the month and year are both specified and are the current ones, xml2rfc will fill in the current day for you. If only the current year is specified, xml2rfc will fill in the current day and month for you. If the year is not the current one, it is necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the purpose of calculating the expiry date). With drafts it is normally sufficient to specify just the year. --> <!-- Meta-data Declarations --><area>Operations and Management</area> <workgroup>Domain Name System Operations</workgroup><!-- WG name at the upperleft corner of the doc, IETF is fine for individual submissions. If this element is not present, the default is "Network Working Group", which is used by the RFC Editor as a nod to the history of the IETF. --><keyword>DNS</keyword> <keyword>TCP</keyword><!-- Keywords will be incorporated into HTML output files in a meta tag but they have no effect on text or nroff output. If you submit your draft to the RFC Editor, the keywords will be used for the search engine. --><abstract> <t>This document updatesRFCRFCs 1123 andRFC1536. This document requires the operational practice of permitting DNS messages to be carried over TCP on the Internet as a Best Current Practice. This operational requirement is aligned with the implementation requirements in RFC 7766. The use of TCP includes both DNS over unencryptedTCP,TCP as well as over an encrypted TLS session. The document also considers the consequences of this form of DNS communication and the potential operational issues that can arise when this Best Current Practice is not upheld.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>DNS messages are delivered using UDP or TCP communications. While most DNS transactions are carried over UDP, some operators have been led to believe that anyDNS over TCPDNS-over-TCP traffic is unwanted or unnecessary for general DNS operation. When DNS over TCP has been restricted, a variety of communication failures and debugging challenges often arise. As DNS and new naming system features have evolved, TCP as a transport has become increasingly important for the correct and safe operation of an Internet DNS. Reflecting modern usage, the DNS standards declare that support for TCP is a required part of the DNS implementation specifications <xreftarget="RFC7766"></xref>.target="RFC7766" format="default"/>. This document is the equivalent of formal requirementsequivalentfor the operational community, encouraging system administrators, network engineers, and security staff to ensureDNS over TCPDNS-over-TCP communications support is on par withDNS over UDPDNS-over-UDP communications. It updates <xreftarget="RFC1123"/> Section 6.1.3.2target="RFC1123" sectionFormat="comma" section="6.1.3.2"/> to clarify that all DNS resolvers and recursive serversMUST<bcp14>MUST</bcp14> support and service both TCP and UDPqueries,queries and also updates <xreftarget="RFC1536"/>target="RFC1536" format="default"/> to remove the misconception that TCP is only useful for zone transfers. </t> <sectiontitle="Requirements Language"> <t>Thenumbered="true" toc="default"><name>Requirements Language</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> </section> <sectiontitle="Historynumbered="true" toc="default"> <name>History of DNS overTCP">TCP</name> <t>The curious state of disagreement between operational best practices and guidance for DNS transport protocols derives from conflicting messages operators have received from other operators, implementors, and even the IETF. Sometimes these mixed signals have been explicit; on other occasions, conflicting messages have been implicit. This section presents an interpretation of the storied and conflicting history that led to this document. This section is included for informational purposes only.</t> <sectiontitle="Unevennumbered="true" toc="default"> <name>Uneven Transport Usage andPreference">Preference</name> <t>In the original suite of DNS specifications, <xreftarget="RFC1034"></xref>target="RFC1034" format="default"/> and <xreftarget="RFC1035"></xref>target="RFC1035" format="default"/> clearlyspecifiedspecify that DNS messages could be carried in either UDP or TCP, but they alsostatedstate that there is a preference for UDP as the best transport for queries in the general case. As stated in <xreftarget="RFC1035"></xref>: <list hangIndent="10" style="empty"> <t>"Whiletarget="RFC1035" format="default"/>: </t> <blockquote> While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and betterperformance."</t> </list> </t>performance. </blockquote> <t>Another early, important, and influential document, <xreftarget="RFC1123"></xref>, markedtarget="RFC1123" format="default"/>, marks the preference for a transport protocol moreexplicitly:<list hangIndent="10" style="empty"> <t>"DNSexplicitly:</t> <blockquote> DNS resolvers and recursive serversMUST<bcp14>MUST</bcp14> support UDP, andSHOULD<bcp14>SHOULD</bcp14> support TCP, for sending (non-zone-transfer)queries." </t> </list>queries. </blockquote> <t> and it furtherstipulated:<list hangIndent="10" style="empty"> <t>"Astipulates that:</t> <blockquote> A name serverMAY<bcp14>MAY</bcp14> limit the resources it devotes to TCP queries, but itSHOULD NOT<bcp14>SHOULD NOT</bcp14> refuse to service a TCP query just because it would have succeeded withUDP."</t> </list> </t>UDP. </blockquote> <t>Culminating in <xreftarget="RFC1536"></xref>,target="RFC1536" format="default"/>, DNS over TCP came to be associated primarily with the zone transfer mechanism, while most DNS queries and responses were seen as the dominion of UDP.</t> </section> <sectiontitle="Waitingnumbered="true" toc="default"> <name>Waiting for Large Messages andReliability">Reliability</name> <t>In the original specifications, the maximumDNS over UDPDNS-over-UDP message size was enshrined at 512 bytes. However, even while <xreftarget="RFC1123"></xref> preferredtarget="RFC1123" format="default"/> prefers UDP for non-zone transfer queries, it foresaw that DNS over TCPbecomingwould become more popular in the future to overcome thislimitation:<list hangIndent="10" style="empty"> <t>"[...]limitation:</t> <blockquote> [...] it is also clear that some new DNS record types defined in the future will contain information exceeding the 512 byte limit that applies to UDP, and hence will requireTCP."</t> </list> </t>TCP. </blockquote> <t>At least two new, widely anticipated developments were set to elevate the need forDNS over TCPDNS-over-TCP transactions. <!--[rfced] Since RFC 2541 has been obsoleted by RFC 6781, may we include the following note (i.e., "note that [RFC2541] has been obsoleted by [RFC6781]")? Original: The first was dynamic updates defined in<xref target="RFC2136"></xref>[RFC2136] and the second was the set of extensions collectively known as DNSSEC, whose operational considerations are originally given in [RFC2541]. Perhaps: The first was dynamic updates defined in [RFC2136], and the second was the set of extensions collectively known as "DNSSEC", whose operational considerations were originally given in [RFC2541] (note that [RFC2541] has been obsoleted by [RFC6781]). --> The first was dynamic updates defined in <xref target="RFC2136" format="default"/>, and the second was the set of extensions collectively known as "DNSSEC", whose operational considerations were originally given in <xreftarget="RFC2541"/>.target="RFC2541" format="default"/>. The formersuggested "requestorssuggests that</t> <blockquote> ...requestors who require an accurate response code must useTCP,"TCP.</blockquote> <t> while the latterwarned "...warns that </t><blockquote>... larger keys increase the size of the KEY and SIG RRs. This increases the chance of DNS UDP packet overflow and the possible necessity for using higher overhead TCP inresponses."</t>responses.</blockquote> <t>Yet, defying some expectations, DNS over TCP remainedlittle-usedlittle used in real traffic across the Internet in the late 1990s. Dynamic updates saw little deployment between autonomous networks. Around the time DNSSEC was first defined, another new feature helped solidify UDP transport dominance for message transactions.</t> </section> <sectiontitle="EDNS(0)">numbered="true" toc="default"> <name>EDNS(0)</name> <t>In19991999, the IETF published the Extension Mechanisms for DNS (EDNS(0)) in <xreftarget="RFC2671"></xref> (superseded in 2013target="RFC2671"/> (which was obsoleted byan update in<xreftarget="RFC6891"></xref>).target="RFC6891" format="default"/> in 2013). That document standardized a way for communicating DNS nodes to perform rudimentary capabilities negotiation. One such capability written into the base specification and present in every EDNS(0)-compatible message is the value of the maximum UDP payload size the sender can support. This unsigned 16-bit field specifies, in bytes, the maximum (possibly fragmented) DNS message size a node is capable of receiving over UDP. In practice, typical values are a subset of the 512- to 4096-byte range. EDNS(0) became widely deployed over the next several years, and numerous surveys(<xref target="CASTRO2010"></xref>,(see <xref target="CASTRO2010" format="default"/> and <xreftarget="NETALYZR"></xref>)target="NETALYZR" format="default"/>) have shown that many systems support larger UDP MTUs with EDNS(0).</t> <t>The natural effect of EDNS(0) deployment meant DNS messages larger than 512 bytes would be less reliant on TCP than they might otherwise have been. While a non-negligible population of DNS systems lacked EDNS(0) or fell back to TCP when necessary, DNS clients still strongly prefer UDP to TCP. For example, as of 2014,DNS over TCPDNS-over-TCP transactions remained a very small fraction of overall DNS traffic received by root name servers <xreftarget="VERISIGN"></xref>.</t>target="VERISIGN" format="default"/>.</t> </section> <sectiontitle="Fragmentationnumbered="true" toc="default"> <name>Fragmentation andTruncation">Truncation</name> <t>Although EDNS(0) provides a way for endpoints to signal support for DNS messages exceeding 512 bytes, the realities of a diverse and inconsistently deployed Internet may result in some large messages being unable to reach their destination. Any IP datagram whose size exceeds the MTU of a link it transits will be fragmented and then reassembled by the receiving host. Unfortunately, it is not uncommon for middleboxes and firewalls to block IP fragments. If one or more fragments do not arrive, the application does not receive themessagemessage, and the request times out.</t> <t>For IPv4-connected hosts, the MTU is oftenthean Ethernet payload size of 1500 bytes. This means that the largest unfragmented UDP DNS message that can be sent over IPv4 is likely 1472 bytes, although tunnel encapsulation may reduce that maximum message size in some cases.</t> <t>For IPv6, the situation is a little more complicated. First, IPv6 headers are 40 bytes (versus 20 without options in IPv4). Second, approximatelyone thirdone-third of DNS recursive resolvers use the minimum MTU of 1280 bytes <xreftarget="APNIC"/>.target="APNIC" format="default"/>. Third, fragmentation in IPv6 can only be done by the host originating the datagram. The need to fragment is conveyed in an ICMPv6"packet too big""Packet Too Big" message. The originating host indicates a fragmented datagram with IPv6 extension headers. Unfortunately, it is quite common for both ICMPv6 and IPv6 extension headers to be blocked by middleboxes. According to <xreftarget="HUSTON"/>target="HUSTON" format="default"/>, some 35% <!-- 3,592 / 10,115 --> of IPv6-capable recursive resolvers were unable to receive a fragmented IPv6 packet. When the originating host receives a signal that fragmentation is required, it is expected to populate itsPathpath MTU cache for that destination. Theapplication, then,application will then retry the query after a timeout since the host does not generally retain copies of messages sent over UDP for potential retransmission.</t> <t>The practical consequence of all this is that DNS requestors must be prepared to retry queries with different EDNS(0) maximum message size values. <!--[rfced] Would it be correct to say that the administrators see the following "message" rather than "messages" in their system logs? Original: Administrators of [BIND] are likely to be familiar with seeing "success resolving ... after reducing the advertised EDNS(0) UDP packet size to 512 octets" messages in their system logs. Perhaps: Administrators of [BIND] are likely to be familiar with seeing the following message in their system logs: “success resolving ... after reducing the advertised EDNS(0) UDP packet size to 512 octets”. --> Administrators of <xreftarget="BIND"/>target="BIND" format="default"/> are likely to be familiar with seeing "success resolving ... after reducing the advertised EDNS(0) UDP packet size to 512 octets" messages in their system logs.</t> <t>Often, reducing the EDNS(0) UDP packet size leads to a successful response. That is, the necessary data fits within the smaller message size. However, when the data does not fit, the server sets the truncated flag in its response, indicating the client should retry over TCP to receive the whole response. This is undesirable from the client's point of view because it adds more latency and is potentially undesirable from the server's point of view due to the increased resource requirements of TCP.</t> <t>Note that a receiver is unable to differentiate between packets lost due to congestion and packets (fragments) intentionally dropped by firewalls or middleboxes. Over network paths with non-trivial amounts of packet loss, larger, fragmented DNS responses are more likely to never arrive and time out compared to smaller, unfragmented responses. Clients might be misled into retrying queries with different EDNS(0) UDP packet size values for the wrong reason.</t> <t>The issues around fragmentation, truncation, and TCP are driving certain implementation and policy decisions in the DNS. Notably, Cloudflare implemented what it calls "DNSSEC black lies" <xreftarget="CLOUDFLARE"/>target="CLOUDFLARE" format="default"/> and usesECDSA algorithms,Elliptic Curve Digital Signature Algorithms (ECDSAs) such that their signed responses fit easily in 512 bytes. The Key Signing Key (KSK) Rolloverdesign teamDesign Team <xreftarget="DESIGNTEAM"/>target="DESIGNTEAM" format="default"/> spent a lot of time thinking and worrying about response sizes. There is growing sentiment in the DNSSEC community that RSA key sizes beyond2048-bits2048 bits are impractical and that critical infrastructure zones should transition to elliptic curve algorithms to keep response sizes manageable <xreftarget="ECDSA"/>.</t>target="ECDSA" format="default"/>.</t> <t>More recently, renewed security concerns about fragmented DNS messages(<xref target="AVOID_FRAGS"/>,(see <xreftarget="FRAG_POISON"/>)target="I-D.ietf-dnsop-avoid-fragmentation" format="default"/> and <xref target="FRAG_POISON" format="default"/>) are leading implementors to consider smaller responses and lower default EDNS(0) UDP payload size values for both queriers and responders <xreftarget="FLAGDAY2020"/>.</t>target="FLAGDAY2020" format="default"/>.</t> </section> <sectiontitle=""Onlynumbered="true" toc="default"> <!--[rfced] Is it necessary for this section title to have quote marks or should the quote marks be removed for consistency with the other titles? Original: 2.5. "Only Zone Transfers Use TCP" Perhaps: 2.5. Only Zone Transfers Use TCP --> <name>"Only Zone Transfers UseTCP"">TCP"</name> <t>Today, the majority of the DNS community expects, or at least has a desire, to seeDNS over TCPDNS-over-TCP transactions occur without interference <xreftarget="FLAGDAY2020"/>.target="FLAGDAY2020" format="default"/>. However, there has also been a long-held belief by some operators, particularly for security-related reasons, thatDNS over TCPDNS-over-TCP services should be purposely limited or not provided at all <xreftarget="CHES94"></xref>,target="CHES94" format="default"/> <xreftarget="DJBDNS"></xref>.target="DJBDNS" format="default"/>. A popular meme is that DNS over TCP is only ever used for zone transfers and is generally unnecessary otherwise, with filtering allDNS over TCPDNS-over-TCP traffic even described as a best practice.</t> <t>The position on restricting DNS over TCP had some justification given that historical implementations of DNSnameserversname servers provided very little in the way of TCP connection management (forexampleexample, seeSection 6.1.2 of<xreftarget="RFC7766"></xref>target="RFC7766" sectionFormat="of" section="6.1.2"/> for more details). However, modern standards and implementations are nearing parity with the more sophisticated TCP management techniques employed by, for example, HTTP(S) servers and load balancers.</t> </section> <sectiontitle="Reuse,numbered="true" toc="default"> <name>Reuse, Pipelining, and Out-of-OrderProcessing">Processing</name> <t>The idea that a TCP connection can support multiple transactions goes back as far as <xreftarget="RFC0883"/>,target="RFC0883" format="default"/>, which states: "Multiple messages may be sent over a virtual circuit." Although <xreftarget="RFC1035"/>,target="RFC1035" format="default"/>, which updates the former, omits this particular detail, it has been generally accepted that a TCP connection can be used for more than one query and response.</t> <t><xreftarget="RFC5966"/> clarifiedtarget="RFC5966" format="default"/> clarifies that servers are not required to preserve the order of queries and responses over any transport. <xreftarget="RFC7766"/>,target="RFC7766" format="default"/>, which updates the former, further encourages query pipelining over TCP to achieve performance on par with UDP. A server that sends out-of-order responses to pipelined queries avoids head-of-line blocking when the response for a later query is ready before the response to an earlier query.</t> <t>However, TCP can potentially suffer from a different head-of-line blocking problem due to packet loss. Since TCP itself enforces ordering, a single lost segment delays delivery of data in any following segments until the lost segment is retransmitted and successfully received.</t> </section> </section> <sectiontitle="DNS over TCP Requirements">numbered="true" toc="default"> <name>DNS-over-TCP Requirements</name> <t>An average increase in DNS message size (e.g., due to DNSSEC), the continued development of new DNS features (<xreftarget="dnsrfcs"></xref>),target="dnsrfcs" format="default"/>), and adenial of servicedenial-of-service mitigation technique (<xreftarget="Security"></xref>),target="Security" format="default"/>) all show thatDNS over TCPDNS-over-TCP transactions are as important to the correct and safe operation of the Internet DNS as ever, if not more so. Furthermore, there has been research that argues connection-oriented DNS transactions may provide security and privacy advantages over UDP transport <xreftarget="TDNS"></xref>.target="TDNS" format="default"/>. In fact, the standard for DNS over TLS <xreftarget="RFC7858"></xref>target="RFC7858" format="default"/> is just this sort of specification. Therefore, this document makes explicit that it is undesirable for network operators to artificially inhibitDNS over TCPDNS-over-TCP transport.</t><t>Section<!--[rfced] Should this text be presented in "Old/New" format for consistency with the other updates in this section? Original: Section 6.1.3.2 in<xref target="RFC1123" />[RFC1123] is updated: All DNS resolvers and servers MUST support and service both UDP and TCP queries.<list hangIndent="10" style="symbols"> <t>DNS* DNS servers (including forwarders) MUST support and service TCP for receiving queries, so that clients can reliably receive responses that are larger than what either side considers too large forUDP.</t> <t>DNSUDP. * DNS clients MUST support TCP for sending queries, so that they can retry truncated UDP responses asnecessary.</t> </list>necessary. Perhaps: Section 6.1.3.2 of [RFC1123] is updated as follows: Old: DNS resolvers and recursive servers MUST support UDP, and SHOULD support TCP, for sending (non-zone-transfer) queries. New: All DNS resolvers and servers MUST support and service both UDP and TCP queries. Note that: * DNS servers (including forwarders) MUST support and service TCP for receiving queries so that clients can reliably receive responses that are larger than what either side considers too large for UDP. * DNS clients MUST support TCP for sending queries so that they can retry truncated UDP responses as necessary. --> <t><xref target="RFC1123" sectionFormat="of" section="6.1.3.2"/> is updated: All DNS resolvers and servers <bcp14>MUST</bcp14> support and service both UDP and TCP queries. </t> <ul spacing="normal"> <li>DNS servers (including forwarders) <bcp14>MUST</bcp14> support and service TCP for receiving queries so that clients can reliably receive responses that are larger than what either side considers too large for UDP.</li> <li>DNS clients <bcp14>MUST</bcp14> support TCP for sending queries so that they can retry truncated UDP responses as necessary.</li> </ul> <t> Furthermore, the requirement inSection 6.1.3.2 of<xref target="RFC1123"/>sectionFormat="of" section="6.1.3.2"/> around limiting the resources a server devotes to queries is hereby updated:</t> <t>OLD:<list hangIndent="10" style="empty"> <t>A</t> <blockquote> A name serverMAY<bcp14>MAY</bcp14> limit the resources it devotes to TCP queries, but itSHOULD NOT<bcp14>SHOULD NOT</bcp14> refuse to service a TCP query just because it would have succeeded withUDP.</t> </list>UDP. </blockquote> <t> NEW:<list hangIndent="10" style="empty"> <t>A</t> <blockquote> A name serverMAY<bcp14>MAY</bcp14> limit the resources it devotes to queries, but itMUST NOT<bcp14>MUST NOT</bcp14> refuse to service a query just because it would have succeeded with another transportprotocol.</t> </list> </t>protocol.</blockquote> <t>Lastly,Section 1 of<xreftarget="RFC1536"/>target="RFC1536" sectionFormat="of" section="1"/> is updated to eliminate the misconception that TCP is only useful for zone transfers:</t> <t>OLD:<list hangIndent="10" style="empty"> <t>DNS</t> <blockquote> DNS implements the classic request-response scheme of client-server interaction. UDP is, therefore, the chosen protocol for communication though TCP is used for zonetransfers.</t> </list>transfers. </blockquote> <t> NEW:<list hangIndent="10" style="empty"> <t>DNS</t> <blockquote> DNS implements the classic request-response scheme of client-serverinteraction.</t> </list> </t> <t>Filteringinteraction. </blockquote> <t>The filtering of DNS over TCP is harmful in the general case. DNS resolver and server operatorsMUST<bcp14>MUST</bcp14> support and provide DNS service over both UDP and TCP transports. Likewise, network operatorsMUST<bcp14>MUST</bcp14> allow DNS service over both UDP and TCP transports. It is acknowledged thatDNS over TCPDNS-over-TCP service can pose operational challenges that are not present when running DNS over UDP alone, andvice-versa.vice versa. However, <!-- it is the aim of this document to argue that --> the potential damage incurred by prohibitingDNS over TCPDNS-over-TCP service is more detrimental to the continued utility and success of the DNS than when its usage is allowed.</t> </section> <sectiontitle="Networknumbered="true" toc="default"> <name>Network and SystemConsiderations">Considerations</name> <t>This section describes measures that systems and applications can take to optimize performance over TCP and to protect themselves from TCP-based resource exhaustion and attacks.</t> <sectiontitle="Connectionnumbered="true" toc="default"> <name>Connection Establishment andAdmission">Admission</name> <t>Resolvers and other DNS clients should be aware that some servers might not be reachable over TCP. For this reason, clientsMAY<bcp14>MAY</bcp14> track and limit the number of TCP connections and connection attempts to a single server. Reachability problems can be caused by network elements close to the server, close to the client, or anywhere along the path between them. Mobile clients that cache connection failuresMAY<bcp14>MAY</bcp14> do so on a per-networkbasis,basis orMAY<bcp14>MAY</bcp14> clear such a cache upon change of network.</t> <t>Additionally, DNS clientsMAY<bcp14>MAY</bcp14> enforce a short timeout on unestablishedconnections,connections rather than rely on the host operating system's TCP connection timeout, which is often around 60-120 seconds (i.e., due to an initial retransmission timeout of 1 second, the exponentialback offback-off rules of <xreftarget="RFC6298"/>,target="RFC6298" format="default"/>, and a limit of six retries as is the default in Linux).</t> <t>The SYN flooding attack is a denial-of-service method affecting hosts that run TCP server processes <xreftarget="RFC4987"/>.target="RFC4987" format="default"/>. This attack can be very effective if not mitigated. One of the most effective mitigation techniques is SYN cookies, described inSection 3.6 of<xreftarget="RFC4987"/>,target="RFC4987" sectionFormat="of" section="3.6"/>, which allows the server to avoid allocating any state until the successful completion of the three-way handshake.</t> <t>Services not intended for use by the public Internet, such as most recursive name servers,SHOULD<bcp14>SHOULD</bcp14> be protected with access controls.IdeallyIdeally, these controls are placed in the network, well before any unwanted TCP packets can reach the DNS server host or application. If this is not possible, the controls can be placed in the application itself. In some situations(e.g. attacks)(e.g., attacks), it may be necessary to deploy access controls for DNS services that should otherwise be globally reachable. See also <xreftarget="RFC5358"/>.</t>target="RFC5358" format="default"/>.</t> <t>The FreeBSD and NetBSD operating systems have an "accept filter" feature (<xreftarget="accept_filter"/>)target="accept_filter" format="default"/>) that postpones delivery of TCP connections to applications until a complete, valid request has been received. The dns_accf(9) filter ensures that a valid DNS message is received. If not, the bogus connection never reaches the application. The Linux TCP_DEFER_ACCEPT feature, while more limited in scope, can provide some of the same benefits as the BSD accept filter feature. These features are implemented as low-level socketoptions,options and are not activated automatically. If applications wish to use these features, they need to make specific calls to set the right options, and administrators may also need to configure the applications to appropriately use the features.</t> <t>Per <xreftarget="RFC7766"/>,target="RFC7766" format="default"/>, applications and administrators are advised to remember that TCPMAY<bcp14>MAY</bcp14> be used before sending any UDP queries. Networks and applicationsMUST NOT<bcp14>MUST NOT</bcp14> be configured to refuse TCP queries that were not preceded by a UDP query.</t> <t>TCP Fast Open<xref target="RFC7413"/>(TFO) <xref target="RFC7413" format="default"/> allows TCP clients to shorten the handshake for subsequent connections to the same server. TFO saves one round-trip time in the connection setup. DNS serversSHOULD<bcp14>SHOULD</bcp14> enable TFO when possible. Furthermore, DNS servers clustered behind a single service address (e.g., anycast orload-balancing), SHOULDload balancing) <bcp14>SHOULD</bcp14> either use the same TFO server key on allinstances,instances or disable TFO for all members of the cluster.</t> <t>DNS clientsMAY<bcp14>MAY</bcp14> also enable TFO. At the time of this writing,on some operating systemsit is notimplemented,implemented or is disabled bydefault.default on some operating systems. <xreftarget="WIKIPEDIA_TFO"/>target="WIKIPEDIA_TFO" format="default"/> describes applications and operating systems that support TFO.</t> </section> <sectiontitle="Connection Management">numbered="true" toc="default"> <name>Connection Management</name> <t>Since host memory for TCP state is a finite resource, DNS clients and serversSHOULD<bcp14>SHOULD</bcp14> actively manage their connections. Applications that do not actively manage their connections can encounter resource exhaustion leading to denial of service. For DNS, as in other protocols, there is atradeofftrade-off between keeping connections open for potential future use and the need to free up resources for new connections that will arrive.</t> <t>Operators of DNS server softwareSHOULD<bcp14>SHOULD</bcp14> be aware that operating system and application vendorsMAY<bcp14>MAY</bcp14> impose a limit on the total number of established connections. These limits may be designed to protect against DDoS attacks or performance degradation. OperatorsSHOULD<bcp14>SHOULD</bcp14> understand how to increase these limits ifnecessary,necessary and the consequences of doing so. Limits imposed by the applicationSHOULD<bcp14>SHOULD</bcp14> be lower than limits imposed by the operatingsystem,system so that the application can apply its own policy to connection management, such as closing the oldest idle connections first.</t> <t>DNS server softwareMAY<bcp14>MAY</bcp14> provide a configurable limit on the number of established connections per source IP address or subnet. This can be used to ensure that a single or small set of users cannot consume all TCP resources and deny service to other users. Note, however, that if this limit is enabled, it possibly limits client performance while leaving some TCP resources unutilized. OperatorsSHOULD<bcp14>SHOULD</bcp14> be aware of thesetradeoffstrade-offs and ensure this limit, if configured, is set appropriately based on the number and diversity of theirusers,users and whether users connect from unique IP addresses or through a shared Network Address Translator (NAT) <xreftarget="RFC3022"/>.</t>target="RFC3022" format="default"/>.</t> <t>DNS server softwareSHOULD<bcp14>SHOULD</bcp14> provide a configurable timeout for idle TCP connections. This can be used to free up resources for new connections and to ensure that idle connections are eventually closed. At the same time, it possibly limits client performance while leaving some TCP resources unutilized. For very busy nameserversservers, this might be set to a low value, such as a few seconds. For less busyserversservers, it might be set to a higher value, such as tens of seconds. <!--[rfced] We updated one instance of "edns-tcp-keepalive option" to "edns-tcp-keepalive EDNS(0) option" for consistency and per use in RFC 7828. Please let us know of any objections. Original: DNS clients and servers SHOULD signal their timeout values using the edns-tcp-keepalive option [RFC7828]. Current: DNS clients and servers SHOULD signal their timeout values using the edns-tcp-keepalive EDNS(0) option [RFC7828]. --> DNS clients and servers <bcp14>SHOULD</bcp14> signal their timeout values using the edns-tcp-keepalive option <xreftarget="RFC7828"/>.</t>target="RFC7828" format="default"/>.</t> <t>DNS server softwareMAY<bcp14>MAY</bcp14> provide a configurable limit on the number of transactions per TCP connection. This can help protect against unfair connection use (e.g., not releasing connection slots to other clients) and network evasion attacks.</t> <t>Similarly, DNS server softwareMAY<bcp14>MAY</bcp14> provide a configurable limit on the total duration of a TCP connection. This can help protect against unfair connection use, slow read attacks, and network evasion attacks.</t> <t>Since clients may not be aware of server-imposed limits, clients utilizing TCP for DNS need to always be prepared to re-establish connections or otherwise retry outstanding queries.</t> <!-- language lifted from RFC7766 --> </section> <sectiontitle="Connection Termination">numbered="true" toc="default"> <name>Connection Termination</name> <t>The TCP peer that initiates a connection close retains the socket in the TIME_WAIT state for some amount of time, possibly a few minutes. It is generally preferable for clients to initiate the close of a TCP connection so that busy servers do not accumulate many sockets in the TIME_WAIT state, which can cause performance problems or even denial of service. The edns-tcp-keepalive EDNS(0) option <xreftarget="RFC7828"/>target="RFC7828" format="default"/> can be used to encourage clients to close connections.</t> <t>On systems where large numbers of sockets in TIME_WAIT are observed(either as(as either a client orserver),a server) and are affecting an application's performance, it may be tempting to tune local TCP parameters. For example, the Linux kernel has a "sysctl" parameter namednet.ipv4.tcp_tw_reusenet.ipv4.tcp_tw_reuse, which allows connections in the TIME_WAIT state to be reused in specific circumstances. Note, however, that this affects only outgoing (client) connections and has no impact on servers. In mostcasescases, it isNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> to change parameters related to the TIME_WAIT state. It should only be done by those with detailed knowledge of both TCP and the affected application.</t> </section> <sectiontitle="DNS-over-TLS">numbered="true" toc="default"> <name>DNS over TLS</name> <t>DNS messages may be sent over TLS to provide privacy between stubs and recursive resolvers. <xreftarget="RFC7858"/>target="RFC7858" format="default"/> is a Standards Track document describing how this works. AlthoughDNS-over-TLSDNS over TLS utilizes TCP port 853 instead of port 53, this document applies equally well toDNS-over-TLS.DNS over TLS. Note, however,DNS-over-TLSthat DNS over TLS is only defined between stubs and recursives at the time of this writing.</t> <t>The use of TLS places even stronger operational burdens on DNS clients and servers. Cryptographic functions for authentication and encryption require additional processing. Unoptimized connection setup with TLS 1.3 <xreftarget="RFC8446"/>target="RFC8446" format="default"/> takes one additionalround-tripround trip compared to TCP. <!-- [rfced] Is TCP Fast Open only for TLS 1.3 and TLS False Start only for TLS 1.2? Original: Connection setup times can be reduced with TCP Fast Open, and TLS False Start [RFC7918] for TLS 1.2. Perhaps: Connection setup times can be reduced with TCP Fast Open for TLS 1.3 and TLS False Start [RFC7918] for TLS 1.2. --> Connection setup times can be reduced with TCP Fast Open, and TLS False Start <xreftarget="RFC7918"/>target="RFC7918" format="default"/> for TLS 1.2. TLS 1.3 session resumption does not reduce round-trip latency because no application profile for use of TLS 0-RTT data with DNS has been published at the time of this writing. However, TLS session resumption can reduce the number of cryptographic operations, and in TLS 1.2, session resumption does reduce the number of additional round trips from two to one.</t> </section> <sectiontitle="Defaultsnumbered="true" toc="default"> <name>Defaults and RecommendedLimits">Limits</name> <t>A survey of features and defaults was conducted for popularopen sourceopen-source DNS server implementations at the time of writing. This section documents those defaults and makes recommendations for configurable limits that can be used in the absence of any other information. Any recommended values in this document are only intended as a starting point for administrators that are unsure of what sorts of limits might be reasonable. OperatorsSHOULD<bcp14>SHOULD</bcp14> use application-specific monitoring, system logs, and system monitoring tools to gauge whether their service is operating within or exceeding theselimits,limits and adjust accordingly.</t> <t>Mostopen sourceopen-source DNS server implementations provide a configurable limit on the total number of established connections. Default values range from 20 to 150. In most cases, where the majority of queries take place over UDP, 150 is a reasonable limit. For services or environments where most queries take place over TCP or TLS, 5000 is a more appropriate limit.</t> <t>Only someopen sourceopen-source implementations provide a way to limit the number of connections per source IP address or subnet, but the default is to have no limit. For environments or situations where it may be necessary to enable this limit, 25 connections per source IP address is a reasonable starting point. The limit should be increased when aggregated bysubnet,subnet or for services where most queries take place over TCP or TLS.</t> <t>Mostopen sourceopen-source implementations provide a configurable idle timeout on connections. Default values range from 2 to 30 seconds. In most cases, 10 seconds is a reasonable default for this limit. Longer timeouts improve connection reuse, but busy servers may need to use a lower limit.</t> <t>Only someopen sourceopen-source implementations provide a way to limit the number of transactions per connection, but the default is to have no limit. This document does not offer advice on particular values for such a limit.</t> <t>Only someopen sourceopen-source implementations provide a way to limit the duration of connection, but the default is to have no limit. This document does not offer advice on particular values for such a limit.</t> </section> </section> <sectiontitle="DNS over TCPnumbered="true" toc="default"> <name>DNS-over-TCP FilteringRisks">Risks</name> <t>Networks that filter DNS over TCP risk losing access to significant or important pieces of the DNS namespace. For a variety ofreasonsreasons, a DNS answer may require aDNS over TCPDNS-over-TCP query. This may include large message sizes, lack of EDNS(0) support, or DDoS mitigation techniques (including Response Rate Limiting <xreftarget="RRL"/>), ortarget="RRL" format="default"/>); additionally, perhaps some future capability that is as yet unforeseen will also demand TCP transport.</t> <t>For example, <xreftarget="RFC7901"/>target="RFC7901" format="default"/> describes a latency-avoiding technique that sends extra data in DNS responses. This makes responses larger and potentially increases the effectiveness of DDoS reflection attacks. The specification mandates the use of TCP or DNSCookiescookies <xreftarget="RFC7873"/>.</t>target="RFC7873" format="default"/>.</t> <t>Even if any or all particular answers have consistently been returned successfully with UDP in the past, this continued behavior cannot be guaranteed when DNS messages are exchanged between autonomous systems. Therefore, filtering of DNS over TCP is considered harmful and contrary to the safe and successful operation of the Internet. This section enumerates some of the known risks at the time of this writing when networks filter DNS over TCP.</t> <sectiontitle="Truncation,numbered="true" toc="default"> <name>Truncation, Retries, andTimeouts">Timeouts</name> <!-- formerly DNS Wedgie --> <t>Networks that filter DNS over TCP may inadvertently cause problems for third-party resolvers as experienced by <xreftarget="TOYAMA"></xref>.target="TOYAMA" format="default"/>. For example, a resolver receives queries for a moderately popular domain. The resolver forwards the queries to the domain's authoritative name servers, but those servers respond with the TC bit set. The resolver retries over TCP, but the authoritative server blocks DNS over TCP. The pending connections consume resources on the resolver until they time out. If the number and frequency of these truncated-and-then-blocked queriesisare sufficiently high, the resolver wastes valuable resources on queries that can never be answered. This condition is generally not easily or completely mitigated by the affected DNS resolver operator.</t> </section> <sectiontitle="DNSnumbered="true" toc="default"> <name>DNS Root Zone KSKRollover">Rollover</name> <!-- [rfced] Is the new root zone called "DNSSEC KSK"? Original: The plans for deploying a new root zone DNSSEC KSK highlighted a potential problem in retrieving the root zone key set [LEWIS]. Perhaps: The plans for deploying a new root zone, DNSSEC KSK, highlighted a potential problem in retrieving the root zone key set [LEWIS]. --> <t>The plans for deploying a new root zone DNSSEC KSK highlighted a potential problem in retrieving the root zone key set <xreftarget="LEWIS"></xref>.target="LEWIS" format="default"/>. During some phases of the KSK rollover process, root zone DNSKEY responses were larger than 1280 bytes, the IPv6 minimum MTU for links carrying IPv6 traffic <xreftarget="RFC8200"/>.target="RFC8200" format="default"/>. <!--[rfced] We believe this text refers to "[KSK_ROLLOVER_ARCHIVES]", so we moved the citation to the end of the sentence for clarity. Please let us know of any objections. Original: There was some concern [KSK_ROLLOVER_ARCHIVES] that any DNS server unable to receive large DNS messages over UDP, or any DNS message over TCP, would experience disruption while performing DNSSEC validation. Current: There was some concern<xref target="KSK_ROLLOVER_ARCHIVES"/>that any DNS server unable to receive large DNS messages over UDP, or any DNS message over TCP, would experience disruption while performing DNSSECvalidation.</t>validation [KSK_ROLLOVER_ARCHIVES]. --> There was some concern that any DNS server unable to receive large DNS messages over UDP, or any DNS message over TCP, would experience disruption while performing DNSSEC validation <xref target="KSK_ROLLOVER_ARCHIVES" format="default"/>.</t> <t>However, during the year-long postponement of the KSKrolloverrollover, there were no reported problems that could be attributed to the 1414 octet DNSKEY response when both the old and new keys were published in the zone. Additionally, there were no reported problems during the two-month period when the old key was published as revoked and the DNSKEY response was 1425 octets in size <xreftarget="ROLL_YOUR_ROOT"/>.</t>target="ROLL_YOUR_ROOT" format="default"/>.</t> </section> </section> <section anchor="logging-monitoring"title="Loggingnumbered="true" toc="default"> <name>Logging andMonitoring">Monitoring</name> <t>Developers of applications that log or monitor DNSSHOULD NOT<bcp14>SHOULD NOT</bcp14> ignore TCP due to the perception that it is rarely used or is hard to process. OperatorsSHOULD<bcp14>SHOULD</bcp14> ensure that their monitoring and logging applications properly capture DNS messages over TCP. Otherwise, attacks, exfiltration attempts, and normal traffic may go undetected.</t> <t>DNS messages over TCP are in no way guaranteed to arrive in single segments. In fact, a clever attacker might attempt to hide certain messages by forcing them over very small TCP segments. Applications that capture network packets (e.g., with libpcap <xreftarget="libpcap"/>) SHOULDtarget="libpcap" format="default"/>) <bcp14>SHOULD</bcp14> implement and perform full TCP stream reassembly and analyze the reassembled stream instead of the individual packets. Otherwise, they are vulnerable to network evasion attacks <xreftarget="phrack"/>.target="phrack" format="default"/>. Furthermore, such applications need to protect themselves from resource exhaustion attacks by limiting the amount of memory allocated to tracking unacknowledged connection state data. dnscap <xreftarget="dnscap"/>target="dnscap" format="default"/> is an open-source example of a DNS logging program that implements TCP stream reassembly.</t> <t>DevelopersSHOULD<bcp14>SHOULD</bcp14> also keep in mind connection reuse, query pipelining, and out-of-order responses when building and testing DNS monitoring applications.</t> <t>As an alternative to packet capture, some DNS server software supports dnstap <xreftarget="dnstap"/>target="dnstap" format="default"/> as an integrated monitoring protocol intended to facilitate wide-scale DNS monitoring.</t> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>Thismemo includesdocument has norequest to IANA.</t>IANA actions.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>This document, providing operational requirements, is the companion to the implementation requirements of DNS overTCP,TCP provided in <xreftarget="RFC7766"/>.target="RFC7766" format="default"/>. The security considerations from <xreftarget="RFC7766"/>target="RFC7766" format="default"/> still apply.</t> <t>Ironically, returning truncatedDNS over UDPDNS-over-UDP answers in order to induce a client query to switch to DNS over TCP has become a common response tosource address spoofed,source-address-spoofed, DNS denial-of-service attacks <xreftarget="RRL"></xref>.target="RRL" format="default"/>. Historically, operators have been wary of TCP-based attacks, but in recent years, UDP-based flooding attacks have proven to be the most common protocol attack on the DNS. Nevertheless, a high rate of short-lived DNS transactions over TCP may pose challenges. In fact, <xreftarget="DAI21"></xref>target="DAI21" format="default"/> details a class of IP fragmentation attacks on DNS transactions if the IP Identifier field (16 bits in IPv4 and 32 bits in IPv6) can be predicted and a system is coerced to fragment rather than retransmit messages. While many operators have providedDNS over TCPDNS-over-TCP service for many years without duress, past experience is no guarantee of future success.</t> <t>DNS over TCP is similar to many other Internet TCP services. TCP threats and many mitigation strategies have beenwell-documentedwell documented in a series of documents such as <xreftarget="RFC4953"></xref>,target="RFC4953" format="default"/>, <xreftarget="RFC4987"></xref>,target="RFC4987" format="default"/>, <xreftarget="RFC5927"></xref>,target="RFC5927" format="default"/>, and <xreftarget="RFC5961"></xref>.</t>target="RFC5961" format="default"/>.</t> <t>As mentioned in <xreftarget="logging-monitoring"/>,target="logging-monitoring" format="default"/>, applications that implement TCP stream reassembly need to limit the amount of memory allocated to connection tracking. A failure to do so could lead to a total failure of the logging or monitoring application. Imposition of resource limits creates atradeofftrade-off between allowing some stream reassembly to continue and allowing some evasion attacks to succeed.</t> <t>This document recommends that DNSServersservers enable TFO when possible. <xreftarget="RFC7413"/>target="RFC7413" format="default"/> recommends that a pool of servers behind a load balancer with a shared server IP address also share the key used to generate Fast Opencookies,cookies to prevent inordinate fallback to the3WHS.three-way handshake (3WHS). This guidance remainsaccurate,accurate but comes with a caveat: compromise of one server would reveal this group-sharedkey,key and allow for attacks involving the other servers in the pool by forging invalid Fast Open cookies.</t> </section> <section anchor="Privacy"title="Privacy Considerations">numbered="true" toc="default"> <name>Privacy Considerations</name> <t>Since DNS over both UDP and TCP uses the same underlying message format, the use of one transport instead of the other does not change the privacy characteristics of the message content (i.e., the name being queried). A number of protocols have recently been developed to provide DNS privacy, including DNS over TLS <xreftarget="RFC7858"/>,target="RFC7858" format="default"/>, DNS over DTLS <xreftarget="RFC8094"/>,target="RFC8094" format="default"/>, DNS over HTTPS <xreftarget="RFC8484"/>,target="RFC8484" format="default"/>, with even more on the way.</t> <t>Because TCP is somewhat more complex than UDP, some characteristics of a TCP conversation may enable DNS client fingerprinting and tracking that is not possible with UDP. For example, the choice of initial sequence numbers, window size, and options might be able to identify a particular TCPimplementation,implementation or even individual hosts behind shared resources such asnetwork address translators (NATs).</t> </section> <section anchor="Acknowledgments" title="Acknowledgments"> <t>This document was initially motivated by feedback from students who pointed out that they were hearing contradictory information about filtering DNS over TCP messages. Thanks in particular to a teaching colleague, JPL, who perhaps unknowingly encouraged the initial research into the differences between what the community has historically said and did. Thanks to all the NANOG 63 attendees who provided feedback to an early talk on this subject.</t> <!-- https://archive.nanog.org/sites/default/files/nanog63-dnstrack-kristoff-dnstcp.pdf --> <t>The following individuals provided an array of feedback to help improve this document: Joe Abley, Piet Barber, Sara Dickinson, Tony Finch, Bob Harold, Paul Hoffman, Geoff Huston, Tatuya Jinmei, Puneet Sood, and Richard Wilhelm. The authors are also indebted to the contributions stemming from discussion in the tcpm working group meeting at IETF 104. Any remaining errors or imperfections are the sole responsibility of the document authors.</t>NATs.</t> </section> </middle> <back><!-- References split into informative and normative --> <!-- There are 2 ways to insert reference entries from the citation libraries: 1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown) 2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml") Both are cited textually in the same manner: by using xref elements. If you use the PI option, xml2rfc will, by default, try to find included files in the same directory as the including file. You can also define the XML_LIBRARY environment variable with a value containing a set of directories to search. These can be either in the local filing system or remote ones accessed by http (http://domain/dir/... ).--> <references title="Normative References"> <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?--> &RFC1035; &RFC2119; &RFC2181; &RFC6891; &RFC7766; &RFC7828; &RFC7873; &RFC8174;<displayreference target="I-D.ietf-dnsop-avoid-fragmentation" to="AVOID_FRAGS"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2181.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6891.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7766.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7828.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7873.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references><references title="Informative References"> <!-- Here we use entities that we defined at the beginning. --> &RFC0768; &RFC0793; &RFC0883; &RFC1034; &RFC1123; &RFC1536; &RFC1995; &RFC1996; &RFC2136; &RFC2541;<references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0768.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0793.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0883.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1123.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1536.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1995.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1996.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2541.xml"/> <!-- &RFC2629; -->&RFC2671; &RFC2694; &RFC3022; &RFC3225; &RFC3226; &RFC4472; &RFC4953; &RFC4987; &RFC5358; &RFC5452; &RFC5507; &RFC5625; &RFC5927; &RFC5936; &RFC5961; &RFC5966; &RFC6298; &RFC6762; &RFC6950; &RFC7413; &RFC7477; &RFC7534; &RFC7720; &RFC7858; &RFC7901; &RFC7918; &RFC8027; &RFC8094; &RFC8162; &RFC8200; &RFC8324; &RFC8446; &RFC8467; &RFC8482; &RFC8483; &RFC8484; &RFC8490; &RFC8501; &RFC8806; &RFC8906; &RFC8932; &RFC8945;<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2671.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2694.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3022.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3225.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3226.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4472.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4953.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4987.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5358.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5452.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5507.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5625.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5927.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5936.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5961.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5966.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6298.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6950.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7413.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7477.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7534.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7720.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7901.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7918.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8027.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8094.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8162.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8200.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8324.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8467.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8482.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8483.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8490.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8501.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8806.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8906.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8932.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8945.xml"/> <!-- A reference written by by an organization not a person. --> <reference anchor="CHES94"> <front> <title>Firewalls and Internet Security: Repelling the Wily Hacker</title> <author fullname="William R. Cheswick"initials="W.R." surname="Cheswick" />initials="W." surname="Cheswick"/> <author fullname="Steven M. Bellovin"initials="S.M." surname="Bellovin" />initials="S." surname="Bellovin"/> <dateyear="1994" />year="1994"/> </front> <refcontent>First Edition</refcontent> </reference> <reference anchor="DAI21"> <front> <title>DNS-over-TCP Considered Vulnerable</title> <author fullname="Tianxiang Dai" initials="T."surname="Tianxiang" />surname="Dai"/> <author fullname="Haya Shulman" initials="H."surname="Shulman" />surname="Shulman"/> <author fullname="Michael Waidner" initials="M."surname="Waidner" />surname="Waidner"/> <date year="2021" month="July" /> </front> <seriesInfo name="DOI" value="10.1145/3472305.3472884"/> </reference> <reference anchor="DJBDNS" target="https://cr.yp.to/djbdns/tcp.html#why"> <front> <title>When are TCP queries sent?</title><author> <organization>D.J. Bernstein</organization><author surname="Bernstein" initials="D."> </author> <dateyear="2002" />month="November" year="2002"/> </front> </reference> <reference anchor="CASTRO2010"> <front> <title>Understanding andpreparingPreparing for DNSevolution</title>Evolution</title> <author fullname="Sebastian Castro" initials="S."surname="Castro" />surname="Castro"/> <author fullname="Min Zhang" initials="M."surname="Zhang" />surname="Zhang"/> <author fullname="Wolfgang John" initials="W."surname="John" />surname="John"/> <author fullname="Duane Wessels" initials="D."surname="Wessels" />surname="Wessels"/> <authorfullname="kcfullname="Kimberly claffy"initials="k.c." surname="claffy" />initials="K." surname="claffy"/> <dateyear="2010" />month="April" year="2010"/> </front> <seriesInfo name="DOI" value="10.1007/978-3-642-12365-8_1"/> </reference> <reference anchor="NETALYZR"> <front> <title>Netalyzr: Illuminating The Edge Network</title> <author fullname="Christian Kreibich" initials="C."surname="Kreibich" />surname="Kreibich"/> <author fullname="Nicholas Weaver" initials="N."surname="Weaver" />surname="Weaver"/> <author fullname="Boris Nechaev" initials="B."surname="Nechaev" />surname="Nechaev"/> <author fullname="Vern Paxson" initials="V."surname="Paxson" />surname="Paxson"/> <date year="2010"/>month="November"/> </front> <seriesInfo name="DOI" value="10.1145/1879141.1879173"/> </reference> <reference anchor="VERISIGN"> <front> <title>An Analysis of TCP Traffic in Root Server DITL Data</title> <author fullname="Matt Thomas" initials="M."surname="Thomas" />surname="Thomas"/> <author fullname="Duane Wessels" initials="D."surname="Wessels" />surname="Wessels"/> <date year="2014"/>month="October"/> </front><seriesInfo name="DNS-OARC<refcontent>DNS-OARC 2014 FallWorkshop" value="Los Angeles" />Workshop</refcontent> </reference> <reference anchor="TDNS"> <front><title>Connection-oriented<title>Connection-Oriented DNS to Improve Privacy and Security</title> <author fullname="Liang Zhu" initials="L."surname="Zhu" />surname="Zhu"/> <author fullname="John Heidemann" initials="J."surname="Heidemann" />surname="Heidemann"/> <author fullname="Duane Wessels" initials="D."surname="Wessels" />surname="Wessels"/> <author fullname="Allison Mankin" initials="A."surname="Mankin" />surname="Mankin"/> <author fullname="Nikita Somaiya" initials="N."surname="Somaiya" />surname="Somaiya"/> <date year="2015"/>month="May"/> </front> <seriesInfo name="DOI" value="10.1109/SP.2015.18"/> </reference> <reference anchor="RRL"> <front> <title>DNS Response Rate Limiting (DNS RRL)</title> <author fullname="Paul Vixie" initials="P."surname="Vixie" />surname="Vixie"/> <author fullname="Vernon Schryver" initials="V."surname="Schryver" />surname="Schryver"/> <date year="2012"month="April" />month="April"/> </front><seriesInfo name="ISC-TN 2012-1" value="Draft1" /><refcontent>ISC-TN-2012-1-Draft1</refcontent> </reference> <reference anchor="LEWIS" target="https://ripe74.ripe.net/presentations/25-RIPE74-lewis-submission.pdf"> <front> <title>2017 DNSSEC KSK Rollover</title> <author fullname="Edward Lewis" initials="E."surname="Lewis" />surname="Lewis"/> <date year="2017"month="May" day="8" />month="May"/> </front><seriesInfo name="RIPE 74" value="Budapest, Hungary" /><refcontent>RIPE 74</refcontent> </reference> <reference anchor="TOYAMA"> <front> <title>DNS Anomalies and Their Impacts on DNS Cache Servers</title> <author fullname="Katsuyasu Toyama" initials="K."surname="Toyama" />surname="Toyama"/> <author fullname="Keisuke Ishibashi" initials="K."surname="Ishibashi" />surname="Ishibashi"/> <author fullname="Tsuyoshi Toyono" initials="T." surname="Toyono"/> <author fullname="Masahiro Ishino" initials="M."surname="Ishino" />surname="Ishino"/> <author fullname="Chika Yoshimura" initials="C."surname="Yoshimura" />surname="Yoshimura"/> <author fullname="Kazunori Fujiwara" initials="K."surname="Fujiwara" />surname="Fujiwara"/> <date year="2004"/>month="October"/> </front><seriesInfo name="NANOG 32" value="Reston, VA USA" /><refcontent>NANOG 32</refcontent> </reference> <reference anchor="HUSTON" target="https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/"> <front> <title>Dealing with IPv6 fragmentation in the DNS</title> <author fullname="Geoff Huston" initials="G."surname="Huston" />surname="Huston"/> <date year="2017"month="August" day="22"/>month="August"/> </front><format type="HTML" target="https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/"/></reference> <reference anchor="CLOUDFLARE" target="https://blog.cloudflare.com/black-lies/"> <front> <title>Economical With The Truth: Making DNSSEC Answers Cheap</title> <author fullname="Dani Grant" initials="D." surname="Grant"> <organization>Cloudflare</organization> </author> <date year="2016"month="June" day="24"/>month="June"/> </front><format type="HTML" target="https://blog.cloudflare.com/black-lies/"/></reference> <reference anchor="DESIGNTEAM" target="https://www.iana.org/reports/2016/root-ksk-rollover-design-20160307.pdf"> <front> <title>Root Zone KSK Rollover Plan</title> <author><organization>Design Team Report</organization><organization>ICANN</organization> </author> <dateyear="2015" month="December" day="18"/>year="2016" month="March"/> </front><format type="PDF" target="https://www.iana.org/reports/2016/root-ksk-rollover-design-20160307.pdf"/></reference> <reference anchor="WIKIPEDIA_TFO"target="https://en.wikipedia.org/wiki/TCP_Fast_Open">target="https://en.wikipedia.org/w/index.php?title=TCP_Fast_Open&oldid=1071397204"> <front> <title>TCP Fast Open</title> <author> <organization>Wikipedia</organization> </author> <dateyear="2018" month="May" day="4"/>year="2022" month="February"/> </front> </reference> <!-- reference anchor="Stevens"> <front> <title>UNIX Network Programming Volume 1, Third Edition: The Sockets Networking API</title> <author fullname="W. Richard Stevens" initials="W.R." surname="Stevens"/> <author fullname="Bill Fenner" initials="B." surname="Fenner"/> <author fullname="Andrew M. Rudoff" initials="A.M." surname="Rudoff"/> <date year="2003" month="November" day="21"/> </front> </reference --> <reference anchor="libpcap" target="https://www.tcpdump.org"> <front> <title>Tcpdump and Libpcap</title> <author><organization>Tcpdump/Libpcap</organization><organization>The Tcpdump Group</organization> </author><date year="2018" month="May" day="7"/></front><format type="HTML" target="https://www.tcpdump.org"/></reference> <!-- [rfced] For "[dnscap]", the date listed at "https://www.dns-oarc.net/tools/dnscap" is "February 2014". May we update the reference information to reflect this? Original: [dnscap] DNS-OARC, "DNSCAP", 7 May 2018, <https://www.dns-oarc.net/tools/dnscap> Perhaps: Original: [dnscap] DNS-OARC, "DNSCAP", February 2014, <https://www.dns-oarc.net/tools/dnscap> --> <reference anchor="dnscap" target="https://www.dns-oarc.net/tools/dnscap"> <front> <title>DNSCAP</title> <author> <organization>DNS-OARC</organization> </author> <date year="2018"month="May" day="7"/>month="May"/> </front> </reference> <reference anchor="dnstap" target="https://dnstap.info"> <front> <title>dnstap</title><author fullname="Robert Edmonds" initials="R." surname="Edmonds"/> <author fullname="Paul Vixie" initials="P." surname="Vixie"/> <date year="2018" month="May" day="7"/><author/> <date/> </front> </reference> <!--[rfced] For the reference [accept_filter], we see "June 2000" listed as the date; may we use this date instead of "May 2018"? Also, should the title perhaps be updated as "BSD Kernel Developer's Manual: accept_filter(9)"? Original: [accept_filter] FreeBSD, "FreeBSD accept_filter(9)", 7 May 2018, <https://www.freebsd.org/cgi/man.cgi?query=accept_filter>. Perhaps: [accept_filter] FreeBSD, "BSD Kernel Developer's Manual: accept_filter(9)", June 2000, <https://www.freebsd.org/cgi/man.cgi?query=accept_filter>. --> <reference anchor="accept_filter" target="https://www.freebsd.org/cgi/man.cgi?query=accept_filter"> <front> <title>FreeBSD accept_filter(9)</title> <author> <organization>FreeBSD</organization> </author> <dateyear="2018"month="May"day="7"/>year="2018"/> </front><format type="HTML" target="https://www.freebsd.org/cgi/man.cgi?query=accept_filter"/> </reference> <reference anchor="AVOID_FRAGS"> <front> <title>Fragmentation Avoidance in DNS</title> <author fullname="Kazunori Fujiwara" initials="K." surname="Fujiwara"/> <author fullname="Paul Vixie" initials="P." surname="Vixie"/> <date year="2021" month="February"/> </front> <seriesInfo name="Work in Progress," value="draft-ietf-dnsop-avoid-fragmentation-05"/></reference> <!-- [AVOID_FRAGS] [I-D.ietf-dnsop-avoid-fragmentation] IESG state I-D Exists --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dnsop-avoid-fragmentation.xml"/> <!-- [rfced] The link for [FRAG_POISON] redirects to "https://cs.biu.ac.il/". Should "https://arxiv.org/pdf/1205.4011.pdf" be used instead? Original: [FRAG_POISON] Herzberg, A. and H. Shulman, "Fragmentation Considered Poisonous", May 2012, <https://u.cs.biu.ac.il/~herzbea/security/13-03-frag.pdf>. Perhaps: [FRAG_POISON] Herzberg, A. and H. Shulman, "Fragmentation Considered Poisonous", May 2012, <https://arxiv.org/pdf/1205.4011.pdf>. --> <reference anchor="FRAG_POISON" target="https://u.cs.biu.ac.il/~herzbea/security/13-03-frag.pdf"> <front> <title>Fragmentation Considered Poisonous</title> <author fullname="Amir Herzberg" initials="A." surname="Herzberg"/> <author fullname="Haya Shulman" initials="H." surname="Shulman"/> <date year="2012" month="May"/> </front> </reference> <reference anchor="ROLL_YOUR_ROOT" target="https://dl.acm.org/doi/10.1145/3355369.3355570"> <front> <title>Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover</title> <author fullname="MoritzMüller"Müller" initials="M."surname="Müller"/>surname="Müller"/> <author fullname="Matthew Thomas" initials="M." surname="Thomas"/> <author fullname="Duane Wessels" initials="D." surname="Wessels"/> <author fullname="Wes Hardaker" initials="W." surname="Hardaker"/> <author fullname="Taejoong Chung" initials="T." surname="Chung"/> <author fullname="Willem Toorop" initials="W." surname="Toorop"/> <author fullname="Roland van Rijswijk-Deij"initials="R.v." surname="Rijswijk-Deij"/>initials="R." surname="van Rijswijk-Deij"/> <date year="2019"month="Oct"/>month="October"/> </front> <seriesInfo name="DOI" value="10.1145/3355369.3355570"/> </reference> <reference anchor="BIND" target="https://www.isc.org/bind/"> <front> <title>BIND9 - ISC</title>9</title> <author> <organization>Internet Systems Consortium</organization> </author><date year="2021" month="Apr"/><date/> </front> </reference> <reference anchor="ECDSA" target="https://dl.acm.org/doi/10.1145/2831347.2831350"> <front> <title>Making the Case for Elliptic Curves in DNSSEC</title> <author fullname="Roland van Rijswijk-Deij" initials="R."surname="Rijswijk-Deij"/>surname="van Rijswijk-Deij"/> <author fullname="Anna Sperotto" initials="A." surname="Sperotto"/> <author fullname="Aiko Pras" initials="A." surname="Pras"/> <date year="2015"month="Sep"/>month="October"/> </front> <seriesInfo name="DOI" value="10.1145/2831347.2831350"/> </reference> <reference anchor="FLAGDAY2020" target="https://dnsflagday.net/2020/"> <front> <title>DNS Flag Day 2020</title><author> <organization>Various DNS software<author><organization>DNS Software andservice providers</organization> </author>Service Providers </organization></author> <dateyear="2020" month="Oct"/>month="October" year="2020"/> </front> </reference> <reference anchor="KSK_ROLLOVER_ARCHIVES" target="https://mm.icann.org/pipermail/ksk-rollover/2019-January/date.html"> <front> <title>KSK Rollover List Archives</title> <author><organization>Internet Coporation for Assigned Names and Numbers</organization><organization>ICANN</organization> </author> <date year="2019"month="Jan"/>month="January"/> </front> </reference> <reference anchor="phrack" target="http://phrack.org/issues/54/10.html"> <front> <title>Defeating Sniffers and Intrusion Detection Systems</title> <author fullname="horizon"/> <date year="1998"month="Dec"/>month="December"/> </front> <refcontent>Phrack Magazine</refcontent> </reference> <reference anchor="APNIC" target="https://labs.apnic.net/?p=1380"> <front> <title>DNS XL</title> <author fullname="Geoff Huston" initials="G." surname="Huston"/> <date year="2020"month="Oct"/>month="October"/> </front> </reference> </references> </references> <section anchor="dnsrfcs"title="Standardsnumbered="true" toc="default"> <name>Standards Related to DNS Transport overTCP"> <t>ThisTCP</name> <!-- [rfced] FYI: We have removed "IETF" in the following text because not all documents listed in the Appendix are IETF documents. For example, RFCs 8324 and 8483 are from the Independent Stream rather than the IETF Stream. Also, which RFC(s) is a "Draft Standard"? If none are, this term should be removed. Please confirm. Original: This section enumerates all known IETF RFC documents that are currently of status Internet Standard, Draft Standard, Proposed Standard, Informational, Best Current Practice, or Experimental and either implicitly or explicitly make assumptions or statements about the use of TCP as a transport for the DNS germane to this document. Current: This section enumerates all known RFCs with a status of Internet Standard, Draft Standard, Proposed Standard, Informational, Best Current Practice, or Experimental that either implicitly or explicitly make assumptions or statements about the use of TCP as a transport for the DNS germane to this document. --> <!-- [rfced] Unless we hear objection, we will update “Standards” to “RFCs” in the title of Appendix A as not all documents listed are standards (e.g., some are Experimental or Informational). In addition, we will remove “IETF" from the subsection titles as not all the RFCs listed are from the IETF Stream. Original: Appendix A. Standards Related to DNS Transport over TCP A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION A.2. IETF RFC 1536 - Common DNS Implementation Errors and Suggested Fixes A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) ....., etc. Perhaps: Appendix A. RFCs Related to DNS Transport over TCP A.1. RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION A.2. RFC 1536 - Common DNS Implementation Errors and Suggested Fixes A.3. RFC 1995 - Incremental Zone Transfer in DNS A.4. RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) ....., etc. --> <t>This section enumerates all known RFCs with a status of Internet Standard, Draft Standard, Proposed Standard, Informational, Best Current Practice, or Experimental that either implicitly or explicitly make assumptions or statements about the use of TCP as a transport for the DNS germane to this document.</t> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION ANDSPECIFICATION">SPECIFICATION</name> <t>The Internet Standard <xreftarget="RFC1035"></xref>target="RFC1035" format="default"/> is the base DNS specification that explicitly defines support for DNS over TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 1536 - Common DNS Implementation Errors and SuggestedFixes"> <t>ThisFixes</name> <t>The Informational document <xreftarget="RFC1536"></xref>target="RFC1536" format="default"/> states that UDP isthe "chosen"the chosen protocol for communication though TCP is used for zone transfers." That statement should now be considered in its historical context and is no longer a proper reflection of modern expectations.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 1995 - Incremental Zone Transfer inDNS"> <t>ThisDNS</name> <t>The Proposed Standard <xreftarget="RFC1995"/>target="RFC1995" format="default"/> documents the use of TCP as the fallback transport whenIXFRIncremental Zone Transfer (IXFR) responses do not fit into a single UDP response. As withAXFR,Authoritative Transfer (AXFR), IXFR messages are typically delivered over TCP by default in practice.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 1996 - A Mechanism for Prompt Notification of Zone Changes (DNSNOTIFY)"> <t>ThisNOTIFY)</name> <t>The Proposed Standard <xreftarget="RFC1996"/>target="RFC1996" format="default"/> suggests that a primary server may decide to issue NOTIFY messages over TCP. In practice, NOTIFY messages are generally sent over UDP, but this specification leaves open the possibility that the choice of transport protocol is up to the primaryserver, and thereforeserver; therefore, a secondary server ought to be able to operate over both UDP and TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 2181 - Clarifications to the DNSSpecification"> <t>ThisSpecification</name> <t>The Proposed Standard <xreftarget="RFC2181"/>target="RFC2181" format="default"/> includes clarifying text on how a client should react to the TC bit set on responses. It is advised that the responseshouldbe discarded and the query resent using TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 2694 - DNS extensions to Network Address Translators(DNS_ALG)"> <t>This(DNS_ALG)</name> <t>The Informational document <xreftarget="RFC2694"></xref>target="RFC2694" format="default"/> enumerates considerations fornetwork address translation (NAT)NAT devices to properly handle DNS traffic. This document is noteworthy in its suggestion that "[t]ypically, TCP is used for AXFR requests," as further evidence that helps explain why DNS over TCP may have often been treated very differently than DNS over UDP in operational networks.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 3225 - Indicating Resolver Support ofDNSSEC"> <t>ThisDNSSEC</name> <!-- [rfced] Would "that describes" be clearer than "expressing"? Original: This document is a companion to the next document in the RFC series expressing the requirement for EDNS(0) support for DNSSEC. Perhaps: This document is a companion to the next document in the RFC Series that describes the requirement for EDNS(0) support for DNSSEC. --> <t>The Proposed Standard <xreftarget="RFC3225"/>target="RFC3225" format="default"/> makes statements indicating that DNS over TCP is "detrimental" as a result of increased traffic, latency, and server load. This document is a companion to the next document in the RFCseriesSeries expressing the requirement for EDNS(0) support for DNSSEC.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message sizerequirements">requirements</name> <t>Although updated by later DNSSEC RFCs, the Proposed Standard <xreftarget="RFC3226"></xref>target="RFC3226" format="default"/> strongly argues in favor of UDP messages instead of TCP, largely for performance reasons. The document declares EDNS(0) a requirement for DNSSEC servers and advocates that packet fragmentation may be preferable to TCP in certain situations.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 4472 - Operational Considerations and Issues with IPv6DNS"> <t>ThisDNS</name> <t>The Informational document <xreftarget="RFC4472"></xref>target="RFC4472" format="default"/> notes that IPv6 data may increase DNS responses beyond what would fit in a UDP message.ParticularlyWhat is particularly noteworthy, but perhaps less common today than when this document was written, is that it refers to implementations that truncate data without setting the TC bit to encourage the client to resend the query using TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 5452 - Measures for Making DNS More Resilient against ForgedAnswers"> <t>This Informational documentAnswers</name> <t>The Proposed Standard <xreftarget="RFC5452"></xref>target="RFC5452" format="default"/> arose as public DNS systems began to experience widespread abuse from spoofed queries, resulting in amplification and reflection attacks against unwitting victims. One of the leading justifications for supporting DNS over TCP to thwart these attacks is briefly described inthis document's 9.3 Spoof<xref target="RFC5452" sectionFormat="of" section="9.3"/> ("Spoof Detection andCountermeasure section.</t>Countermeasure").</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 5507 - Design Choices When Expanding theDNS"> <t>ThisDNS</name> <t>The Informational document <xreftarget="RFC5507"></xref>target="RFC5507" format="default"/> was largely an attempt to dissuade new DNS data types from overloading the TXT resource record type. In sodoingdoing, it summarizes the conventional wisdom of DNS design and implementation practices. The authors suggest TCP overhead and stateful properties pose challenges compared toUDP,UDP and imply that UDP is generally preferred for performance and robustness.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 5625 - DNS Proxy ImplementationGuidelines"> <t>ThisGuidelines</name> <t>The Best Current Practice document <xreftarget="RFC5625"></xref>target="RFC5625" format="default"/> provides DNS proxy implementation guidance including the mandate that a proxy"MUST"<bcp14>MUST</bcp14> [...] be prepared to receive and forward queries over TCP" even though it suggestshistoricallythat, historically, TCP transport has not been strictly mandatory in stub resolvers or recursive servers.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 5936 - DNS Zone Transfer Protocol(AXFR)"> <t>This(AXFR)</name> <t>The Proposed Standard <xreftarget="RFC5936"/>target="RFC5936" format="default"/> provides a detailed specification for the zone transfer protocol, as originally outlined in the early DNS standards. AXFR operation is limited to TCP and not specified for UDP. This document discusses TCP usage at length.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7534 - AS112 NameserverOperations"> <t><xref target="RFC7534"></xref> is anOperations</name> <t>The Informational documentenumerating<xref target="RFC7534" format="default"/> enumerates the requirements for operation of AS112 project DNS servers. New AS112 nodes are tested for their ability to provide service on both UDP and TCP transports, with the implication that TCP service is an expected part of normal operations.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 6762 - MulticastDNS">DNS</name> <t>Inthisthe Proposed Standard <xreftarget="RFC6762"></xref>,target="RFC6762" format="default"/>, the TC bit is deemed to have essentially the same meaning as described in the original DNS specifications. That is, if a response with the TC bit set is received, "[...] the querierSHOULD<bcp14>SHOULD</bcp14> reissue its query using TCP in order to receive the larger response."</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 6891 - Extension Mechanisms for DNS(EDNS(0))"> <t>This(EDNS(0))</name> <t>The Internet Standard <xreftarget="RFC6891"></xref>target="RFC6891" format="default"/> helped slow the use of and need forDNS over TCPDNS-over-TCP messages. This document highlights concerns over server load and scalability in widespread use of DNS over TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IAB RFC 6950 - Architectural Considerations on Application Features in theDNS"> <t>AnDNS</name> <t>The Informational document <xreftarget="RFC6950"></xref> thattarget="RFC6950" format="default"/> draws attention to large data in the DNS. TCP is referenced in the context as a common fallback mechanism and counter to some spoofing attacks.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7477 - Child-to-Parent Synchronization inDNS"> <t>ThisDNS</name> <t>The Proposed Standard <xreftarget="RFC7477"></xref>target="RFC7477" format="default"/> specifiesaan RRType and a protocol to signal and synchronize NS, A, and AAAA resource record changes from achild to parentchild-to-parent zone. Since this protocol may require multiple requests and responses, it recommends utilizing DNS over TCP to ensure the conversation takes place between a consistent pair of end nodes.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7720 - DNS Root Name Service Protocol and DeploymentRequirements"> <t>ThisRequirements</name> <t>The Best Current Practice document <xreftarget="RFC7720"></xref>target="RFC7720" format="default"/> declares that root name service"MUST"<bcp14>MUST</bcp14> support UDP <xreftarget="RFC0768"></xref>target="RFC0768" format="default"/> and TCP <xreftarget="RFC0793"></xref>target="RFC0793" format="default"/> transport of DNS queries and responses."</t> </section> <section anchor="app-rfc7766"title="IETFnumbered="true" toc="default"> <name>IETF RFC 7766 - DNS Transport over TCP - ImplementationRequirements"> <t>ThisRequirements</name> <t>The Proposed Standard <xreftarget="RFC7766"/>target="RFC7766" format="default"/> instructs DNSimplementersimplementors to provide support for carryingDNS over TCPDNS-over-TCP messages in theirsoftware,software and might be considered the direct ancestor of this operational requirements document. The implementation requirements document codifies mandatory support forDNS over TCPDNS-over-TCP in compliant DNSsoftware,software but makes no recommendations to operators, which we seek to address here.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7828 - The edns-tcp-keepalive EDNS(0)Option"> <t>ThisOption</name> <t>The Proposed Standard <xreftarget="RFC7828"></xref>target="RFC7828" format="default"/> defines an EDNS(0) option to negotiate an idle timeout value for long-livedDNS over TCPDNS-over-TCP connections. Consequently, this document is only applicable and relevant toDNS over TCPDNS-over-TCP sessions and between implementations that support this option.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7858 - Specification for DNS over Transport Layer Security(TLS)"> <t>This(TLS)</name> <t>The Proposed Standard <xreftarget="RFC7858"></xref>target="RFC7858" format="default"/> defines a method for putting DNS messages into a TCP-based encrypted channel using TLS. This specification is noteworthy for explicitly targeting the stub-to-recursivetraffic,traffic but does not preclude its application from recursive-to-authoritative traffic.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7873 - Domain Name System (DNS)Cookies"> <t>ThisCookies</name> <t>The Proposed Standard <xreftarget="RFC7873"></xref>target="RFC7873" format="default"/> describes an EDNS(0) option to provide additional protection against query and answer forgery. This specification mentions DNS over TCP as an alternative mechanism when DNSCookiescookies are not available. The specification does make mention ofDNS over TCPDNS-over-TCP processing in two specific situations. In one, when a server receives only a client cookie in a request, the server should consider whether the request arrived overTCPTCP, and if so, it should consider accepting TCP as sufficient to authenticate the request and respond accordingly. In another, when a client receives a BADCOOKIE reply using a fresh server cookie, the client should retry using TCP as the transport.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 7901 - CHAIN Query Requests inDNS"> <t>ThisDNS</name> <t>The Experimental specification <xreftarget="RFC7901"></xref>target="RFC7901" format="default"/> describes an EDNS(0) option that can be used by a security-aware validating resolver to request and obtain a complete DNSSEC validation path for any single query. This document requires the use of DNS over TCP or a transport mechanism verified by a source IP addressverified transport mechanismsuch as EDNS-COOKIE <xreftarget="RFC7873"></xref>.</t>target="RFC7873" format="default"/>.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8027 - DNSSEC RoadblockAvoidance"> <t>ThisAvoidance</name> <t>The Best Current Practice document <xreftarget="RFC8027"></xref>target="RFC8027" format="default"/> details observed problems with DNSSEC deployment and mitigation techniques. Network traffic blocking and restrictions, includingDNS over TCPDNS-over-TCP messages, are highlighted as one reason for DNSSEC deployment issues. While this document suggests these sorts of problems are due to "non-compliant infrastructure", the scope of the document is limited to detection and mitigation techniques to avoid so-called DNSSEC roadblocks.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8094 - DNS over Datagram Transport Layer Security(DTLS)"> <t>This(DTLS)</name> <t>The Experimental specification <xreftarget="RFC8094"></xref>target="RFC8094" format="default"/> details a protocol that uses a datagram transport(UDP),(UDP) but stipulates that "DNS clients and servers that implement DNS over DTLSMUST<bcp14>MUST</bcp14> also implement DNS over TLS in order to provide privacy for clients that desire Strict Privacy [...]." This requirement implies DNS over TCP must be supported in case the message size is larger than the path MTU.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8162 - Using Secure DNS to Associate Certificates with Domain Names forS/MIME"> <t>ThisS/MIME</name> <t>The Experimental specification <xreftarget="RFC8162"></xref>target="RFC8162" format="default"/> describes a technique to authenticate user X.509 certificates in an S/MIME system via the DNS. The document points out that the new experimental resource record types are expected to carry large payloads, resulting in the suggestion that "applicationsSHOULD<bcp14>SHOULD</bcp14> use TCP -- not UDP -- to perform queries for the SMIMEA resource record."</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching, and Root Structure: Time for AnotherLook?"> <t>AnLook?</name> <t> The Informational document <xreftarget="RFC8324"></xref> thattarget="RFC8324" format="default"/> briefly discusses the common role and challenges of DNS over TCP throughout the history of DNS.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS(EDNS(0))"> <t>An(EDNS(0))</name> <t>The Experimental document <xreftarget="RFC8467"></xref>target="RFC8467" format="default"/> remindsimplementersimplementors to consider the underlying transport protocol(e.g.(e.g., TCP) when calculating the padding length when artificially increasing the DNS message size with an EDNS(0) padding option.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8482 - Providing Minimal-Sized Responses to DNS Queries That HaveQTYPE=ANY"> <t><xref target="RFC8482"/> is aQTYPE=ANY</name> <t>The Proposed Standardthat<xref target="RFC8482" format="default"/> describes alternative ways that DNS servers can respond to queries of type ANY, which are sometimes used to provide amplification in DDoS attacks. The specification notes that responders may behave differently, depending on the transport. For example, minimal-sized responses may be used over UDP transport, while full responses may be given over TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8483 - Yeti DNSTestbed"> <t>ThisTestbed</name> <t>The Informational document <xreftarget="RFC8483"></xref>target="RFC8483" format="default"/> describes a testbed environment that highlights someDNS over TCPDNS-over-TCP behaviors, including issues involving packet fragmentation and operational requirements for TCP stream assembly in order to conduct DNS measurement and analysis.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8484 - DNS Queries over HTTPS(DoH)"> <t>This(DoH)</name> <t>The Proposed Standard <xreftarget="RFC8484"></xref>target="RFC8484" format="default"/> defines a protocol for sending DNS queries and responses over HTTPS. This specification assumes TLS and TCP for the underlying security and transport layers, respectively. Self-described as a technique that more closely resembles a tunneling mechanism, DoH nevertheless likely implies DNS over TCP in some sense, if not directly.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8490 - DNS StatefulOperations"> <t>ThisOperations</name> <t>The Proposed Standard <xreftarget="RFC8490"></xref>target="RFC8490" format="default"/> updates the base protocol specification with a new OPCODE to help manage stateful operations in persistent sessions, such as those that might be used by DNS over TCP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8501 - Reverse DNS in IPv6 for Internet ServiceProviders"> <t>ThisProviders</name> <t>The Informational document <xreftarget="RFC8501"></xref>target="RFC8501" format="default"/> identifies potential operational challenges withDynamic DNSdynamic DNS, including denial-of-service threats. The document suggests TCP may provide someadvantages,advantages but that updating hosts would need to be explicitly configured to use TCP instead of UDP.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8806 - Running a Root Server Local to aResolver"> <t>ThisResolver</name> <t>The Informational document <xreftarget="RFC8806"></xref>target="RFC8806" format="default"/> describes how to obtain and operate a local copy of the root zone with examples showing how to pull from authoritative sources using aDNS over TCPDNS-over-TCP zone transfer.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8906 - A Common Operational Problem in DNS Servers: Failure toCommunicate"> <t>ThisCommunicate</name> <t>The Best Current Practice document <xreftarget="RFC8906"></xref>target="RFC8906" format="default"/> discusses a number of DNS operational failure scenarios and how to avoid them. This includes discussions involvingDNS over TCPDNS-over-TCP queries, EDNS over TCP, and a testing methodology that includes a section on verifyingDNS over TCPDNS-over-TCP functionality.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8932 - Recommendations for DNS Privacy ServiceOperators"> <t>ThisOperators</name> <t>The Best Current Practice document <xreftarget="RFC8932"></xref>target="RFC8932" format="default"/> presents privacy considerations to DNS privacy service operators. These mechanisms sometimes include the use of TCP and are therefore susceptible to information leakage such as TCP-based fingerprinting. This document also referencesaan earlier draft version of this document.</t> </section> <sectiontitle="IETFnumbered="true" toc="default"> <name>IETF RFC 8945 - Secret Key Transaction Authentication for DNS(TSIG)"> <t>This(TSIG)</name> <t>The Internet Standard <xreftarget="RFC8945"></xref>target="RFC8945" format="default"/> recommends that a client use TCP if truncated TSIG messages are received.</t> </section> </section> <section anchor="Acknowledgments" numbered="false" toc="default"> <name>Acknowledgments</name> <t>This document was initially motivated by feedback from students who pointed out that they were hearing contradictory information about filtering DNS-over-TCP messages. Thanks in particular to a teaching colleague, JPL, who perhaps unknowingly encouraged the initial research into the differences between what the community has historically said and did. Thanks to all the NANOG 63 attendees who provided feedback for an early talk on this subject.</t> <!-- https://archive.nanog.org/sites/default/files/nanog63-dnstrack-kristoff-dnstcp.pdf --> <t>The following individuals provided an array of feedback to help improve this document: <contact fullname="Joe Abley"/>, <contact fullname="Piet Barber"/>, <contact fullname="Sara Dickinson"/>, <contact fullname="Tony Finch"/>, <contact fullname="Bob Harold"/>, <contact fullname="Paul Hoffman"/>, <contact fullname="Geoff Huston"/>, <contact fullname="Tatuya Jinmei"/>, <contact fullname="Puneet Sood"/>, and <contact fullname="Richard Wilhelm"/>. The authors are also indebted to the contributions stemming from discussion in the TCPM Working Group meeting at IETF 104. Any remaining errors or imperfections are the sole responsibility of the document authors.</t> </section> </back> <!-- [rfced] Some author comments are present in the XML. Please confirm that no updates related to these comments are outstanding. Note that the comments will be deleted prior to publication. --> <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Specifically, please review use of the term "black". --> </rfc>