rfc9210xml2.original.xml   rfc9210.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!-- User Datagram Protocol --> <!-- [CS] updated by Chris 01/19/22 -->
<!ENTITY RFC0768 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.0768.xml">
<!-- TRANSMISSION CONTROL PROTOCOL -->
<!ENTITY RFC0793 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.0793.xml">
<!-- DOMAIN NAMES - CONCEPTS AND FACILITIES -->
<!ENTITY RFC0883 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.0883.xml">
<!-- DOMAIN NAMES - IMPLEMENTATION and SPECIFICATION -->
<!ENTITY RFC1034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.1034.xml">
<!-- DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION -->
<!ENTITY RFC1035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.1035.xml">
<!-- double hyphen in comments not allowed, ASCII escape sequence used instead
-->
<!-- Requirements for Internet Hosts &#45;&#45; Application and Support -->
<!ENTITY RFC1123 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.1123.xml">
<!-- Common DNS Implementation Errors and Suggested Fixes -->
<!ENTITY RFC1536 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.1536.xml">
<!-- Incremental Zone Transfer in DNS -->
<!ENTITY RFC1995 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.1995.xml">
<!-- A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) -->
<!ENTITY RFC1996 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.1996.xml">
<!-- Dynamic Updates in the Domain Name System (DNS UPDATE) -->
<!ENTITY RFC2136 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.2136.xml">
<!-- Clarifications to the DNS Specification -->
<!ENTITY RFC2181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.2181.xml">
<!-- Domain Name System Security Extensions -->
<!ENTITY RFC2541 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.2541.xml">
<!-- Extension Mechanisms for DNS (EDNS(0)) -->
<!ENTITY RFC2671 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.2671.xml">
<!-- DNS extensions to Network Address Translators (DNS_ALG) -->
<!ENTITY RFC2694 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.2694.xml">
<!ENTITY RFC3022 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.3022.xml">
<!-- Indicating Resolver Support of DNSSEC -->
<!ENTITY RFC3225 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.3225.xml">
<!-- DNSSEC and IPv6 A6 aware server/resolver message size requirements -->
<!ENTITY RFC3226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.3226.xml">
<!-- Operational Considerations and Issues with IPv6 DNS -->
<!ENTITY RFC4472 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.4472.xml">
<!-- Defending TCP Against Spoofing Attacks -->
<!ENTITY RFC4953 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.4953.xml">
<!-- TCP SYN Flooding Attacks and Common Mitigations -->
<!ENTITY RFC4987 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.4987.xml">
<!-- Preventing Use of Recursive Nameservers in Reflector Attacks -->
<!ENTITY RFC5358 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5358.xml">
<!-- Measures for Making DNS More Resilient against Forged Answers -->
<!ENTITY RFC5452 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5452.xml">
<!-- Design Choices When Expanding the DNS -->
<!ENTITY RFC5507 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5507.xml">
<!-- DNS Proxy Implementation Guidelines -->
<!ENTITY RFC5625 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5625.xml">
<!-- ICMP Attacks against TCP -->
<!ENTITY RFC5927 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5927.xml">
<!-- DNS Zone Transfer Protocol (AXFR) -->
<!ENTITY RFC5936 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5936.xml">
<!-- Improving TCP's Robustness to Blind In-Window Attacks -->
<!ENTITY RFC5961 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5961.xml">
<!ENTITY RFC6298 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.6298.xml">
<!-- Multicast DNS -->
<!ENTITY RFC6762 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.6762.xml">
<!-- Extension Mechanisms for DNS (EDNS (0)) -->
<!ENTITY RFC6891 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.6891.xml">
<!-- Architectural Considerations on Application Features in the DNS -->
<!ENTITY RFC6950 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.6950.xml">
<!-- TCP Fast Open -->
<!ENTITY RFC7413 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7413.xml">
<!-- Child-to-Parent Synchronization in DNS -->
<!ENTITY RFC7477 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7477.xml">
<!-- AS112 Nameserver Operations -->
<!ENTITY RFC7534 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7534.xml">
<!-- Root Name Service Requirements -->
<!ENTITY RFC7720 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7720.xml">
<!-- DNS Transport over TCP - Implementation Requirements -->
<!ENTITY RFC5966 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.5966.xml">
<!ENTITY RFC7766 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7766.xml">
<!-- The edns-tcp-keepalive EDNS(0) Option -->
<!ENTITY RFC7828 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7828.xml">
<!-- Specification for DNS over Transport Layer Security (TLS) -->
<!ENTITY RFC7858 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7858.xml">
<!-- Domain Name System (DNS) Cookies -->
<!ENTITY RFC7873 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7873.xml">
<!-- CHAIN Query Requests in DNS -->
<!ENTITY RFC7901 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7901.xml">
<!-- TLS False Start -->
<!ENTITY RFC7918 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.7918.xml">
<!-- DNSSEC Roadblock Avoidance -->
<!ENTITY RFC8027 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8027.xml">
<!-- DNS over DTLS -->
<!ENTITY RFC8094 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8094.xml">
<!-- DNS-Based Authentication for S/MIME -->
<!ENTITY RFC8162 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8162.xml">
<!-- Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words -->
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8174.xml">
<!-- Internet Protocol, Version 6 (IPv6) Specification -->
<!ENTITY RFC8200 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8200.xml">
<!-- DNS Privacy, Authorization, Special Uses, Encoding, Characters, Matching,
and Root Structure: Time for Another Look? -->
<!ENTITY RFC8324 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8324.xml">
<!-- The Transport Layer Security (TLS) Protocol Version 1.3 -->
<!ENTITY RFC8446 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8446.xml">
<!-- Padding Policies for Extension Mechanisms for DNS (EDNS(0)) -->
<!ENTITY RFC8467 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8467.xml">
<!-- Yeti DNS Testbed -->
<!ENTITY RFC8483 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8483.xml">
<!-- Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY -->
<!ENTITY RFC8482 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8482.xml">
<!-- DNS Queries over HTTPS (DoH) -->
<!ENTITY RFC8484 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8484.xml">
<!-- DNS Stateful Operations -->
<!ENTITY RFC8490 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8490.xml">
<!-- Reverse DNS in IPv6 for Internet Service Providers -->
<!ENTITY RFC8501 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8501.xml">
<!-- Running a Root Server Local to a Resolver -->
<!ENTITY RFC8806 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8806.xml">
<!-- A Common Operational Problem in DNS Servers: Failure to Communicate -->
<!ENTITY RFC8906 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8906.xml">
<!-- Recommendations for DNS Privacy Service Operators -->
<!ENTITY RFC8932 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8932.xml">
<!-- Secret Key Transaction Authentication for DNS (TSIG) -->
<!ENTITY RFC8945 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R
FC.8945.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R <!DOCTYPE rfc [
FC.2119.xml"> <!ENTITY nbsp "&#160;">
<!ENTITY RFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.R <!ENTITY zwsp "&#8203;">
FC.2629.xml"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dnsop-dns-tc
<!-- used by XSLT processors --> p-requirements-15" number="9210" ipr="trust200902" updates="1123,1536" obsoletes
<!-- For a complete list and description of processing instructions (PIs), ="" submissionType="IETF" category="bcp" consensus="true" xml:lang="en" tocInclu
please see http://xml.resource.org/authoring/README.html. --> de="true" tocDepth="4" symRefs="true" sortRefs="true" version="3">
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="bcp" docName="draft-ietf-dnsop-dns-tcp-requirements-15" ipr="trus
t200902" updates="1123,1536">
<!-- category values: std, bcp, info, exp, and historic
ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902
,
or pre5378Trust200902
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** --> <!-- xml2rfc v2v3 conversion 3.12.0 -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary <front>
if the
full title is longer than 39 characters -->
<title abbrev="DNS Transport over TCP">DNS Transport over TCP - Operational R equirements</title> <title abbrev="DNS Transport over TCP">DNS Transport over TCP - Operational R equirements</title>
<seriesInfo name="RFC" value="9210"/>
<seriesInfo name="BCP" value="235"/>
<!-- add 'role="editor"' below for the editors if appropriate --> <author fullname="John Kristoff" initials="J." surname="Kristoff">
<!-- Another author who claims to be an editor --> <organization>DataPlane.org</organization>
<address>
<author fullname="John Kristoff" initials="J.T." surname="Kristoff"> <postal>
<organization>DataPlane.org</organization> <street/>
<address> <city>Chicago</city>
<postal> <region>IL</region>
<street></street> <code>60605</code>
<city>Chicago</city> <country>United States of America</country>
<region>IL</region> </postal>
<code>60605</code> <phone>+1 312 493 0305</phone>
<country>US</country> <email>jtk@dataplane.org</email>
</postal> <uri>https://dataplane.org/jtk/</uri>
<phone>+1 312 493 0305</phone> </address>
<email>jtk@dataplane.org</email> </author>
<uri>https://dataplane.org/jtk/</uri> <author fullname="Duane Wessels" initials="D." surname="Wessels">
</address> <organization>Verisign</organization>
</author> <address>
<postal>
<author fullname="Duane Wessels" initials="D." surname="Wessels"> <street>12061 Bluemont Way</street>
<organization>Verisign</organization> <city>Reston</city>
<address> <region>VA</region>
<postal> <code>20190</code>
<street>12061 Bluemont Way</street> <country>United States of America</country>
<city>Reston</city> </postal>
<region>VA</region> <phone>+1 703 948 3200</phone>
<code>20190</code> <email>dwessels@verisign.com</email>
<country>US</country> <uri>https://verisign.com</uri>
</postal> </address>
<phone>+1 703 948 3200</phone> </author>
<email>dwessels@verisign.com</email> <date year="2022" month="March" />
<uri>https://verisign.com</uri>
</address>
</author>
<date year="2022" />
<!-- If the month and year are both specified and are the current ones, xml2r
fc will fill
in the current day for you. If only the current year is specified, xml2r
fc will fill
in the current day and month for you. If the year is not the current one
, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not sp
ecified for the
purpose of calculating the expiry date). With drafts it is normally suf
ficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Operations and Management</area> <area>Operations and Management</area>
<workgroup>Domain Name System Operations</workgroup> <workgroup>Domain Name System Operations</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>DNS</keyword> <keyword>DNS</keyword>
<keyword>TCP</keyword> <keyword>TCP</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract> <abstract>
<t>This document updates RFC 1123 and RFC 1536. This <t>This document updates RFCs 1123 and 1536. This
document requires the operational practice of permitting document requires the operational practice of permitting
DNS messages to be carried over TCP on the Internet as a Best DNS messages to be carried over TCP on the Internet as a Best
Current Practice. This operational requirement is aligned with the Current Practice. This operational requirement is aligned with the
implementation requirements in RFC 7766. The use of TCP includes implementation requirements in RFC 7766. The use of TCP includes
both DNS over unencrypted TCP, as well as over an encrypted TLS both DNS over unencrypted TCP as well as over an encrypted TLS
session. The document also considers the consequences of this session. The document also considers the consequences of this
form of DNS communication and the potential operational issues that form of DNS communication and the potential operational issues that
can arise when this Best Current Practice is not upheld.</t> can arise when this Best Current Practice is not upheld.</t>
</abstract> </abstract>
</front> </front>
<middle>
<middle> <section numbered="true" toc="default">
<name>Introduction</name>
<section title="Introduction"> <t>DNS messages are delivered using UDP or TCP communications.
<t>DNS messages are delivered using UDP or TCP communications.
While most DNS transactions are carried over UDP, some operators While most DNS transactions are carried over UDP, some operators
have been led to believe that any DNS over TCP traffic is unwanted have been led to believe that any DNS-over-TCP traffic is unwanted
or unnecessary for general DNS operation. When DNS over TCP has or unnecessary for general DNS operation. When DNS over TCP has
been restricted, a variety of communication failures and debugging been restricted, a variety of communication failures and debugging
challenges often arise. As DNS and new naming system features have challenges often arise. As DNS and new naming system features have
evolved, TCP as a transport has become increasingly important for evolved, TCP as a transport has become increasingly important for
the correct and safe operation of an Internet DNS. Reflecting the correct and safe operation of an Internet DNS. Reflecting
modern usage, the DNS standards declare that modern usage, the DNS standards declare that
support for TCP is a required part of the DNS implementation support for TCP is a required part of the DNS implementation
specifications <xref target="RFC7766"></xref>. This document is the specifications <xref target="RFC7766" format="default"/>. This document is
formal requirements equivalent for the operational community, the
equivalent of formal requirements for the operational community,
encouraging system administrators, network engineers, and security encouraging system administrators, network engineers, and security
staff to ensure DNS over TCP communications support is on par with staff to ensure DNS-over-TCP communications support is on par with
DNS over UDP communications. It updates <xref target="RFC1123"/> DNS-over-UDP communications. It updates <xref target="RFC1123" sectionForma
Section 6.1.3.2 to clarify that all DNS resolvers and recursive t="comma" section="6.1.3.2"/> to clarify that all DNS resolvers and recursive
servers servers
MUST support and service both TCP and UDP queries, and also <bcp14>MUST</bcp14> support and service both TCP and UDP queries and also
updates <xref target="RFC1536"/> to remove the misconception updates <xref target="RFC1536" format="default"/> to remove the misconcepti
on
that TCP is only useful for zone transfers. that TCP is only useful for zone transfers.
</t> </t>
<section numbered="true" toc="default"><name>Requirements Language</name>
<section title="Requirements Language"> <t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
"MAY", and "OPTIONAL" in this document are to be interpreted as NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> whe RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
n, and only when, they "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
appear in all capitals, as shown here.</t> be interpreted as
</section> described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</section> </t>
</section>
<section title="History of DNS over TCP"> </section>
<t>The curious state of disagreement between operational best practices <section numbered="true" toc="default">
<name>History of DNS over TCP</name>
<t>The curious state of disagreement between operational best practices
and guidance for DNS transport protocols derives from conflicting and guidance for DNS transport protocols derives from conflicting
messages operators have received from other operators, implementors, messages operators have received from other operators, implementors,
and even the IETF. Sometimes these mixed signals have been and even the IETF. Sometimes these mixed signals have been
explicit; on other occasions, conflicting messages have been implicit. Thi s explicit; on other occasions, conflicting messages have been implicit. Thi s
section presents an interpretation of the storied and conflicting section presents an interpretation of the storied and conflicting
history that led to this document. This section is included for history that led to this document. This section is included for
informational purposes only.</t> informational purposes only.</t>
<section numbered="true" toc="default">
<section title="Uneven Transport Usage and Preference"> <name>Uneven Transport Usage and Preference</name>
<t>In the original suite of DNS specifications, <xref <t>In the original suite of DNS specifications, <xref target="RFC1034" f
target="RFC1034"></xref> and <xref target="RFC1035"></xref> ormat="default"/> and <xref target="RFC1035" format="default"/> clearly specify
clearly specified that DNS messages could be carried in either that DNS messages could be carried in either
UDP or TCP, but they also stated a preference for UDP as the UDP or TCP, but they also state that there is a preference for UDP as the
best transport for queries in the general case. As stated in best transport for queries in the general case. As stated in
<xref target="RFC1035"></xref>: <xref target="RFC1035" format="default"/>:
<list hangIndent="10" style="empty"> </t>
<t>"While virtual circuits can be used for any DNS activity, <blockquote>
While virtual circuits can be used for any DNS activity,
datagrams are preferred for queries due to their lower overhead datagrams are preferred for queries due to their lower overhead
and better performance."</t> and better performance.
</list> </blockquote>
</t> <t>Another early, important, and influential document, <xref target="RFC
1123" format="default"/>, marks the preference for a transport protocol more exp
<t>Another early, important, and influential document, licitly:</t>
<xref target="RFC1123"></xref>, marked the preference for a <blockquote>
transport protocol more DNS resolvers and recursive servers <bcp14>MUST</bcp14> support UDP, and
explicitly:<list hangIndent="10" style="empty"> <bcp14>SHOULD</bcp14> support TCP, for sending (non-zone-transfer) quer
<t>"DNS resolvers and recursive servers MUST support UDP, and ies.
SHOULD support TCP, for sending (non-zone-transfer) queries." </blockquote>
</t> <t>
</list> and it further stipulates that:</t>
and further stipulated:<list hangIndent="10" style="empty"> <blockquote>
<t>"A name server MAY limit the resources it devotes to TCP A name server <bcp14>MAY</bcp14> limit the resources it devotes to TCP
queries, but it SHOULD NOT refuse to service a TCP query just queries, but it <bcp14>SHOULD NOT</bcp14> refuse to service a TCP query
because it would have succeeded with UDP."</t> just
</list> because it would have succeeded with UDP.
</t> </blockquote>
<t>Culminating in <xref target="RFC1536" format="default"/>, DNS over TC
<t>Culminating in <xref target="RFC1536"></xref>, DNS over TCP P
came to be associated primarily with the zone transfer mechanism, came to be associated primarily with the zone transfer mechanism,
while most DNS queries and responses were seen as the dominion of while most DNS queries and responses were seen as the dominion of
UDP.</t> UDP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Waiting for Large Messages and Reliability"> <name>Waiting for Large Messages and Reliability</name>
<t>In the original specifications, the maximum DNS over UDP <t>In the original specifications, the maximum DNS-over-UDP
message size was enshrined at 512 bytes. However, even while message size was enshrined at 512 bytes. However, even while
<xref target="RFC1123"></xref> preferred UDP for non-zone transfer <xref target="RFC1123" format="default"/> prefers UDP for non-zone trans
queries, it foresaw DNS over TCP becoming more popular in the fer
future to overcome this limitation:<list hangIndent="10" queries, it foresaw that DNS over TCP would become more popular in the fu
style="empty"> ture to overcome this limitation:</t>
<t>"[...] it is also clear that some new DNS record types <blockquote>
[...] it is also clear that some new DNS record types
defined in the future will contain information exceeding the defined in the future will contain information exceeding the
512 byte limit that applies to UDP, and hence will require 512 byte limit that applies to UDP, and hence will require
TCP."</t> TCP.
</list> </blockquote>
</t> <t>At least two new, widely anticipated developments were set to
elevate the need for DNS-over-TCP transactions.
<t>At least two new, widely anticipated developments were set to <!--[rfced] Since RFC 2541 has been obsoleted by RFC 6781, may we
elevate the need for DNS over TCP transactions. The first was include the following note (i.e., "note that [RFC2541] has
dynamic updates defined in <xref target="RFC2136"></xref> and the been obsoleted by [RFC6781]")?
second was the set of extensions collectively known as DNSSEC,
whose operational considerations are originally given in <xref target="RF
C2541"/>. The
former suggested "requestors who require an accurate response
code must use TCP," while the latter warned "... larger keys
increase the size of KEY and SIG RRs. This increases the chance
of DNS UDP packet overflow and the possible necessity for using
higher overhead TCP in responses."</t>
<t>Yet, defying some expectations, DNS over TCP remained little-used Original:
The first was dynamic updates defined in [RFC2136] and the
second was the set of extensions collectively known as
DNSSEC, whose operational considerations are originally
given in [RFC2541].
Perhaps:
The first was dynamic updates defined in [RFC2136], and the
second was the set of extensions collectively known as
"DNSSEC", whose operational considerations were originally
given in [RFC2541] (note that [RFC2541] has been obsoleted
by [RFC6781]).
-->
The first was
dynamic updates defined in <xref target="RFC2136" format="default"/>, and
the
second was the set of extensions collectively known as "DNSSEC",
whose operational considerations were originally given in <xref target="R
FC2541" format="default"/>. The
former suggests that</t>
<blockquote>
...requestors who require an accurate response
code must use TCP.</blockquote>
<t>
while the latter warns that </t><blockquote>... larger keys
increase the size of the KEY and SIG RRs. This increases the chance
of DNS UDP packet overflow and the possible necessity for using
higher overhead TCP in responses.</blockquote>
<t>Yet, defying some expectations, DNS over TCP remained little used
in real traffic across the Internet in the late 1990s. Dynamic updates s aw in real traffic across the Internet in the late 1990s. Dynamic updates s aw
little deployment between autonomous networks. Around the time little deployment between autonomous networks. Around the time
DNSSEC was first defined, another new feature helped solidify DNSSEC was first defined, another new feature helped solidify
UDP transport dominance for message transactions.</t> UDP transport dominance for message transactions.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="EDNS(0)"> <name>EDNS(0)</name>
<t>In 1999 the IETF published the Extension Mechanisms for DNS <t>In 1999, the IETF published the Extension Mechanisms for DNS (EDNS(0)
(EDNS(0)) in <xref target="RFC2671"></xref> (superseded in 2013 by ) in <xref target="RFC2671"/> (which was obsoleted by <xref target="RFC6891" for
an update in <xref target="RFC6891"></xref>). That document mat="default"/> in 2013). That document
standardized a way for communicating DNS nodes to perform standardized a way for communicating DNS nodes to perform
rudimentary capabilities negotiation. One such capability rudimentary capabilities negotiation. One such capability
written into the base specification and present in every EDNS(0)-compatib le written into the base specification and present in every EDNS(0)-compatib le
message is the value of the maximum UDP payload size message is the value of the maximum UDP payload size
the sender can support. This unsigned 16-bit field specifies, the sender can support. This unsigned 16-bit field specifies,
in bytes, the maximum (possibly fragmented) DNS message size a in bytes, the maximum (possibly fragmented) DNS message size a
node is capable of receiving over UDP. In practice, typical values are node is capable of receiving over UDP. In practice, typical values are
a subset of the 512- to 4096-byte range. EDNS(0) became a subset of the 512- to 4096-byte range. EDNS(0) became
widely deployed over the next several years, and numerous surveys widely deployed over the next several years, and numerous surveys
(<xref target="CASTRO2010"></xref>, <xref target="NETALYZR"></xref>) (see <xref target="CASTRO2010" format="default"/> and <xref target="NETAL YZR" format="default"/>)
have shown that many systems support larger UDP MTUs have shown that many systems support larger UDP MTUs
with EDNS(0).</t> with EDNS(0).</t>
<t>The natural effect of EDNS(0) deployment meant DNS messages
<t>The natural effect of EDNS(0) deployment meant DNS messages
larger than 512 bytes would be less reliant on TCP than they larger than 512 bytes would be less reliant on TCP than they
might otherwise have been. While a non-negligible population of might otherwise have been. While a non-negligible population of
DNS systems lacked EDNS(0) or fell back to TCP when necessary, DNS systems lacked EDNS(0) or fell back to TCP when necessary,
DNS clients still strongly prefer UDP to TCP. DNS clients still strongly prefer UDP to TCP.
For example, as of 2014, For example, as of 2014,
DNS over TCP transactions remained a very small fraction of DNS-over-TCP transactions remained a very small fraction of
overall DNS traffic received by root name servers <xref target="VERISIGN" overall DNS traffic received by root name servers <xref target="VERISIGN"
></xref>.</t> format="default"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Fragmentation and Truncation"> <name>Fragmentation and Truncation</name>
<t>Although EDNS(0) provides a way for endpoints to signal support for <t>Although EDNS(0) provides a way for endpoints to signal support for
DNS messages exceeding 512 bytes, the realities of a diverse and DNS messages exceeding 512 bytes, the realities of a diverse and
inconsistently deployed Internet may result in some large messages inconsistently deployed Internet may result in some large messages
being unable to reach their destination. Any IP datagram whose size being unable to reach their destination. Any IP datagram whose size
exceeds the MTU of a link it transits will be fragmented and then exceeds the MTU of a link it transits will be fragmented and then
reassembled by the receiving host. Unfortunately, it is not uncommon reassembled by the receiving host. Unfortunately, it is not uncommon
for middleboxes and firewalls to block IP fragments. If one or more for middleboxes and firewalls to block IP fragments. If one or more
fragments do not arrive, the application does not receive the message fragments do not arrive, the application does not receive the message,
and the request times out.</t> and the request times out.</t>
<t>For IPv4-connected hosts, the MTU is often an Ethernet
<t>For IPv4-connected hosts, the MTU is often the Ethernet
payload size of 1500 bytes. This means that the largest unfragmented payload size of 1500 bytes. This means that the largest unfragmented
UDP DNS message that can be sent over IPv4 is likely 1472 bytes, UDP DNS message that can be sent over IPv4 is likely 1472 bytes,
although tunnel encapsulation may reduce that maximum message although tunnel encapsulation may reduce that maximum message
size in some cases.</t> size in some cases.</t>
<t>For
<t>For
IPv6, the situation is a little more complicated. First, IPv6 headers IPv6, the situation is a little more complicated. First, IPv6 headers
are 40 bytes (versus 20 without options in IPv4). Second, approximately are 40 bytes (versus 20 without options in IPv4). Second, approximately
one third of DNS recursive resolvers one-third of DNS recursive resolvers
use the minimum MTU of 1280 bytes <xref target="APNIC"/>. use the minimum MTU of 1280 bytes <xref target="APNIC" format="default"/>
.
Third, fragmentation in IPv6 can only be Third, fragmentation in IPv6 can only be
done by the host originating the datagram. The need to fragment is done by the host originating the datagram. The need to fragment is
conveyed in an ICMPv6 "packet too big" message. The originating host conveyed in an ICMPv6 "Packet Too Big" message. The originating host
indicates a fragmented datagram with IPv6 extension headers. indicates a fragmented datagram with IPv6 extension headers.
Unfortunately, it is quite common for both ICMPv6 and IPv6 extension Unfortunately, it is quite common for both ICMPv6 and IPv6 extension
headers to be blocked by middleboxes. According to headers to be blocked by middleboxes. According to
<xref target="HUSTON"/> some 35% <!-- 3,592 / 10,115 --> of IPv6-capable <xref target="HUSTON" format="default"/>, some 35% <!-- 3,592 / 10,115 -- > of IPv6-capable
recursive resolvers were unable to receive a fragmented IPv6 packet. recursive resolvers were unable to receive a fragmented IPv6 packet.
When the originating host receives a signal that When the originating host receives a signal that
fragmentation is required, it is expected to populate its Path fragmentation is required, it is expected to populate its path
MTU cache for that destination. The application, then, will retry MTU cache for that destination. The application will then retry
the query after a timeout since the host does not generally retain the query after a timeout since the host does not generally retain
copies of messages sent over UDP for potential retransmission.</t> copies of messages sent over UDP for potential retransmission.</t>
<t>The practical consequence of all this is that DNS requestors
<t>The practical consequence of all this is that DNS requestors
must be prepared to retry queries with different EDNS(0) maximum must be prepared to retry queries with different EDNS(0) maximum
message size values. Administrators of <xref target="BIND"/> are likely message size values.
to be
familiar with seeing "success resolving ... after reducing the
advertised EDNS(0) UDP packet size to 512 octets" messages in their
system logs.</t>
<t>Often, reducing the EDNS(0) UDP packet size leads to a <!--[rfced] Would it be correct to say that the administrators see the
following "message" rather than "messages" in their system logs?
Original:
Administrators of [BIND] are likely to be familiar with
seeing "success resolving ... after reducing the advertised EDNS(0)
UDP packet size to 512 octets" messages in their system logs.
Perhaps:
Administrators of [BIND] are likely to be familiar with
seeing the following message in their system logs: “success
resolving ... after reducing the advertised EDNS(0) UDP
packet size to 512 octets”.
-->
Administrators of <xref target="BIND" format="default"/> are likely to be
familiar with seeing "success resolving ... after reducing the
advertised EDNS(0) UDP packet size to 512 octets"
messages in their system logs.</t>
<t>Often, reducing the EDNS(0) UDP packet size leads to a
successful response. That is, the necessary data fits within the successful response. That is, the necessary data fits within the
smaller message size. However, when the data does not fit, the smaller message size. However, when the data does not fit, the
server sets the truncated flag in its response, indicating the server sets the truncated flag in its response, indicating the
client should retry over TCP to receive the whole response. This client should retry over TCP to receive the whole response. This
is undesirable from the client's point of view because it adds is undesirable from the client's point of view because it adds
more latency and potentially undesirable from the server's point more latency and is potentially undesirable from the server's point
of view due to the increased resource requirements of TCP.</t> of view due to the increased resource requirements of TCP.</t>
<t>Note that a receiver is unable to differentiate between packets
<t>Note that a receiver is unable to differentiate between packets
lost due to congestion and packets (fragments) intentionally lost due to congestion and packets (fragments) intentionally
dropped by firewalls or middleboxes. Over network paths with dropped by firewalls or middleboxes. Over network paths with
non-trivial amounts of packet loss, larger, fragmented DNS responses non-trivial amounts of packet loss, larger, fragmented DNS responses
are more likely to never arrive and time out compared to smaller, are more likely to never arrive and time out compared to smaller,
unfragmented responses. Clients might be misled into retrying unfragmented responses. Clients might be misled into retrying
queries with different EDNS(0) UDP packet size values for the queries with different EDNS(0) UDP packet size values for the
wrong reason.</t> wrong reason.</t>
<t>The issues around fragmentation, truncation, and TCP are
<t>The issues around fragmentation, truncation, and TCP are
driving certain implementation and policy decisions in the DNS. driving certain implementation and policy decisions in the DNS.
Notably, Cloudflare implemented what it calls "DNSSEC black lies" Notably, Cloudflare implemented what it calls "DNSSEC black lies"
<xref target="CLOUDFLARE"/> and uses ECDSA algorithms, such that <xref target="CLOUDFLARE" format="default"/> and uses Elliptic Curve Digi
tal
Signature Algorithms (ECDSAs) such that
their signed responses fit easily in 512 bytes. The Key Signing Key (KSK ) Rollover their signed responses fit easily in 512 bytes. The Key Signing Key (KSK ) Rollover
design team <xref target="DESIGNTEAM"/> spent a lot of time Design Team <xref target="DESIGNTEAM" format="default"/> spent a lot of t ime
thinking and worrying about response sizes. There is growing thinking and worrying about response sizes. There is growing
sentiment in the DNSSEC community that RSA key sizes beyond sentiment in the DNSSEC community that RSA key sizes beyond
2048-bits are impractical and that critical infrastructure zones 2048 bits are impractical and that critical infrastructure zones
should transition to elliptic curve algorithms to keep response should transition to elliptic curve algorithms to keep response
sizes manageable <xref target="ECDSA"/>.</t> sizes manageable <xref target="ECDSA" format="default"/>.</t>
<t>More recently, renewed security concerns about fragmented DNS
<t>More recently, renewed security concerns about fragmented DNS messages (see <xref target="I-D.ietf-dnsop-avoid-fragmentation" format="d
messages (<xref target="AVOID_FRAGS"/>, <xref target="FRAG_POISON"/>) efault"/> and <xref target="FRAG_POISON" format="default"/>)
are leading implementors to consider smaller responses and lower are leading implementors to consider smaller responses and lower
default EDNS(0) UDP payload size values for both queriers and default EDNS(0) UDP payload size values for both queriers and
responders <xref target="FLAGDAY2020"/>.</t> responders <xref target="FLAGDAY2020" format="default"/>.</t>
</section>
<section numbered="true" toc="default">
<!--[rfced] Is it necessary for this section title to have quote marks
or should the quote marks be removed for consistency with the
other titles?
</section> Original:
2.5. "Only Zone Transfers Use TCP"
<section title="&quot;Only Zone Transfers Use TCP&quot;"> Perhaps:
<t>Today, the majority of the DNS community expects, or at least 2.5. Only Zone Transfers Use TCP
has a desire, to see DNS over TCP transactions occur without -->
interference <xref target="FLAGDAY2020"/>. However, there has also been
a long-held belief by <name>"Only Zone Transfers Use TCP"</name>
<t>Today, the majority of the DNS community expects, or at least
has a desire, to see DNS-over-TCP transactions occur without
interference <xref target="FLAGDAY2020" format="default"/>. However, the
re has also been a long-held belief by
some operators, particularly for security-related reasons, that some operators, particularly for security-related reasons, that
DNS over TCP services should be purposely limited or not provided DNS-over-TCP services should be purposely limited or not provided
at all <xref target="CHES94"></xref>, <xref at all <xref target="CHES94" format="default"/> <xref target="DJBDNS" for
target="DJBDNS"></xref>. A popular meme is mat="default"/>. A popular meme is
that DNS over TCP is only ever used for zone that DNS over TCP is only ever used for zone
transfers and is generally unnecessary otherwise, with filtering transfers and is generally unnecessary otherwise, with filtering
all DNS over TCP traffic even described as a best practice.</t> all DNS-over-TCP traffic even described as a best practice.</t>
<t>The position on restricting DNS over TCP had some
<t>The position on restricting DNS over TCP had some
justification given that historical implementations of DNS justification given that historical implementations of DNS
nameservers provided very little in the way of TCP connection name servers provided very little in the way of TCP connection
management (for example see Section 6.1.2 of <xref management (for example, see <xref target="RFC7766" sectionFormat="of" se
target="RFC7766"></xref> for more details). However, modern ction="6.1.2"/> for more details). However, modern
standards and implementations are nearing parity with the more standards and implementations are nearing parity with the more
sophisticated TCP management techniques employed by, for example, sophisticated TCP management techniques employed by, for example,
HTTP(S) servers and load balancers.</t> HTTP(S) servers and load balancers.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Reuse, Pipelining, and Out-of-Order Processing"> <name>Reuse, Pipelining, and Out-of-Order Processing</name>
<t>The idea that a TCP connection can support multiple transactions <t>The idea that a TCP connection can support multiple transactions
goes back as far as <xref target="RFC0883"/>, which states: goes back as far as <xref target="RFC0883" format="default"/>, which stat
es:
"Multiple messages may be sent over a virtual circuit." Although "Multiple messages may be sent over a virtual circuit." Although
<xref target="RFC1035"/>, which updates the former, omits this <xref target="RFC1035" format="default"/>, which updates the former, omit s this
particular detail, it has been generally accepted that a TCP connection particular detail, it has been generally accepted that a TCP connection
can be used for more than one query and response.</t> can be used for more than one query and response.</t>
<t><xref target="RFC5966" format="default"/> clarifies that servers are
<t><xref target="RFC5966"/> clarified that servers are not not
required to preserve the order of queries and responses over required to preserve the order of queries and responses over
any transport. any transport.
<xref target="RFC7766"/>, which updates the former, further <xref target="RFC7766" format="default"/>, which updates the former, furt her
encourages query pipelining over TCP to achieve performance on encourages query pipelining over TCP to achieve performance on
par with UDP. par with UDP.
A server that sends out-of-order responses to pipelined queries A server that sends out-of-order responses to pipelined queries
avoids head-of-line blocking when the response for a later avoids head-of-line blocking when the response for a later
query is ready before the response to an earlier query.</t> query is ready before the response to an earlier query.</t>
<t>However, TCP can potentially suffer from a different
<t>However, TCP can potentially suffer from a different
head-of-line blocking problem due to packet loss. head-of-line blocking problem due to packet loss.
Since TCP itself enforces ordering, a single lost segment Since TCP itself enforces ordering, a single lost segment
delays delivery of data in any following segments until delays delivery of data in any following segments until
the lost segment is retransmitted and successfully received.</t> the lost segment is retransmitted and successfully received.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="DNS over TCP Requirements"> <name>DNS-over-TCP Requirements</name>
<t>An average increase in DNS message size (e.g., due to DNSSEC),
<t>An average increase in DNS message size (e.g., due to DNSSEC), the continued development of new DNS features (<xref target="dnsrfcs" forma
the continued development of new DNS features (<xref t="default"/>), and a denial-of-service mitigation
target="dnsrfcs"></xref>), and a denial of service mitigation technique (<xref target="Security" format="default"/>) all show that
technique (<xref target="Security"></xref>), all show that DNS-over-TCP transactions are as important to the correct and safe
DNS over TCP transactions are as important to the correct and safe
operation of the Internet DNS as ever, if not more so. operation of the Internet DNS as ever, if not more so.
Furthermore, there has been research that argues Furthermore, there has been research that argues
connection-oriented DNS transactions may provide security and connection-oriented DNS transactions may provide security and
privacy advantages over UDP transport <xref target="TDNS"></xref>. privacy advantages over UDP transport <xref target="TDNS" format="default"/
In fact, the standard for DNS over TLS <xref target="RFC7858"></xref> >.
In fact, the standard for DNS over TLS <xref target="RFC7858" format="defau
lt"/>
is just this sort of specification. Therefore, this document makes is just this sort of specification. Therefore, this document makes
explicit that it is undesirable for network operators to explicit that it is undesirable for network operators to
artificially inhibit DNS over TCP transport.</t> artificially inhibit DNS-over-TCP transport.</t>
<t>Section 6.1.3.2 in <xref target="RFC1123" /> is updated: All <!--[rfced] Should this text be presented in "Old/New" format for consistency wi
DNS resolvers and servers MUST support and service both UDP and th the other updates in this section?
Original:
Section 6.1.3.2 in [RFC1123] is updated: All DNS resolvers and
servers MUST support and service both UDP and TCP queries.
* DNS servers (including forwarders) MUST support and service TCP
for receiving queries, so that clients can reliably receive
responses that are larger than what either side considers too
large for UDP.
* DNS clients MUST support TCP for sending queries, so that they can
retry truncated UDP responses as necessary.
Perhaps:
Section 6.1.3.2 of [RFC1123] is updated as follows:
Old:
DNS resolvers and recursive servers MUST support UDP, and
SHOULD support TCP, for sending (non-zone-transfer) queries.
New:
All DNS resolvers and servers MUST support and service
both UDP and TCP queries.
Note that:
* DNS servers (including forwarders) MUST support and service TCP
for receiving queries so that clients can reliably receive
responses that are larger than what either side considers too
large for UDP.
* DNS clients MUST support TCP for sending queries so that they can
retry truncated UDP responses as necessary.
-->
<t><xref target="RFC1123" sectionFormat="of" section="6.1.3.2"/> is update
d: All
DNS resolvers and servers <bcp14>MUST</bcp14> support and service both UDP
and
TCP queries. TCP queries.
<list hangIndent="10" style="symbols"> </t>
<t>DNS servers (including forwarders) MUST support and service <ul spacing="normal">
TCP for receiving queries, so that clients can reliably receive <li>DNS servers (including forwarders) <bcp14>MUST</bcp14> support and s
ervice
TCP for receiving queries so that clients can reliably receive
responses that are larger than what either side considers too large responses that are larger than what either side considers too large
for UDP.</t> for UDP.</li>
<t>DNS clients MUST support TCP for sending <li>DNS clients <bcp14>MUST</bcp14> support TCP for sending
queries, so that they can retry truncated UDP responses as necessary.</ queries so that they can retry truncated UDP responses as necessary.</l
t> i>
</list> </ul>
Furthermore, the requirement in Section 6.1.3.2 of <xref <t>
target="RFC1123" /> around limiting the resources a server devotes Furthermore, the requirement in <xref target="RFC1123" sectionFormat="of" s
ection="6.1.3.2"/> around limiting the resources a server devotes
to queries is hereby updated:</t> to queries is hereby updated:</t>
<t>OLD:
<t>OLD: </t>
<list hangIndent="10" style="empty"> <blockquote>
<t>A name server MAY limit the resources it devotes to TCP queries, A name server <bcp14>MAY</bcp14> limit the resources it devotes to TCP
but it SHOULD NOT refuse to service a TCP query just queries,
because it would have succeeded with UDP.</t> but it <bcp14>SHOULD NOT</bcp14> refuse to service a TCP query just
</list> because it would have succeeded with UDP.
</blockquote>
<t>
NEW: NEW:
<list hangIndent="10" style="empty"> </t>
<t>A name server MAY limit the resources it devotes to queries, but <blockquote>
it MUST NOT refuse to service a query just because it would have A name server <bcp14>MAY</bcp14> limit the resources it devotes to qu
succeeded with another transport protocol.</t> eries, but
</list> it <bcp14>MUST NOT</bcp14> refuse to service a query just because it
</t> would have
succeeded with another transport protocol.</blockquote>
<t>Lastly, Section 1 of <xref target="RFC1536"/> is updated to eliminate <t>Lastly, <xref target="RFC1536" sectionFormat="of" section="1"/> is upda
ted to eliminate
the misconception that TCP is only useful for zone transfers:</t> the misconception that TCP is only useful for zone transfers:</t>
<t>OLD:
<t>OLD: </t>
<list hangIndent="10" style="empty"> <blockquote>
<t>DNS implements the classic request-response scheme of DNS implements the classic request-response scheme of
client-server interaction. UDP is, therefore, the chosen protocol client-server interaction. UDP is, therefore, the chosen protocol
for communication though TCP is used for zone transfers.</t> for communication though TCP is used for zone transfers.
</list> </blockquote>
<t>
NEW: NEW:
<list hangIndent="10" style="empty"> </t>
<t>DNS implements the classic request-response scheme of <blockquote>
client-server interaction.</t> DNS implements the classic request-response scheme of
</list> client-server interaction.
</t> </blockquote>
<t>Filtering of DNS over TCP is harmful in the general <t>The filtering of DNS over TCP is harmful in the general
case. DNS resolver and server operators MUST support and provide case. DNS resolver and server operators <bcp14>MUST</bcp14> support and pr
ovide
DNS service over both UDP and TCP transports. Likewise, network DNS service over both UDP and TCP transports. Likewise, network
operators MUST allow DNS service over both UDP and TCP transports. operators <bcp14>MUST</bcp14> allow DNS service over both UDP and TCP trans
It is acknowledged that DNS over TCP service can pose operational ports.
It is acknowledged that DNS-over-TCP service can pose operational
challenges that are not present when running DNS over UDP alone, challenges that are not present when running DNS over UDP alone,
and vice-versa. However, <!-- it is the aim of this document to argue that and vice versa. However, <!-- it is the aim of this document to argue that
--> -->
the potential damage incurred by prohibiting DNS over TCP the potential damage incurred by prohibiting DNS-over-TCP
service is more detrimental to the continued utility and success of service is more detrimental to the continued utility and success of
the DNS than when its usage is allowed.</t> the DNS than when its usage is allowed.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Network and System Considerations"> <name>Network and System Considerations</name>
<t>This section describes measures that systems and applications
<t>This section describes measures that systems and applications
can take to optimize performance over TCP and to protect themselves can take to optimize performance over TCP and to protect themselves
from TCP-based resource exhaustion and attacks.</t> from TCP-based resource exhaustion and attacks.</t>
<section numbered="true" toc="default">
<section title="Connection Establishment and Admission"> <name>Connection Establishment and Admission</name>
<t>Resolvers and other DNS clients should be aware that some
<t>Resolvers and other DNS clients should be aware that some
servers might not be reachable over TCP. For this reason, clients servers might not be reachable over TCP. For this reason, clients
MAY track and limit the number of TCP connections and <bcp14>MAY</bcp14> track and limit the number of TCP connections and
connection attempts to a single server. Reachability problems connection attempts to a single server. Reachability problems
can be caused by network elements close to the server, close can be caused by network elements close to the server, close
to the client, or anywhere along the path between them. Mobile to the client, or anywhere along the path between them. Mobile
clients that cache connection failures MAY do so on a per-network clients that cache connection failures <bcp14>MAY</bcp14> do so on a per-
basis, or MAY clear such a cache upon change of network.</t> network
basis or <bcp14>MAY</bcp14> clear such a cache upon change of network.</t
<t>Additionally, DNS clients >
MAY enforce a short timeout on unestablished connections, <t>Additionally, DNS clients
<bcp14>MAY</bcp14> enforce a short timeout on unestablished connections
rather than rely on the host operating system's TCP connection rather than rely on the host operating system's TCP connection
timeout, which is often around 60-120 seconds (i.e., due to an timeout, which is often around 60-120 seconds (i.e., due to an
initial retransmission timeout of 1 second, the exponential initial retransmission timeout of 1 second, the exponential
back off rules of <xref target="RFC6298"/>, and a limit of six back-off rules of <xref target="RFC6298" format="default"/>, and a limit of six
retries as is the default in Linux).</t> retries as is the default in Linux).</t>
<t>The SYN flooding attack is a denial-of-service method
<t>The SYN flooding attack is a denial-of-service method affecting hosts that run TCP server processes <xref target="RFC4987" form
affecting hosts that run TCP server processes <xref at="default"/>. This attack can be very effective if
target="RFC4987"/>. This attack can be very effective if
not mitigated. One of the most effective mitigation techniques not mitigated. One of the most effective mitigation techniques
is SYN cookies, described in Section 3.6 of <xref target="RFC4987"/>, whi ch allows the server to avoid allocating is SYN cookies, described in <xref target="RFC4987" sectionFormat="of" se ction="3.6"/>, which allows the server to avoid allocating
any state until the successful completion of the three-way any state until the successful completion of the three-way
handshake.</t> handshake.</t>
<t>Services not intended for use by the public Internet,
<t>Services not intended for use by the public Internet, such as most recursive name servers, <bcp14>SHOULD</bcp14> be protected
such as most recursive name servers, SHOULD be protected with access controls. Ideally, these controls are placed in
with access controls. Ideally these controls are placed in
the network, well before any unwanted TCP packets can the network, well before any unwanted TCP packets can
reach the DNS server host or application. If this is not reach the DNS server host or application. If this is not
possible, the controls can be placed in the application possible, the controls can be placed in the application
itself. In some situations (e.g. attacks) it may be necessary itself. In some situations (e.g., attacks), it may be necessary
to deploy access controls for DNS services that should to deploy access controls for DNS services that should
otherwise be globally reachable. See also <xref target="RFC5358"/>.</t> otherwise be globally reachable. See also <xref target="RFC5358" format=
"default"/>.</t>
<t>The FreeBSD and NetBSD operating systems have an "accept filter" featu <t>The FreeBSD and NetBSD operating systems have an "accept filter" feat
re ure
(<xref target="accept_filter"/>) (<xref target="accept_filter" format="default"/>)
that postpones delivery of TCP connections to applications that postpones delivery of TCP connections to applications
until a complete, valid request has been received. The until a complete, valid request has been received. The
dns_accf(9) filter ensures that a valid DNS message is dns_accf(9) filter ensures that a valid DNS message is
received. If not, the bogus connection never reaches the received. If not, the bogus connection never reaches the
application. application.
The Linux TCP_DEFER_ACCEPT feature, while more limited in scope, The Linux TCP_DEFER_ACCEPT feature, while more limited in scope,
can provide some of the same benefits as the BSD accept filter can provide some of the same benefits as the BSD accept filter
feature. feature.
These features are implemented as low-level socket options, These features are implemented as low-level socket options
and are not activated automatically. If applications wish to and are not activated automatically. If applications wish to
use these features, they need to make specific calls to set the use these features, they need to make specific calls to set the
right options, and administrators may also need to configure the right options, and administrators may also need to configure the
applications to appropriately use the features.</t> applications to appropriately use the features.</t>
<t>Per <xref target="RFC7766" format="default"/>, applications and admin
<t>Per <xref target="RFC7766"/>, applications and administrators istrators
are advised to remember that TCP MAY be used before sending are advised to remember that TCP <bcp14>MAY</bcp14> be used before sendin
any UDP queries. Networks and applications MUST NOT be configured g
any UDP queries. Networks and applications <bcp14>MUST NOT</bcp14> be co
nfigured
to refuse TCP queries that were not preceded by a UDP query.</t> to refuse TCP queries that were not preceded by a UDP query.</t>
<t>TCP Fast Open (TFO) <xref target="RFC7413" format="default"/> allows
<t>TCP Fast Open <xref target="RFC7413"/> (TFO) allows TCP TCP
clients to shorten the handshake for subsequent connections clients to shorten the handshake for subsequent connections
to the same server. TFO saves one round-trip time in the to the same server. TFO saves one round-trip time in the
connection setup. DNS servers SHOULD enable TFO when possible. connection setup. DNS servers <bcp14>SHOULD</bcp14> enable TFO when poss ible.
Furthermore, DNS servers clustered behind a single service Furthermore, DNS servers clustered behind a single service
address (e.g., anycast or load-balancing), SHOULD either use the address (e.g., anycast or load balancing) <bcp14>SHOULD</bcp14> either us
same TFO server key on all instances, or disable TFO for all members of t e the
he cluster.</t> same TFO server key on all instances or disable TFO for all members of th
e cluster.</t>
<t>DNS clients MAY also enable TFO. At the time of this writing, <t>DNS clients <bcp14>MAY</bcp14> also enable TFO. At the time of this
on some operating systems it is not implemented, or is disabled by defaul writing, it is not implemented or is disabled by default on some operating syste
t. ms.
<xref target="WIKIPEDIA_TFO"/> describes applications and operating syste <xref target="WIKIPEDIA_TFO" format="default"/> describes applications an
ms d operating systems
that support TFO.</t> that support TFO.</t>
</section>
</section> <section numbered="true" toc="default">
<name>Connection Management</name>
<section title="Connection Management"> <t>Since host memory for TCP state is a finite resource, DNS
<t>Since host memory for TCP state is a finite resource, DNS
clients and clients and
servers SHOULD actively manage their connections. Applications servers <bcp14>SHOULD</bcp14> actively manage their connections. Applica tions
that do not actively manage their connections that do not actively manage their connections
can encounter resource exhaustion leading to denial of can encounter resource exhaustion leading to denial of
service. For DNS, as in other protocols, there is a tradeoff service. For DNS, as in other protocols, there is a trade-off
between keeping connections open for potential future use and between keeping connections open for potential future use and
the need to free up resources for new connections that will arrive.</t> the need to free up resources for new connections that will arrive.</t>
<t>Operators of DNS server software <bcp14>SHOULD</bcp14> be aware that
<t>Operators of DNS server software SHOULD be aware that operating operating
system and application vendors MAY impose a limit on the total system and application vendors <bcp14>MAY</bcp14> impose a limit on the t
otal
number of established connections. These limits may be designed number of established connections. These limits may be designed
to protect against DDoS attacks or performance degradation. to protect against DDoS attacks or performance degradation.
Operators SHOULD understand how to increase these limits if Operators <bcp14>SHOULD</bcp14> understand how to increase these limits i
necessary, and the consequences of doing so. Limits imposed by f
the application SHOULD be lower than limits imposed by the necessary and the consequences of doing so. Limits imposed by
operating system, so that the application can apply its own the application <bcp14>SHOULD</bcp14> be lower than limits imposed by the
operating system so that the application can apply its own
policy to connection management, such as closing the oldest policy to connection management, such as closing the oldest
idle connections first.</t> idle connections first.</t>
<t>DNS server software <bcp14>MAY</bcp14> provide a configurable limit o
<t>DNS server software MAY provide a configurable limit on n
the number of established connections per source IP address the number of established connections per source IP address
or subnet. This can be used to ensure that a single or small or subnet. This can be used to ensure that a single or small
set of users cannot consume all TCP resources and deny set of users cannot consume all TCP resources and deny
service to other users. Note, however, that if this limit service to other users. Note, however, that if this limit
is enabled, it possibly limits client performance while leaving is enabled, it possibly limits client performance while leaving
some TCP resources unutilized. Operators SHOULD be aware of some TCP resources unutilized. Operators <bcp14>SHOULD</bcp14> be aware o
these tradeoffs and ensure this limit, if configured, f
these trade-offs and ensure this limit, if configured,
is set appropriately based on the number and diversity is set appropriately based on the number and diversity
of their users, and whether users connect from unique IP addresses or of their users and whether users connect from unique IP addresses or
through a shared Network Address Translator <xref target="RFC3022"/>.</t> through a shared Network Address Translator (NAT) <xref target="RFC3022"
format="default"/>.</t>
<t>DNS server software SHOULD provide a configurable timeout <t>DNS server software <bcp14>SHOULD</bcp14> provide a configurable time
out
for idle TCP connections. This can be used to free up resources for idle TCP connections. This can be used to free up resources
for new connections and to ensure that idle for new connections and to ensure that idle
connections are eventually closed. At the same time, it possibly connections are eventually closed. At the same time, it possibly
limits client performance while leaving some TCP resources unutilized. limits client performance while leaving some TCP resources unutilized.
For very busy name servers this For very busy name servers, this
might be set to a low value, such as a few seconds. For might be set to a low value, such as a few seconds. For
less busy servers it might be set to a higher value, such less busy servers, it might be set to a higher value, such
as tens of seconds. DNS clients and servers SHOULD signal as tens of seconds.
their timeout values using the edns-tcp-keepalive
option <xref target="RFC7828"/>.</t>
<t>DNS server software MAY provide a configurable limit on <!--[rfced] We updated one instance of "edns-tcp-keepalive option" to
"edns-tcp-keepalive EDNS(0) option" for consistency and per use
in RFC 7828. Please let us know of any objections.
Original:
DNS clients and servers SHOULD signal their timeout
values using the edns-tcp-keepalive option [RFC7828].
Current:
DNS clients and servers SHOULD signal their timeout
values using the edns-tcp-keepalive EDNS(0) option
[RFC7828].
-->
DNS clients and servers <bcp14>SHOULD</bcp14> signal
their timeout values using the edns-tcp-keepalive
option <xref target="RFC7828" format="default"/>.</t>
<t>DNS server software <bcp14>MAY</bcp14> provide a configurable limit o
n
the number of transactions per TCP connection. the number of transactions per TCP connection.
This can help protect against unfair connection use (e.g., not releasing This can help protect against unfair connection use (e.g., not releasing
connection slots to other clients) and network evasion attacks.</t> connection slots to other clients) and network evasion attacks.</t>
<t>Similarly, DNS server software <bcp14>MAY</bcp14> provide a configura
<t>Similarly, DNS server software MAY provide a configurable ble
limit on the total duration of a TCP connection. limit on the total duration of a TCP connection.
This can help protect against unfair connection use, slow read attacks, This can help protect against unfair connection use, slow read attacks,
and network evasion attacks.</t> and network evasion attacks.</t>
<t>Since clients may not be aware of server-imposed limits,
<t>Since clients may not be aware of server-imposed limits,
clients utilizing TCP for DNS need to always be prepared to clients utilizing TCP for DNS need to always be prepared to
re-establish connections or otherwise retry outstanding re-establish connections or otherwise retry outstanding
queries.</t> <!-- language lifted from RFC7766 --> queries.</t>
<!-- language lifted from RFC7766 -->
</section> </section>
<section numbered="true" toc="default">
<section title="Connection Termination"> <name>Connection Termination</name>
<t>The TCP peer that initiates a
<t>The TCP peer that initiates a
connection close retains the socket in the TIME_WAIT state connection close retains the socket in the TIME_WAIT state
for some amount of time, possibly a few minutes. for some amount of time, possibly a few minutes.
It is generally preferable for clients to initiate the It is generally preferable for clients to initiate the
close of a TCP connection so that busy servers do not close of a TCP connection so that busy servers do not
accumulate many sockets in the TIME_WAIT state, which can accumulate many sockets in the TIME_WAIT state, which can
cause performance problems or even denial of service. cause performance problems or even denial of service.
The edns-tcp-keepalive EDNS(0) option <xref target="RFC7828"/> The edns-tcp-keepalive EDNS(0) option <xref target="RFC7828" format="defa ult"/>
can be used to encourage clients to close connections.</t> can be used to encourage clients to close connections.</t>
<t>On systems where large numbers of sockets in TIME_WAIT
<t>On systems where large numbers of sockets in TIME_WAIT are observed (as either a client or a server) and are affecting
are observed (either as client or server), and are affecting
an application's performance, it may be tempting to tune local TCP an application's performance, it may be tempting to tune local TCP
parameters. For example, the Linux kernel has parameters. For example, the Linux kernel has
a "sysctl" parameter named net.ipv4.tcp_tw_reuse which allows a "sysctl" parameter named net.ipv4.tcp_tw_reuse, which allows
connections in the TIME_WAIT state to be reused in specific connections in the TIME_WAIT state to be reused in specific
circumstances. Note, however, this affects only outgoing (client) circumstances. Note, however, that this affects only outgoing (client)
connections and has no impact on servers. In most cases it is NOT connections and has no impact on servers. In most cases, it is <bcp14>NO
RECOMMENDED to change parameters related to the TIME_WAIT state. T
RECOMMENDED</bcp14> to change parameters related to the TIME_WAIT state.
It should only be done by those with detailed knowledge of both TCP It should only be done by those with detailed knowledge of both TCP
and the affected application.</t> and the affected application.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="DNS-over-TLS"> <name>DNS over TLS</name>
<t>DNS messages may be sent over TLS to provide privacy
<t>DNS messages may be sent over TLS to provide privacy between stubs and recursive resolvers. <xref target="RFC7858" format="def
between stubs and recursive resolvers. <xref target="RFC7858"/> ault"/>
is a Standards Track document describing how this works. is a Standards Track document describing how this works.
Although DNS-over-TLS utilizes TCP port 853 instead of port 53, this Although DNS over TLS utilizes TCP port 853 instead of port 53, this
document applies equally well to DNS-over-TLS. Note, however, document applies equally well to DNS over TLS. Note, however,
DNS-over-TLS is only defined between stubs and that DNS over TLS is only defined between stubs and
recursives at the time of this writing.</t> recursives at the time of this writing.</t>
<t>The use of TLS places even stronger operational burdens
<t>The use of TLS places even stronger operational burdens
on DNS clients and servers. Cryptographic functions for on DNS clients and servers. Cryptographic functions for
authentication and encryption require additional processing. authentication and encryption require additional processing.
Unoptimized connection setup with TLS 1.3 <xref target="RFC8446"/> Unoptimized connection setup with TLS 1.3 <xref target="RFC8446" format="
takes one additional round-trip compared to TCP. Connection setup default"/>
times can be reduced with TCP Fast Open, and TLS False Start <xref takes one additional round trip compared to TCP.
target="RFC7918"/> for TLS 1.2. TLS 1.3 session resumption does not <!-- [rfced] Is TCP Fast Open only for TLS 1.3 and TLS False Start only for TLS
1.2?
Original:
Connection setup times can be reduced with TCP Fast Open, and TLS False
Start [RFC7918] for TLS 1.2.
Perhaps:
Connection setup times can be reduced with TCP Fast Open for TLS 1.3 and
TLS False Start [RFC7918] for TLS 1.2.
-->
Connection setup
times can be reduced with TCP Fast Open, and TLS False Start <xref target
="RFC7918" format="default"/> for TLS 1.2. TLS 1.3 session resumption does not
reduce round-trip latency because no application profile for use of reduce round-trip latency because no application profile for use of
TLS 0-RTT data with DNS has been published at the time of this TLS 0-RTT data with DNS has been published at the time of this
writing. However, TLS session resumption can reduce the number of writing. However, TLS session resumption can reduce the number of
cryptographic operations, and in TLS 1.2, session resumption does cryptographic operations, and in TLS 1.2, session resumption does
reduce the number of additional round trips from two to one.</t> reduce the number of additional round trips from two to one.</t>
</section>
</section> <section numbered="true" toc="default">
<name>Defaults and Recommended Limits</name>
<section title="Defaults and Recommended Limits"> <t>A survey of features and defaults was conducted for popular
open-source DNS server implementations at the time of writing.
<t>A survey of features and defaults was conducted for popular
open source DNS server implementations at the time of writing.
This section documents those defaults and makes recommendations This section documents those defaults and makes recommendations
for configurable limits that can be used in the absence of any for configurable limits that can be used in the absence of any
other information. Any recommended values in this document are other information. Any recommended values in this document are
only intended as a starting point for administrators that are only intended as a starting point for administrators that are
unsure what sorts of limits might be reasonable. Operators SHOULD unsure of what sorts of limits might be reasonable. Operators <bcp14>SHOU LD</bcp14>
use application-specific monitoring, system logs, and system use application-specific monitoring, system logs, and system
monitoring tools to gauge whether their service is operating monitoring tools to gauge whether their service is operating
within or exceeding these limits, and adjust accordingly.</t> within or exceeding these limits and adjust accordingly.</t>
<t>Most open-source DNS server implementations provide a
<t>Most open source DNS server implementations provide a
configurable limit on the total number of established connections. configurable limit on the total number of established connections.
Default values range from 20 to 150. In most cases, where the Default values range from 20 to 150. In most cases, where the
majority of queries take place over UDP, 150 is a reasonable limit. majority of queries take place over UDP, 150 is a reasonable limit.
For services or environments where most queries take place over For services or environments where most queries take place over
TCP or TLS, 5000 is a more appropriate limit.</t> TCP or TLS, 5000 is a more appropriate limit.</t>
<t>Only some open-source implementations provide a way to limit
<t>Only some open source implementations provide a way to limit
the number of connections per source IP address or subnet, but the number of connections per source IP address or subnet, but
the default is to have no limit. For environments or situations the default is to have no limit. For environments or situations
where it may be necessary to enable this limit, 25 connections where it may be necessary to enable this limit, 25 connections
per source IP address is a reasonable starting point. The limit per source IP address is a reasonable starting point. The limit
should be increased when aggregated by subnet, or for services should be increased when aggregated by subnet or for services
where most queries take place over TCP or TLS.</t> where most queries take place over TCP or TLS.</t>
<t>Most open-source implementations provide a configurable idle
<t>Most open source implementations provide a configurable idle
timeout on connections. Default values range from 2 to 30 seconds. timeout on connections. Default values range from 2 to 30 seconds.
In most cases, 10 seconds is a reasonable default for this limit. In most cases, 10 seconds is a reasonable default for this limit.
Longer timeouts improve connection reuse, but busy servers may Longer timeouts improve connection reuse, but busy servers may
need to use a lower limit.</t> need to use a lower limit.</t>
<t>Only some open-source implementations provide a way to limit
<t>Only some open source implementations provide a way to limit
the number of transactions per connection, but the default is to the number of transactions per connection, but the default is to
have no limit. This document does not offer advice on particular have no limit. This document does not offer advice on particular
values for such a limit.</t> values for such a limit.</t>
<t>Only some open-source implementations provide a way to limit
<t>Only some open source implementations provide a way to limit
the duration of connection, but the default is to have no limit. the duration of connection, but the default is to have no limit.
This document does not offer advice on particular values for such This document does not offer advice on particular values for such
a limit.</t> a limit.</t>
</section>
</section> </section>
<section numbered="true" toc="default">
</section> <name>DNS-over-TCP Filtering Risks</name>
<t>Networks that filter DNS over TCP risk losing access to
<section title="DNS over TCP Filtering Risks">
<t>Networks that filter DNS over TCP risk losing access to
significant or important pieces of the DNS namespace. For a significant or important pieces of the DNS namespace. For a
variety of reasons a DNS answer may require a DNS over TCP query. variety of reasons, a DNS answer may require a DNS-over-TCP query.
This may include large message sizes, lack of EDNS(0) support, DDoS This may include large message sizes, lack of EDNS(0) support, or DDoS
mitigation techniques (including <xref target="RRL"/>), or perhaps some fut mitigation techniques (including Response Rate Limiting <xref target="RRL"
ure capability that is as format="default"/>); additionally, perhaps some future capability that is as
yet unforeseen will also demand TCP transport.</t> yet unforeseen will also demand TCP transport.</t>
<t>For example, <xref target="RFC7901" format="default"/> describes a late
<t>For example, <xref target="RFC7901"/> describes a latency-avoiding ncy-avoiding
technique that sends extra data in DNS responses. This makes technique that sends extra data in DNS responses. This makes
responses larger and potentially increases the effectiveness of DDoS reflec tion responses larger and potentially increases the effectiveness of DDoS reflec tion
attacks. The specification mandates the use of TCP or DNS attacks. The specification mandates the use of TCP or DNS
Cookies <xref target="RFC7873"/>.</t> cookies <xref target="RFC7873" format="default"/>.</t>
<t>Even if any or all particular answers have consistently been
<t>Even if any or all particular answers have consistently been
returned successfully with UDP in the past, this continued behavior returned successfully with UDP in the past, this continued behavior
cannot be guaranteed when DNS messages are exchanged between cannot be guaranteed when DNS messages are exchanged between
autonomous systems. Therefore, filtering of DNS over TCP is autonomous systems. Therefore, filtering of DNS over TCP is
considered harmful and contrary to the safe and successful operation considered harmful and contrary to the safe and successful operation
of the Internet. This section enumerates some of the known risks of the Internet. This section enumerates some of the known risks
at the time of this writing when networks filter DNS over at the time of this writing when networks filter DNS over
TCP.</t> TCP.</t>
<section numbered="true" toc="default">
<section title="Truncation, Retries, and Timeouts"> <!-- formerly DNS <name>Truncation, Retries, and Timeouts</name>
Wedgie --> <!-- formerly DNS Wedgie -->
<t>Networks that filter DNS over TCP may inadvertently cause <t>Networks that filter DNS over TCP may inadvertently cause
problems for third-party resolvers as experienced by <xref problems for third-party resolvers as experienced by <xref target="TOYAMA
target="TOYAMA"></xref>. For example, a resolver receives queries " format="default"/>. For example, a resolver receives queries
for a moderately popular domain. The resolver forwards the queries for a moderately popular domain. The resolver forwards the queries
to the domain's authoritative name servers, but those servers to the domain's authoritative name servers, but those servers
respond with the TC bit set. The resolver retries over TCP, respond with the TC bit set. The resolver retries over TCP,
but the authoritative server blocks DNS over TCP. The pending but the authoritative server blocks DNS over TCP. The pending
connections consume resources on the resolver until they time out. connections consume resources on the resolver until they time out.
If the number If the number
and frequency of these truncated-and-then-blocked queries is sufficiently high, and frequency of these truncated-and-then-blocked queries are sufficientl y high,
the resolver wastes valuable resources on queries that can never be answe red. the resolver wastes valuable resources on queries that can never be answe red.
This condition is generally not easily or completely mitigated by the This condition is generally not easily or completely mitigated by the
affected DNS resolver operator.</t> affected DNS resolver operator.</t>
</section> </section>
<section numbered="true" toc="default">
<name>DNS Root Zone KSK Rollover</name>
<!-- [rfced] Is the new root zone called "DNSSEC KSK"?
<section title="DNS Root Zone KSK Rollover"> Original:
<t>The plans for deploying a new root zone DNSSEC KSK highlighted The plans for deploying a new root zone DNSSEC KSK highlighted a
a potential problem in retrieving the root zone key set <xref potential problem in retrieving the root zone key set [LEWIS].
target="LEWIS"></xref>. During some phases of the KSK rollover process,
Perhaps:
The plans for deploying a new root zone, DNSSEC KSK, highlighted a
potential problem in retrieving the root zone key set [LEWIS].
-->
<t>The plans for deploying a new root zone DNSSEC KSK highlighted
a potential problem in retrieving the root zone key set <xref target="LEW
IS" format="default"/>. During some phases of the KSK rollover process,
root zone DNSKEY responses were root zone DNSKEY responses were
larger than 1280 bytes, the IPv6 minimum MTU for links larger than 1280 bytes, the IPv6 minimum MTU for links
carrying IPv6 traffic <xref target="RFC8200"/>. carrying IPv6 traffic <xref target="RFC8200" format="default"/>.
There was some concern <xref target="KSK_ROLLOVER_ARCHIVES"/>
<!--[rfced] We believe this text refers to "[KSK_ROLLOVER_ARCHIVES]",
so we moved the citation to the end of the sentence for
clarity. Please let us know of any objections.
Original:
There was some concern [KSK_ROLLOVER_ARCHIVES] that any DNS server unable
to receive large DNS messages over UDP, or any DNS message over TCP,
would experience disruption while performing DNSSEC validation.
Current:
There was some concern that any DNS server unable to receive large
DNS messages over UDP, or any DNS message over TCP, would experience
disruption while performing DNSSEC validation [KSK_ROLLOVER_ARCHIVES].
-->
There was some concern
that any DNS server unable to receive large that any DNS server unable to receive large
DNS messages over UDP, or any DNS message over TCP, would experience DNS messages over UDP, or any DNS message over TCP, would experience
disruption while performing DNSSEC validation.</t> disruption while performing DNSSEC validation <xref target="KSK_ROLLOVER_
ARCHIVES" format="default"/>.</t>
<t>However, during the <t>However, during the
year-long postponement of the KSK rollover there were no reported problem year-long postponement of the KSK rollover, there were no reported proble
s ms
that could be attributed to the 1414 octet DNSKEY response when both that could be attributed to the 1414 octet DNSKEY response when both
the old and new keys were published in the zone. Additionally, there the old and new keys were published in the zone. Additionally, there
were no reported problems during the two-month period when the old key wa s were no reported problems during the two-month period when the old key wa s
published as revoked and the DNSKEY response was 1425 octets in size <xre published as revoked and the DNSKEY response was 1425 octets in size <xre
f target="ROLL_YOUR_ROOT"/>.</t> f target="ROLL_YOUR_ROOT" format="default"/>.</t>
</section> </section>
</section>
</section> <section anchor="logging-monitoring" numbered="true" toc="default">
<name>Logging and Monitoring</name>
<section anchor="logging-monitoring" title="Logging and Monitoring"> <t>Developers of applications that log or monitor DNS
<t>Developers of applications that log or monitor DNS <bcp14>SHOULD NOT</bcp14> ignore TCP due to the perception that it is rarel
SHOULD NOT ignore TCP due to the perception that it is rarely used or y used or
is hard to process. Operators SHOULD ensure that is hard to process. Operators <bcp14>SHOULD</bcp14> ensure that
their monitoring and logging applications properly capture their monitoring and logging applications properly capture
DNS messages over TCP. Otherwise, attacks, exfiltration DNS messages over TCP. Otherwise, attacks, exfiltration
attempts, and normal traffic may go undetected.</t> attempts, and normal traffic may go undetected.</t>
<t>DNS messages over TCP are in no way guaranteed to arrive
<t>DNS messages over TCP are in no way guaranteed to arrive
in single segments. In fact, a clever attacker might attempt in single segments. In fact, a clever attacker might attempt
to hide certain messages by forcing them over very small TCP to hide certain messages by forcing them over very small TCP
segments. Applications that capture network packets (e.g., segments. Applications that capture network packets (e.g.,
with libpcap <xref target="libpcap"/>) SHOULD implement and perform full with libpcap <xref target="libpcap" format="default"/>) <bcp14>SHOULD</bcp1 4> implement and perform full
TCP stream reassembly and analyze the reassembled stream instead of the ind ividual packets. TCP stream reassembly and analyze the reassembled stream instead of the ind ividual packets.
Otherwise, they are vulnerable to network evasion attacks <xref target="phr ack"/>. Otherwise, they are vulnerable to network evasion attacks <xref target="phr ack" format="default"/>.
Furthermore, such applications need to protect Furthermore, such applications need to protect
themselves from resource exhaustion attacks by limiting the amount themselves from resource exhaustion attacks by limiting the amount
of memory allocated to tracking unacknowledged connection state data. of memory allocated to tracking unacknowledged connection state data.
dnscap <xref target="dnscap"/> is an dnscap <xref target="dnscap" format="default"/> is an
open-source example of a DNS logging program that implements open-source example of a DNS logging program that implements
TCP stream reassembly.</t> TCP stream reassembly.</t>
<t>Developers <bcp14>SHOULD</bcp14> also keep in mind connection reuse,
<t>Developers SHOULD also keep in mind connection reuse,
query pipelining, and out-of-order responses when building and testing query pipelining, and out-of-order responses when building and testing
DNS monitoring applications.</t> DNS monitoring applications.</t>
<t>As an alternative to packet capture, some DNS server software
<t>As an alternative to packet capture, some DNS server software supports dnstap <xref target="dnstap" format="default"/> as an integrated m
supports dnstap <xref target="dnstap"/> as an integrated monitoring onitoring
protocol intended to facilitate wide-scale DNS monitoring.</t> protocol intended to facilitate wide-scale DNS monitoring.</t>
</section> </section>
<section anchor="IANA" numbered="true" toc="default">
<section anchor="IANA" title="IANA Considerations"> <name>IANA Considerations</name>
<t>This memo includes no request to IANA.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section anchor="Security" numbered="true" toc="default">
<section anchor="Security" title="Security Considerations"> <name>Security Considerations</name>
<t>This document, providing operational requirements, is the
<t>This document, providing operational requirements, is the companion to the implementation requirements of DNS over TCP
companion to the implementation requirements of DNS over TCP, provided in <xref target="RFC7766" format="default"/>. The security consid
provided in <xref target="RFC7766"/>. The security considerations erations
from <xref target="RFC7766"/> still apply.</t> from <xref target="RFC7766" format="default"/> still apply.</t>
<t>Ironically, returning truncated DNS-over-UDP answers in order
<t>Ironically, returning truncated DNS over UDP answers in order
to induce a client query to switch to DNS over TCP has become to induce a client query to switch to DNS over TCP has become
a common response to source address spoofed, DNS denial-of-service a common response to source-address-spoofed, DNS denial-of-service
attacks <xref target="RRL"></xref>. Historically, operators have attacks <xref target="RRL" format="default"/>. Historically, operators hav
e
been wary of TCP-based attacks, but in recent years, UDP-based been wary of TCP-based attacks, but in recent years, UDP-based
flooding attacks have proven to be the most common protocol attack flooding attacks have proven to be the most common protocol attack
on the DNS. Nevertheless, a high rate of short-lived DNS on the DNS. Nevertheless, a high rate of short-lived DNS
transactions over TCP may pose challenges. In fact, <xref transactions over TCP may pose challenges. In fact, <xref target="DAI21" f
target="DAI21"></xref> details a class of IP fragmentation attacks ormat="default"/> details a class of IP fragmentation attacks
on DNS transactions if the IP Identifier field (16 bits in IPv4 and 32 bits in IPv6) can be predicted and a on DNS transactions if the IP Identifier field (16 bits in IPv4 and 32 bits in IPv6) can be predicted and a
system is coerced to fragment rather than retransmit messages. system is coerced to fragment rather than retransmit messages.
While many operators have provided DNS over TCP service for many While many operators have provided DNS-over-TCP service for many
years without duress, past experience is no guarantee of future years without duress, past experience is no guarantee of future
success.</t> success.</t>
<t>DNS over TCP is similar to many other Internet TCP services.
<t>DNS over TCP is similar to many other Internet TCP services.
TCP threats and many mitigation strategies have been TCP threats and many mitigation strategies have been
well-documented in a series of documents such as <xref well documented in a series of documents such as <xref target="RFC4953" for
target="RFC4953"></xref>, <xref target="RFC4987"></xref>, <xref mat="default"/>, <xref target="RFC4987" format="default"/>, <xref target="RFC592
target="RFC5927"></xref>, and <xref target="RFC5961"></xref>.</t> 7" format="default"/>, and <xref target="RFC5961" format="default"/>.</t>
<t>As mentioned in <xref target="logging-monitoring" format="default"/>, a
<t>As mentioned in <xref target="logging-monitoring"/>, applications pplications
that implement TCP stream reassembly need to limit the amount of that implement TCP stream reassembly need to limit the amount of
memory allocated to connection tracking. A failure to do so could memory allocated to connection tracking. A failure to do so could
lead to a total failure of the logging or monitoring application. lead to a total failure of the logging or monitoring application.
Imposition of resource limits creates a tradeoff between allowing Imposition of resource limits creates a trade-off between allowing
some stream reassembly to continue and allowing some evasion attacks some stream reassembly to continue and allowing some evasion attacks
to succeed.</t> to succeed.</t>
<t>This document recommends that DNS servers enable TFO when possible. <x
<t>This document recommends that DNS Servers enable TFO when possible. <xr ref target="RFC7413" format="default"/>
ef target="RFC7413"/> recommends that a pool of servers behind a load balancer with a shared
recommends that a pool of servers behind a load balancer with shared server IP address also share the key used to generate Fast Open cookies
server IP address also share the key used to generate Fast Open cookies, to prevent inordinate fallback to the three-way handshake (3WHS). This gui
to prevent inordinate fallback to the 3WHS. This guidance remains dance remains
accurate, but comes with a caveat: compromise of one server would reveal accurate but comes with a caveat: compromise of one server would reveal
this group-shared key, and allow for attacks involving the other servers this group-shared key and allow for attacks involving the other servers
in the pool by forging invalid Fast Open cookies.</t> in the pool by forging invalid Fast Open cookies.</t>
</section>
</section> <section anchor="Privacy" numbered="true" toc="default">
<name>Privacy Considerations</name>
<section anchor="Privacy" title="Privacy Considerations"> <t>Since DNS over both UDP and TCP uses the same underlying message
<t>Since DNS over both UDP and TCP uses the same underlying message
format, the use of one transport instead of the other does not change format, the use of one transport instead of the other does not change
the privacy characteristics of the message content (i.e., the name the privacy characteristics of the message content (i.e., the name
being queried). A number of protocols have recently been developed to being queried). A number of protocols have recently been developed to
provide DNS privacy, including DNS over TLS <xref target="RFC7858"/>, provide DNS privacy, including DNS over TLS <xref target="RFC7858" format="
DNS over DTLS <xref target="RFC8094"/>, DNS over HTTPS <xref default"/>,
target="RFC8484"/>, with even more on the way.</t> DNS over DTLS <xref target="RFC8094" format="default"/>, DNS over HTTPS
<xref target="RFC8484" format="default"/>, with even more on the way.</t>
<t>Because TCP is somewhat more complex than UDP, some <t>Because TCP is somewhat more complex than UDP, some
characteristics of a TCP conversation may enable DNS client fingerprinting and characteristics of a TCP conversation may enable DNS client fingerprinting and
tracking that is not possible with UDP. For example, the choice of tracking that is not possible with UDP. For example, the choice of
initial sequence numbers, window size, and options might be able initial sequence numbers, window size, and options might be able
to identify a particular TCP implementation, or even individual to identify a particular TCP implementation or even individual
hosts behind shared resources such as network address translators hosts behind shared resources such as NATs.</t>
(NATs).</t> </section>
</middle>
<back>
</section> <displayreference target="I-D.ietf-dnsop-avoid-fragmentation" to="AVOID_FRAGS"/>
<section anchor="Acknowledgments" title="Acknowledgments"> <references>
<t>This document was initially motivated by feedback from students <name>References</name>
who pointed out that they were hearing contradictory information <references>
about filtering DNS over TCP messages. Thanks in particular to a <name>Normative References</name>
teaching colleague, JPL, who perhaps unknowingly encouraged the <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
initial research into the differences between what the community has 1035.xml"/>
historically said and did. Thanks to all the NANOG 63 attendees <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
who provided feedback to an early talk on this subject.</t> 2119.xml"/>
<!-- https://archive.nanog.org/sites/default/files/nanog63-dnstrack-kristof <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
f-dnstcp.pdf --> 2181.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
6891.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7766.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7828.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7873.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8174.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
0768.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
0793.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
0883.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
1034.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
1123.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
1536.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
1995.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
1996.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
2136.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
2541.xml"/>
<!-- &RFC2629; -->
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
2671.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
2694.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
3022.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
3225.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
3226.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
4472.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
4953.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
4987.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5358.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5452.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5507.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5625.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5927.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5936.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5961.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
5966.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
6298.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
6762.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
6950.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7413.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7477.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7534.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7720.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7858.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7901.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
7918.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8027.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8094.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8162.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8200.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8324.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8446.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8467.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8482.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8483.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8484.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8490.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8501.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8806.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8906.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8932.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.
8945.xml"/>
<!-- A reference written by by an organization not a person. -->
<t>The following individuals provided an array of feedback to help <reference anchor="CHES94">
improve this document: Joe Abley, Piet Barber, Sara Dickinson, Tony Finch, <front>
Bob Harold, Paul Hoffman, Geoff Huston, Tatuya Jinmei, <title>Firewalls and Internet Security: Repelling the Wily Hacker</t
Puneet Sood, and Richard Wilhelm. The authors are also indebted to the con itle>
tributions <author fullname="William R. Cheswick" initials="W." surname="Cheswi
stemming from discussion in the tcpm working group meeting at ck"/>
IETF 104. Any remaining errors or imperfections are the sole <author fullname="Steven M. Bellovin" initials="S." surname="Bellovi
responsibility of the document authors.</t> n"/>
</section> <date year="1994"/>
</front>
<refcontent>First Edition</refcontent>
</reference>
</middle> <reference anchor="DAI21">
<front>
<title>DNS-over-TCP Considered Vulnerable</title>
<author fullname="Tianxiang Dai" initials="T." surname="Dai"/>
<author fullname="Haya Shulman" initials="H." surname="Shulman"/>
<author fullname="Michael Waidner" initials="M." surname="Waidner"/>
<date year="2021" month="July" />
</front>
<seriesInfo name="DOI" value="10.1145/3472305.3472884"/>
</reference>
<back> <reference anchor="DJBDNS" target="https://cr.yp.to/djbdns/tcp.html#why"
<!-- References split into informative and normative --> >
<front>
<title>When are TCP queries sent?</title>
<author surname="Bernstein" initials="D.">
</author>
<date month="November" year="2002"/>
</front>
</reference>
<!-- There are 2 ways to insert reference entries from the citation libraries <reference anchor="CASTRO2010">
: <front>
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here ( <title>Understanding and Preparing for DNS Evolution</title>
as shown) <author fullname="Sebastian Castro" initials="S." surname="Castro"/>
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml <author fullname="Min Zhang" initials="M." surname="Zhang"/>
"?> here <author fullname="Wolfgang John" initials="W." surname="John"/>
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.x <author fullname="Duane Wessels" initials="D." surname="Wessels"/>
ml") <author fullname="Kimberly claffy" initials="K." surname="claffy"/>
<date month="April" year="2010"/>
</front>
<seriesInfo name="DOI" value="10.1007/978-3-642-12365-8_1"/>
</reference>
Both are cited textually in the same manner: by using xref elements. <reference anchor="NETALYZR">
If you use the PI option, xml2rfc will, by default, try to find included fil <front>
es in the same <title>Netalyzr: Illuminating The Edge Network</title>
directory as the including file. You can also define the XML_LIBRARY environ <author fullname="Christian Kreibich" initials="C." surname="Kreibic
ment variable h"/>
with a value containing a set of directories to search. These can be either <author fullname="Nicholas Weaver" initials="N." surname="Weaver"/>
in the local <author fullname="Boris Nechaev" initials="B." surname="Nechaev"/>
filing system or remote ones accessed by http (http://domain/dir/... ).--> <author fullname="Vern Paxson" initials="V." surname="Paxson"/>
<date year="2010" month="November"/>
</front>
<seriesInfo name="DOI" value="10.1145/1879141.1879173"/>
</reference>
<references title="Normative References"> <reference anchor="VERISIGN">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2 <front>
119.xml"?--> <title>An Analysis of TCP Traffic in Root Server DITL Data</title>
&RFC1035; <author fullname="Matt Thomas" initials="M." surname="Thomas"/>
&RFC2119; <author fullname="Duane Wessels" initials="D." surname="Wessels"/>
&RFC2181; <date year="2014" month="October"/>
&RFC6891; </front>
&RFC7766; <refcontent>DNS-OARC 2014 Fall Workshop</refcontent>
&RFC7828; </reference>
&RFC7873;
&RFC8174;
</references> <reference anchor="TDNS">
<front>
<title>Connection-Oriented DNS to Improve Privacy and Security</titl
e>
<author fullname="Liang Zhu" initials="L." surname="Zhu"/>
<author fullname="John Heidemann" initials="J." surname="Heidemann"/
>
<author fullname="Duane Wessels" initials="D." surname="Wessels"/>
<author fullname="Allison Mankin" initials="A." surname="Mankin"/>
<author fullname="Nikita Somaiya" initials="N." surname="Somaiya"/>
<date year="2015" month="May"/>
</front>
<seriesInfo name="DOI" value="10.1109/SP.2015.18"/>
</reference>
<references title="Informative References"> <reference anchor="RRL">
<!-- Here we use entities that we defined at the beginning. --> <front>
<title>DNS Response Rate Limiting (DNS RRL)</title>
<author fullname="Paul Vixie" initials="P." surname="Vixie"/>
<author fullname="Vernon Schryver" initials="V." surname="Schryver"/
>
<date year="2012" month="April"/>
</front>
<refcontent>ISC-TN-2012-1-Draft1</refcontent>
</reference>
&RFC0768; <reference anchor="LEWIS" target="https://ripe74.ripe.net/presentations/
&RFC0793; 25-RIPE74-lewis-submission.pdf">
&RFC0883; <front>
&RFC1034; <title>2017 DNSSEC KSK Rollover</title>
&RFC1123; <author fullname="Edward Lewis" initials="E." surname="Lewis"/>
&RFC1536; <date year="2017" month="May"/>
&RFC1995; </front>
&RFC1996; <refcontent>RIPE 74</refcontent>
&RFC2136; </reference>
&RFC2541;
<!-- &RFC2629; -->
&RFC2671;
&RFC2694;
&RFC3022;
&RFC3225;
&RFC3226;
&RFC4472;
&RFC4953;
&RFC4987;
&RFC5358;
&RFC5452;
&RFC5507;
&RFC5625;
&RFC5927;
&RFC5936;
&RFC5961;
&RFC5966;
&RFC6298;
&RFC6762;
&RFC6950;
&RFC7413;
&RFC7477;
&RFC7534;
&RFC7720;
&RFC7858;
&RFC7901;
&RFC7918;
&RFC8027;
&RFC8094;
&RFC8162;
&RFC8200;
&RFC8324;
&RFC8446;
&RFC8467;
&RFC8482;
&RFC8483;
&RFC8484;
&RFC8490;
&RFC8501;
&RFC8806;
&RFC8906;
&RFC8932;
&RFC8945;
<!-- A reference written by by an organization not a person. --> <reference anchor="TOYAMA">
<front>
<title>DNS Anomalies and Their Impacts on DNS Cache Servers</title>
<author fullname="Katsuyasu Toyama" initials="K." surname="Toyama"/>
<author fullname="Keisuke Ishibashi" initials="K." surname="Ishibash
i"/>
<author fullname="Tsuyoshi Toyono" initials="T." surname="Toyono"/>
<author fullname="Masahiro Ishino" initials="M." surname="Ishino"/>
<author fullname="Chika Yoshimura" initials="C." surname="Yoshimura"
/>
<author fullname="Kazunori Fujiwara" initials="K." surname="Fujiwara
"/>
<date year="2004" month="October"/>
</front>
<refcontent>NANOG 32</refcontent>
</reference>
<reference anchor="CHES94"> <reference anchor="HUSTON" target="https://blog.apnic.net/2017/08/22/dea
<front> ling-ipv6-fragmentation-dns/">
<title>Firewalls and Internet Security: Repelling the Wily Hacker</titl <front>
e> <title>Dealing with IPv6 fragmentation in the DNS</title>
<author fullname="William R. Cheswick" initials="W.R." surname="Cheswic <author fullname="Geoff Huston" initials="G." surname="Huston"/>
k" /> <date year="2017" month="August"/>
<author fullname="Steven M. Bellovin" initials="S.M." surname="Bellovin </front>
" /> </reference>
<date year="1994" />
</front>
</reference>
<reference anchor="DAI21"> <reference anchor="CLOUDFLARE" target="https://blog.cloudflare.com/black
<front> -lies/">
<title>DNS-over-TCP Considered Vulnerable</title> <front>
<author fullname="Tianxiang Dai" initials="T." surname="Tianxiang" /> <title>Economical With The Truth: Making DNSSEC Answers Cheap</title
<author fullname="Haya Shulman" initials="H." surname="Shulman" /> >
<author fullname="Michael Waidner" initials="M." surname="Waidner" /> <author fullname="Dani Grant" initials="D." surname="Grant">
<date year="2021" /> <organization>Cloudflare</organization>
</front> </author>
</reference> <date year="2016" month="June"/>
</front>
</reference>
<reference anchor="DJBDNS" <reference anchor="DESIGNTEAM" target="https://www.iana.org/reports/2016
target="https://cr.yp.to/djbdns/tcp.html#why"> /root-ksk-rollover-design-20160307.pdf">
<front> <front>
<title>When are TCP queries sent?</title> <title>Root Zone KSK Rollover Plan</title>
<author> <author>
<organization>D.J. Bernstein</organization> <organization>ICANN</organization>
</author> </author>
<date year="2002" /> <date year="2016" month="March"/>
</front> </front>
</reference> </reference>
<reference anchor="WIKIPEDIA_TFO" target="https://en.wikipedia.org/w/ind
ex.php?title=TCP_Fast_Open&amp;oldid=1071397204">
<front>
<title>TCP Fast Open</title>
<author>
<organization>Wikipedia</organization>
</author>
<date year="2022" month="February"/>
</front>
</reference>
<!-- reference anchor="Stevens">
<front>
<title>UNIX Network Programming Volume 1, Third Edition: The Sockets Ne
tworking API</title>
<author fullname="W. Richard Stevens" initials="W.R." surname="Stevens"
/>
<author fullname="Bill Fenner" initials="B." surname="Fenner"/>
<author fullname="Andrew M. Rudoff" initials="A.M." surname="Rudoff"/>
<date year="2003" month="November" day="21"/>
</front>
</reference -->
<reference anchor="CASTRO2010"> <reference anchor="libpcap" target="https://www.tcpdump.org">
<front> <front>
<title>Understanding and preparing for DNS evolution</title> <title>Tcpdump and Libpcap</title>
<author fullname="Sebastian Castro" initials="S." surname="Castro" /> <author>
<author fullname="Min Zhang" initials="M." surname="Zhang" /> <organization>The Tcpdump Group</organization>
<author fullname="Wolfgang John" initials="W." surname="John" /> </author>
<author fullname="Duane Wessels" initials="D." surname="Wessels" /> </front>
<author fullname="kc claffy" initials="k.c." surname="claffy" /> </reference>
<date year="2010" />
</front>
</reference>
<reference anchor="NETALYZR"> <!-- [rfced] For "[dnscap]", the date listed at "https://www.dns-oarc.net/tools/
<front> dnscap" is "February 2014". May we update the reference information to reflect t
<title>Netalyzr: Illuminating The Edge Network</title> his?
<author fullname="Christian Kreibich" initials="C." surname="Kreibich"
/>
<author fullname="Nicholas Weaver" initials="N." surname="Weaver" />
<author fullname="Boris Nechaev" initials="B." surname="Nechaev" />
<author fullname="Vern Paxson" initials="V." surname="Paxson" />
<date year="2010" />
</front>
</reference>
<reference anchor="VERISIGN"> Original:
<front> [dnscap] DNS-OARC, "DNSCAP", 7 May 2018,
<title>An Analysis of TCP Traffic in Root Server DITL Data</title> <https://www.dns-oarc.net/tools/dnscap>
<author fullname="Matt Thomas" initials="M." surname="Thomas" />
<author fullname="Duane Wessels" initials="D." surname="Wessels" />
<date year="2014" />
</front>
<seriesInfo name="DNS-OARC 2014 Fall Workshop" value="Los Angeles" />
</reference>
<reference anchor="TDNS"> Perhaps:
<front> Original:
<title>Connection-oriented DNS to Improve Privacy and Security</title> [dnscap] DNS-OARC, "DNSCAP", February 2014,
<author fullname="Liang Zhu" initials="L." surname="Zhu" /> <https://www.dns-oarc.net/tools/dnscap>
<author fullname="John Heidemann" initials="J." surname="Heidemann" /> -->
<author fullname="Duane Wessels" initials="D." surname="Wessels" />
<author fullname="Allison Mankin" initials="A." surname="Mankin" />
<author fullname="Nikita Somaiya" initials="N." surname="Somaiya" />
<date year="2015" />
</front>
</reference>
<reference anchor="RRL"> <reference anchor="dnscap" target="https://www.dns-oarc.net/tools/dnscap
<front> ">
<title>DNS Response Rate Limiting (DNS RRL)</title> <front>
<author fullname="Paul Vixie" initials="P." surname="Vixie" /> <title>DNSCAP</title>
<author fullname="Vernon Schryver" initials="V." surname="Schryver" /> <author>
<date year="2012" month="April" /> <organization>DNS-OARC</organization>
</front> </author>
<seriesInfo name="ISC-TN 2012-1" value="Draft1" /> <date year="2018" month="May"/>
</reference> </front>
</reference>
<reference anchor="LEWIS" target="https://ripe74.ripe.net/presentations/25- <reference anchor="dnstap" target="https://dnstap.info">
RIPE74-lewis-submission.pdf"> <front>
<front> <title>dnstap</title>
<title>2017 DNSSEC KSK Rollover</title> <author/>
<author fullname="Edward Lewis" initials="E." surname="Lewis" /> <date/>
<date year="2017" month="May" day="8" /> </front>
</front> </reference>
<seriesInfo name="RIPE 74" value="Budapest, Hungary" />
</reference>
<reference anchor="TOYAMA"> <!--[rfced] For the reference [accept_filter], we see "June 2000"
<front> listed as the date; may we use this date instead of "May 2018"?
<title>DNS Anomalies and Their Impacts on DNS Cache Servers</title> Also, should the title perhaps be updated as "BSD Kernel
<author fullname="Katsuyasu Toyama" initials="K." surname="Toyama" /> Developer's Manual: accept_filter(9)"?
<author fullname="Keisuke Ishibashi" initials="K." surname="Ishibashi"
/>
<author fullname="Masahiro Ishino" initials="M." surname="Ishino" />
<author fullname="Chika Yoshimura" initials="C." surname="Yoshimura" />
<author fullname="Kazunori Fujiwara" initials="K." surname="Fujiwara" /
>
<date year="2004" />
</front>
<seriesInfo name="NANOG 32" value="Reston, VA USA" />
</reference>
<reference anchor="HUSTON" target="https://blog.apnic.net/2017/08/22/dealin Original:
g-ipv6-fragmentation-dns/"> [accept_filter]
<front> FreeBSD, "FreeBSD accept_filter(9)", 7 May 2018,
<title>Dealing with IPv6 fragmentation in the DNS</title> <https://www.freebsd.org/cgi/man.cgi?query=accept_filter>.
<author fullname="Geoff Huston" initials="G." surname="Huston" />
<date year="2017" month="August" day="22"/>
</front>
<format type="HTML" target="https://blog.apnic.net/2017/08/22/dealing-ipv
6-fragmentation-dns/"/>
</reference>
<reference anchor="CLOUDFLARE" target="https://blog.cloudflare.com/black-li Perhaps:
es/"> [accept_filter]
<front> FreeBSD, "BSD Kernel Developer's Manual: accept_filter(9)", June 2
<title>Economical With The Truth: Making DNSSEC Answers Cheap</title> 000,
<author fullname="Dani Grant" initials="D." surname="Grant"> <https://www.freebsd.org/cgi/man.cgi?query=accept_filter>.
<organization>Cloudflare</organization>
</author>
<date year="2016" month="June" day="24"/>
</front>
<format type="HTML" target="https://blog.cloudflare.com/black-lies/"/>
</reference>
<reference anchor="DESIGNTEAM" target="https://www.iana.org/reports/2016/ro -->
ot-ksk-rollover-design-20160307.pdf"> <reference anchor="accept_filter" target="https://www.freebsd.org/cgi/ma
<front> n.cgi?query=accept_filter">
<title>Root Zone KSK Rollover Plan</title> <front>
<author> <title>FreeBSD accept_filter(9)</title>
<organization>Design Team Report</organization> <author>
</author> <organization>FreeBSD</organization>
<date year="2015" month="December" day="18"/> </author>
</front> <date month="May" year="2018"/>
<format type="PDF" target="https://www.iana.org/reports/2016/root-ksk-rol </front>
lover-design-20160307.pdf"/> </reference>
</reference>
<reference anchor="WIKIPEDIA_TFO" target="https://en.wikipedia.org/wiki/TCP <!-- [AVOID_FRAGS] [I-D.ietf-dnsop-avoid-fragmentation] IESG state I-D Exists --
_Fast_Open"> >
<front>
<title>TCP Fast Open</title>
<author>
<organization>Wikipedia</organization>
</author>
<date year="2018" month="May" day="4"/>
</front>
</reference>
<!-- reference anchor="Stevens"> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dn
<front> sop-avoid-fragmentation.xml"/>
<title>UNIX Network Programming Volume 1, Third Edition: The Sockets Ne
tworking API</title>
<author fullname="W. Richard Stevens" initials="W.R." surname="Stevens"
/>
<author fullname="Bill Fenner" initials="B." surname="Fenner"/>
<author fullname="Andrew M. Rudoff" initials="A.M." surname="Rudoff"/>
<date year="2003" month="November" day="21"/>
</front>
</reference -->
<reference anchor="libpcap" target="https://www.tcpdump.org"> <!-- [rfced] The link for [FRAG_POISON] redirects to "https://cs.biu.ac.il/". S
<front> hould "https://arxiv.org/pdf/1205.4011.pdf" be used instead?
<title>Tcpdump and Libpcap</title>
<author>
<organization>Tcpdump/Libpcap</organization>
</author>
<date year="2018" month="May" day="7"/>
</front>
<format type="HTML" target="https://www.tcpdump.org"/>
</reference>
<reference anchor="dnscap" target="https://www.dns-oarc.net/tools/dnscap"> Original:
<front> [FRAG_POISON]
<title>DNSCAP</title> Herzberg, A. and H. Shulman, "Fragmentation Considered
<author> Poisonous", May 2012,
<organization>DNS-OARC</organization> <https://u.cs.biu.ac.il/~herzbea/security/13-03-frag.pdf>.
</author>
<date year="2018" month="May" day="7"/>
</front>
</reference>
<reference anchor="dnstap" target="https://dnstap.info"> Perhaps:
<front> [FRAG_POISON]
<title>dnstap</title> Herzberg, A. and H. Shulman, "Fragmentation Considered
<author fullname="Robert Edmonds" initials="R." surname="Edmonds"/> Poisonous", May 2012,
<author fullname="Paul Vixie" initials="P." surname="Vixie"/> <https://arxiv.org/pdf/1205.4011.pdf>.
<date year="2018" month="May" day="7"/> -->
</front>
</reference>
<reference anchor="accept_filter" target="https://www.freebsd.org/cgi/man.c <reference anchor="FRAG_POISON" target="https://u.cs.biu.ac.il/~herzbea/
gi?query=accept_filter"> security/13-03-frag.pdf">
<front> <front>
<title>FreeBSD accept_filter(9)</title> <title>Fragmentation Considered Poisonous</title>
<author> <author fullname="Amir Herzberg" initials="A." surname="Herzberg"/>
<organization>FreeBSD</organization> <author fullname="Haya Shulman" initials="H." surname="Shulman"/>
</author> <date year="2012" month="May"/>
<date year="2018" month="May" day="7"/> </front>
</front> </reference>
<format type="HTML" target="https://www.freebsd.org/cgi/man.cgi?query=ac
cept_filter"/>
</reference>
<reference anchor="AVOID_FRAGS"> <reference anchor="ROLL_YOUR_ROOT" target="https://dl.acm.org/doi/10.114
<front> 5/3355369.3355570">
<title>Fragmentation Avoidance in DNS</title> <front>
<author fullname="Kazunori Fujiwara" initials="K." surname="Fujiwara"/> <title>Roll, Roll, Roll Your Root: A Comprehensive Analysis of the F
<author fullname="Paul Vixie" initials="P." surname="Vixie"/> irst Ever DNSSEC Root KSK Rollover</title>
<date year="2021" month="February"/> <author fullname="Moritz Müller" initials="M." surname="Müller"/>
</front> <author fullname="Matthew Thomas" initials="M." surname="Thomas"/>
<seriesInfo name="Work in Progress," value="draft-ietf-dnsop-avoid-fragm <author fullname="Duane Wessels" initials="D." surname="Wessels"/>
entation-05"/> <author fullname="Wes Hardaker" initials="W." surname="Hardaker"/>
</reference> <author fullname="Taejoong Chung" initials="T." surname="Chung"/>
<author fullname="Willem Toorop" initials="W." surname="Toorop"/>
<author fullname="Roland van Rijswijk-Deij" initials="R." surname="v
an Rijswijk-Deij"/>
<date year="2019" month="October"/>
</front>
<seriesInfo name="DOI" value="10.1145/3355369.3355570"/>
</reference>
<reference anchor="FRAG_POISON" target="https://u.cs.biu.ac.il/~herzbea/sec <reference anchor="BIND" target="https://www.isc.org/bind/">
urity/13-03-frag.pdf"> <front>
<front> <title>BIND 9</title>
<title>Fragmentation Considered Poisonous</title> <author>
<author fullname="Amir Herzberg" initials="A." surname="Herzberg"/> <organization>Internet Systems Consortium</organization>
<author fullname="Haya Shulman" initials="H." surname="Shulman"/> </author>
<date year="2012" month="May"/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="ROLL_YOUR_ROOT" target="https://dl.acm.org/doi/10.1145/3 <reference anchor="ECDSA" target="https://dl.acm.org/doi/10.1145/2831347
355369.3355570"> .2831350">
<front> <front>
<title>Roll, Roll, Roll Your Root: A Comprehensive Analysis of the Firs <title>Making the Case for Elliptic Curves in DNSSEC</title>
t Ever DNSSEC Root KSK Rollover</title> <author fullname="Roland van Rijswijk-Deij" initials="R." surname="v
<author fullname="Moritz M&uuml;ller" initials="M." surname="M&uuml;lle an Rijswijk-Deij"/>
r"/> <author fullname="Anna Sperotto" initials="A." surname="Sperotto"/>
<author fullname="Matthew Thomas" initials="M." surname="Thomas"/> <author fullname="Aiko Pras" initials="A." surname="Pras"/>
<author fullname="Duane Wessels" initials="D." surname="Wessels"/> <date year="2015" month="October"/>
<author fullname="Wes Hardaker" initials="W." surname="Hardaker"/> </front>
<author fullname="Taejoong Chung" initials="T." surname="Chung"/> <seriesInfo name="DOI" value="10.1145/2831347.2831350"/>
<author fullname="Willem Toorop" initials="W." surname="Toorop"/> </reference>
<author fullname="Roland van Rijswijk-Deij" initials="R.v." surname="Ri
jswijk-Deij"/>
<date year="2019" month="Oct"/>
</front>
</reference>
<reference anchor="BIND" target="https://www.isc.org/bind/"> <reference anchor="FLAGDAY2020" target="https://dnsflagday.net/2020/">
<front> <front>
<title>BIND 9 - ISC</title> <title>DNS Flag Day 2020</title>
<author> <author><organization>DNS Software and Service Providers </organizat
<organization>Internet Systems Consortium</organization> ion></author>
</author> <date month="October" year="2020"/>
<date year="2021" month="Apr"/> </front>
</front> </reference>
</reference>
<reference anchor="ECDSA" target="https://dl.acm.org/doi/10.1145/2831347.28 <reference anchor="KSK_ROLLOVER_ARCHIVES" target="https://mm.icann.org/p
31350"> ipermail/ksk-rollover/2019-January/date.html">
<front> <front>
<title>Making the Case for Elliptic Curves in DNSSEC</title> <title>KSK Rollover List Archives</title>
<author fullname="Roland van Rijswijk-Deij" initials="R." surname="Rijs <author>
wijk-Deij"/> <organization>ICANN</organization>
<author fullname="Anna Sperotto" initials="A." surname="Sperotto"/> </author>
<author fullname="Aiko Pras" initials="A." surname="Pras"/> <date year="2019" month="January"/>
<date year="2015" month="Sep"/> </front>
</front> </reference>
</reference>
<reference anchor="FLAGDAY2020" target="https://dnsflagday.net/2020/"> <reference anchor="phrack" target="http://phrack.org/issues/54/10.html">
<front> <front>
<title>DNS Flag Day 2020</title> <title>Defeating Sniffers and Intrusion Detection Systems</title>
<author> <author fullname="horizon"/>
<organization>Various DNS software and service providers</organizati <date year="1998" month="December"/>
on> </front>
</author> <refcontent>Phrack Magazine</refcontent>
<date year="2020" month="Oct"/> </reference>
</front>
</reference>
<reference anchor="KSK_ROLLOVER_ARCHIVES" target="https://mm.icann.org/pipe <reference anchor="APNIC" target="https://labs.apnic.net/?p=1380">
rmail/ksk-rollover/2019-January/date.html"> <front>
<front> <title>DNS XL</title>
<title>KSK Rollover List Archives</title> <author fullname="Geoff Huston" initials="G." surname="Huston"/>
<author> <date year="2020" month="October"/>
<organization>Internet Coporation for Assigned Names and Numbers</or </front>
ganization> </reference>
</author> </references>
<date year="2019" month="Jan"/> </references>
</front> <section anchor="dnsrfcs" numbered="true" toc="default">
</reference> <name>Standards Related to DNS Transport over TCP</name>
<!-- [rfced] FYI: We have removed "IETF" in the following text because
not all documents listed in the Appendix are IETF documents. For
example, RFCs 8324 and 8483 are from the Independent Stream
rather than the IETF Stream.
<reference anchor="phrack" target="http://phrack.org/issues/54/10.html"> Also, which RFC(s) is a "Draft Standard"? If none
<front> are, this term should be removed. Please confirm.
<title>Defeating Sniffers and Intrusion Detection Systems</title>
<author fullname="horizon"/>
<date year="1998" month="Dec"/>
</front>
</reference>
<reference anchor="APNIC" target="https://labs.apnic.net/?p=1380"> Original:
<front> This section enumerates all known IETF RFC documents that are
<title>DNS XL</title> currently of status Internet Standard, Draft Standard, Proposed
<author fullname="Geoff Huston" initials="G." surname="Huston"/> Standard, Informational, Best Current Practice, or Experimental
<date year="2020" month="Oct"/> and either implicitly or explicitly make assumptions or statements
</front> about the use of TCP as a transport for the DNS germane to this
</reference> document.
</references> Current:
This section enumerates all known RFCs with a status of
Internet Standard, Draft Standard, Proposed Standard, Informational,
Best Current Practice, or Experimental that either implicitly or
explicitly make assumptions or statements about the use of TCP as a
transport for the DNS germane to this document.
-->
<section anchor="dnsrfcs" title="Standards Related to DNS Transport over TCP" <!-- [rfced] Unless we hear objection, we will update “Standards” to
> “RFCs” in the title of Appendix A as not all documents listed are
<t>This section enumerates all known IETF RFC documents that are standards (e.g., some are Experimental or Informational). In
currently of status Internet Standard, Draft Standard, Proposed Standard, addition, we will remove “IETF" from the subsection titles as not
all the RFCs listed are from the IETF Stream.
Original:
Appendix A. Standards Related to DNS Transport over TCP
A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND
SPECIFICATION
A.2. IETF RFC 1536 - Common DNS Implementation Errors and
Suggested Fixes
A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS
A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)
....., etc.
Perhaps:
Appendix A. RFCs Related to DNS Transport over TCP
A.1. RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND
SPECIFICATION
A.2. RFC 1536 - Common DNS Implementation Errors and
Suggested Fixes
A.3. RFC 1995 - Incremental Zone Transfer in DNS
A.4. RFC 1996 - A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)
....., etc.
-->
<t>This section enumerates all known RFCs with a status of
Internet Standard, Draft Standard, Proposed Standard,
Informational, Best Current Practice, Informational, Best Current Practice,
or Experimental and either implicitly or explicitly make or Experimental that either implicitly or explicitly make
assumptions or statements about the use of TCP as a transport for assumptions or statements about the use of TCP as a transport for
the DNS germane to this document.</t> the DNS germane to this document.</t>
<section numbered="true" toc="default">
<section title="IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICA <name>IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION</n
TION"> ame>
<t>The Internet Standard <xref target="RFC1035"></xref> is the <t>The Internet Standard <xref target="RFC1035" format="default"/> is th
e
base DNS specification that explicitly defines support for DNS base DNS specification that explicitly defines support for DNS
over TCP.</t> over TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 1536 - Common DNS Implementation Errors and Sugges <name>IETF RFC 1536 - Common DNS Implementation Errors and Suggested Fix
ted Fixes"> es</name>
<t>This Informational document <xref target="RFC1536"></xref> <t>The Informational document <xref target="RFC1536" format="default"/>
states UDP is the "chosen protocol for communication though TCP states that UDP is "the chosen protocol for communication though TCP
is used for zone transfers." That statement should now be is used for zone transfers." That statement should now be
considered in its historical context and is no longer a proper considered in its historical context and is no longer a proper
reflection of modern expectations.</t> reflection of modern expectations.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 1995 - Incremental Zone Transfer in DNS"> <name>IETF RFC 1995 - Incremental Zone Transfer in DNS</name>
<t>This Proposed Standard <xref target="RFC1995"/> <t>The Proposed Standard <xref target="RFC1995" format="default"/>
documents the use of TCP as the fallback transport when IXFR documents the use of TCP as the fallback transport when Incremental Zone
responses do not fit into a single UDP response. As with AXFR, Transfer (IXFR)
responses do not fit into a single UDP response. As with Authoritative T
ransfer (AXFR),
IXFR messages are typically delivered over TCP by default in IXFR messages are typically delivered over TCP by default in
practice.</t> practice.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 1996 - A Mechanism for Prompt Notification of Zone <name>IETF RFC 1996 - A Mechanism for Prompt Notification of Zone Change
Changes (DNS NOTIFY)"> s (DNS NOTIFY)</name>
<t>This Proposed Standard <xref target="RFC1996"/> <t>The Proposed Standard <xref target="RFC1996" format="default"/>
suggests a primary server may decide to issue NOTIFY messages over suggests that a primary server may decide to issue NOTIFY messages over
TCP. In practice, NOTIFY messages are generally sent over UDP, TCP. In practice, NOTIFY messages are generally sent over UDP,
but this specification leaves open the possibility that the but this specification leaves open the possibility that the
choice of transport protocol is up to the primary server, and therefore choice of transport protocol is up to the primary server; therefore,
a secondary server ought to be able to operate over both UDP and TCP.</t> a secondary server ought to be able to operate over both UDP and TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 2181 - Clarifications to the DNS Specification"> <name>IETF RFC 2181 - Clarifications to the DNS Specification</name>
<t>This Proposed Standard <xref target="RFC2181"/> <t>The Proposed Standard <xref target="RFC2181" format="default"/>
includes clarifying text on how a client should react to the TC includes clarifying text on how a client should react to the TC
bit set on responses. It is advised that the response should be bit set on responses. It is advised that the response be
discarded and the query resent using TCP.</t> discarded and the query resent using TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 2694 - DNS extensions to Network Address Translato <name>IETF RFC 2694 - DNS extensions to Network Address Translators (DNS
rs (DNS_ALG)"> _ALG)</name>
<t>This Informational document <xref target="RFC2694"></xref> <t>The Informational document <xref target="RFC2694" format="default"/>
enumerates considerations for network address translation (NAT) enumerates considerations for NAT
devices to properly handle DNS traffic. This document is devices to properly handle DNS traffic. This document is
noteworthy in its suggestion that noteworthy in its suggestion that
"[t]ypically, TCP is used for AXFR requests," "[t]ypically, TCP is used for AXFR requests,"
as further evidence that helps as further evidence that helps
explain why DNS over TCP may have often been treated very explain why DNS over TCP may have often been treated very
differently than DNS over UDP in operational networks.</t> differently than DNS over UDP in operational networks.</t>
</section> </section>
<section numbered="true" toc="default">
<name>IETF RFC 3225 - Indicating Resolver Support of DNSSEC</name>
<section title="IETF RFC 3225 - Indicating Resolver Support of DNSSEC"> <!-- [rfced] Would "that describes" be clearer than "expressing"?
<t>This Proposed Standard <xref target="RFC3225"/>
makes statements indicating DNS over TCP is "detrimental" as a Original:
This document is a companion to the next document in the RFC series
expressing the requirement for EDNS(0) support for DNSSEC.
Perhaps:
This document is a companion to the next document in the RFC Series
that describes the requirement for EDNS(0) support for DNSSEC.
-->
<t>The Proposed Standard <xref target="RFC3225" format="default"/>
makes statements indicating that DNS over TCP is "detrimental" as a
result of increased traffic, latency, and server load. This result of increased traffic, latency, and server load. This
document is a companion to the next document in the RFC document is a companion to the next document in the RFC
series expressing the requirement for EDNS(0) support for DNSSEC.</t> Series expressing the requirement for EDNS(0) support for DNSSEC.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver me <name>IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message s
ssage size requirements"> ize requirements</name>
<t>Although updated by later DNSSEC RFCs, <t>Although updated by later DNSSEC RFCs,
the Proposed Standard <xref target="RFC3226"></xref> the Proposed Standard <xref target="RFC3226" format="default"/>
strongly argues in favor of strongly argues in favor of
UDP messages instead of TCP, largely for performance reasons. The UDP messages instead of TCP, largely for performance reasons.
document declares EDNS(0) a requirement for DNSSEC servers and The document declares EDNS(0) a requirement for DNSSEC servers and
advocates that packet fragmentation may be preferable to TCP in advocates that packet fragmentation may be preferable to TCP in
certain situations.</t> certain situations.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 4472 - Operational Considerations and Issues with <name>IETF RFC 4472 - Operational Considerations and Issues with IPv6 DN
IPv6 DNS"> S</name>
<t>This Informational document <xref target="RFC4472"></xref> notes <t>The Informational document <xref target="RFC4472" format="default"/>
notes
that IPv6 data may increase DNS responses beyond what would fit in that IPv6 data may increase DNS responses beyond what would fit in
a UDP message. Particularly noteworthy, perhaps less common today a UDP message. What is particularly noteworthy, but perhaps less common
than when this document was written, it refers to implementations that today
than when this document was written, is that it refers to implementations
that
truncate data without setting the TC bit to encourage the client to truncate data without setting the TC bit to encourage the client to
resend the query using TCP.</t> resend the query using TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 5452 - Measures for Making DNS More Resilient agai <name>IETF RFC 5452 - Measures for Making DNS More Resilient against For
nst Forged Answers"> ged Answers</name>
<t>This Informational document <xref target="RFC5452"></xref> arose <t>The Proposed Standard <xref target="RFC5452" format="default"/> arose
as public DNS systems began to experience widespread abuse from spoofed as public DNS systems began to experience widespread abuse from spoofed
queries, resulting in amplification and reflection attacks against queries, resulting in amplification and reflection attacks against
unwitting victims. One of the leading justifications for supporting unwitting victims. One of the leading justifications for supporting
DNS over TCP to thwart these attacks is briefly described in this DNS over TCP to thwart these attacks is briefly described in <xref target
document's 9.3 Spoof Detection and Countermeasure section.</t> ="RFC5452" sectionFormat="of" section="9.3"/> ("Spoof Detection and Countermeasu
</section> re").</t>
</section>
<section title="IETF RFC 5507 - Design Choices When Expanding the DNS"> <section numbered="true" toc="default">
<t>This Informational document <xref target="RFC5507"></xref> was <name>IETF RFC 5507 - Design Choices When Expanding the DNS</name>
<t>The Informational document <xref target="RFC5507" format="default"/>
was
largely an attempt to dissuade new DNS data types from overloading the largely an attempt to dissuade new DNS data types from overloading the
TXT resource record type. In so doing it summarizes the conventional TXT resource record type. In so doing, it summarizes the conventional
wisdom of DNS design and implementation practices. The authors wisdom of DNS design and implementation practices. The authors
suggest TCP overhead and stateful properties pose challenges compared suggest TCP overhead and stateful properties pose challenges compared
to UDP, and imply that UDP is generally preferred for performance and to UDP and imply that UDP is generally preferred for performance and
robustness.</t> robustness.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 5625 - DNS Proxy Implementation Guidelines"> <name>IETF RFC 5625 - DNS Proxy Implementation Guidelines</name>
<t>This Best Current Practice document <xref target="RFC5625"></xref> <t>The Best Current Practice document <xref target="RFC5625" format="def
ault"/>
provides DNS proxy implementation guidance including the mandate that a provides DNS proxy implementation guidance including the mandate that a
proxy "MUST [...] be prepared to receive and forward queries over TCP" proxy "<bcp14>MUST</bcp14> [...] be prepared to receive and forward queri
even though it suggests historically TCP transport has not been strictly es over TCP"
even though it suggests that, historically, TCP transport has not been st
rictly
mandatory in stub resolvers or recursive servers.</t> mandatory in stub resolvers or recursive servers.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR)"> <name>IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR)</name>
<t>This Proposed Standard <xref target="RFC5936"/> <t>The Proposed Standard <xref target="RFC5936" format="default"/>
provides a detailed specification for the zone transfer protocol, provides a detailed specification for the zone transfer protocol,
as originally outlined in the early DNS standards. AXFR operation as originally outlined in the early DNS standards. AXFR operation
is limited to TCP and not specified for UDP. This document is limited to TCP and not specified for UDP. This document
discusses TCP usage at length.</t> discusses TCP usage at length.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7534 - AS112 Nameserver Operations"> <name>IETF RFC 7534 - AS112 Nameserver Operations</name>
<t><xref target="RFC7534"></xref> is an Informational document <t>The Informational document <xref target="RFC7534" format="default"/>
enumerating the requirements for operation of AS112 project DNS enumerates the requirements for operation of AS112 project DNS
servers. New AS112 nodes are tested for their ability to provide servers. New AS112 nodes are tested for their ability to provide
service on both UDP and TCP transports, with the implication that service on both UDP and TCP transports, with the implication that
TCP service is an expected part of normal operations.</t> TCP service is an expected part of normal operations.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 6762 - Multicast DNS"> <name>IETF RFC 6762 - Multicast DNS</name>
<t>In this Proposed Standard <xref target="RFC6762"></xref>, the <t>In the Proposed Standard <xref target="RFC6762" format="default"/>, t
he
TC bit is deemed to have essentially the same meaning as described TC bit is deemed to have essentially the same meaning as described
in the original DNS specifications. That is, if a response with the in the original DNS specifications. That is, if a response with the
TC bit set is received, "[...] the querier SHOULD reissue its query TC bit set is received, "[...] the querier <bcp14>SHOULD</bcp14> reissue its query
using TCP in order to receive the larger response."</t> using TCP in order to receive the larger response."</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0))"> <name>IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0))</name>
<t>This Internet Standard <xref target="RFC6891"></xref> <t>The Internet Standard <xref target="RFC6891" format="default"/>
helped slow the use of and need for DNS over TCP messages. This helped slow the use of and need for DNS-over-TCP messages. This
document highlights concerns over server load and scalability in document highlights concerns over server load and scalability in
widespread use of DNS over TCP.</t> widespread use of DNS over TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 6950 - Architectural Considerations on Application <name>IAB RFC 6950 - Architectural Considerations on Application Feature
Features in the DNS"> s in the DNS</name>
<t>An Informational document <xref target="RFC6950"></xref> that draws <t>The Informational document <xref target="RFC6950" format="default"/>
draws
attention to large data in the DNS. TCP is referenced in the attention to large data in the DNS. TCP is referenced in the
context as a common fallback mechanism and counter to some spoofing context as a common fallback mechanism and counter to some spoofing
attacks.</t> attacks.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7477 - Child-to-Parent Synchronization in DNS"> <name>IETF RFC 7477 - Child-to-Parent Synchronization in DNS</name>
<t>This Proposed Standard <xref target="RFC7477"></xref> <t>The Proposed Standard <xref target="RFC7477" format="default"/>
specifies a RRType and protocol to signal and synchronize NS, A, specifies an RRType and a protocol to signal and synchronize NS, A,
and AAAA resource record changes from a child to parent zone. and AAAA resource record changes from a child-to-parent zone.
Since this protocol may require multiple requests and responses, Since this protocol may require multiple requests and responses,
it recommends utilizing DNS over TCP to ensure the conversation it recommends utilizing DNS over TCP to ensure the conversation
takes place between a consistent pair of end nodes.</t> takes place between a consistent pair of end nodes.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7720 - DNS Root Name Service Protocol and Deployme <name>IETF RFC 7720 - DNS Root Name Service Protocol and Deployment Requ
nt Requirements"> irements</name>
<t>This Best Current Practice <xref target="RFC7720"></xref> <t>The Best Current Practice document <xref target="RFC7720" format="def
declares root name service "MUST support UDP <xref ault"/>
target="RFC0768"></xref> and TCP <xref target="RFC0793"></xref> declares that root name service "<bcp14>MUST</bcp14> support UDP <xref ta
rget="RFC0768" format="default"/> and TCP <xref target="RFC0793" format="default
"/>
transport of DNS queries and responses."</t> transport of DNS queries and responses."</t>
</section> </section>
<section anchor="app-rfc7766" numbered="true" toc="default">
<section anchor="app-rfc7766" title="IETF RFC 7766 - DNS Transport over TCP <name>IETF RFC 7766 - DNS Transport over TCP - Implementation Requiremen
- Implementation Requirements"> ts</name>
<t>This Proposed Standard <xref target="RFC7766"/> <t>The Proposed Standard <xref target="RFC7766" format="default"/>
instructs DNS implementers to provide support for carrying DNS instructs DNS implementors to provide support for carrying DNS-over-TCP m
over TCP messages in their software, and essages in their software and
might be considered the direct ancestor of this operational might be considered the direct ancestor of this operational
requirements document. requirements document.
The implementation requirements document The implementation requirements document
codifies mandatory support for DNS over TCP in compliant DNS codifies mandatory support for DNS-over-TCP in compliant DNS
software, but software but
makes no recommendations to operators, which we seek to address makes no recommendations to operators, which we seek to address
here.</t> here.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option"> <name>IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option</name>
<t>This Proposed Standard <xref target="RFC7828"></xref> <t>The Proposed Standard <xref target="RFC7828" format="default"/>
defines an EDNS(0) option to negotiate an idle timeout value for defines an EDNS(0) option to negotiate an idle timeout value for
long-lived DNS over TCP connections. Consequently, this document long-lived DNS-over-TCP connections. Consequently, this document
is only applicable and relevant to DNS over TCP sessions and is only applicable and relevant to DNS-over-TCP sessions and
between implementations that support this option.</t> between implementations that support this option.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7858 - Specification for DNS over Transport Layer <name>IETF RFC 7858 - Specification for DNS over Transport Layer Securit
Security (TLS)"> y (TLS)</name>
<t>This Proposed Standard <xref target="RFC7858"></xref> <t>The Proposed Standard <xref target="RFC7858" format="default"/>
defines a method for putting DNS messages into a TCP-based defines a method for putting DNS messages into a TCP-based
encrypted channel using TLS. This specification is noteworthy encrypted channel using TLS. This specification is noteworthy
for explicitly targeting the stub-to-recursive traffic, but for explicitly targeting the stub-to-recursive traffic but
does not preclude its application from recursive-to-authoritative does not preclude its application from recursive-to-authoritative
traffic.</t> traffic.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7873 - Domain Name System (DNS) Cookies"> <name>IETF RFC 7873 - Domain Name System (DNS) Cookies</name>
<t>This Proposed Standard <xref target="RFC7873"></xref> <t>The Proposed Standard <xref target="RFC7873" format="default"/>
describes an EDNS(0) option to provide additional protection describes an EDNS(0) option to provide additional protection
against query and answer forgery. This specification mentions against query and answer forgery. This specification mentions
DNS over TCP as an alternative mechanism when DNS Cookies DNS over TCP as an alternative mechanism when DNS cookies
are not available. The specification does make mention of DNS are not available. The specification does make mention of DNS-over-TCP p
over TCP processing in two specific situations. In one, when a rocessing in two specific situations. In one, when a
server receives only a client cookie in a request, the server server receives only a client cookie in a request, the server
should consider whether the request arrived over TCP and if so, should consider whether the request arrived over TCP, and if so,
it should consider accepting TCP as sufficient to authenticate it should consider accepting TCP as sufficient to authenticate
the request and respond accordingly. In another, when a client the request and respond accordingly. In another, when a client
receives a BADCOOKIE reply using a fresh server cookie, the receives a BADCOOKIE reply using a fresh server cookie, the
client should retry using TCP as the transport.</t> client should retry using TCP as the transport.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 7901 - CHAIN Query Requests in DNS"> <name>IETF RFC 7901 - CHAIN Query Requests in DNS</name>
<t>This Experimental specification <xref target="RFC7901"></xref> <t>The Experimental specification <xref target="RFC7901" format="default
"/>
describes an EDNS(0) option that can be used by a security-aware describes an EDNS(0) option that can be used by a security-aware
validating resolver to request and obtain a complete DNSSEC validating resolver to request and obtain a complete DNSSEC
validation path for any single query. This document requires the validation path for any single query. This document requires the
use of DNS over TCP or a source IP address verified transport use of DNS over TCP or a transport
mechanism such as EDNS-COOKIE <xref target="RFC7873"></xref>.</t> mechanism verified by a source IP address such as EDNS-COOKIE <xref targe
</section> t="RFC7873" format="default"/>.</t>
</section>
<section title="IETF RFC 8027 - DNSSEC Roadblock Avoidance"> <section numbered="true" toc="default">
<t>This Best Current Practice <xref target="RFC8027"></xref> details obse <name>IETF RFC 8027 - DNSSEC Roadblock Avoidance</name>
rved <t>The Best Current Practice document <xref target="RFC8027" format="def
ault"/> details observed
problems with DNSSEC deployment and mitigation techniques. problems with DNSSEC deployment and mitigation techniques.
Network traffic blocking and restrictions, including DNS over TCP Network traffic blocking and restrictions, including DNS-over-TCP
messages, are highlighted as one reason for DNSSEC deployment messages, are highlighted as one reason for DNSSEC deployment
issues. While this document suggests these sorts of problems are issues. While this document suggests these sorts of problems are
due to "non-compliant infrastructure", the due to "non-compliant infrastructure", the
scope of the document is limited to detection and mitigation scope of the document is limited to detection and mitigation
techniques to avoid so-called DNSSEC roadblocks.</t> techniques to avoid so-called DNSSEC roadblocks.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8094 - DNS over Datagram Transport Layer Security <name>IETF RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)<
(DTLS)"> /name>
<t>This Experimental specification <xref target="RFC8094"></xref> <t>The Experimental specification <xref target="RFC8094" format="default
details a protocol that uses a datagram transport (UDP), but "/>
details a protocol that uses a datagram transport (UDP) but
stipulates that "DNS clients and servers that implement DNS over stipulates that "DNS clients and servers that implement DNS over
DTLS MUST also implement DNS over TLS in order to provide privacy DTLS <bcp14>MUST</bcp14> also implement DNS over TLS in order to provide privacy
for clients that desire Strict Privacy [...]." This requirement for clients that desire Strict Privacy [...]." This requirement
implies DNS over TCP must be supported in case the message size implies DNS over TCP must be supported in case the message size
is larger than the path MTU.</t> is larger than the path MTU.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8162 - Using Secure DNS to Associate Certificates <name>IETF RFC 8162 - Using Secure DNS to Associate Certificates with Do
with Domain Names for S/MIME"> main Names for S/MIME</name>
<t>This Experimental specification <xref target="RFC8162"></xref> <t>The Experimental specification <xref target="RFC8162" format="default
"/>
describes a technique to authenticate user X.509 certificates describes a technique to authenticate user X.509 certificates
in an S/MIME system via the DNS. The document points out that in an S/MIME system via the DNS. The document points out that
the new experimental resource record types are expected to carry the new experimental resource record types are expected to carry
large payloads, resulting in the suggestion that "applications large payloads, resulting in the suggestion that "applications
SHOULD use TCP -- not UDP -- to perform queries for the SMIMEA <bcp14>SHOULD</bcp14> use TCP -- not UDP -- to perform queries for the SM IMEA
resource record."</t> resource record."</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, E <name>IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding
ncoding, Characters, Matching, and Root Structure: Time for Another Look?"> , Characters, Matching, and Root Structure: Time for Another Look?</name>
<t>An Informational document <xref target="RFC8324"></xref> that <t> The Informational document <xref target="RFC8324" format="default"/>
briefly discusses the common role and challenges of DNS over TCP briefly discusses the common role and challenges of DNS over TCP
throughout the history of DNS.</t> throughout the history of DNS.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8467 - Padding Policies for Extension Mechanisms f <name>IETF RFC 8467 - Padding Policies for Extension Mechanisms for DNS
or DNS (EDNS(0))"> (EDNS(0))</name>
<t>An Experimental document <xref target="RFC8467"></xref> <t>The Experimental document <xref target="RFC8467" format="default"/>
reminds implementers to consider the underlying transport reminds implementors to consider the underlying transport
protocol (e.g. TCP) when calculating the padding length when protocol (e.g., TCP) when calculating the padding length when
artificially increasing the DNS message size with an EDNS(0) artificially increasing the DNS message size with an EDNS(0)
padding option.</t> padding option.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8482 - Providing Minimal-Sized Responses to DNS Qu <name>IETF RFC 8482 - Providing Minimal-Sized Responses to DNS Queries T
eries That Have QTYPE=ANY"> hat Have QTYPE=ANY</name>
<t><xref target="RFC8482"/> is a Proposed Standard that <t>The Proposed Standard <xref target="RFC8482" format="default"/>
describes alternative ways that DNS servers can respond to queries describes alternative ways that DNS servers can respond to queries
of type ANY, which are sometimes used to provide amplification of type ANY, which are sometimes used to provide amplification
in DDoS attacks. The specification notes that responders may in DDoS attacks. The specification notes that responders may
behave differently, depending on the transport. For example, behave differently, depending on the transport. For example,
minimal-sized responses may be used over UDP transport, while minimal-sized responses may be used over UDP transport, while
full responses may be given over TCP.</t> full responses may be given over TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8483 - Yeti DNS Testbed"> <name>IETF RFC 8483 - Yeti DNS Testbed</name>
<t>This Informational document <xref target="RFC8483"></xref> <t>The Informational document <xref target="RFC8483" format="default"/>
describes a testbed environment that highlights some DNS over TCP describes a testbed environment that highlights some DNS-over-TCP
behaviors, including issues involving packet fragmentation and behaviors, including issues involving packet fragmentation and
operational requirements for TCP stream assembly in order to operational requirements for TCP stream assembly in order to
conduct DNS measurement and analysis.</t> conduct DNS measurement and analysis.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8484 - DNS Queries over HTTPS (DoH)"> <name>IETF RFC 8484 - DNS Queries over HTTPS (DoH)</name>
<t>This Proposed Standard <xref target="RFC8484"></xref> <t>The Proposed Standard <xref target="RFC8484" format="default"/>
defines a protocol for sending DNS queries and responses over defines a protocol for sending DNS queries and responses over
HTTPS. This specification assumes TLS and TCP for the underlying HTTPS. This specification assumes TLS and TCP for the underlying
security and transport layers, respectively. Self-described as a security and transport layers, respectively. Self-described as a
technique that more closely resembles a tunneling mechanism, technique that more closely resembles a tunneling mechanism,
DoH nevertheless likely implies DNS over TCP in some sense, if not DoH nevertheless likely implies DNS over TCP in some sense, if not
directly.</t> directly.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8490 - DNS Stateful Operations"> <name>IETF RFC 8490 - DNS Stateful Operations</name>
<t>This Proposed Standard <xref target="RFC8490"></xref> <t>The Proposed Standard <xref target="RFC8490" format="default"/>
updates the base protocol specification with a new OPCODE to updates the base protocol specification with a new OPCODE to
help manage stateful operations in persistent sessions, such help manage stateful operations in persistent sessions, such
as those that might be used by DNS over TCP.</t> as those that might be used by DNS over TCP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service Pr <name>IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service Providers
oviders"> </name>
<t>This Informational document <xref target="RFC8501"></xref> <t>The Informational document <xref target="RFC8501" format="default"/>
identifies potential operational challenges with Dynamic DNS identifies potential operational challenges with dynamic DNS,
including denial-of-service threats. The document suggests TCP including denial-of-service threats. The document suggests TCP
may provide some advantages, but that updating hosts would need may provide some advantages but that updating hosts would need
to be explicitly configured to use TCP instead of UDP.</t> to be explicitly configured to use TCP instead of UDP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8806 - Running a Root Server Local to a Resolver"> <name>IETF RFC 8806 - Running a Root Server Local to a Resolver</name>
<t>This Informational document <xref target="RFC8806"></xref> <t>The Informational document <xref target="RFC8806" format="default"/>
describes how to obtain and operate a local copy of the root zone describes how to obtain and operate a local copy of the root zone
with examples showing how to pull from authoritative sources using with examples showing how to pull from authoritative sources using
a DNS over TCP zone transfer.</t> a DNS-over-TCP zone transfer.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8906 - A Common Operational Problem in DNS Servers <name>IETF RFC 8906 - A Common Operational Problem in DNS Servers: Failu
: Failure to Communicate"> re to Communicate</name>
<t>This Best Current Practice document <xref target="RFC8906"></xref> <t>The Best Current Practice document <xref target="RFC8906" format="def
ault"/>
discusses a number of DNS operational failure scenarios and how to discusses a number of DNS operational failure scenarios and how to
avoid them. This includes discussions involving DNS over TCP queries, avoid them. This includes discussions involving DNS-over-TCP queries,
EDNS over TCP, and a testing methodology that includes a section on EDNS over TCP, and a testing methodology that includes a section on
verifying DNS over TCP functionality.</t> verifying DNS-over-TCP functionality.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IETF RFC 8932 - Recommendations for DNS Privacy Service Ope <name>IETF RFC 8932 - Recommendations for DNS Privacy Service Operators<
rators"> /name>
<t>This Best Current Practice document <xref target="RFC8932"></xref> <t>The Best Current Practice document <xref target="RFC8932" format="def
ault"/>
presents privacy considerations to DNS privacy service operators. presents privacy considerations to DNS privacy service operators.
These mechanisms sometimes include the use of TCP and are therefore These mechanisms sometimes include the use of TCP and are therefore
susceptible to information leakage such as TCP-based fingerprinting. susceptible to information leakage such as TCP-based fingerprinting.
This document also references a draft version of this document.</t> This document also references an earlier draft version of this document.<
</section> /t>
</section>
<section title="IETF RFC 8945 - Secret Key Transaction Authentication for D <section numbered="true" toc="default">
NS (TSIG)"> <name>IETF RFC 8945 - Secret Key Transaction Authentication for DNS (TSI
<t>This Internet Standard <xref target="RFC8945"></xref> G)</name>
recommends a client use TCP if truncated TSIG messages are <t>The Internet Standard <xref target="RFC8945" format="default"/>
recommends that a client use TCP if truncated TSIG messages are
received.</t> received.</t>
</section> </section>
</section>
<section anchor="Acknowledgments" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>This document was initially motivated by feedback from students
who pointed out that they were hearing contradictory information
about filtering DNS-over-TCP messages. Thanks in particular to a
teaching colleague, JPL, who perhaps unknowingly encouraged the
initial research into the differences between what the community has
historically said and did. Thanks to all the NANOG 63 attendees
who provided feedback for an early talk on this subject.</t>
<!-- https://archive.nanog.org/sites/default/files/nanog63-dnstrack-kristo
ff-dnstcp.pdf -->
</section> <t>The following individuals provided an array of feedback to help
improve this document: <contact fullname="Joe Abley"/>, <contact fullname="
Piet Barber"/>, <contact fullname="Sara Dickinson"/>, <contact fullname="Tony Fi
nch"/>, <contact fullname="Bob Harold"/>, <contact fullname="Paul Hoffman"/>, <c
ontact fullname="Geoff Huston"/>, <contact fullname="Tatuya Jinmei"/>,
<contact fullname="Puneet Sood"/>, and <contact fullname="Richard Wilhelm"/
>. The authors are also indebted to the contributions
stemming from discussion in the TCPM Working Group meeting at
IETF 104. Any remaining errors or imperfections are the sole
responsibility of the document authors.</t>
</section>
</back>
<!-- [rfced] Some author comments are present in the XML. Please confirm that no
updates related to these comments are outstanding. Note that the comments will
be deleted prior to publication.
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed.
Specifically, please review use of the term "black".
-->
</back>
</rfc> </rfc>
 End of changes. 250 change blocks. 
1366 lines changed or deleted 1438 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/