| blob | c6ec7e42a559941921f3dffbf47b6d330066b086 |
5 Network Working Group S. Woolf
6 Internet-Draft Internet Systems Consortium, Inc.
7 Expires: September 6, 2006 D. Conrad
8 Nominum, Inc.
9 March 5, 2006
12 Requirements for a Mechanism Identifying a Name Server Instance
13 draft-ietf-dnsop-serverid-06
15 Status of this Memo
17 By submitting this Internet-Draft, each author represents that any
18 applicable patent or other IPR claims of which he or she is aware
19 have been or will be disclosed, and any of which he or she becomes
20 aware will be disclosed, in accordance with Section 6 of BCP 79.
22 Internet-Drafts are working documents of the Internet Engineering
23 Task Force (IETF), its areas, and its working groups. Note that
24 other groups may also distribute working documents as Internet-
25 Drafts.
27 Internet-Drafts are draft documents valid for a maximum of six months
28 and may be updated, replaced, or obsoleted by other documents at any
29 time. It is inappropriate to use Internet-Drafts as reference
30 material or to cite them other than as "work in progress."
32 The list of current Internet-Drafts can be accessed at
33 http://www.ietf.org/ietf/1id-abstracts.txt.
35 The list of Internet-Draft Shadow Directories can be accessed at
36 http://www.ietf.org/shadow.html.
38 This Internet-Draft will expire on September 6, 2006.
40 Copyright Notice
42 Copyright (C) The Internet Society (2006).
44 Abstract
46 With the increased use of DNS anycast, load balancing, and other
47 mechanisms allowing more than one DNS name server to share a single
48 IP address, it is sometimes difficult to tell which of a pool of name
49 servers has answered a particular query. A standardized mechanism to
50 determine the identity of a name server responding to a particular
51 query would be useful, particularly as a diagnostic aid for
52 administrators. Existing ad hoc mechanisms for addressing this need
56 Woolf & Conrad Expires September 6, 2006 [Page 1]
57 \f
58 Internet-Draft Serverid March 2006
61 have some shortcomings, not the least of which is the lack of prior
62 analysis of exactly how such a mechanism should be designed and
63 deployed. This document describes the existing convention used in
64 some widely deployed implementations of the DNS protocol, including
65 advantages and disadvantages, and discusses some attributes of an
66 improved mechanism.
112 Woolf & Conrad Expires September 6, 2006 [Page 2]
113 \f
114 Internet-Draft Serverid March 2006
117 1. Introduction and Rationale
119 Identifying which name server is responding to queries is often
120 useful, particularly in attempting to diagnose name server
121 difficulties. This is most obviously useful for authoritative
122 nameservers in the attempt to diagnose the source or prevalence of
123 inaccurate data, but can also conceivably be useful for caching
124 resolvers in similar and other situations. Furthermore, the ability
125 to identify which server is responding to a query has become more
126 useful as DNS has become more critical to more Internet users, and as
127 network and server deployment topologies have become more complex.
129 The traditional means for determining which of several possible
130 servers is answering a query has traditionally been based on the use
131 of the server's IP address as a unique identifier. However, the
132 modern Internet has seen the deployment of various load balancing,
133 fault-tolerance, or attack-resistance schemes such as shared use of
134 unicast IP addresses as documented in [RFC3258]. An unfortunate side
135 effect of these schemes has been to make the use of IP addresses as
136 identifiers somewhat problematic. Specifically, a dedicated DNS
137 query may not go to the same server as answered a previous query,
138 even though sent to the same IP address. Non-DNS methods such as
139 ICMP ping, TCP connections, or non-DNS UDP packets (such as those
140 generated by tools like "traceroute"), etc., may well be even less
141 certain to reach the same server as the one which receives the DNS
142 queries.
144 There is a well-known and frequently-used technique for determining
145 an identity for a nameserver more specific than the possibly-non-
146 unique "server that answered the query I sent to IP address XXX".
147 The widespread use of the existing convention suggests a need for a
148 documented, interoperable means of querying the identity of a
149 nameserver that may be part of an anycast or load-balancing cluster.
150 At the same time, however, it also has some drawbacks that argue
151 against standardizing it as it's been practiced so far.
168 Woolf & Conrad Expires September 6, 2006 [Page 3]
169 \f
170 Internet-Draft Serverid March 2006
173 2. Existing Conventions
175 For some time, the commonly deployed Berkeley Internet Name Domain
176 implementation of the DNS protocol suite from the Internet Systems
177 Consortium [BIND] has supported a way of identifying a particular
178 server via the use of a standards-compliant, if somewhat unusual, DNS
179 query. Specifically, a query to a recent BIND server for a TXT
180 resource record in class 3 (CHAOS) for the domain name
181 "HOSTNAME.BIND." will return a string that can be configured by the
182 name server administrator to provide a unique identifier for the
183 responding server. (The value defaults to the result of a
184 gethostname() call). This mechanism, which is an extension of the
185 BIND convention of using CHAOS class TXT RR queries to sub-domains of
186 the "BIND." domain for version information, has been copied by
187 several name server vendors.
189 A refinement to the BIND-based mechanism, which dropped the
190 implementation-specific string, replaces ".BIND" with ".SERVER".
191 Thus the query string to learn the unique name of a server may be
192 queried as "ID.SERVER".
194 (For reference, the other well-known name used by recent versions of
195 BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
196 query for a CHAOS TXT RR for this name will return an
197 administratively defined string which defaults to the version of the
198 server responding. This is, however, not generally implemented by
199 other vendors.)
201 2.1. Advantages
203 There are several valuable attributes to this mechanism, which
204 account for its usefulness.
206 1. The "HOSTNAME.BIND" or "ID.SERVER" query response mechanism is
207 within the DNS protocol itself. An identification mechanism that
208 relies on the DNS protocol is more likely to be successful
209 (although not guaranteed) in going to the same system as a
210 "normal" DNS query.
212 2. Since the identity information is requested and returned within
213 the DNS protocol, it doesn't require allowing any other query
214 mechanism to the server, such as holes in firewalls for
215 otherwise-unallowed ICMP Echo requests. Thus it is likely to
216 reach the same server over a path subject to the same routing,
217 resource, and security policy as the query, without any special
218 exceptions to site security policy.
224 Woolf & Conrad Expires September 6, 2006 [Page 4]
225 \f
226 Internet-Draft Serverid March 2006
229 3. It is simple to configure. An administrator can easily turn on
230 this feature and control the results of the relevant query.
232 4. It allows the administrator complete control of what information
233 is given out in the response, minimizing passive leakage of
234 implementation or configuration details. Such details are often
235 considered sensitive by infrastructure operators.
237 5. Hypothetically, since it's an ordinary DNS record and the
238 relevant DNSSEC RRs are class independent, the id.server response
239 RR could be signed, which has the advantages described in
240 [RFC4033].
242 2.2. Disadvantages
244 At the same time, there are some serious drawbacks to the CHAOS/TXT
245 query mechanism that argue against standardizing it as it currently
246 operates.
248 1. It requires an additional query to correlate between the answer
249 to a DNS query under normal conditions and the supposed identity
250 of the server receiving the query. There are a number of
251 situations in which this simply isn't reliable.
253 2. It reserves an entire class in the DNS (CHAOS) for what amounts
254 to one zone. While CHAOS class is defined in [RFC1034] and
255 [RFC1035], it's not clear that supporting it solely for this
256 purpose is a good use of the namespace or of implementation
257 effort.
259 3. The initial and still common form, using .BIND, is implementation
260 specific. BIND is one DNS implementation. At the time of this
261 writing, it is probably the most prevalent for authoritative
262 servers. This does not justify standardizing on its ad hoc
263 solution to a problem shared across many operators and
264 implementors. Meanwhile, the proposed refinement changes the
265 string but preserves the ad hoc CHAOS/TXT mechanism.
267 4. There is no convention or shared understanding of what
268 information an answer to such a query for a server identity could
269 or should include, including a possible encoding or
270 authentication mechanism.
272 The first of the listed disadvantages may be technically the most
273 serious. It argues for an attempt to design a good answer to the
274 problem that "I need to know what nameserver is answering my
275 queries", not simply a convenient one.
280 Woolf & Conrad Expires September 6, 2006 [Page 5]
281 \f
282 Internet-Draft Serverid March 2006
285 2.3. Characteristics of an Implementation Neutral Convention
287 The discussion above of advantages and disadvantages to the
288 HOSTNAME.BIND mechanism suggest some requirements for a better
289 solution to the server identification problem. These are summarized
290 here as guidelines for any effort to provide appropriate protocol
291 extensions:
293 1. The mechanism adopted must be in-band for the DNS protocol. That
294 is, it needs to allow the query for the server's identifying
295 information to be part of a normal, operational query. It should
296 also permit a separate, dedicated query for the server's
297 identifying information. But it should preserve the ability of
298 the CHAOS/TXT query-based mechanism to work through firewalls and
299 in other situations where only DNS can be relied upon to reach
300 the server of interest.
302 2. The new mechanism should not require dedicated namespaces or
303 other reserved values outside of the existing protocol mechanisms
304 for these, i.e. the OPT pseudo-RR. In particular, it should not
305 propagate the existing drawback of requiring support for a CLASS
306 and top level domain in the authoritative server (or the querying
307 tool) to be useful.
309 3. Support for the identification functionality should be easy to
310 implement and easy to enable. It must be easy to disable and
311 should lend itself to access controls on who can query for it.
313 4. It should be possible to return a unique identifier for a server
314 without requiring the exposure of information that may be non-
315 public and considered sensitive by the operator, such as a
316 hostname or unicast IP address maintained for administrative
317 purposes.
319 5. It should be possible to authenticate the received data by some
320 mechanism analogous to those provided by DNSSEC. In this
321 context, the need could be met by including encryption options in
322 the specification of a new mechanism.
324 6. The identification mechanism should not be implementation-
325 specific.
336 Woolf & Conrad Expires September 6, 2006 [Page 6]
337 \f
338 Internet-Draft Serverid March 2006
341 3. IANA Considerations
343 This document proposes no specific IANA action. Protocol extensions,
344 if any, to meet the requirements described are out of scope for this
345 document. A proposed extension, specified and adopted by normal IETF
346 process, is described in [NSID], including relevant IANA action.
392 Woolf & Conrad Expires September 6, 2006 [Page 7]
393 \f
394 Internet-Draft Serverid March 2006
397 4. Security Considerations
399 Providing identifying information as to which server is responding to
400 a particular query from a particular location in the Internet can be
401 seen as information leakage and thus a security risk. This motivates
402 the suggestion above that a new mechanism for server identification
403 allow the administrator to disable the functionality altogether or
404 partially restrict availability of the data. It also suggests that
405 the serverid data should not be readily correlated with a hostname or
406 unicast IP address that may be considered private to the nameserver
407 operator's management infrastructure.
409 Propagation of protocol or service meta-data can sometimes expose the
410 application to denial of service or other attack. As DNS is a
411 critically important infrastructure service for the production
412 Internet, extra care needs to be taken against this risk for
413 designers, implementors, and operators of a new mechanism for server
414 identification.
416 Both authentication and confidentiality of serverid data are
417 potentially of interest to administrators-- that is, operators may
418 wish to make serverid data available and reliable to themselves and
419 their chosen associates only. This would imply both an ability to
420 authenticate it to themselves and keep it private from arbitrary
421 other parties. This led to Characteristics 4 and 5 of an improved
422 solution.
448 Woolf & Conrad Expires September 6, 2006 [Page 8]
449 \f
450 Internet-Draft Serverid March 2006
453 5. Acknowledgements
455 The technique for host identification documented here was initially
456 implemented by Paul Vixie of the Internet Software Consortium in the
457 Berkeley Internet Name Daemon package. Comments and questions on
458 earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
459 Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
460 ICANN Root Server System Advisory Committee. The newest version
461 takes a significantly different direction from previous versions,
462 owing to discussion among contributors to the DNSOP working group and
463 others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
464 Weiler, and Rob Austein.
466 6. References
468 [1] Mockapetris, P., "Domain Names - Concepts and Facilities",
469 RFC 1034, STD 0013, November 1987.
471 [2] Mockapetris, P., "Domain Names - Implementation and
472 Specification", RFC 1035, STD 0013, November 1987.
474 [3] Hardie, T., "Distributing Authoritative Name Servers via Shared
475 Unicast Addresses", RFC 3258, April 2002.
477 [4] ISC, "BIND 9 Configuration Reference".
479 [5] Austein, S., "DNS Name Server Identifier Option (NSID)",
480 Internet Drafts http://www.ietf.org/internet-drafts/
481 draft-ietf-dnsext-nsid-01.txt, January 2006.
483 [6] Arends, R., Austein, S., Larson, M., Massey, D., and S. Rose,
484 "DNS Security Introduction and Requirements", RFC 4033,
485 March 2005.
504 Woolf & Conrad Expires September 6, 2006 [Page 9]
505 \f
506 Internet-Draft Serverid March 2006
509 Authors' Addresses
511 Suzanne Woolf
512 Internet Systems Consortium, Inc.
513 950 Charter Street
514 Redwood City, CA 94063
515 US
517 Phone: +1 650 423-1333
518 Email: woolf@isc.org
519 URI: http://www.isc.org/
522 David Conrad
523 Nominum, Inc.
524 2385 Bay Road
525 Redwood City, CA 94063
526 US
528 Phone: +1 1 650 381 6003
529 Email: david.conrad@nominum.com
530 URI: http://www.nominum.com/
560 Woolf & Conrad Expires September 6, 2006 [Page 10]
561 \f
562 Internet-Draft Serverid March 2006
565 Intellectual Property Statement
567 The IETF takes no position regarding the validity or scope of any
568 Intellectual Property Rights or other rights that might be claimed to
569 pertain to the implementation or use of the technology described in
570 this document or the extent to which any license under such rights
571 might or might not be available; nor does it represent that it has
572 made any independent effort to identify any such rights. Information
573 on the procedures with respect to rights in RFC documents can be
574 found in BCP 78 and BCP 79.
576 Copies of IPR disclosures made to the IETF Secretariat and any
577 assurances of licenses to be made available, or the result of an
578 attempt made to obtain a general license or permission for the use of
579 such proprietary rights by implementers or users of this
580 specification can be obtained from the IETF on-line IPR repository at
581 http://www.ietf.org/ipr.
583 The IETF invites any interested party to bring to its attention any
584 copyrights, patents or patent applications, or other proprietary
585 rights that may cover technology that may be required to implement
586 this standard. Please address the information to the IETF at
587 ietf-ipr@ietf.org.
590 Disclaimer of Validity
592 This document and the information contained herein are provided on an
593 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
594 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
595 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
596 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
597 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
598 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
601 Copyright Statement
603 Copyright (C) The Internet Society (2006). This document is subject
604 to the rights, licenses and restrictions contained in BCP 78, and
605 except as set forth therein, the authors retain all their rights.
608 Acknowledgment
610 Funding for the RFC Editor function is currently provided by the
611 Internet Society.
616 Woolf & Conrad Expires September 6, 2006 [Page 11]
617 \f