DNS Operations(dnsop) K. Fujiwara Internet-Draft JPRS Intended status: Informational January 20, 2014 Expires: July 24, 2014 Side effect of DNSSEC: an increase of DS queries draft-fujiwara-dnsop-ds-query-increase-02.txt Abstract An increase of periodic DS queries is observed at top level domain (TLD) DNS servers. The reason of the increase is low NCACHE TTL value and DS nonexistence. This memo presents issues with DNSSEC and small NCACHE TTL value, including possible countermeasures in order to prepare future increase of DS queries. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 24, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Fujiwara Expires July 24, 2014 [Page 1] Internet-Draft Increase of DS queries January 2014 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Problem statement . . . . . . . . . . . . . . . . . . . . . . 2 3. Possible affected domain names . . . . . . . . . . . . . . . 3 4. Possible measures . . . . . . . . . . . . . . . . . . . . . . 3 4.1. Dummy DS idea . . . . . . . . . . . . . . . . . . . . . . 4 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction A significant increase of DS queries is observed at JP TLD DNS servers. 4.5% of queries are DS queries at JP TLD DNS servers in Dec., 2013 and they are still increasing. Almost all query names of DS queries are unsigned zone cuts. These DS queries are useless for DNSSEC validation because they are unsigned delegations. Very small number of IP addresses send most of DS queries and the DS queries are periodic. The reason of the increase is low NCACHE TTL value and DS nonexistence. Details are described in Section 2. Possible affected domain names are described in Section 3. Possible countermeasures are described in Section 4. 2. Problem statement Many TLDs have supported DNSSEC. However, many delegations do not have DS resource records. Some of full-resolvers support DNSSEC validation. The conditions of the DS query increase are as follows. o TLD's TTL value is relatively high, e.g., 86400. o TLD's NCACHE TTL value is low, e.g., 900. o There are many popular query names whose resource record TTLs are low, e.g., 300, and they are unsigned. o DNSSEC validators receive queries of popular names frequently, e.g. every 5 minutes. An unsigned delegation does not have a DS RR in its TLD zone. DNSSEC validation process starts when the validator receives a query and it does not exist in the validator's cache. DNSSEC validators need to know DS RR existence for each query name. The DS RR nonexistence information is cached within NCACHE TTL. As a result, each DNSSEC validator may send DS queries to TLD DNS servers one zone cut per NCACHE TTL seconds. Fujiwara Expires July 24, 2014 [Page 2] Internet-Draft Increase of DS queries January 2014 This phenomena is DNSSEC protocol and DNS parameter issue. DS queries will increase as DNSSEC validators will increase. JP TLD case, NS and glue TTL is 86400 and NCACHE TTL is 900. There are many popular names which are unsigned domain names and whose TTLs are low. TTL of "www.yahoo.co.jp" A is 60 (CNAME TTL is 900 and TTL of aliased name is 60) and TTL of "www.google.co.jp" A is 300. Busy full-resolvers receive both queries every minutes or more. When a busy full-resolver enables DNSSEC validation, it will send "yahoo.co.jp" and "google.co.jp" DS queries every 900 seconds. "yahoo.co.jp" NS and "google.co.jp" NS are cached in a day (86400 seconds). As a result, queries to JP DNS servers may increase 96 (86400 / 900) times at the maximum. This is DNSSEC protocol and parameter issue. 3. Possible affected domain names Possible affected domain names are delegation centric domain names which support DNSSEC, whose NCACHE TTL is low, and which has popular domain names which are not signed and use low TTL values. TLDs: com, net, org, jp use 900 as NCACHE TTL value. Magnification is 96 or more. Reverse DNS: 193.in-addr.arpa uses 3600 as NCACHE TTL value. Magnification is 48. The root is affected a little because popular TLDs have already been signed and the magnification is not high, 8 or 24 (86400 / 10800 or 86400 / 3600). 4. Possible measures There are no good solutions and five possible measures to the problem. 1. Reinforce DNS infrastructures. 2. Sign popular domain names. If popular domain names are signed, their DS RRs are cached. However, a TLD can not control them. Some TLDs have been trying to increase signed delegations by price or security campaigns. 3. Lengthen resource record TTL of popular names. However, a TLD can not control. 4. Lengthen NCACHE TTL value. However, the value is chosen by the TLD's policy and this approach can not stop the increase of DS Fujiwara Expires July 24, 2014 [Page 3] Internet-Draft Increase of DS queries January 2014 queries. Section 5 of DNS NCACHE [RFC2308] recommends negative cache time limit as values of one to three hours. Lengthening NCACHE TTL value over 10800 is useless. Magnification can only be lowered. (JP case, from 96 to 8 or 24.) 5. Update DNS/DNSSEC protocol to reduce unnecessary DS queries. There are some idea. 1. Changing validator's caching algorithms. 2. Adding dummy DS to popular unsigned delegations. Details are described in Section 4.1. Without protocol modifications, we need to reinforce DNS infrastructures and try to increase signed delegations. 4.1. Dummy DS idea "Adding dummy DS to popular unsigned delegations." Dummy DS RR may be ignored by traditional DNSSEC validators and it indicates that the delegation is an unsigned delegation. Dummy DS TTL value is controllable. This proposal requires new digest type. Dummy DS RR will be ignored by traditional DNSSEC validators because Section 5.2 of DNSSEC Protocol [RFC4035] defines that the resolver should treat unknown digest type as no DS RRset exists. BIND 9 and Unbound validators ignored dummy DS RR whose digest type is 255. However, there are many considerations. o Dummy DS RRs may be treated as a DNSSEC error. Google public DNS reports validation error at dummy DSs. BIND 9 and Unbound validators ignore dummy DSs. DNSSEC Protocol [RFC4035] may be ambiguous. o Dummy DS RRs increase signing costs because most of TLDs use opt- out technique defined in NSEC3 [RFC5155] to reduce signed domain names. o Newly added DS RRs may be used within dummy DSs' TTL seconds (for example, it will be 1 day). Without dummy DS RRs, newly added DS RRs are used within NCACHE TTL (900 or 10800 seconds). o Is it allowed that TLDs add dummy DS RRs without registrants' consent? If adding dummy DS is same as 'NO DS', it is possible. Otherwise, TLDs cannot add dummy DS RRs without registrants' consent. Fujiwara Expires July 24, 2014 [Page 4] Internet-Draft Increase of DS queries January 2014 5. References [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, March 2008. Author's Address Kazunori Fujiwara Japan Registry Services Co., Ltd. Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda Chiyoda-ku, Tokyo 101-0065 Japan Phone: +81 3 5215 8451 EMail: fujiwara@jprs.co.jp Fujiwara Expires July 24, 2014 [Page 5]