Internet DRAFT - draft-daley-servezones

draft-daley-servezones







Internet Engineering Task Force                            J. Daley, Ed.
Internet-Draft                                     .nz Registry Services
Intended status: Standards Track                         August 13, 2013
Expires: February 14, 2014


                         DNS SERVEZONES message
                       draft-daley-servezones-00

Abstract

   This memo describes an addition to the DNS protocol that support the
   remote provisioning of zones on authoritative servers.  This addition
   is complementary to the existing mechanisms for provisioning zone
   data using the DNS protocol.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 14, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Daley                   Expires February 14, 2014               [Page 1]

Internet-Draft                 SERVEZONES                    August 2013


Table of Contents

   1.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     2.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   3.  The SERVEZONES message  . . . . . . . . . . . . . . . . . . .   3
     3.1.  SERVEZONES request  . . . . . . . . . . . . . . . . . . .   3
       3.1.1.  Specifying master servers . . . . . . . . . . . . . .   4
       3.1.2.  Specifying initial zone data  . . . . . . . . . . . .   4
     3.2.  SERVEZONES response . . . . . . . . . . . . . . . . . . .   4
   4.  Processing the SERVEZONES messages  . . . . . . . . . . . . .   5
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Definitions

   This memo uses the following DNS server roles in a manner consistent
   with RFC 2136 [RFC2136]:

   Slave   An authoritative server that uses AXFR or IXFR to retrieve
           the zone and is named in the zone's NS RRset.

   Master  An authoritative server configured to be the source of AXFR
           or IXFR data for one or more slave servers.

2.  Introduction

   It is common practice for Internet service providers and domain name
   registrars to operate DNS servers that are simultaneously
   authoritative for many zones.  In some case a single DNS server may
   be authoritative for hundreds of thousands of zones.  Despite the
   large number of zones served, the server is unlikely to also be
   authoritative for a common parent of these zones and so must operate
   each zone independently.

   The DNS protocol supports the provisioning of resource records in
   zones already being served by an authoritative DNS server using the
   DNS UPDATE message described in RFC 2136 [RFC2136].  However no
   similar operation exists to update the list of zones that a server
   serves.

   This memo describes the SERVEZONES message that instructs an
   authoritative DNS server to start serving or stop serving zones.



Daley                   Expires February 14, 2014               [Page 2]

Internet-Draft                 SERVEZONES                    August 2013


   This message supports the remote provisioning of zones in the same
   manner that DNS UPDATE supports the remote provisioning of Resource
   Records.

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  The SERVEZONES message

   When a DNS server or provisioning system chooses to instruct an
   authoritative DNS server to start serving or stop serving one or more
   zones then it does so by sending a SERVEZONES message.  SERVEZONES
   uses the DNS message format, although it uses only a subset of the
   available fields.

   SERVEZONES is similar to NOTIFY in that it has a request message with
   the header QR=0 and a response message with QR=1.  The response
   message contains no useful information, but its reception is an
   indication that the server has received the SERVEZONES message.

   SERVEZONES is similar to UPDATE in that the contents of the QTYPE
   field are used to differentiate between a request to start serving a
   specified zone or to stop serving a specified zone.

   The SERVEZONES message is signalled by Opcode=6.

   Except where specified, all DNS header fields are set as for a normal
   DNS query or response.

3.1.  SERVEZONES request

   A SERVEZONES request contains one or more zones included as a QNAME
   in the QUERY section of the SERVEZONES message.

   A single SERVEZONES request can instruct the receiving server to both
   start serving one or more zones and to stop serving one or more
   zones.

   Each zone for which serving is to start is included as a QNAME in the
   QUERY section with the QTYPE set to SOA.

   Each zone for which serving is to stop is included as a QNAME in the
   QUERY section with the QTYPE set to ANY.

   For all SERVEZONES requests:



Daley                   Expires February 14, 2014               [Page 3]

Internet-Draft                 SERVEZONES                    August 2013


   o  The QCLASS for each entry in the QUERY section is set as required

   o  QDCOUNT is set to the number of zones in the QUERY section.

   o  ANCOUNT is set to zero (0).

3.1.1.  Specifying master servers

   If the server receiving the message is intended to act as a slave
   server then the AUTHORITY section MAY include a list of master
   servers.  NSCOUNT is set to the number of master servers listed in
   the AUTHORITY section.

   If a list of master servers is provided then it applies to all the
   zones listed in the SERVEZONES message for whom serving is to start
   (QTYPE is set to SOA).

   The receiving server MUST fetch the zone data from one of the listed
   master servers before serving the zone.

3.1.2.  Specifying initial zone data

   If the server receiving the message is intended to act as a master
   then the ADDITIONAL section MUST include the initial zone data.
   ARCOUNT is set to the number of entries in the ADDITIONAL section.

   If initial zone data is included in the ADDITIONAL section then it
   applies to all the zones listed in the SERVEZONES message for whom
   serving is to start (QTYPE is set to SOA).  If multiple zones are
   listed then the initial zone data MUST NOT contain any fully
   qualified domain names (FQDNs).

   The receiving server MUST add the initial zone data before serving
   the zone.

3.2.  SERVEZONES response

   A SERVEZONES response is sent to acknowledge receipt of the
   SERVEZONES request to the same source that sent the original request.

   QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT are all set to zero (0).

   If the SERVEZONES request is processed correctly then the receiving
   server SHOULD respond with a SERVEZONES response with RCode=NOERROR.

   The following specific error conditions apply:





Daley                   Expires February 14, 2014               [Page 4]

Internet-Draft                 SERVEZONES                    August 2013


   1.  If any of the zones listed in the request to start serving are
       already being served by the receiving server then it MUST ignore
       the entire request and return an error response with
       RCode=YXDOMAIN.

   2.  If any zones are listed in the request to start serving and
       neither the AUTHORITY or ADDITIONAL sections appear in the
       request then the receiving server MUST ignore the entire request
       and return an error response with RCode=FORMERROR.

   3.  If any zones are listed in the request to start serving and both
       the AUTHORITY and ADDITIONAL sections contain data then the
       receiving server MUST ignore the entire request and return an
       error response with RCode=FORMERROR.

   4.  If FQDNs are included in the initial zone data and the SERVEZONES
       message lists multiple zones to start serving then the receiving
       server SHOULD return an error response with RCode=FORMERROR.

   5.  If any of the zones listed in the request to stop serving are not
       being served by the receiving server then it MUST ignore the
       entire request and return an error response with RCode=NXDOMAIN.

4.  Processing the SERVEZONES messages

   It is recognised that not all authoritative nameservers are capable
   of dynamically loading new zones to serve or dynamically ceasing to
   serve zones.  It is left to the implementor to decide whether to load
   /unload the zones dynamically; wait for a server restart or to
   initiate a restart itself.

5.  Acknowledgements

   The author thanks Sebastian Castro for his input and review.

6.  IANA Considerations

   This memo requests that IANA assigns the following values in the DNS
   Opcode registry:

                          +--------+------------+
                          | Opcode |  Mnemonic  |
                          +--------+------------+
                          |   6    | SERVEZONES |
                          +--------+------------+






Daley                   Expires February 14, 2014               [Page 5]

Internet-Draft                 SERVEZONES                    August 2013


7.  Security Considerations

   Clearly the SERVEZONES message has the potential to be misused and
   such misuse would be likely to cause considerable issues.  It is
   therefore RECOMMENDED that:

   o  SERVEZONES messages are always protected by TSIG and implementors
      allow adminstrators to require this protection.

   o  Implementors do not enable processing of SERVEZONES messages by
      default.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2.  Informative References

   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
              RFC 2136, April 1997.

Author's Address

   Jay Daley (editor)
   .nz Registry Services
   PO Box 24361, Manners Street
   Wellington  6142
   New Zealand

   Phone: +64 4 931 6970
   Email: jay@nzrs.net.nz
















Daley                   Expires February 14, 2014               [Page 6]