Network Working Group K. Fujiwara Internet-Draft JPRS Intended status: Informational A. Kato Expires: September 11, 2015 Keio/WIDE March 10, 2015 Aggressive use of NSEC/NSEC3 draft-fujiwara-dnsop-nsec-aggressiveuse-00 Abstract DNS highly depends on cache, however, cache usage of non-existence information was limited to exact matching. This draft proposes the aggressive use of NSEC/NSEC3 resource record, which is able to express non-existence of range of names authoritatively. With this proposal, shorter latency to many of negative response is expected as well as some level of mitigation of random sub-domain attacks (referred to as "Water Torture" attacks). And more, non-existent TLD queries to Root DNS servers will decrease. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 11, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Fujiwara & Kato Expires September 11, 2015 [Page 1] Internet-Draft NSEC/NSEC3 usage March 2015 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 3. Possible Solution . . . . . . . . . . . . . . . . . . . . . . 3 4. Possible side effect . . . . . . . . . . . . . . . . . . . . 4 5. Another option . . . . . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 8.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction While negative (non-existence) information of DNS caching mechanism has been known as DNS negative cache [RFC2308], it requires exact matching in most cases. Assume that "example.com" zone doesn't have names such as "a.example.com" and "b.example.com". When a full resolver receives a query "a.example.com" , it performs a DNS resolution process, and eventually gets NXDOMAIN and cache it into its negative cache. When the full resolver receives another query "b.example.com", it doesn't match with "a.example.com". So it will send a query to one of the authoritative servers of "example.com". This was because the NXDOMAIN response just says there is no such name "a.example.com" and it has no ability to tell that there is no such name "b.example.com". By the way, DNSSEC [RFC4035] [RFC5155] has been practically deployed recently. Two resource record types (NSEC and NSEC3) are used for authentic non-existence. For a zone signed with NSEC, it may be possible to use the information carried in NSEC resource records to indicate that the range of names where no valid name exists. Such use is discouraged by Section 4.5 of RFC 4035. This document proposes to make a minor change to RFC 4035 and the full resolver can use NSEC/NSEC3 resource records aggressively. Fujiwara & Kato Expires September 11, 2015 [Page 2] Internet-Draft NSEC/NSEC3 usage March 2015 2. Problem Statement Random sub-domain attacks (referred to as "Water Torture" attacks) send many non-existent queries to full resolvers. Their query names consist of random prefixes and a target domain name. As a result, the negative cache does not work well and target full resolvers result in sending queries to authoritative DNS servers of the target domain name. When number of queries is very large, the full resolver's outstanding queue will be full, and then, the full resolver will drop queries from both users and attackers. The countermeasures performed at present are rate limiting and disabling name resolution of target domain names. 3. Possible Solution If the target domain names are DNSSEC signed, aggressive use of NSEC/ NSEC3 resource records solves the problem. DNSSEC defines NSEC resource record. Section 4.5 of [RFC4035] shows that "In theory, a resolver could use wildcards or NSEC RRs to generate positive and negative responses (respectively) until the TTL or signatures on the records in question expire. However, it seems prudent for resolvers to avoid blocking new authoritative data or synthesizing new data on their own. Resolvers that follow this recommendation will have a more consistent view of the namespace". To reduce non-existent queries to authoritative DNS servers, the countermeasure is to relax this restriction. Then, DNSSEC enabled full resolvers MAY use NSEC/NSEC3 resource records to generate negative responses until their effective TTLs or signatures on the records in question expire. This technique is called as "NSEC/NSEC3 aggressive negative caching" in Unbound [Unbound] TODO file. Unbound has aggressive negative caching code in its DLV validator. The full resolver need to check the existence of wildcards. If the cache does not have an NSEC/NSEC3 resource record whose range includes a wildcard ('*') in a zone which the query name belongs to, wildcard may exist in the zone, then, the aggressive use of NSEC/ NSEC3 cannot be applied and the full resolver need to send the query to authoritative DNS servers. Fujiwara & Kato Expires September 11, 2015 [Page 3] Internet-Draft NSEC/NSEC3 usage March 2015 If the zone has a wildcard and it is in full resolver's cache, the full resolver may generate positive responses from the wildcard in the cache. This approach is effective for DNSSEC signed zones with NSEC or NSEC3, except zones with NSEC3 Opt-Out. NSEC/NSEC3 aggressive negative caching works as follows. When the query name has a matching NSEC or NSEC3 resource records in the cache and there is no wildcard in the zone which the query name belongs to, a full resolver is allowed to respond with NXDOMAIN error immediately. The matching procedure may be applied to all ancestor domain names of the query name. This function needs care on the TTL value of negative information because newly added domain names cannot be used while the negative information is effective. RFC 2308 states the maximum number of negative cache TTL value is 10800, and this value is reasonable small but still effective for the purpose of this document. It can eliminate significant amount of DNS queries when an attacker tries to send large number of DNS queries by using randomly generated names. The same discussion is applicable for wildcards. If a query name is covered by NSEC or NSEC3 resource records in the cache and there is a covering wildcard, full resolvers can use wildcards to generate positive responses until wildcard and NSEC/NSEC3 resource records in the cache are effective. Aggressive use of wildcards requires aggressive use of negative information because there may be other domain names. 4. Possible side effect Aggressive use of NSEC/NSEC3 resource records may decrease queries to Root DNS servers. People may generate many typos and they tend to generate DNS queries. Some implementations leak non-existent TLD queries whose second level domain are different each other. Well observed TLDs are ".local" and ".belkin". With this proposal, it is possible to return NXDOMAIN to such queries without further DNS recursive resolution process. It may reduces round trip time, as well as reduces the DNS queries to corresponding authoritative servers, including Root DNS servers. Fujiwara & Kato Expires September 11, 2015 [Page 4] Internet-Draft NSEC/NSEC3 usage March 2015 5. Another option The proposed technique is applicable to zones where there is a NSEC record to each owner name in the zone even without DNSSEC signed. And it is also applicable to full resolvers without DNSSEC validation. Full resolvers can set DNSSEC OK bit in query packets and they will cache NSEC/NSEC3 resource records. They can apply aggressive use of NSEC/NSEC3 resource records without DNSSEC validation. It is highly recommended to sign the zone, of course, and it is recommended to apply DNSSEC validation of NSEC record prior to cache it in the negative cache. 6. IANA Considerations This document has no effect on IANA registries. 7. Security Considerations Newly registered resource records may not be used immediately. However, choosing suitable TTL value will mitigate the problem and it is not a security problem. It is also suggested to limit the maximum TTL value of NSEC resource records in the negative cache to, for example, 10800 seconds (3hrs), to mitigate the issue. Implementations which comply with this proposal is suggested to have a configurable maximum value of NSEC RRs in the negative cache. Aggressive use of NSEC/NSEC3 resource records without DNSSEC validation may cause security problems. 8. References 8.1. Normative References [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005. [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, March 2008. Fujiwara & Kato Expires September 11, 2015 [Page 5] Internet-Draft NSEC/NSEC3 usage March 2015 8.2. Informative References [Unbound] NLnet Labs, "Unbound DNS validating resolver", . Authors' Addresses Kazunori Fujiwara Japan Registry Services Co., Ltd. Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda Chiyoda-ku, Tokyo 101-0065 Japan Phone: +81 3 5215 8451 Email: fujiwara@jprs.co.jp Akira Kato Keio University/WIDE Project Graduate School of Media Design, 4-1-1 Hiyoshi Kohoku, Yokohama 223-8526 Japan Phone: +81 45 564 2490 Email: kato@wide.ad.jp Fujiwara & Kato Expires September 11, 2015 [Page 6]