DNSOP                                                          S. Lee
Internet-Draft                                                  Y. Ju
Expires: April 20, 2006                                        W. Kim
                                                                 NIDA
                                                     October 17, 2005

        Default Well-known DNS Resolver IPv6 Address Using Anycast

Status of this Memo

   By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 20, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   A host needs to configure itself with its own global unicast IP addresses, default gateway IP addresses, and DNS resolver IP addresses. For the IPv6 address of the DNS resolver, an alternative automatic configuration mechanism needs to be defined that enables an IPv6 host to configure its own DNS resolver IPv6 addresses by itself, even when no other autoconfiguration mechanism is applied.

Lee, et al.              Expires April 20, 2006                 [Page 1]

Internet-Draft     Well-known DNS Resolver IPv6 address     October 2005

   This document proposes the use of the address "::a:0:1" as the well-known IPv6 anycast address for DNS resolvers in the global IPv6 Internet.
   In addition, this document considers the automatic discovery mechanism for DNS resolver IPv6 addresses that is based on this well-known anycast address, together with the related specifications it requires.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  IPv6 DNS Resolver Discovery with the Well-Known IPv6 Address   5
     3.1.  Default IPv6 Address for DNS Resolvers . . . . . . . . .  5
     3.2.  Routing Consideration  . . . . . . . . . . . . . . . . .  5
     3.3.  Inter-site Deployment Considerations . . . . . . . . . .  6
     3.4.  EDNS0 Support Consideration  . . . . . . . . . . . . . .  7
     3.5.  Considerations for IPv6 Addresses of DNS Resolvers . . .  7
     3.6.  Management of DNS Resolver IPv6 Addresses in IPv6 Host .  8
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  8
   5.  Security Considerations  . . . . . . . . . . . . . . . . . .  8
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . .  9
     6.1.  Normative References . . . . . . . . . . . . . . . . . .  9
     6.2.  Informative References . . . . . . . . . . . . . . . . . 10
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
   Intellectual Property and Copyright Statements . . . . . . . . . 12

1.  Introduction

   A host needs to configure itself with its own global unicast IP addresses, default gateway IP addresses, and DNS resolver IP addresses. Among these three kinds of addresses, DNS resolver IP addresses are required for the resolution of domain names. For an IPv6 host, automatic configuration mechanisms are defined in the basic IPv6 specifications. An IPv6 host is able to set its own global unicast IPv6 address automatically using IPv6 stateless address autoconfiguration [1].
   The default gateway router's IPv6 address can be obtained using neighbor discovery [2]. For the IPv6 address of the DNS resolver, however, an alternative automatic configuration mechanism needs to be defined that enables an IPv6 host to set its own DNS resolver IPv6 addresses by itself, even when no other autoconfiguration mechanism is applied.

   There are three approaches that can provide IPv6 hosts with the DNS resolver IPv6 addresses available at the connected site. For these three approaches, refer to "IPv6 Host Configuration of DNS Server Information Approaches" [6].

   DHCPv6 [7] [8] can provide DNS resolver IPv6 addresses in addition to the IPv6 host's global unicast address. However, this mechanism needs additional servers at each site. If a small site, such as a home network, has no DHCPv6 server, the IPv6 hosts in that site cannot obtain appropriate DNS resolver IPv6 addresses.

   The RA option being defined in "IPv6 DNS Configuration based on Router Advertisement" [9] can also provide DNS resolver IPv6 addresses via RA messages from neighboring routers. In this case, site administrators have to configure all of the site's routers that serve access subnets, so that the routers can announce the site's DNS resolver IPv6 addresses in RA messages. However, there may be networks without professional management, and the routers within them may not provide DNS resolver IPv6 address information in RA messages.

   The last of the three approaches in "IPv6 Host Configuration of DNS Server Information Approaches" [6] is to use a well-known anycast address as the DNS resolver IPv6 address. This document specifies the automatic discovery mechanism for DNS resolver IPv6 addresses that is based on the well-known anycast address.

   There are some requirements in defining the well-known anycast address for DNS resolvers with IPv6 support.
   First, this well-known IPv6 anycast address SHOULD be a global-scope IPv6 address that is independent of each site's specific DNS resolvers. This requirement makes it possible for an IPv6 host to keep the same DNS resolver IPv6 address regardless of the site it moves to and connects to.

   Second, this well-known IPv6 anycast address SHOULD NOT be selected from the global unicast address range that starts with the prefix "2001::/3". This makes it easy for network administrators to distinguish this anycast address from normal global unicast addresses when managing the routing system.

   Third, the well-known IPv6 anycast address SHOULD have the simplest possible textual representation, so that anyone can easily remember it and type it in by hand. This helps both network administrators and users.

   This document proposes the use of the address "::a:0:1" as the well-known IPv6 anycast address for DNS resolvers in the global IPv6 Internet. It may also be possible to use the well-known IPv6 anycast address defined in this document as one of the DNS resolver IPv6 addresses announced by DHCPv6 [7] or by routers via the RA option being defined in [9].

   This document does not define any specification of a well-known anycast address for IPv4-based DNS resolvers. It assumes that IPv4 hosts can obtain DNS resolver IPv4 addresses, or that users can configure those addresses manually, in the IPv4 Internet environment as before.

2.  Terminology

   Default IPv6 Address for DNS Resolvers: the well-known IPv6 anycast address for DNS resolvers with IPv6 support.

   DNS resolver: in this document, the implementation of the DNS resolver routine defined in Section 2.2, "Common configurations", of RFC 1035 [3], which answers recursive queries from the stub resolvers of hosts. In common usage this DNS resolver is also called a 'recursive DNS server'.

   DNS resolver IPv6 address: the IPv6 address on which a DNS resolver serves recursive DNS queries from IPv6 hosts.
   IPv6 host: in this document, any host that supports IPv6, e.g. an IPv6-only host or an IPv4/IPv6 dual-stack host.

   Most Upstream Site: in this document, a site that has a connection to the IPv6 global backbone.

   Upstream Site: in this document, the site that provides upstream links to a certain site.

   Downstream Site: in this document, a site that has upstream links to an Upstream Site.

3.  IPv6 DNS Resolver Discovery with the Well-Known IPv6 Address

3.1.  Default IPv6 Address for DNS Resolvers

   The well-known IPv6 anycast address for DNS resolvers is defined as the address "::a:0:1". In this document, this address is termed the 'Default IPv6 Address for DNS Resolvers'. This address, "::a:0:1/128", is selected from the address range with the prefix "::/8". At least the address range "::a:0:0/112" SHOULD be reserved as the anycast address range for DNS resolver IPv6 addresses. Reservation of the address range "::a:0:0/96" is preferred; this range can then serve as an anycast address range for other anycast-based services that may be defined in the future.

   The Default IPv6 Address for DNS Resolvers is a global-scope anycast address that designates any DNS resolver reachable from any access point of the IPv6 Internet. To IPv6 hosts, the Default IPv6 Address for DNS Resolvers is a global-scope address.

3.2.  Routing Consideration

   The route to the Default IPv6 Address for DNS Resolvers SHOULD be a host route, i.e. a route with the prefix "::a:0:1/128". In principle, the route to the Default IPv6 Address for DNS Resolvers needs to be injected into the routing system on a per-site basis. In the global IPv6 backbone, the route to the Default IPv6 Address for DNS Resolvers SHOULD be filtered out, so as to prevent problems that could be caused by a rapid increase in IPv6 routing table size.
   Therefore, in principle, the route to the Default IPv6 Address for DNS Resolvers SHOULD be injected into the IGP routing system, not into the EGP routing system. Configuring the anycast route as a static route is not recommended for deploying anycast with the route to the Default IPv6 Address for DNS Resolvers. For small networks that are not able to deploy an IGP, refer to 'Inter-site Deployment Considerations' (Section 3.3).

   The Default IPv6 Address for DNS Resolvers is the anycast address of the DNS resolver service, which is an implementation of the standard DNS resolver defined in RFC 1035 [3]. The stub resolver of an IPv6 host does not differentiate such a DNS resolver from the site's specific DNS resolvers, as long as the DNS resolvers function as the standard DNS resolver routine. Each site's DNS resolvers with the Default IPv6 Address for DNS Resolvers are considered instances of the standard DNS resolver routine. Therefore any site's DNS resolvers that conform to the standard DNS resolver functionality and are authorized, secure DNS resolvers are allowed to assign the Default IPv6 Address for DNS Resolvers to their service interfaces and to advertise the route to this address into the site's routing system. However, to prevent an unauthorized DNS resolver from intercepting and answering recursive DNS queries, the site's network administrators SHOULD check that the route to the Default IPv6 Address for DNS Resolvers in the routing system is legitimate.

3.3.  Inter-site Deployment Considerations

   A site that has a connection to the IPv6 global backbone is termed a 'Most Upstream Site' in this document. For a certain site, the site that provides upstream links to it is termed its 'Upstream Site', and a site that has upstream links to an Upstream Site is termed a 'Downstream Site' of that Upstream Site.
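   The routing rules of Section 3.2 applied to the site roles just defined, as an added Python example that is not part of the draft: a longest-prefix-match model in which a Downstream Site holding only a default route hands packets for ::a:0:1 to its Upstream Site's resolver, prefers a local /128 once its own IGP carries one, and returns to the Upstream Site's resolver when that route is withdrawn, together with the route audit that Section 3.2 asks administrators to perform. All site names, next-hop names and protocol labels are constructed.

```python
# Added example, not from the draft: longest-prefix-match forwarding for the
# Default IPv6 Address for DNS Resolvers across an Upstream/Downstream site
# pair, plus the route audit of Section 3.2 (/128 host route, installed by an
# IGP, pointing at an authorized resolver). Names and labels are constructed.
from ipaddress import IPv6Address, IPv6Network

DEFAULT_RESOLVER = IPv6Address("::a:0:1")
IGP_PROTOCOLS = ("ospfv3", "isis")       # assumed IGP labels for the audit


class RoutingTable:
    """One site's table; entries are (prefix, next hop, installing protocol)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, nexthop, proto):
        self.routes.append((IPv6Network(prefix), nexthop, proto))

    def withdraw(self, prefix):
        self.routes = [r for r in self.routes if r[0] != IPv6Network(prefix)]

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop or None."""
        best = None
        for net, nexthop, _proto in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else None


def forward(tables, start_site, dst, max_hops=8):
    """Follow next hops from site to site until a non-site next hop (a server)."""
    site = start_site
    for _ in range(max_hops):
        hop = tables[site].lookup(dst)
        if hop is None or hop not in tables:
            return hop
        site = hop
    return None


def audit_resolver_routes(table, authorized_nexthops):
    """Problems with every non-default route that covers ::a:0:1."""
    problems = []
    for net, nexthop, proto in table.routes:
        if DEFAULT_RESOLVER not in net or net.prefixlen == 0:
            continue
        if net.prefixlen != 128:
            problems.append(f"{net}: not a /128 host route")
        if proto not in IGP_PROTOCOLS:
            problems.append(f"{net}: installed by {proto}, not an IGP")
        if nexthop not in authorized_nexthops:
            problems.append(f"{net}: unauthorized next hop {nexthop}")
    return problems


def scenario():
    """Constructed topology: a small Downstream Site behind an Upstream Site."""
    upstream, downstream = RoutingTable(), RoutingTable()
    upstream.add("::a:0:1/128", "upstream-resolver", "ospfv3")
    upstream.add("::/0", "backbone", "bgp")
    downstream.add("::/0", "upstream", "static")          # default route only
    tables = {"upstream": upstream, "downstream": downstream}
    via_default = forward(tables, "downstream", DEFAULT_RESOLVER)
    downstream.add("::a:0:1/128", "downstream-resolver", "ospfv3")
    local = forward(tables, "downstream", DEFAULT_RESOLVER)
    downstream.withdraw("::a:0:1/128")   # local resolver down, IGP withdraws route
    failover = forward(tables, "downstream", DEFAULT_RESOLVER)
    downstream.add("::a:0:1/128", "rogue-box", "static")  # what the audit catches
    return via_default, local, failover, audit_resolver_routes(downstream, {"downstream-resolver"})
```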
   So that global-scope use of the Default IPv6 Address for DNS Resolvers is possible anywhere in the IPv6 Internet, it is RECOMMENDED that Most Upstream Sites deploy DNS resolvers with the Default IPv6 Address for DNS Resolvers. Upstream Sites that are not Most Upstream Sites but have Downstream Sites SHOULD deploy DNS resolvers with the Default IPv6 Address for DNS Resolvers, especially when their Downstream Sites are so small that they have to use the Upstream Site's DNS resolvers. By special agreement between the sites, or by default, an Upstream Site may allow its Downstream Sites access to the Upstream Site's DNS resolvers with the Default IPv6 Address for DNS Resolvers.

   Downstream Sites have upstream links to Most Upstream Sites for access to the global IPv6 Internet. Among these Downstream Sites, the small sites that have no network management capability need access to the Upstream Site's DNS resolvers using the Default IPv6 Address for DNS Resolvers. In this case, the DNS query packets destined to the Default IPv6 Address for DNS Resolvers can be routed via the default route in the border routers of the Downstream Site. In the case of Downstream Sites that have their own DNS resolvers with the Default IPv6 Address for DNS Resolvers, when those DNS resolvers go down accidentally, the route to the Default IPv6 Address for DNS Resolvers can be switched to the Upstream Site's DNS resolvers by the anycast mechanism.

   However, with the above configuration, concurrent malicious attacks on many Downstream Sites' DNS resolvers with the Default IPv6 Address for DNS Resolvers may cause the Upstream Site's DNS resolvers to become unstable. To avoid this possible problem, Upstream Sites need to take the related security considerations into account when deploying DNS resolvers with the Default IPv6 Address for DNS Resolvers that have to support various Downstream Sites.

3.4.  EDNS0 Support Consideration

   Between IPv6 hosts and DNS resolvers with the Default IPv6 Address for DNS Resolvers, the DNS message in the IPv6 packet SHOULD contain the EDNS0 option. An IPv6 host MUST attach the EDNS0 option to a DNS query message when sending an IPv6 packet destined to the Default IPv6 Address for DNS Resolvers. In this case, the minimum value of the sender's UDP payload size in the OPT pseudo-RR [4] SHOULD be 1024 octets. This is to avoid a possible fallback to a DNS query over a TCP connection due to an oversized DNS response message. The minimum size of 1024 octets also prevents IPv6 fragmentation in the IPv6 Internet, which has a minimum MTU of 1280 octets. DNS resolvers with the Default IPv6 Address for DNS Resolvers MUST support the EDNS0 option.

   IPv6 hosts may use a sender's UDP payload size in the OPT pseudo-RR [4] larger than 1024 octets. However, in this case the IPv6 host is recommended to check the available MTU size using IPv6 path MTU discovery [5]. EDNS0 option support in IPv6 nodes is also specified in "IPv6 Node Requirements" [10].

   The above specification applies only between IPv6 hosts and DNS resolvers with the Default IPv6 Address for DNS Resolvers; it does not apply between authoritative name servers and DNS resolvers with the Default IPv6 Address for DNS Resolvers.

3.5.  Considerations for IPv6 Addresses of DNS Resolvers

   DNS resolvers with the Default IPv6 Address for DNS Resolvers SHOULD NOT use the Default IPv6 Address for DNS Resolvers as the source address of iterative DNS queries to authoritative name servers. Doing so causes the unacceptable problem that the response from the authoritative name server would be routed to another DNS resolver with the Default IPv6 Address. If there is an IPv6 global backbone between the authoritative name server and the DNS resolver with the Default IPv6 Address for DNS Resolvers, the DNS resolver would never get the response.
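   Sections 3.4 and 3.5 above, as an added Python example that is not part of the draft: it builds the EDNS0 query an IPv6 host sends to ::a:0:1, applies the OPT pseudo-RR check a resolver behind that address can run on incoming queries, and selects a non-anycast source address for the resolver's own iterative queries. Wire formats follow RFC 1035 and RFC 2671; the query name and the interface addresses used for illustration are constructed.

```python
# Added example, not from the draft: the EDNS0 query an IPv6 host sends to
# ::a:0:1 (Section 3.4), the resolver-side OPT check for such queries, and the
# Section 3.5 rule for the source address of the resolver's own iterative
# queries. Wire formats follow RFC 1035 and RFC 2671; the query name and the
# interface addresses used for illustration are constructed.
import struct
from ipaddress import IPv6Address, IPv6Network

DEFAULT_RESOLVER = IPv6Address("::a:0:1")
GLOBAL_UNICAST = IPv6Network("2000::/3")
MIN_UDP_PAYLOAD = 1024      # octets, Section 3.4
OPT_TYPE = 41               # OPT pseudo-RR type code, RFC 2671


def encode_name(name):
    """Domain name as length-prefixed labels terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past the (possibly compressed) name that starts at msg[off]."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: two octets, ends the name
            return off + 2
        off += 1 + n


def build_query(qname, qid, qtype=28, udp_payload=MIN_UDP_PAYLOAD, edns=True):
    """Standard query (RD set) with one question (AAAA by default) and, if edns,
    one OPT pseudo-RR in the additional section: NAME=root, TYPE=41, CLASS=the
    sender's UDP payload size, TTL=extended RCODE/version/flags (zero), RDLEN=0."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0) if edns else b""
    return header + question + opt


def opt_udp_payload(msg):
    """Sender's UDP payload size from the OPT pseudo-RR, or None if absent."""
    _qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def accept_anycast_query(msg):
    """Section 3.4 check for a query received on ::a:0:1: OPT MUST be present
    and the advertised payload size SHOULD be at least 1024 octets."""
    size = opt_udp_payload(msg)
    if size is None:
        return "reject: no EDNS0 OPT pseudo-RR"
    if size < MIN_UDP_PAYLOAD:
        return f"warn: UDP payload size {size} below {MIN_UDP_PAYLOAD}"
    return "ok"


def iterative_query_source(interface_addrs):
    """Section 3.5: never source iterative queries from the anycast address;
    return the resolver's first global unicast address, or None if it has none."""
    for addr in map(IPv6Address, interface_addrs):
        if addr != DEFAULT_RESOLVER and addr in GLOBAL_UNICAST:
            return str(addr)
    return None
```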
   Therefore the DNS resolver SHOULD have at least one global unicast IPv6 address on its interfaces. A DNS resolver with the Default IPv6 Address for DNS Resolvers SHOULD answer DNS queries with that Default IPv6 Address for DNS Resolvers as the source address. If not, the IPv6 hosts receiving the DNS response would get confused by the mismatch between the destination address of the DNS query and the source address of the DNS response.

3.6.  Management of DNS Resolver IPv6 Addresses in IPv6 Host

   An IPv6 host SHOULD implement an additional function that manages the list of available IPv6 addresses for DNS resolvers according to a precedence policy. That is, when there is both information obtained from the connected site and the Default IPv6 Address for DNS Resolvers, which may be pre-configured, the DNS resolver IPv6 addresses obtained from the connected site have higher precedence than the Default IPv6 Address for DNS Resolvers. This DNS resolver IPv6 address management function raises the IPv6 address with the highest precedence to the active DNS resolver IPv6 address, so that the stub resolver can use that address. This function can be implemented as part of the DHCPv6 client process or as part of the client process for the RA option defined in "IPv6 DNS Configuration based on Router Advertisement" [9]. Otherwise, it can be implemented as an independent process.

   The DNS resolver IPv6 address management function SHOULD raise the Default IPv6 Address for DNS Resolvers to the active DNS resolver IPv6 address, as the default and last-resort address, as soon as the DNS resolver IPv6 addresses learned from a site become invalid for any reason.

4.  IANA Considerations

   IANA needs to reserve the address "::a:0:1/128" as the Default IPv6 Address for DNS Resolvers. IANA can consider the reservation of the address range "::a:0:0/96" as the Well-Known Anycast Addresses Range.

5.  Security Considerations

   The routing system routes IPv6 packets destined to the well-known anycast address by looking up its routing table. If there is malicious route information that directs DNS requests to an unauthorized DNS resolver with the Default IPv6 Address for DNS Resolvers, IPv6 hosts may be led to fraudulent servers without any notification. To avoid this possibility, the IGP that the anycast mechanism is based on SHOULD have an authentication mechanism between authorized routers, and the site SHOULD enable this authentication mechanism in its routing system.

   In the case where Downstream Sites are allowed access to DNS resolvers with the Default IPv6 Address for DNS Resolvers and those Downstream Sites also deploy their own DNS resolvers with the Default IPv6 Address for DNS Resolvers, concurrent DoS attacks on various Downstream Sites' DNS resolvers may happen, and when a Downstream Site's DNS resolver goes down, the DoS attack traffic may flow into the Upstream Site, resulting in a cascading breakdown of DNS resolvers. To avoid this problem, the Upstream Site should give full consideration to this possibility when planning and deploying DNS resolvers with the Default IPv6 Address for DNS Resolvers to share with Downstream Sites. It is RECOMMENDED to deploy distributed DNS resolver instances using the site's own anycast mechanism, so that DNS query traffic is distributed and processed by the corresponding local servers and a crisis does not propagate through the whole site.

6.  References

6.1.  Normative References

   [1]  Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998.

   [2]  Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998.

   [3]  Mockapetris, P., "Domain names - implementation and specification", RFC 1035, November 1987.

   [4]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999.

   [5]  McCann, J., Deering, S., and J.
        Mogul, "Path MTU Discovery for IP version 6", RFC 1981, August 1996.

6.2.  Informative References

   [6]  Jeong, J., "IPv6 Host Configuration of DNS Server Information Approaches", Work in Progress, May 2005.

   [7]  Droms, R., Carney, M., Perkins, C., Lemon, T., Volz, B., and R. Droms, "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December 2003.

   [8]  Bound, J., Carney, M., Perkins, C., Lemon, T., Volz, B., and R. Droms, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, May 2003.

   [9]  Jeong, J., "IPv6 DNS Configuration based on Router Advertisement", Work in Progress, February 2005.

   [10] Loughney, J., "IPv6 Node Requirements", Work in Progress, August 2004.

Authors' Addresses

   Seunghoon Lee
   National Internet Development Agency of Korea
   1321-11, Seocho2-dong, Seocho-gu
   Seoul
   Korea

   Phone: +82-2-2186-4585
   Email: sehlee@nida.or.kr

   Youngwan Ju
   National Internet Development Agency of Korea
   1321-11, Seocho2-dong, Seocho-gu
   Seoul
   Korea

   Phone: +82-2-2186-4536
   Email: ywju@nida.or.kr

   Weon Kim
   National Internet Development Agency of Korea
   1321-11, Seocho2-dong, Seocho-gu
   Seoul
   Korea

   Phone: +82-2-2186-4502
   Email: wkim@nida.or.kr

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the Internet Society.
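   The address-precedence function of Section 3.6, as an added Python example that is not part of the draft: addresses learned from the connected site outrank the pre-configured ::a:0:1, which becomes the active address again once every site-learned address has expired or been withdrawn. The source labels, the ranking of DHCPv6-learned above RA-learned addresses, and the lifetimes and addresses in the walk-through are assumptions made for illustration.

```python
# Added example, not from the draft: the precedence-based management of DNS
# resolver IPv6 addresses that Section 3.6 asks of an IPv6 host. Addresses
# learned from the connected site outrank the pre-configured Default IPv6
# Address for DNS Resolvers, which becomes active again once every site-learned
# address has expired or been withdrawn. Source labels, the ranking of DHCPv6
# above the RA option, lifetimes and addresses here are constructed.
from ipaddress import IPv6Address

DEFAULT_RESOLVER = IPv6Address("::a:0:1")


class ResolverAddressManager:
    """Tracks candidate resolver addresses with their source and expiry time and
    exposes the active address that the stub resolver should use."""

    PRECEDENCE = {"dhcpv6": 0, "ra": 1, "default": 9}   # lower ranks higher

    def __init__(self):
        self.entries = {}                # IPv6Address -> (source, expires_at)
        self.learn(DEFAULT_RESOLVER, "default", expires_at=None)   # never expires

    def learn(self, addr, source, expires_at):
        """Record or refresh an address from a source; None means no lifetime."""
        if source not in self.PRECEDENCE:
            raise ValueError(f"unknown source {source!r}")
        self.entries[IPv6Address(addr)] = (source, expires_at)

    def withdraw(self, addr):
        """Drop a site-learned address (e.g. zero-lifetime RA, DHCPv6 release)."""
        addr = IPv6Address(addr)
        if addr != DEFAULT_RESOLVER:             # the default is never removed
            self.entries.pop(addr, None)

    def expire(self, now):
        """Invalidate site-learned addresses whose lifetime has passed."""
        for addr, (_src, exp) in list(self.entries.items()):
            if exp is not None and exp <= now:
                del self.entries[addr]

    def active(self, now):
        """Highest-precedence valid address; ::a:0:1 when nothing else is left."""
        self.expire(now)
        best = min(self.entries.items(), key=lambda kv: self.PRECEDENCE[kv[1][0]])
        return str(best[0])


def walkthrough():
    """Constructed sequence: boot with the default, learn site addresses, use the
    highest-ranked one, and fall back when they lapse or are withdrawn."""
    mgr = ResolverAddressManager()
    at_boot = mgr.active(now=0)
    mgr.learn("2001:db8:1::53", "dhcpv6", expires_at=600)
    mgr.learn("2001:db8:2::53", "ra", expires_at=300)
    with_site_info = mgr.active(now=10)          # DHCPv6-learned address wins
    after_lapse = mgr.active(now=700)            # both lifetimes passed
    mgr.learn("2001:db8:2::53", "ra", expires_at=1000)
    after_new_ra = mgr.active(now=800)
    mgr.withdraw("2001:db8:2::53")
    after_withdraw = mgr.active(now=800)
    return at_boot, with_site_info, after_lapse, after_new_ra, after_withdraw
```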