dnsop L. Pan Internet-Draft Intended status: Informational Y. Fu Expires: January 4, 2018 CNNIC July 3, 2017 SWILD RR Type (Wildcard on Intermediate Nameservers) draft-pan-dnsop-swild-rr-type-00 Abstract This document describes a new SWILD RR type for Intermediate Nameservers to cache subdomain wildcard record, in order to reduce the cache size and optimize the wildcard domain cache miss. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 4, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Pan & Fu Expires January 4, 2018 [Page 1] Internet-DraSWILD RR Type (Wildcard on Intermediate Nameserve July 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The SWILD Resource Record . . . . . . . . . . . . . . . . . . 3 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4.1. Authoritative Nameserver . . . . . . . . . . . . . . . . 3 4.2. Intermediate Nameserver: Recursive Resolver . . . . . . . 4 4.2.1. Recursive Resolvers that support SWILD RR . . . . . . 4 4.2.2. Recursive Resolvers that not support SWILD RR . . . . 4 4.3. Intermediate Nameserver: Forwarding Resolvers . . . . . . 4 5. DNS Cache . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 8.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction [RFC1034] and [RFC4592] described wildcard domain name. Nowadays wildcard domain is globally used, especially on CDN, P2P, advertise, anti-virus, DNSBLs service. Take "*.github.io" for example, foo.github.io. 3599 IN CNAME github.map.fastly.net. github.map.fastly.net. 25 IN A 151.101.0.133 github.map.fastly.net. 25 IN A 151.101.192.133 github.map.fastly.net. 25 IN A 151.101.64.133 github.map.fastly.net. 25 IN A 151.101.128.133 Wildcard domain is simple configured on Authoritative Nameserver, but Intermediate Nameservers have to cache various domains (xxx.github.io, yyy.github.io, ... ) of the same wildcard domain configuration. Moreover, [DNSNoise] found that many of wildcard domains are disposable (short live time), but with low cache hit rate, increase cache size. This document specifies a new SWILD RR type for Intermediate Nameservers to cache subdomain wildcard record, in order to reduce the cache size and optimize the wildcard domain cache miss. Pan & Fu Expires January 4, 2018 [Page 2] Internet-DraSWILD RR Type (Wildcard on Intermediate Nameserve July 2017 It is OPT-IN, Intermediate Nameservers can choose not to implement or enable it. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Basic terms used in this specification are defined in the documents [RFC1034], [RFC1035], [RFC4592], [RFC7719], [RFC7871] and [RFC8020]. Authoritative Nameserver: Described in [RFC1035] Section 6. Intermediate Nameserver: Described in [RFC7871] Section 4. Recursive Resolver: Described in [RFC1035] Section 7. Forwarding Resolver: Described in [RFC2308] Section 1. 3. The SWILD Resource Record The presentation format of the SWILD RR is as follows: owner ttl class SWILD target The "target" is a subdomain of the owner, to indicate that all subdomains of the "owner" have the same configuration with the "target". 4. Overview We use a special character "_" to indicate the wildcard domain configuration on Intermediate Nameservers, make all the subdomains CNAME to the "_" subdomain, and generate a SWILD RR "_". If most of Recursive Resolvers support SWILD RR in the future, "_" special character is not strictly used for SWILD target. Take "*.foo.com" for example. 4.1. Authoritative Nameserver Authoritative Nameserver configures the zonefile of "foo.com": o add SWILD RR "_" to indicate subdomain wildcard. o configure "_.foo.com". Pan & Fu Expires January 4, 2018 [Page 3] Internet-DraSWILD RR Type (Wildcard on Intermediate Nameserve July 2017 o make "*.foo.com" CNAME to "_.foo.com". Note that, there is not any other subdomain configured in the "foo.com" zone except "_.foo.com". $ORIGIN foo.com. @ 86400 IN SWILD _ _ 3600 IN CNAME map.bar.net. * 600 IN CNAME _ 4.2. Intermediate Nameserver: Recursive Resolver 4.2.1. Recursive Resolvers that support SWILD RR Recursive Resolver sends "xxx.foo.com" A RR query to Authoritative Nameserver, get subdomain wildcard response: xxx.foo.com. 600 IN CNAME _.foo.com. _.foo.com. 3600 IN CNAME map.bar.net. map.bar.net. 600 IN A 202.38.64.10 foo.com. 86400 IN SWILD _.foo.com. Recursive Resolver knows that SWILD RR is for wildcard domain on recursive side, marks "_.foo.com" as wildcard domains of "*.foo.com". In TTL time, if Recursive Resolver receives a "yyy.foo.com" A RR query, it can directly return this subdomain wildcard response: yyy.foo.com. 600 IN CNAME _.foo.com. _.foo.com. 3600 IN CNAME map.bar.net. map.bar.net. 600 IN A 202.38.64.10 foo.com. 86400 IN SWILD _.foo.com. 4.2.2. Recursive Resolvers that not support SWILD RR Recursive Resolver can deal with DNS response as usual. The next time, Recursive Resolver receives a "yyy.foo.com" A RR query, it can send DNS query to Authoritative Nameserver. 4.3. Intermediate Nameserver: Forwarding Resolvers Forwarding Resolver sends query to its next-hop Resolver is similar with Recursive Resolver sends query to Authoritative Nameserver. Pan & Fu Expires January 4, 2018 [Page 4] Internet-DraSWILD RR Type (Wildcard on Intermediate Nameserve July 2017 5. DNS Cache Intermediate Nameservers' cache size can be reduced, avoid to cache various domains of the same wildcard domain configuration. Intermediate Nameservers' cache hit rate will rise, avoid to query Authoritative Nameserver for the same wildcard domain configuration. 6. DNSSEC Clients and DNSSEC-Enabled Intermediate Nameservers can use DNSSEC to validate all the responses with the Authoritative Nameserver. DNSSEC-Enabled Intermediate Nameservers can only validate the SWILD RRSIG of "foo.com" and the RRSIGs of "_.foo.com", not need to validate the CNAME RRSIG of "yyy.foo.com". 7. Acknowledgements Thanks to all in the DNSOP, DNSPRIV and DNSEXT mailing list. 8. References 8.1. Normative References [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", RFC 1034, November 1987. [RFC1035] Mockapetris, P., "Domain Names - Implementation and Specification", RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998. [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name System", RFC 4592, July 2006. [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", RFC 7719, December 2015. [RFC7871] Contavalli, C., van der Gasst, W., Lawrence, D., and W. Kumari, "Client Subnet in DNS Queries", RFC 7871, May 2016. Pan & Fu Expires January 4, 2018 [Page 5] Internet-DraSWILD RR Type (Wildcard on Intermediate Nameserve July 2017 [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is Nothing Underneath", RFC 8020, Nov 2016. 8.2. Informative References [DNSNoise] "DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic", . Authors' Addresses Lanlan Pan Beijing China Email: abbypan@gmail.com URI: https://github.com/abbypan Yu Fu CNNIC No.4 South 4th Street, Zhongguancun Beijing China Email: fuyu@cnnic.cn Pan & Fu Expires January 4, 2018 [Page 6]