dnsop                                                            L. Pan
Internet-Draft
Intended status: Informational                                    Y. Fu
Expires: March 29, 2018                                           CNNIC
                                                     September 25, 2017

          SWILD RR Type (Wildcard on Intermediate Nameservers)
                   draft-pan-dnsop-swild-rr-type-01

Abstract

   This document specifies a new SWILD RR type that lets Intermediate
   Nameservers cache a subdomain wildcard as a single record, in order
   to reduce wildcard cache misses, shrink the cache, and help defend
   against DDoS attacks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 29, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Pan & Fu                 Expires March 29, 2018                 [Page 1]

Internet-Draft  SWILD RR Type (Wildcard on Intermediate Nameservers)  September 2017

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The SWILD Resource Record
   4.  Overview
     4.1.  Authoritative Nameserver
     4.2.  Intermediate Nameserver: Recursive Resolver
       4.2.1.  Recursive Resolvers that support SWILD RR
       4.2.2.  Recursive Resolvers that do not support SWILD RR
     4.3.  Intermediate Nameserver: Forwarding Resolvers
   5.  DNS Cache
   6.  DDoS
   7.  DNSSEC
     7.1.  Comparison with NSEC Aggressive Use of Wildcards
     7.2.  DNSSEC Deployment
     7.3.  Hijack Risk
     7.4.  Stub Validation
   8.  Disposable Domains
   9.  Acknowledgements
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   [RFC1034] and [RFC4592] describe wildcard domain names.  Wildcards
   are now in global use; "*.github.io" is one example:

      foo.github.io.             3600 IN CNAME sni.github.map.fastly.net.
      sni.github.map.fastly.net.   25 IN A     151.101.73.147

   A wildcard is simple to configure on the Authoritative Nameserver,
   but Intermediate Nameservers have to cache every name that matches
   it (xxx.github.io, yyy.github.io, ...) as a separate entry, even
   though all of those entries come from the same wildcard
   configuration.  The result is a low cache hit rate and a larger
   cache.
   This document specifies a new SWILD RR type that lets Intermediate
   Nameservers cache a subdomain wildcard as a single record, in order
   to reduce wildcard cache misses, shrink the cache, and help defend
   against DDoS attacks.  It is opt-in: Intermediate Nameservers can
   choose not to implement or enable it.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Basic terms used in this specification are defined in [RFC1034],
   [RFC1035], [RFC4592], [RFC7719], [RFC7871] and [RFC8020].

   Authoritative Nameserver:  Described in [RFC1035] Section 6.

   Intermediate Nameserver:  Described in [RFC7871] Section 4.

   Recursive Resolver:  Described in [RFC1035] Section 7.

   Forwarding Resolver:  Described in [RFC2308] Section 1.

3.  The SWILD Resource Record

   The presentation format of the SWILD RR is:

      owner ttl class SWILD target

   The "target" is a subdomain of the owner.  The record states that
   every subdomain of "owner" has the same configuration as "target".

4.  Overview

   The special label "_" marks the wildcard configuration that is
   intended for Intermediate Nameservers: the zone makes all subdomains
   a CNAME to the "_" subdomain and publishes a SWILD RR whose target
   is "_".  If most Recursive Resolvers come to support SWILD in the
   future, the "_" label is no longer strictly required as the SWILD
   target.

   "*.foo.com" is used as the example below.

4.1.  Authoritative Nameserver

   The Authoritative Nameserver configures the "foo.com" zone file as
   follows:

   o  add a SWILD RR with target "_" to indicate the subdomain
      wildcard.

   o  configure "_.foo.com".

   o  make "*.foo.com" a CNAME to "_.foo.com".
   Note that no subdomain other than "_.foo.com" is configured in the
   "foo.com" zone.  This matters: a SWILD-aware resolver answers for
   every name under the owner from the wildcard, whereas on the
   Authoritative Nameserver an explicitly configured subdomain takes
   precedence over the wildcard ([RFC4592]), so such a subdomain could
   be answered wrongly from the cache.

      $ORIGIN foo.com.
      @   86400 IN SWILD _
      _    3600 IN CNAME map.bar.net.
      *     600 IN CNAME _

4.2.  Intermediate Nameserver: Recursive Resolver

4.2.1.  Recursive Resolvers that support SWILD RR

   The Recursive Resolver sends an A query for "xxx.foo.com" to the
   Authoritative Nameserver and gets the subdomain wildcard response:

      xxx.foo.com.    600 IN CNAME _.foo.com.
      _.foo.com.     3600 IN CNAME map.bar.net.
      map.bar.net.    600 IN A     202.38.64.10
      foo.com.      86400 IN SWILD _.foo.com.

   The Recursive Resolver knows that the SWILD RR describes a wildcard
   to be applied on the recursive side, and marks "_.foo.com" as the
   wildcard target for "*.foo.com".  While these records are within
   their TTLs, if the Recursive Resolver receives an A query for
   "yyy.foo.com" it can answer directly from the cache:

      yyy.foo.com.    600 IN CNAME _.foo.com.
      _.foo.com.     3600 IN CNAME map.bar.net.
      map.bar.net.    600 IN A     202.38.64.10
      foo.com.      86400 IN SWILD _.foo.com.

4.2.2.  Recursive Resolvers that do not support SWILD RR

   Such a Recursive Resolver handles the response as usual, caching
   "xxx.foo.com" like any other name.  The next time it receives an A
   query for "yyy.foo.com", it sends a query to the Authoritative
   Nameserver as it does today.

4.3.  Intermediate Nameserver: Forwarding Resolvers

   A Forwarding Resolver sending a query to its next-hop resolver
   behaves in the same way as a Recursive Resolver sending a query to
   the Authoritative Nameserver.

5.  DNS Cache

   As with [RFC8198] Section 6, SWILD can reduce latency and decrease
   server load:

   o  The cache hit rate of Intermediate Nameservers rises, because
      they no longer query the Authoritative Nameserver for every name
      that falls under the same wildcard.

   o  The cache size of Intermediate Nameservers can be reduced,
      because they no longer keep a separate entry for each name that
      falls under the same wildcard.
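   The resolver-side behaviour of Section 4.2.1 and the DNSSEC rule of
   Section 7.4, as an added example in Python (this is illustrative
   code written for this page, not code from the draft or from any
   resolver).  It ingests the response above, synthesizes the CNAME for
   other names under the SWILD owner, refuses to synthesize when the
   query carries the DO bit, and ignores a SWILD whose target does not
   lie under its owner.  The names SwildCache, RR, ingest, lookup and
   the sample records are constructed for the example.

```python
"""Resolver-side SWILD cache (hypothetical example, not the draft's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified (trailing dot)
    ttl: int
    rtype: str   # "A", "CNAME", "SWILD", ...
    rdata: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".") + "."


def _is_subdomain(name: str, parent: str) -> bool:
    """True if name is strictly below parent (any number of labels)."""
    name, parent = _norm(name), _norm(parent)
    return name != parent and name.endswith("." + parent)


class SwildCache:
    def __init__(self) -> None:
        # (name, rtype) -> (expiry, RRset) learned from real answers
        self._rrsets: Dict[Tuple[str, str], Tuple[float, List[RR]]] = {}
        # owner -> (expiry, target, ttl to put on synthesized CNAMEs)
        self._swild: Dict[str, Tuple[float, str, int]] = {}

    def ingest(self, answer: List[RR], now: float) -> None:
        """Cache an authoritative response (Section 4.2.1)."""
        groups: Dict[Tuple[str, str], List[RR]] = {}
        for rr in answer:
            if rr.rtype != "SWILD":
                groups.setdefault((_norm(rr.name), rr.rtype), []).append(rr)
                continue
            owner, target = _norm(rr.name), _norm(rr.rdata)
            # Section 3: the target must lie under the owner.  Dropping anything
            # else keeps a bogus SWILD from pointing a zone outside itself.
            if _is_subdomain(target, owner):
                self._swild[owner] = (now + rr.ttl, target, rr.ttl)
        for key, rrs in groups.items():
            self._rrsets[key] = (now + min(r.ttl for r in rrs), rrs)
        # Reuse the wildcard CNAME's TTL for CNAMEs synthesized later
        for rr in answer:
            for owner, (exp, target, _) in list(self._swild.items()):
                if (rr.rtype == "CNAME" and _norm(rr.rdata) == target
                        and _is_subdomain(rr.name, owner)):
                    self._swild[owner] = (exp, target, rr.ttl)

    def _chain(self, name: str, qtype: str, now: float) -> Optional[List[RR]]:
        """Follow cached CNAMEs from name to a qtype RRset; None on any miss."""
        out: List[RR] = []
        for _ in range(8):  # bound CNAME chains and loops
            hit = self._rrsets.get((name, qtype))
            if hit and hit[0] > now:
                return out + hit[1]
            cname = self._rrsets.get((name, "CNAME"))
            if not cname or cname[0] <= now:
                return None
            out += cname[1]
            name = _norm(cname[1][0].rdata)
        return None

    def lookup(self, qname: str, qtype: str, now: float,
               dnssec_ok: bool = False) -> Optional[List[RR]]:
        """Answer from cache, synthesizing via SWILD; None means 'ask upstream'."""
        qname = _norm(qname)
        real = self._chain(qname, qtype, now)
        if real is not None:
            return real  # a genuinely cached name always wins over the wildcard
        for owner in sorted(self._swild, key=len, reverse=True):  # closest first
            exp, target, cname_ttl = self._swild[owner]
            if exp <= now or not _is_subdomain(qname, owner) or qname == target:
                continue
            # Section 7.4: a synthesized CNAME has no RRSIG, so a query with the
            # DO bit set must go through ordinary resolution instead.
            if dnssec_ok:
                return None
            rest = self._chain(target, qtype, now)
            if rest is None:
                return None  # the target's own records expired: refetch them
            return [RR(qname, cname_ttl, "CNAME", target)] + rest
        return None


# Constructed copy of the response shown in Section 4.2.1
ANSWER = [
    RR("xxx.foo.com.", 600, "CNAME", "_.foo.com."),
    RR("_.foo.com.", 3600, "CNAME", "map.bar.net."),
    RR("map.bar.net.", 600, "A", "202.38.64.10"),
    RR("foo.com.", 86400, "SWILD", "_.foo.com."),
]


def demo() -> SwildCache:
    cache = SwildCache()
    cache.ingest(ANSWER, now=0)
    return cache


if __name__ == "__main__":
    c = demo()
    for rr in c.lookup("yyy.foo.com.", "A", now=10) or []:
        print(rr.name, rr.ttl, rr.rtype, rr.rdata)
```

   A query for "yyy.foo.com" at second 10 is answered from the cache
   with a synthesized 600-second CNAME followed by the cached
   "_.foo.com" chain; once the "map.bar.net" A record expires (second
   600) the lookup returns None, so the resolver refetches only the
   target, not every name under the wildcard.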
6.  DDoS

   When Recursive Servers or Second Level Domain (SLD) Authoritative
   Servers are under DDoS attack, the defense is better if Recursive
   Servers have more information.

   o  SWILD helps Recursive Servers give a fast, correct response when
      queries for an important subdomain wildcard rise suddenly and
      sharply, in situations where the source clients cannot easily be
      dropped.

   o  SWILD helps Recursive Servers answer queries for not-yet-seen
      names under an important subdomain wildcard when the SLD
      Authoritative Servers suffer an outage that would otherwise
      produce SERVFAIL, timeouts, or hijacked responses.

7.  DNSSEC

   Clients and DNSSEC-enabled Intermediate Nameservers can use DNSSEC
   to validate all responses from the Authoritative Nameserver.

   A DNSSEC-enabled Intermediate Nameserver only needs to validate the
   RRSIG of the SWILD RR at "foo.com" and the RRSIGs of "_.foo.com"; it
   does not need to validate a CNAME RRSIG for "yyy.foo.com", since
   that CNAME is synthesized locally and no such RRSIG exists.

7.1.  Comparison with NSEC Aggressive Use of Wildcards

   The wildcard handling of [RFC8198] solves a similar problem:

   o  NSEC/NSEC3 RRs: prove that a subdomain does not exist.

   o  Cached deduced wildcard: provides the default wildcard RR.

   SWILD:

   o  Directly states that all subdomains are covered, and provides
      the default wildcard RR.

   SWILD can work together with [RFC8198] wildcard handling;
   Authoritative Servers can still return NSEC/NSEC3 RRs.  SWILD also
   applies when Authoritative Nameservers do not return NSEC/NSEC3 RRs,
   and on non-validating Forwarding Resolvers.

7.2.  DNSSEC Deployment

   DNSSEC is designed to protect the integrity of DNS responses and
   prevent packet tampering.  How to encourage DNSSEC deployment is an
   old question, especially for important SLD Authoritative Servers
   such as google.com and amazon.com.  Defense against domain hijacks
   such as [BankNSHijack] is the biggest motivation to deploy DNSSEC.
   Neither [RFC8198] wildcard handling nor SWILD affects DNSSEC
   deployment; they solve a similar subdomain problem under different
   DNSSEC deployment prerequisites.

7.3.  Hijack Risk

   There is concern that SWILD raises the hijack risk, because one
   response covers the whole subdomain wildcard rather than a single
   subdomain.  However, a similarly serious hijack risk already exists
   for NS and MX records, which are configured for the whole zone.  The
   impact of a hijacked SWILD will not be larger than that of a
   hijacked NS or MX.

7.4.  Stub Validation

   SWILD does not support direct DNSSEC validation of a single name
   under the subdomain wildcard.  Forwarding Resolvers must fall back
   to traditional DNSSEC resolution if they receive a query for a
   single name under the wildcard with DNSSEC validation requested
   (the DO bit set) from a Stub Resolver.

8.  Disposable Domains

   [DNSNoise] found that disposable domains are widely used by various
   industries, such as Anti-Virus, DNSBLs, CDN, and P2P.  They are
   software-generated subdomains with small target A RRsets, which can
   be summarized by wildcards in passive DNS databases.  Take
   [McAfeeGTI] for example: the response for *.avqs.mcafee.com comes
   from the 127.0.0.0/16 network and encodes reputation information
   about the queried file.  This could instead be offered through a
   single NAPTR RR pointing at a file-reputation service API, rather
   than through a special encoding of A RRs.

9.  Acknowledgements

   Thanks for comments to Tony Finch, Petr Špaček, Matthew Pounsett,
   Paul Hoffman, Richard Gibson, Paul Vixie, Dave Crocker, Peter van
   Dijk, Mark Andrews, Vernon Schryver, Ted Lemon, Mukund Sivaraman,
   Mikael Abrahamsson, Ralf Weber, Davey Song, and Warren Kumari.
   Thanks to all on the DNSOP mailing list.

10.  References

10.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain Names - Concepts and
              Facilities", RFC 1034, November 1987.
   [RFC1035]  Mockapetris, P., "Domain Names - Implementation and
              Specification", RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC4592]  Lewis, E., "The Role of Wildcards in the Domain Name
              System", RFC 4592, July 2006.

   [RFC7719]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", RFC 7719, December 2015.

   [RFC7871]  Contavalli, C., van der Gaast, W., Lawrence, D., and W.
              Kumari, "Client Subnet in DNS Queries", RFC 7871,
              May 2016.

   [RFC8020]  Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is
              Nothing Underneath", RFC 8020, November 2016.

   [RFC8198]  Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
              DNSSEC-Validated Cache", RFC 8198, July 2017.

10.2.  Informative References

   [BankNSHijack]
              "Brazilians whacked: Crooks hijack bank's DNS to fleece
              victims".

   [DNSNoise] "DNS Noise: Measuring the Pervasiveness of Disposable
              Domains in Modern DNS Traffic".

   [McAfeeGTI]
              "McAfee Global Threat Intelligence (GTI) File
              Reputation".

Authors' Addresses

   Lanlan Pan
   Beijing
   China

   Email: abbypan@gmail.com
   URI:   https://github.com/abbypan


   Yu Fu
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing
   China

   Email: fuyu@cnnic.cn