Internet Engineering Task Force Y. Wang Internet-Draft X. Lee Intended status: Informational CNNIC Expires: January 6, 2011 July 5, 2010 Improving the caching DNS resolvers against "authority failure" draft-wang-improve-dns-resolver-00 Abstract This document provides a new mechanism for caching DNS resolvers. When all the authoritative name servers for a zone fail, the caching DNS resolvers extend the lifetime of resource records in the zone in the cache to provide resolution service as far as possible. And when the request can't be found in the cache, during a period of time the caching DNS resolvers don't query the authoritative name servers, but directly return a NXDOMAIN to the clients to reduce the recursive name server load and the network load. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 6, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Wang & Lee Expires January 6, 2011 [Page 1] Internet-Draft Improve Caching Resolver July 2010 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The authority failure status of a zone . . . . . . . . . . . . 3 4. New mechanism of the caching DNS resolver . . . . . . . . . . . 3 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 6. Security considerations . . . . . . . . . . . . . . . . . . . . 4 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 8. Normative References . . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5 Wang & Lee Expires January 6, 2011 [Page 2] Internet-Draft Improve Caching Resolver July 2010 1. Introduction When a DNS caching DNS resolver receives a request from a client, first it tries to search in the cache and then query the authoritative name servers for the corresponding zone in case of cache miss. If all the authoritative name servers for a zone fail, the caching DNS resolvers can get no answers of queries for a domain name in that zone, and unable to answer the clients. However, the client may keep sending the requests which won't be answered anyway, which flood both the caching DNS resolver, the corresponding authoritative name servers and the networks. In this situation, the whole network may be out of domain name resolution service. This document specifies a mechanism for the caching DNS resolvers to keep the records longer in the caches and prevent hopeless queries from going to the authoritative name servers in case of cache miss when all authoritative name servers of the zone of the records are out of service. Therefore enhance the DNS reliability. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. The authority failure status of a zone A list of status for all the authoritative name servers for a zone is maintained. When all the authoritative name servers of the zone are out of service, the queries from the caching DNS resolver can't be answered. We can call this zone in an "authority failure" status. After setting a zone in the authority failure status, a corresponding timer will be set for the zone. When anyone of the authoritative name servers of the zone recovers, the status should be changed back to normal status. If needed, the methods of determining and recording the all authoritative name servers failure status can be discussed here. 4. New mechanism of the caching DNS resolver 4.1 Receiving a query for a domain name/RRs from a client. Wang & Lee Expires January 6, 2011 [Page 3] Internet-Draft Improve Caching Resolver July 2010 4.2 If the RRs of domain name queried can be found in the cache of the caching DNS resolver, corresponding RRs are returned. 4.3 Otherwise, the status of the zone which the domain name belongs to is checked. a. In normal status, the caching DNS resolver will query the authoritative name servers as usual. b. In case of "authority failure", b.1 If the timer doesn't expire, the caching DNS resolver will not query the authoritative name servers and answer a NXDOMAIN directly to the clients. b.2. If the timer expires, the caching DNS resolver will query the authoritative name servers as usual. If the query succeeds, the status of the zone changes to the normal status. Otherwise, the status is still "authority failure" and the corresponding timer is reset. 4.4 When a RR in the cache will expire, the status of the zone the RR belonging to is checked. a. If the zone is in the normal status, the RR expires as usual. b. If the zone is in the "authority failure" status, the RR shouldn't expire. The TTL of the RR is extended by adding the current value of corresponding timer. The initial value of timer must be reasonable, keeping the balance between availability and stability, it is to be discussed and decided. 5. IANA Considerations 6. Security considerations This document is believed to introduce no additional security problems to the current DNS protocol. Wang & Lee Expires January 6, 2011 [Page 4] Internet-Draft Improve Caching Resolver July 2010 7. Acknowledgements 8. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Authors' Addresses Yan Wang CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3315 Email: wangy@cnnic.cn Xiaodong Lee CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3020 Email: lee@cnnic.cn Wang & Lee Expires January 6, 2011 [Page 5]