Internet Engineering Task Force Y. Wang Internet-Draft X. Lee Intended status: Informational S. Shen Expires: April 28, 2011 CNNIC October 25, 2010 Improving the caching DNS resolvers on "authority failure" draft-wang-improve-dns-resolver-01 Abstract This document provides a new mechanism for caching DNS resolvers. When all the authoritative name servers for a zone fail, and the request can't be found in the cache, during a period of time the caching DNS resolvers won't query the authoritative name servers, but directly return a SERVFAIL to the clients to reduce the recursive name server load and the network load. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 28, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Wang, et al. Expires April 28, 2011 [Page 1] Internet-Draft Improve Caching Resolver October 2010 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The status of a zone . . . . . . . . . . . . . . . . . . . . . 3 4. New mechanism of the caching DNS resolver . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 6. Security considerations . . . . . . . . . . . . . . . . . . . . 4 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 4 8. Normative References . . . . . . . . . . . . . . . . . . . . . 4 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5 Wang, et al. Expires April 28, 2011 [Page 2] Internet-Draft Improve Caching Resolver October 2010 1. Introduction When a DNS caching resolver receives a request from a client, first it tries to search in the cache and then query the authoritative name servers for the corresponding zone in case that the requested data is not cached. If all the authoritative name servers for a zone fail, that is they are dead or unreachable, the recursive server can get no answers of queries for a domain name in that zone, and can not answer the clients. However, the client may keep sending the requests which won't be answered before authoritative name servers resume. The repeated requests will flood recursive server, the corresponding authoritative name servers and the networks between them. In this situation, the DNS service of the network may be out of service because of the flood. [A similar case like Baofeng media Player Accident will cause massive network outage.] This document describes a mechanism for the caching DNS resolvers to prevent hopeless queries from going to the authoritative name servers when all authoritative name servers of the zone of the records are out of service. Therefore DNS reliability is enhanced. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. The status of a zone A list of status for all the authoritative name servers for a zone is maintained. When all the authoritative name servers of the zone fail (dead,unreachable or answers SERVFAIL), the queries from the caching DNS resolver can't be answered or answered with SERVFAIL. We can call this zone in an "authority failure" status, otherwise the zone is in the "normal" status. After setting a zone in the authority failure status, a corresponding timer will be set for the zone. When anyone of the authoritative name servers of the zone recovers, the status should be changed back to normal status. According to [RFC2308], an authoritative name server may be deemed to be dead or unreachable if it has not responded to an outstanding query within 120 seconds. Wang, et al. Expires April 28, 2011 [Page 3] Internet-Draft Improve Caching Resolver October 2010 4. New mechanism of the caching DNS resolver 4.1 Receiving a query for a domain name/RR from a client. 4.2 If the RRs of domain name queried can be found in the cache of the caching DNS resolver, corresponding RRs are returned. 4.3 Otherwise, the status of the zone which the domain name belongs to is checked. a. In normal status, the caching DNS resolver will query the authoritative name servers as usual. b. In case of "authority failure", b.1 If the timer doesn't expire, the caching DNS resolver will not query the authoritative name servers and answer a SERVFAIL directly to the clients. b.2. If the timer expires, the caching DNS resolver will query the authoritative name servers as usual. If the query succeeds, the status of the zone changes to the normal status. Otherwise, the status is still "authority failure" and the corresponding timer is reset. The initial value of timer must be reasonable, keeping the balance between availability and stability, it should not be longer than 5 minutes. 5. IANA Considerations [no] 6. Security considerations This document is believed to introduce no additional security problems to the current DNS protocol. 7. Acknowledgements 8. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. Wang, et al. Expires April 28, 2011 [Page 4] Internet-Draft Improve Caching Resolver October 2010 [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998. Authors' Addresses Yan Wang CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3315 Email: wangy@cnnic.cn Xiaodong Lee CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3020 Email: lee@cnnic.cn Sean Shen CNNIC 4 South 4th Street,Zhongguancun,Haidian District Beijing, Beijing 100190 China Phone: +86 10 5881 3038 Email: shenshuo@cnnic.cn Wang, et al. Expires April 28, 2011 [Page 5]