Internet Engineering Task Force                  Yasuhiro Orange Morishita, JPRS
INTERNET-DRAFT                                              Masato Minda, JPRS
Expires: Jan 16, 2005                                             Jul 16, 2004

An Approach for Increasing Root And TLD DNS Servers
draft-yasuhiro-dnsop-increasing-dns-server-01.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.''

To view the list of Internet-Draft Shadow Directories, see http://www.ietf.org/shadow.html.

Distribution of this memo is unlimited.

This Internet-Draft will expire in 6 months. The date of expiration will be Jan 16, 2005.

Abstract

Currently, it is thought that the maximum number of DNS servers for a zone is 13. In fact, the current root zone and some TLD zones have 13 DNS servers. This is not enough for DNS stability and robustness, especially for root and TLD servers; therefore, IP anycast [Hardie, 2002] has been introduced on some root servers. This draft proposes another approach for increasing the number of DNS server hosts without changing the DNS protocol, by using a 'multiple addresses per host' method. This draft also considers the most suitable number of IP addresses for one DNS server name.

1. Introduction

Currently, it is thought that the maximum number of DNS server hosts for a zone is 13. In fact, the current root zone and some TLD zones have 13 DNS servers.

Morishita & Minda Expires: Jan 16, 2005 [Page 1]
DRAFT An Approach for Increasing Root And TLD DNS Servers Jul 2004
For example, the .net zone has 13 DNS servers, known as A.GTLD-SERVERS.NET, B.GTLD-SERVERS.NET, ..., M.GTLD-SERVERS.NET.

This limitation is derived from the maximum UDP message size of the traditional DNS protocol, which is 512 octets [Mockapetris, 1987]. The following is an example of 'dig' command output. It reproduces the packet exchanged between a DNS cache server and a root server when a client asks for a name of the maximum length.

% dig +norec -t a 123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.net @a.root-servers.net

; <<>> DiG 9.3.0rc2 <<>> +norec -t a 123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.net @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59794
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1

;; QUESTION SECTION:
;123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.net. IN A

;; AUTHORITY SECTION:
net.                    172800  IN      NS      A.GTLD-SERVERS.net.
net.                    172800  IN      NS      G.GTLD-SERVERS.net.
net.                    172800  IN      NS      H.GTLD-SERVERS.net.
net.                    172800  IN      NS      C.GTLD-SERVERS.net.
net.                    172800  IN      NS      I.GTLD-SERVERS.net.
net.                    172800  IN      NS      B.GTLD-SERVERS.net.
net.                    172800  IN      NS      D.GTLD-SERVERS.net.
net.                    172800  IN      NS      L.GTLD-SERVERS.net.
net.                    172800  IN      NS      F.GTLD-SERVERS.net.
net.                    172800  IN      NS      J.GTLD-SERVERS.net.
net.                    172800  IN      NS      K.GTLD-SERVERS.net.
net.                    172800  IN      NS      E.GTLD-SERVERS.net.
net.                    172800  IN      NS      M.GTLD-SERVERS.net.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.net.     172800  IN      A       192.5.6.30

;; Query time: 172 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Fri Jul 16 09:55:53 2004
;; MSG SIZE  rcvd: 508

In this case, 13 NS records of the .net servers are in the authority section, 1 glue A record is in the additional section, and the DNS message size is 508 octets. A second glue A record (16 octets with name compression) would push the message past 512 octets, so only one is returned. This means that even in the 'worst case' (a query for the longest possible name), a DNS cache server can get at least 1 glue A record within 512 octets.

However, the DNS protocol allows multiple A records for one host name. This is part of the basic DNS specification, and of course it can be used for glue A records too, so it can be introduced without any DNS protocol extension. For example, suppose the root zone contained the following data for the .net delegation:

NET.                   NS   N.GTLD-SERVERS.NET.
NET.                   NS   O.GTLD-SERVERS.NET.
NET.                   NS   P.GTLD-SERVERS.NET.
N.GTLD-SERVERS.NET.    A    192.5.6.30
                       A    192.33.14.30
                       A    192.26.92.30
                       A    192.31.80.30
                       A    192.12.94.30
                       A    192.35.51.30
O.GTLD-SERVERS.NET.    A    192.42.93.30
                       A    192.54.112.30
                       A    192.43.172.30
                       A    192.48.79.30
                       A    192.52.178.30
P.GTLD-SERVERS.NET.    A    192.41.162.30
                       A    192.55.83.30

In this case the .net zone has 3 name server hosts, each with multiple IP addresses: N.GTLD-SERVERS.NET has 6 addresses, O.GTLD-SERVERS.NET has 5, and P.GTLD-SERVERS.NET has 2, i.e. 13 addresses in total, spread over 3 names instead of 13. This is an example of 'dig' command output for this case.
% dig +norec -t a 123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.net @10.0.0.15

; <<>> DiG 9.3.0rc2 <<>> +norec -t a 123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.net @10.0.0.15
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20303
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 11

;; QUESTION SECTION:
;123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.net. IN A

;; AUTHORITY SECTION:
net.                    172800  IN      NS      O.GTLD-SERVERS.net.
net.                    172800  IN      NS      P.GTLD-SERVERS.net.
net.                    172800  IN      NS      N.GTLD-SERVERS.net.

;; ADDITIONAL SECTION:
N.GTLD-SERVERS.net.     172800  IN      A       192.33.14.30
N.GTLD-SERVERS.net.     172800  IN      A       192.35.51.30
N.GTLD-SERVERS.net.     172800  IN      A       192.5.6.30
N.GTLD-SERVERS.net.     172800  IN      A       192.12.94.30
N.GTLD-SERVERS.net.     172800  IN      A       192.26.92.30
N.GTLD-SERVERS.net.     172800  IN      A       192.31.80.30
O.GTLD-SERVERS.net.     172800  IN      A       192.52.178.30
O.GTLD-SERVERS.net.     172800  IN      A       192.54.112.30
O.GTLD-SERVERS.net.     172800  IN      A       192.42.93.30
O.GTLD-SERVERS.net.     172800  IN      A       192.43.172.30
O.GTLD-SERVERS.net.     172800  IN      A       192.48.79.30

;; Query time: 0 msec
;; SERVER: 10.0.0.15#53(10.0.0.15)
;; WHEN: Fri Jul 16 10:02:33 2004
;; MSG SIZE  rcvd: 508

In this case, 3 NS records of the .net servers are in the authority section, 11 glue A records are in the additional section, and the DNS message size is again 508 octets (the same as in the previous case). The glue for P.GTLD-SERVERS.NET is absent because even one more 16-octet A record would exceed 512 octets. Still, the DNS cache server obtains far more glue A records than in the previous case.

This technique is trivial, but it hides a large potential for DNS server operation. In particular, it makes it possible to add IPv6 (AAAA) glue with minimal influence on the existing IPv4 (A) glue, and it may also be useful when signing a zone for DNSSEC. We tested various combinations of 'the number of DNS servers' and 'IPv4 and IPv6 addresses per name'. The results are attached as APPENDIX A.

2. Consideration Points

There are some points to consider with this approach.

2.1. 'Number of Addresses per Server' Issue

If DNS operators apply this to their own zone, they should consider the most suitable number of IP addresses per name. DNS treats resource records (RRs) on an 'RRset' basis, so if the NS RRset contains only one name (which has many IP addresses) and the name resolution for that RR is partially cancelled for some reason, the whole RRset is cancelled along with it. This directly affects the additional section of a DNS packet: because it happens on an NS query, all of the needed glue A records may be cancelled at once. This is harmful for name resolution and must be avoided.

2.2. Server Selection Issue

Some DNS implementations may select from the DNS server list on a 'name basis', not an 'IP address basis'. If trouble occurs at one of the hosts of the 'DNS server set', it may be harmful for the whole server set.
So, if too many IP addresses are gathered under one name, it may be harmful for DNS server operation; for example, one bad server may block access to the other good servers.

2.3. Registration Issue

At some registries and/or registrars, 'multiple IP address registration' for a DNS server host may not be allowed. In that case, users cannot register such a host. This is an unfortunate limitation and should be fixed.

3. IANA considerations

IANA has announced the beginning of registration of IPv6 address information for root zone glue, so we consider that IANA should support this method in its own registry system. It is useful for IPv6 deployment.

4. Acknowledgements

This work was funded by the Telecommunications Advancement Organization of Japan (TAO) from September 2001 to March 2004. In April 2004, TAO and the Communications Research Laboratory (CRL) were merged and relaunched as the National Institute of Information and Communications Technology (NICT), an incorporated administrative agency.

The authors would like to thank the members of the JPRS research and development department and system administration department for their important contribution to this work.

APPENDIX A: Test Results

This is the result of a survey of various numbers of NS records, IPv4 addresses, and IPv6 addresses. "NS" is the number of NS records; "v4adr" and "v6adr" are the number of IPv4 and IPv6 addresses per NS name; "psize" is the size of the DNS response packet in octets; "glue4" and "glue6" are the number of glue IP addresses actually returned. "Maximum Name Query" is a query for a name of the maximum length, as in the 'dig' examples above.
+-------------------+------------------------------+---------------------------+
| Test Pattern      | Maximum Name Query           | Minimum Name Query        |
| NS  v4adr  v6adr  | psize   glue4   glue6        | psize   glue4   glue6     |
+-------------------+------------------------------+---------------------------+
|  1    1      7    |  504      1       7          |  254      1       7       |
|  1    3      6    |  508      3       6          |  258      3       6       |
|  1    5      5    |  512      5       5          |  262      5       5       |
|  1    6      4    |  500      6       4          |  250      6       4       |
|  1    8      3    |  504      8       3          |  254      8       3       |
+-------------------+------------------------------+---------------------------+
|  1   10      2    |  508     10       2          |  258     10       2       |
|  1   12      1    |  512     12       1          |  262     12       1       |
|  2    2      6    |  508      2       6          |  458      4      12       |
|  2    4      5    |  512      4       5          |  466      8      10       |
|  2    5      4    |  500      5       4          |  442     10       8       |
+-------------------+------------------------------+---------------------------+
|  2    7      3    |  504      7       3          |  450     14       6       |
|  2    9      2    |  508      9       2          |  458     18       4       |
|  2   11      1    |  512     11       1          |  466     22       2       |
|  3    2      4    |  500      4       4          |  506      6      12       |
|  3    3      3    |  504      6       3          |  470      9       9       |
+-------------------+------------------------------+---------------------------+
|  3    5      2    |  460      5       2          |  482     15       6       |
|  3    7      1    |  492      7       2          |  494     21       3       |
|  4    1      3    |  488      4       3          |  490      4      12       |
|  4    3      2    |  500      3       4          |  506     12       8       |
|  4    4      1    |  488      4       3          |  458     16       4       |
+-------------------+------------------------------+---------------------------+
|  5    1      2    |  500      2       4          |  466      5      10       |
|  5    3      1    |  508      6       2          |  486     15       5       |
|  6    2      1    |  492      4       2          |  482     12       6       |
|  7    1      1    |  504      2       3          |  446      7       7       |
|  8    1      1    |  508      3       2          |  506      8       8       |
+-------------------+------------------------------+---------------------------+

Authors' Addresses

Yasuhiro Orange Morishita
Research and Development Department
Japan Registry Service Co.,Ltd.
Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
Chiyoda-ku, Tokyo 101-0065, Japan
Tel: +81-3-5215-8451
Email: yasuhiro@jprs.co.jp

Masato Minda
Research and Development Department
Japan Registry Service Co.,Ltd.
Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
Chiyoda-ku, Tokyo 101-0065, Japan
Tel: +81-3-5215-8451
Email: minmin@jprs.co.jp

References

[Hardie, 2002]      T. Hardie, "Distributing Authoritative Name Servers via Shared Unicast Addresses", RFC 3258, April 2002. ftp://ftp.isi.edu/in-notes/rfc3258.txt

[Mockapetris, 1987] P. Mockapetris, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION", RFC 1035, November 1987. http://www.ietf.org/rfc/rfc1035.txt
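The following script is an added worked example, not part of the original draft and not code from JPRS. It models the size of a referral response under the 512-octet UDP limit of RFC 1035, with name compression, and reproduces the two 'dig' message sizes in Section 1 (508 octets with 13 hosts and 1 glue record; 508 octets with 3 hosts and 11 glue records) as well as the psize/glue4/glue6 columns of Appendix A. Three things in it are assumptions rather than facts stated on the page: the host names used for the Appendix A patterns (a.test.net, b.test.net, ...; only their lengths matter), the 'Minimum Name Query' being a query for the zone apex 'net.' itself, and the order in which glue is packed (one whole RRset at a time, AAAA before A for each NS name, an RRset that does not fit being left out entirely). Those assumptions were chosen because they reproduce every row of the table; they are not a claim about how any particular name server implementation orders its additional section.

```python
"""Wire-size model of a DNS referral under the 512-octet UDP limit.

Only the size is tracked, never the bytes.  RFC 1035 name compression is
applied: any suffix already present in the message is replaced by a
2-octet pointer.  Glue is packed one RRset at a time; an RRset that would
exceed the limit is dropped whole.  Packing order (AAAA before A for each
NS name) is a modelling assumption that reproduces Appendix A.
"""

UDP_LIMIT = 512
HEADER_LEN = 12        # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QUESTION_FIXED = 4     # QTYPE + QCLASS
RR_FIXED = 10          # TYPE, CLASS, TTL, RDLENGTH
A_RDLEN, AAAA_RDLEN = 4, 16


def _labels(name):
    """'A.GTLD-SERVERS.net.' -> ['a', 'gtld-servers', 'net'] (case folded)."""
    return [label for label in name.lower().split(".") if label]


class WireModel:
    """Tracks message size and the offset of every name suffix seen so far."""

    def __init__(self, limit=UDP_LIMIT):
        self.limit = limit
        self.size = HEADER_LEN
        self.offsets = {}                       # suffix -> offset of first copy
        self.counts = {"NS": 0, "A": 0, "AAAA": 0}

    def _add_name(self, name):
        labels = _labels(name)
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.offsets:          # rest of the name is a pointer
                self.size += 2
                return
            if self.size < 0x4000:              # pointers can only reach 14 bits
                self.offsets[suffix] = self.size
            self.size += 1 + len(label)         # length octet + label
        self.size += 1                          # terminating root label

    def add_question(self, qname):
        self._add_name(qname)
        self.size += QUESTION_FIXED

    def add_rrset(self, owner, rtype, rdata):
        """Add a whole RRset, or nothing if it would exceed the limit.

        rdata: target names for NS, RDLENGTH values for A/AAAA.
        Returns True when the RRset was kept.
        """
        saved = (self.size, dict(self.offsets), dict(self.counts))
        for item in rdata:
            self._add_name(owner)
            self.size += RR_FIXED
            if rtype == "NS":
                self._add_name(item)
            else:
                self.size += item
            self.counts[rtype] += 1
        if self.size > self.limit:
            self.size, self.offsets, self.counts = saved
            return False
        return True


def referral(qname, zone, servers, limit=UDP_LIMIT):
    """servers = [(nsname, ipv4 addresses, ipv6 addresses), ...].

    Returns (message size, A glue returned, AAAA glue returned).
    """
    m = WireModel(limit)
    m.add_question(qname)
    if not m.add_rrset(zone, "NS", [host for host, _, _ in servers]):
        raise ValueError("NS RRset alone exceeds the limit; answer would be truncated")
    for host, n_v4, n_v6 in servers:
        m.add_rrset(host, "AAAA", [AAAA_RDLEN] * n_v6)   # assumed order: AAAA first
        m.add_rrset(host, "A", [A_RDLEN] * n_v4)
    return m.size, m.counts["A"], m.counts["AAAA"]


# Longest legal name under .net (25 nine-digit labels, 255 octets on the wire),
# exactly the name queried in the dig examples.
MAX_NAME = "123456789." * 25 + "net."
MIN_NAME = "net."   # assumption: 'Minimum Name Query' asks for the zone apex


def appendix_pattern(ns, v4, v6):
    """Appendix A test pattern with hypothetical host names a.test.net, ..."""
    return [("%s.test.net." % chr(ord("a") + i), v4, v6) for i in range(ns)]


if __name__ == "__main__":
    current = [("%s.gtld-servers.net." % c, 1, 0) for c in "abcdefghijklm"]
    print("13 hosts, 1 address each :", referral(MAX_NAME, "net.", current))
    proposed = [("n.gtld-servers.net.", 6, 0), ("o.gtld-servers.net.", 5, 0),
                ("p.gtld-servers.net.", 2, 0)]
    print("3 hosts, 6/5/2 addresses :", referral(MAX_NAME, "net.", proposed))
    for pattern in [(1, 1, 7), (3, 2, 4), (3, 5, 2), (4, 3, 2), (8, 1, 1)]:
        hosts = appendix_pattern(*pattern)
        print(pattern, referral(MAX_NAME, "net.", hosts), referral(MIN_NAME, "net.", hosts))
```

The model makes the arithmetic behind Section 1 visible: the 255-octet question leaves 241 octets, the first NS record costs 29 octets and each further one 16 (its name compresses to a pointer plus one label), and each compressed glue A record costs 16 octets, so 13 names leave room for exactly one glue record while 3 names leave room for eleven. Running the Appendix A rows through referral() also shows why the '3 5 2' row stops at 460 octets: the next candidate RRset (five A records, 80 octets) does not fit, and under the whole-RRset rule nothing smaller is packed in its place.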