-
Notifications
You must be signed in to change notification settings - Fork 7
/
draft-ietf-dprive-xfr-over-tls-12.txt
2352 lines (1506 loc) · 86.6 KB
/
draft-ietf-dprive-xfr-over-tls-12.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
dprive W. Toorop
Internet-Draft NLnet Labs
Updates: 1995, 5936, 7766 (if approved) S. Dickinson
Intended status: Standards Track Sinodun IT
Expires: 27 November 2021 S. Sahib
Brave Software
P. Aras
A. Mankin
Salesforce
26 May 2021
DNS Zone Transfer-over-TLS
draft-ietf-dprive-xfr-over-tls-12
Abstract
DNS zone transfers are transmitted in clear text, which gives
attackers the opportunity to collect the content of a zone by
eavesdropping on network connections. The DNS Transaction Signature
(TSIG) mechanism is specified to restrict direct zone transfer to
authorized clients only, but it does not add confidentiality. This
document specifies the use of TLS, rather than clear text, to prevent
zone content collection via passive monitoring of zone transfers:
XFR-over-TLS (XoT). Additionally, this specification updates RFC1995
and RFC5936 with respect to efficient use of TCP connections, and
RFC7766 with respect to the recommended number of connections between
a client and server for each transport.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 27 November 2021.
Toorop, et al. Expires 27 November 2021 [Page 1]
Internet-Draft XFR-over-TLS May 2021
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Document work via GitHub . . . . . . . . . . . . . . . . . . 6
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Design Considerations for XoT . . . . . . . . . . . . . . . . 7
6. Connection and Data Flows in Existing XFR Mechanisms . . . . 8
6.1. AXFR Mechanism . . . . . . . . . . . . . . . . . . . . . 8
6.2. IXFR Mechanism . . . . . . . . . . . . . . . . . . . . . 10
6.3. Data Leakage of NOTIFY and SOA Message Exchanges . . . . 11
6.3.1. NOTIFY . . . . . . . . . . . . . . . . . . . . . . . 11
6.3.2. SOA . . . . . . . . . . . . . . . . . . . . . . . . . 12
7. Updates to existing specifications . . . . . . . . . . . . . 12
7.1. Update to RFC1995 for IXFR-over-TCP . . . . . . . . . . . 13
7.2. Update to RFC5936 for AXFR-over-TCP . . . . . . . . . . . 14
7.3. Updates to RFC1995 and RFC5936 for XFR-over-TCP . . . . . 14
7.3.1. Connection reuse . . . . . . . . . . . . . . . . . . 14
7.3.2. AXFRs and IXFRs on the same connection . . . . . . . 15
7.3.3. XFR limits . . . . . . . . . . . . . . . . . . . . . 15
7.3.4. The edns-tcp-keepalive EDNS0 Option . . . . . . . . . 15
7.3.5. Backwards compatibility . . . . . . . . . . . . . . . 16
7.4. Update to RFC7766 . . . . . . . . . . . . . . . . . . . . 16
8. XoT specification . . . . . . . . . . . . . . . . . . . . . . 17
8.1. Connection establishment . . . . . . . . . . . . . . . . 17
8.2. TLS versions . . . . . . . . . . . . . . . . . . . . . . 17
8.3. Port selection . . . . . . . . . . . . . . . . . . . . . 18
8.4. High level XoT descriptions . . . . . . . . . . . . . . . 18
8.5. XoT transfers . . . . . . . . . . . . . . . . . . . . . . 20
8.6. XoT connections . . . . . . . . . . . . . . . . . . . . . 21
8.7. XoT vs ADoT . . . . . . . . . . . . . . . . . . . . . . . 21
8.8. Response RCODES . . . . . . . . . . . . . . . . . . . . . 22
8.9. AXoT specifics . . . . . . . . . . . . . . . . . . . . . 22
8.9.1. Padding AXoT responses . . . . . . . . . . . . . . . 22
Toorop, et al. Expires 27 November 2021 [Page 2]
Internet-Draft XFR-over-TLS May 2021
8.10. IXoT specifics . . . . . . . . . . . . . . . . . . . . . 23
8.10.1. Condensation of responses . . . . . . . . . . . . . 23
8.10.2. Fallback to AXFR . . . . . . . . . . . . . . . . . . 24
8.10.3. Padding of IXoT responses . . . . . . . . . . . . . 24
8.11. Name compression and maximum payload sizes . . . . . . . 24
9. Multi-primary Configurations . . . . . . . . . . . . . . . . 25
10. Authentication mechanisms . . . . . . . . . . . . . . . . . . 26
10.1. TSIG . . . . . . . . . . . . . . . . . . . . . . . . . . 26
10.2. SIG(0) . . . . . . . . . . . . . . . . . . . . . . . . . 26
10.3. TLS . . . . . . . . . . . . . . . . . . . . . . . . . . 26
10.3.1. Opportunistic TLS . . . . . . . . . . . . . . . . . 27
10.3.2. Strict TLS . . . . . . . . . . . . . . . . . . . . . 27
10.3.3. Mutual TLS . . . . . . . . . . . . . . . . . . . . . 27
10.4. IP Based ACL on the Primary . . . . . . . . . . . . . . 28
10.5. ZONEMD . . . . . . . . . . . . . . . . . . . . . . . . . 28
11. XoT authentication . . . . . . . . . . . . . . . . . . . . . 28
12. Policies for Both AXoT and IXoT . . . . . . . . . . . . . . . 29
13. Implementation Considerations . . . . . . . . . . . . . . . . 30
14. Operational Considerations . . . . . . . . . . . . . . . . . 30
15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
16. Implementation Status . . . . . . . . . . . . . . . . . . . . 31
17. Security Considerations . . . . . . . . . . . . . . . . . . . 31
18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32
19. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 32
20. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 32
21. Normative References . . . . . . . . . . . . . . . . . . . . 35
22. Informative References . . . . . . . . . . . . . . . . . . . 37
Appendix A. XoT server connection handling . . . . . . . . . . . 39
A.1. Only listen on TLS on a specific IP address . . . . . . . 39
A.2. Client specific TLS acceptance . . . . . . . . . . . . . 39
A.3. SNI based TLS acceptance . . . . . . . . . . . . . . . . 40
A.4. Transport specific response policies . . . . . . . . . . 40
A.4.1. SNI based response policies . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction
DNS has a number of privacy vulnerabilities, as discussed in detail
in [I-D.ietf-dprive-rfc7626-bis]. Stub client to recursive resolver
query privacy has received the most attention to date, with standards
track documents for both DNS-over-TLS (DoT) [RFC7858] and DNS-over-
HTTPS (DoH) [RFC8484], and a proposal for DNS-over-QUIC
[I-D.ietf-dprive-dnsoquic]. There is ongoing work on DNS privacy
requirements for exchanges between recursive resolvers and
authoritative servers [I-D.ietf-dprive-phase2-requirements] and some
suggestions for how signaling of DoT support by authoritative
nameservers might work. However, there is currently no RFC that
specifically defines recursive to authoritative DNS-over-TLS (ADoT).
Toorop, et al. Expires 27 November 2021 [Page 3]
Internet-Draft XFR-over-TLS May 2021
[I-D.ietf-dprive-rfc7626-bis] established that stub client DNS query
transactions are not public and needed protection, but on zone
transfer [RFC1995] [RFC5936] it says only:
"Privacy risks for the holder of a zone (the risk that someone
gets the data) are discussed in [RFC5936] and [RFC5155]."
In what way is exposing the full contents of a zone a privacy risk?
The contents of the zone could include information such as names of
persons used in names of hosts. Best practice is not to use personal
information for domain names, but many such domain names exist. The
contents of the zone could also include references to locations that
allow inference about location information of the individuals
associated with the zone's organization. It could also include
references to other organizations. Examples of this could be:
* Person-laptop.example.org
* MX-for-Location.example.org
* Service-tenant-from-another-org.example.org
Additionally, the full zone contents expose all the IP addresses of
endpoints held in the DNS records which can make reconnaissance and
attack targeting easier, particularly for IPv6 addresses or private
networks. There may also be regulatory, policy or other reasons why
the zone contents in full must be treated as private.
Neither of the RFCs mentioned in [I-D.ietf-dprive-rfc7626-bis]
contemplates the risk that someone gets the data through
eavesdropping on network connections, only via enumeration or
unauthorized transfer as described in the following paragraphs.
Zone enumeration is trivially possible for DNSSEC zones which use
NSEC; i.e. queries for the authenticated denial of existence records
allow a client to walk through the entire zone contents. [RFC5155]
specifies NSEC3, a mechanism to provide measures against zone
enumeration for DNSSEC signed zones (a goal was to make it as hard to
enumerate a DNSSEC signed zone as an unsigned zone). Whilst this is
widely used, it has been demonstrated that zone walking is possible
for precomputed NSEC3 using attacks such as those described in
[NSEC3-attacks]. This prompted further work on an alternative
mechanism for DNSSEC authenticated denial of existence - NSEC5
[I-D.vcelak-nsec5] - however questions remain over the practicality
of this mechanism.
Toorop, et al. Expires 27 November 2021 [Page 4]
Internet-Draft XFR-over-TLS May 2021
[RFC5155] does not address data obtained outside zone enumeration
(nor does [I-D.vcelak-nsec5]). Preventing eavesdropping of zone
transfers (this document) is orthogonal to preventing zone
enumeration, though they aim to protect the same information.
[RFC5936] specifies using TSIG [RFC8945] for authorization of the
clients of a zone transfer and for data integrity, but does not
express any need for confidentiality, and TSIG does not offer
encryption.
Section 8 of the NIST guide on 'Secure Domain Name System (DNS)
Deployment' [nist-guide] discusses restricting access for zone
transfers using ACLs and TSIG in more detail. It also discusses the
possibility that specific deployments might choose to use a lower
level network layer to protect zone transfers, e.g., IPSec.
It is noted that in all the common open source implementations such
ACLs are applied on a per query basis (at the time of writing).
Since requests typically occur on TCP connections authoritatives must
therefore accept any TCP connection and then handling the
authentication of each zone transfer (XFR) request individually.
Because both AXFR (authoritative transfer) and IXFR (incremental
transfer) are typically carried out over TCP from authoritative DNS
protocol implementations, encrypting zone transfers using TLS
[RFC8499], based closely on DoT [RFC7858], seems like a simple step
forward. This document specifies how to use TLS (1.3 or later) as a
transport to prevent zone collection from zone transfers.
This document also updates the previous specifications for zone
transfers to clarify and extend them, mainly with respect to TCP
usage:
* RFC1995 (IXFR) and RFC5936 (AXFR) are both updated to add further
specification on efficient use of TCP connections
* Section 6.2.2 of RFC7766 (DNS Transport over TCP - Implementation
Requirements) is updated with a new recommendation about the
number of connections between a client and server for each
transport.
Toorop, et al. Expires 27 November 2021 [Page 5]
Internet-Draft XFR-over-TLS May 2021
2. Document work via GitHub
[THIS SECTION TO BE REMOVED BEFORE PUBLICATION] The Github repository
for this document is at https://github.com/hanzhang0116/hzpa-dprive-
xfr-over-tls (https://github.com/hanzhang0116/hzpa-dprive-xfr-over-
tls). Proposed text and editorial changes are very much welcomed
there, but any functional changes should always first be discussed on
the IETF DPRIVE WG (dns-privacy) mailing list.
3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Privacy terminology is as described in Section 3 of [RFC6973].
DNS terminology is as described in [RFC8499]. Note that as in
[RFC8499], the terms 'primary' and 'secondary' are used for two
servers engaged in zone transfers.
DoT: DNS-over-TLS as specified in [RFC7858]
XFR-over-TCP: Used to mean both IXFR-over-TCP [RFC1995] and AXFR-
over-TCP [RFC5936].
XoT: XFR-over-TLS mechanisms as specified in this document which
apply to both AXFR-over-TLS and IXFR-over-TLS
AXoT: AXFR-over-TLS
IXoT: IXFR over-TLS
4. Threat Model
The threat model considered here is one where the current contents
and size of the zone are considered sensitive and should be protected
during transfer.
The threat model does not, however, consider the existence of a zone,
the act of zone transfer between two entities, nor the identities of
the nameservers hosting a zone (including both those acting as hidden
primaries/secondaries or directly serving the zone) as sensitive
information. The proposed mechanism does not attempt to obscure such
information. The reasons for this include:
Toorop, et al. Expires 27 November 2021 [Page 6]
Internet-Draft XFR-over-TLS May 2021
* much of this information can be obtained by various methods,
including active scanning of the DNS
* an attacker who can monitor network traffic can relatively easily
infer relations between nameservers simply from traffic patterns,
even when some or all of the traffic is encrypted (in terms of
current deployments)
The model does not consider attacks on the mechanisms that trigger a
zone transfer, e.g., NOTIFY messages.
It is noted that simply using XoT will indicate a desire by the zone
owner that the contents of the zone remain confidential and so could
be subject to blocking (e.g., via blocking of port 853) if an
attacker had such capabilities. However this threat is likely true
of any such mechanism that attempts to encrypt data passed between
nameservers, e.g., IPsec.
5. Design Considerations for XoT
The following principles were considered in the design for XoT:
* Confidentiality. Clearly using an encrypted transport for zone
transfers will defeat zone content leakage that can occur via
passive surveillance.
* Authentication. Use of single or mutual TLS (mTLS) authentication
(in combination with access control lists (ACLs)) can complement
and potentially be an alternative to TSIG.
* Performance.
- Existing AXFR and IXFR mechanisms have the burden of backwards
compatibility with older implementations based on the original
specifications in [RFC1034] and [RFC1035]. For example, some
older AXFR servers don't support using a TCP connection for
multiple AXFR sessions or XFRs of different zones because they
have not been updated to follow the guidance in [RFC5936]. Any
implementation of XoT would obviously be required to implement
optimized and interoperable transfers as described in
[RFC5936], e.g., transfer of multiple zones over one
connection.
- Current usage of TCP for IXFR is sub-optimal in some cases i.e.
connections are frequently closed after a single IXFR.
Toorop, et al. Expires 27 November 2021 [Page 7]
Internet-Draft XFR-over-TLS May 2021
6. Connection and Data Flows in Existing XFR Mechanisms
The original specification for zone transfers in [RFC1034] and
[RFC1035] was based on a polling mechanism: a secondary performed a
periodic query for the SOA (start of zone authority) record (based on
the refresh timer) to determine if an AXFR was required.
[RFC1995] and [RFC1996] introduced the concepts of IXFR and NOTIFY
respectively, to provide for prompt propagation of zone updates.
This has largely replaced AXFR where possible, particularly for
dynamically updated zones.
[RFC5936] subsequently redefined the specification of AXFR to improve
performance and interoperability.
In this document we use the term "XFR mechanism" to describe the
entire set of message exchanges between a secondary and a primary
that concludes in a successful AXFR or IXFR request/response. This
set may or may not include
* NOTIFY messages
* SOA queries
* Fallback from IXFR to AXFR
* Fallback from IXFR-over-UDP to IXFR-over-TCP
The term is used to encompass the range of permutations that are
possible and is useful to distinguish the 'XFR mechanism' from a
single XFR request/response exchange.
6.1. AXFR Mechanism
The figure below provides an outline of an AXFR mechanism including
NOTIFYs.
Toorop, et al. Expires 27 November 2021 [Page 8]
Internet-Draft XFR-over-TLS May 2021
Secondary Primary
| NOTIFY |
| <-------------------------------- | UDP
| --------------------------------> |
| NOTIFY Response |
| |
| |
| SOA Request |
| --------------------------------> | UDP (or part of
| <-------------------------------- | a TCP session)
| SOA Response |
| |
| |
| |
| AXFR Request | ---
| --------------------------------> | |
| <-------------------------------- | |
| AXFR Response 1 | |
| (Zone data) | |
| | |
| <-------------------------------- | | TCP
| AXFR Response 2 | | Session
| (Zone data) | |
| | |
| <-------------------------------- | |
| AXFR Response 3 | |
| (Zone data) | ---
| |
Figure 1. AXFR Mechanism
1. An AXFR is often (but not always) preceded by a NOTIFY (over UDP)
from the primary to the secondary. A secondary may also initiate
an AXFR based on a refresh timer or scheduled/triggered zone
maintenance.
2. The secondary will normally (but not always) make a SOA query to
the primary to obtain the serial number of the zone held by the
primary.
3. If the primary serial is higher than the secondary's serial
(using Serial Number Arithmetic [RFC1982]), the secondary makes
an AXFR request (over TCP) to the primary after which the AXFR
data flows in one or more AXFR responses on the TCP connection.
[RFC5936] defines this specific step as an 'AXFR session' i.e. as
an AXFR query message and the sequence of AXFR response messages
returned for it.
Toorop, et al. Expires 27 November 2021 [Page 9]
Internet-Draft XFR-over-TLS May 2021
[RFC5936] re-specified AXFR providing additional guidance beyond that
provided in [RFC1034] and [RFC1035] and importantly specified that
AXFR must use TCP as the transport protocol.
Additionally, sections 4.1, 4.1.1 and 4.1.2 of [RFC5936] provide
improved guidance for AXFR clients and servers with regard to re-use
of TCP connections for multiple AXFRs and AXFRs of different zones.
However [RFC5936] was constrained by having to be backwards
compatible with some very early basic implementations of AXFR. For
example, it outlines that the SOA query can also happen on this
connection. However, this can cause interoperability problems with
older implementations that support only the trivial case of one AXFR
per connection.
6.2. IXFR Mechanism
The figure below provides an outline of the IXFR mechanism including
NOTIFYs.
Secondary Primary
| NOTIFY |
| <-------------------------------- | UDP
| --------------------------------> |
| NOTIFY Response |
| |
| |
| SOA Request |
| --------------------------------> | UDP or TCP
| <-------------------------------- |
| SOA Response |
| |
| |
| |
| IXFR Request |
| --------------------------------> | UDP or TCP
| <-------------------------------- |
| IXFR Response |
| (Zone data) |
| |
| | ---
| IXFR Request | |
| --------------------------------> | | Retry over
| <-------------------------------- | | TCP if
| IXFR Response | | required
| (Zone data) | ---
Figure 2. IXFR Mechanism
Toorop, et al. Expires 27 November 2021 [Page 10]
Internet-Draft XFR-over-TLS May 2021
1. An IXFR is normally (but not always) preceded by a NOTIFY (over
UDP) from the primary to the secondary. A secondary may also
initiate an IXFR based on a refresh timer or scheduled/triggered
zone maintenance.
2. The secondary will normally (but not always) make a SOA query to
the primary to obtain the serial number of the zone held by the
primary.
3. If the primary serial is higher than the secondaries serial
(using Serial Number Arithmetic [RFC1982]), the secondary makes
an IXFR request to the primary after which the primary sends an
IXFR response.
[RFC1995] specifies that Incremental Transfer may use UDP if the
entire IXFR response can be contained in a single DNS packet,
otherwise, TCP is used. In fact it says:
"Thus, a client should first make an IXFR query using UDP."
So there may be a fourth step above where the client falls back to
IXFR-over-TCP. There may also be a additional step where the
secondary must fall back to AXFR because, e.g., the primary does not
support IXFR.
However it is noted that most widely used open source authoritative
nameserver implementations (including both [BIND] and [NSD]) do IXFR
using TCP by default in their latest releases. For BIND, TCP
connections are sometimes used for SOA queries but in general they
are not used persistently and close after an IXFR is completed.
6.3. Data Leakage of NOTIFY and SOA Message Exchanges
This section presents a rationale for considering encrypting the
other messages in the XFR mechanism.
Since the SOA of the published zone can be trivially discovered by
simply querying the publicly available authoritative servers, leakage
of this resource record (RR) via such a direct query is not discussed
in the following sections.
6.3.1. NOTIFY
Unencrypted NOTIFY messages identify configured secondaries on the
primary.
[RFC1996] also states:
Toorop, et al. Expires 27 November 2021 [Page 11]
Internet-Draft XFR-over-TLS May 2021
"If ANCOUNT>0, then the answer section represents an
unsecure hint at the new RRset for this (QNAME,QCLASS,QTYPE).
But since the only QTYPE for NOTIFY defined at the time of this
writing is SOA, this does not pose a potential leak.
6.3.2. SOA
For hidden XFR servers (either primaries or secondaries), an SOA
response directly from that server only additionally leaks the degree
of SOA serial number lag of any downstream secondary of that server.
7. Updates to existing specifications
For convenience, the term 'XFR-over-TCP' is used in this document to
mean both IXFR-over-TCP and AXFR-over-TCP and therefore statements
that use that term update both [RFC1995] and [RFC5936], and
implicitly also apply to XoT. Differences in behavior specific to
XoT are discussed in Section 8.
Both [RFC1995] and [RFC5936] were published sometime before TCP was
considered a first class transport for DNS. [RFC1995], in fact, says
nothing with respect to optimizing IXFRs over TCP or re-using already
open TCP connections to perform IXFRs or other queries. Therefore,
there arguably is an implicit assumption that a TCP connection is
used for one and only one IXFR request. Indeed, many major open
source implementations take this approach (at the time of this
writing). And whilst [RFC5936] gives guidance on connection re-use
for AXFR, it pre-dates more recent specifications describing
persistent TCP connections (e.g., [RFC7766], [RFC7828]), and AXFR
implementations again often make less than optimal use of open
connections.
Given this, new implementations of XoT will clearly benefit from
specific guidance on TCP/TLS connection usage for XFR, because this
will:
* result in more consistent XoT implementations with better
interoperability
* remove any need for XoT implementations to support legacy behavior
for XoT connections that XFR-over-TCP implementations have
historically often supported
Therefore this document updates both the previous specifications for
XFR-over-TCP ([RFC1995] and [RFC5936]) to clarify that
Toorop, et al. Expires 27 November 2021 [Page 12]
Internet-Draft XFR-over-TLS May 2021
* Implementations MUST use [RFC7766] (DNS Transport over TCP -
Implementation Requirements) to optimize the use of TCP
connections.
* Whilst RFC7766 states that 'DNS clients SHOULD pipeline their
queries' on TCP connections, it did not distinguish between XFRs
and other queries for this behavior. It is now recognized that
XFRs are not as latency sensitive as other queries, and can be
significantly more complex for clients to handle, both because of
the large amount of state that must be kept and because there may
be multiple messages in the responses. For these reasons, it is
clarified here that a valid reason for not pipelining queries is
when they are all XFR queries i.e. clients sending multiple XFRs
MAY choose not to pipeline those queries. Clients that do not
pipeline XFR queries, therefore, have no additional requirements
to handle out-of-order or intermingled responses (as described
later), since they will never receive them.
* Implementations SHOULD use [RFC7828] (The edns-tcp-keepalive EDNS0
Option) to manage persistent connections (which is more flexible
than using just fixed timeouts).
The following sections include detailed clarifications on the updates
to XFR behavior implied in [RFC7766] and how the use of [RFC7828]
applies specifically to XFR exchanges. They also discuss how IXFR
and AXFR can reuse the same TCP connection.
For completeness, we also mention here the recent specification of
extended DNS error (EDE) codes [RFC8914]. For zone transfers, when
returning REFUSED to a zone transfer request from an 'unauthorized'
client (e.g., where the client is not listed in an ACL for zone
transfers or does not sign the request with a valid TSIG key), the
extended DNS error code 18 (Prohibited) can also be sent.
7.1. Update to RFC1995 for IXFR-over-TCP
For clarity - an IXFR-over-TCP server compliant with this
specification MUST be able to handle multiple concurrent IXoT
requests on a single TCP connection (for the same and different
zones) and SHOULD send the responses as soon as they are available,
which might be out-of-order compared to the requests.
Toorop, et al. Expires 27 November 2021 [Page 13]
Internet-Draft XFR-over-TLS May 2021
7.2. Update to RFC5936 for AXFR-over-TCP
For clarity - an AXFR-over-TCP server compliant with this
specification MUST be able to handle multiple concurrent AXoT
sessions on a single TCP connection (for the same and different
zones). The response streams for concurrent AXFRs MAY be
intermingled and AXFR-over-TCP clients compliant with this
specification which pipeline AXFR requests MUST be able to handle
this.
7.3. Updates to RFC1995 and RFC5936 for XFR-over-TCP
7.3.1. Connection reuse
As specified, XFR-over-TCP clients SHOULD re-use any existing open
TCP connection when starting any new XFR request to the same primary,
and for issuing SOA queries, instead of opening a new connection.
The number of TCP connections between a secondary and primary SHOULD
be minimized (also see Section 7.4).
Valid reasons for not re-using existing connections might include:
* as already noted in [RFC7766], separate connections for different
zones might be preferred for operational reasons. In this case,
the number of concurrent connections for zone transfers SHOULD be
limited to the total number of zones transferred between the
client and server.
* reaching a configured limit for the number of outstanding queries
or XFR requests allowed on a single TCP connection
* the message ID pool has already been exhausted on an open
connection
* a large number of timeouts or slow responses have occurred on an
open connection
* an edns-tcp-keepalive EDNS0 option with a timeout of 0 has been
received from the server and the client is in the process of
closing the connection (see Section 7.3.4)
If no TCP connections are currently open, XFR clients MAY send SOA
queries over UDP or a new TCP connection.
Toorop, et al. Expires 27 November 2021 [Page 14]
Internet-Draft XFR-over-TLS May 2021
7.3.2. AXFRs and IXFRs on the same connection
Neither [RFC1995] nor [RFC5936] explicitly discuss the use of a
single TCP connection for both IXFR and AXFR requests. [RFC5936]
does make the general statement:
"Non-AXFR session traffic can also use an open TCP connection."
We clarify here that implementations capable of both AXFR and IXFR
and compliant with this specification SHOULD
* use the same TCP connection for both AXFR and IXFR requests to the
same primary
* pipeline such requests (if they pipeline XFR requests in general)
and MAY intermingle them
* send the response(s) for each request as soon as they are
available i.e. responses MAY be sent intermingled
For some current implementations adding all the above functionality
would introduce significant code complexity. In such a case, there
will need to be an assessment of the trade-off between that and the
performance benefits of the above for XFR.
7.3.3. XFR limits
The server MAY limit the number of concurrent IXFRs, AXFRs or total
XFR transfers in progress, or from a given secondary, to protect
server resources. Servers SHOULD return SERVFAIL if this limit is
hit, since it is a transient error and a retry at a later time might
succeed (there is no previous specification for this behavior).
7.3.4. The edns-tcp-keepalive EDNS0 Option
XFR clients that send the edns-tcp-keepalive EDNS0 option on every
XFR request provide the server with maximum opportunity to update the
edns-tcp-keepalive timeout. The XFR server may use the frequency of
recent XFRs to calculate an average update rate as input to the
decision of what edns-tcp-keepalive timeout to use. If the server
does not support edns-tcp-keepalive, the client MAY keep the
connection open for a few seconds ([RFC7766] recommends that servers
use timeouts of at least a few seconds).
Whilst the specification for EDNS0 [RFC6891] does not specifically
mention AXFRs, it does say
Toorop, et al. Expires 27 November 2021 [Page 15]
Internet-Draft XFR-over-TLS May 2021
"If an OPT record is present in a received request, compliant
responders MUST include an OPT record in their respective
responses."
We clarify here that if an OPT record is present in a received AXFR
request, compliant responders MUST include an OPT record in each of
the subsequent AXFR responses. Note that this requirement, combined
with the use of edns-tcp-keepalive, enables AXFR servers to signal
the desire to close a connection (when existing transactions have
competed) due to low resources by sending an edns-tcp-keepalive EDNS0
option with a timeout of 0 on any AXFR response. This does not
signal that the AXFR is aborted, just that the server wishes to close
the connection as soon as possible.
7.3.5. Backwards compatibility
Certain legacy behaviors were noted in [RFC5936], with provisions
that implementations may want to offer options to fallback to legacy
behavior when interoperating with servers known to not support
[RFC5936]. For purposes of interoperability, IXFR and AXFR
implementations may want to continue offering such configuration
options, as well as supporting some behaviors that were
underspecified prior to this work (e.g., performing IXFR and AXFRs on
separate connections). However, XoT connections should have no need
to do so.
7.4. Update to RFC7766
[RFC7766] made general implementation recommendations with regard to
TCP/TLS connection handling:
"To mitigate the risk of unintentional server overload, DNS
clients MUST take care to minimize the number of concurrent TCP
connections made to any individual server. It is RECOMMENDED
that for any given client/server interaction there SHOULD be no
more than one connection for regular queries, one for zone
transfers, and one for each protocol that is being used on top
of TCP (for example, if the resolver was using TLS). However,
it is noted that certain primary/ secondary configurations with
many busy zones might need to use more than one TCP connection
for zone transfers for operational reasons (for example, to
support concurrent transfers of multiple zones)."
Toorop, et al. Expires 27 November 2021 [Page 16]
Internet-Draft XFR-over-TLS May 2021
Whilst this recommends a particular behavior for the clients using
TCP, it does not relax the requirement for servers to handle 'mixed'
traffic (regular queries and zone transfers) on any open TCP/TLS
connection. It also overlooks the potential that other transports
might want to take the same approach with regard to using separate
connections for different purposes.
This specification updates the above general guidance in [RFC7766] to
provide the same separation of connection purpose (regular queries
and zone transfers) for all transports being used on top of TCP.
Therefore, it is RECOMMENDED that for each protocol used on top of
TCP in any given client/server interaction, there SHOULD be no more
than one connection for regular queries and one for zone transfers.
As an illustration, it could be imagined that in future such an
interaction could hypothetically include one or all of the following:
* one TCP connection for regular queries
* one TCP connection for zone transfers
* one TLS connection for regular queries
* one TLS connection for zone transfers
* one DoH connection for regular queries
* one DoH connection for zone transfers
Section 7.3.1 has provided specific details of reasons where more
than one connection for a given transport might be required for zone
transfers from a particular client.
8. XoT specification
8.1. Connection establishment
During connection establishment the Application-Layer Protocol
Negotiation (ALPN) token "dot" [DoT-ALPN] MUST be selected in the TLS
handshake.
8.2. TLS versions
All implementations of this specification MUST use only TLS 1.3
[RFC8446] or later.
Toorop, et al. Expires 27 November 2021 [Page 17]
Internet-Draft XFR-over-TLS May 2021
8.3. Port selection
The connection for XoT SHOULD be established using port 853, as
specified in [RFC7858], unless there is mutual agreement between the
secondary and primary to use a port other than port 853 for XoT.
There MAY be agreement to use different ports for AXoT and IXoT, or
for different zones.
8.4. High level XoT descriptions
It is useful to note that in XoT, it is the secondary that initiates
the TLS connection to the primary for a XFR request, so that in terms
of connectivity, the secondary is the TLS client and the primary the
TLS server.
The figure below provides an outline of the AXoT mechanism including
NOTIFYs.