| rfc9077.original.xml | rfc9077.xml | |||
|---|---|---|---|---|
| <?xml version="1.0" encoding="utf-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Process | <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> | |||
| or - mmark.miek.nl" --> | ||||
| <rfc version="3" ipr="trust200902" docName="draft-ietf-dnsop-nsec-ttl-05" submis | ||||
| sionType="IETF" category="std" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XI | ||||
| nclude" updates="4034, 4035, 5155, 8198" consensus="true"> | ||||
| <front> | <rfc version="3" ipr="trust200902" docName="draft-ietf-dnsop-nsec-ttl-05" numbe | |||
| <title abbrev="nsec-ttl">NSEC and NSEC3 TTLs and NSEC Aggressive Use</title><ser | r="9077" submissionType="IETF" category="std" consensus="true" xml:lang="en" xml | |||
| iesInfo value="draft-ietf-dnsop-nsec-ttl-05" stream="IETF" status="standard" nam | ns:xi="http://www.w3.org/2001/XInclude" updates="4034, 4035, 5155, 8198" symRefs | |||
| e="Internet-Draft"></seriesInfo> | ="true" sortRefs="true" tocInclude="true"> | |||
| <author initials="P." surname="van Dijk" fullname="Peter van Dijk"><organization | ||||
| >PowerDNS</organization><address><postal><street></street> | ||||
| <city>Den Haag</city> | ||||
| <country>Netherlands</country> | ||||
| </postal><email>peter.van.dijk@powerdns.com</email> | ||||
| </address></author> | ||||
| <date/> | ||||
| <area>General</area> | ||||
| <workgroup>dnsop</workgroup> | ||||
| <keyword>Internet-Draft</keyword> | ||||
| <abstract> | <front> | |||
| <t>Due to a combination of unfortunate wording in earlier documents, aggressive | ||||
| use of NSEC and NSEC3 records may deny the existence of names far beyond the int | ||||
| ended lifetime of a denial. | ||||
| This document changes the definition of the NSEC and NSEC3 TTL (Time To Live) to | ||||
| correct that situation. | ||||
| This document updates RFC 4034, RFC 4035, RFC 5155, and RFC 8198.</t> | ||||
| </abstract> | ||||
| </front> | <title abbrev="NSEC TTL">NSEC and NSEC3: TTLs and Aggressive Use</title> | |||
| <middle> | <seriesInfo name="RFC" value="9077"/> | |||
| <section anchor="introduction"><name>Introduction</name> | <author initials="P." surname="van Dijk" fullname="Peter van Dijk"><organizatio | |||
| <t>[RFC editor: please remove this block before publication.</t> | n>PowerDNS</organization> | |||
| <t>Earlier notes on this:</t> | <address> | |||
| <postal> | ||||
| <street></street> | ||||
| <city>Den Haag</city> | ||||
| <country>Netherlands</country> | ||||
| </postal> | ||||
| <email>peter.van.dijk@powerdns.com</email> | ||||
| </address> | ||||
| </author> | ||||
| <date year="2021" month="July" /> | ||||
| <area>General</area> | ||||
| <workgroup>dnsop</workgroup> | ||||
| <keyword>DNSSEC</keyword> | ||||
| <keyword>negative cache</keyword> | ||||
| <keyword>Denial of Existence</keyword> | ||||
| <ul> | <abstract> | |||
| <li><eref target="https://indico.dns-oarc.net/event/29/sessions/98/#20181013">ht | <t>Due to a combination of unfortunate wording in earlier documents, aggressive | |||
| tps://indico.dns-oarc.net/event/29/sessions/98/#20181013</eref></li> | use of NSEC and NSEC3 records may deny the existence of names far beyond the in | |||
| <li><eref target="https://lists.dns-oarc.net/pipermail/dns-operations/2018-April | tended lifetime of a denial. | |||
| /thread.html#17420">https://lists.dns-oarc.net/pipermail/dns-operations/2018-Apr | This document changes the definition of the NSEC and NSEC3 TTL to correct that | |||
| il/thread.html#17420</eref></li> | situation. | |||
| <li><eref target="https://lists.dns-oarc.net/pipermail/dns-operations/2018-March | This document updates RFCs 4034, 4035, 5155, and 8198.</t> | |||
| /017416.html">https://lists.dns-oarc.net/pipermail/dns-operations/2018-March/017 | </abstract> | |||
| 416.html</eref></li> | ||||
| </ul> | ||||
| <t>This document lives <eref target="https://github.com/PowerDNS/draft-dnsop-nse | ||||
| c-ttl">on GitHub</eref>; proposed text and editorial changes are very much welco | ||||
| med there, but any functional changes should always first be discussed on the IE | ||||
| TF DNSOP WG mailing list.</t> | ||||
| <t>]</t> | ||||
| <t><xref target="RFC2308"></xref> defines the TTL of the SOA (Start Of Authority | ||||
| ) record that must be returned in negative answers (NXDOMAIN or NODATA):</t> | ||||
| <blockquote><t>The TTL of this record is set from the minimum of the MINIMUM fie | ||||
| ld of the SOA record and the TTL of the SOA itself, and indicates how long a res | ||||
| olver may cache the negative answer.</t> | ||||
| </blockquote><t>Thus, if the TTL of the SOA in the zone is lower than the SOA MI | ||||
| NIMUM value (the last number in the SOA record), | ||||
| the authoritative server sends that lower value as the TTL of the returned SOA r | ||||
| ecord. | ||||
| The resolver always uses the TTL of the returned SOA record when setting the neg | ||||
| ative TTL in its cache.</t> | ||||
| <t>However, <xref target="RFC4034"></xref> section 4 has this unfortunate text:< | ||||
| /t> | ||||
| <blockquote><t>The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL | ||||
| field. This is in the spirit of negative caching ([RFC2308]).</t> | ||||
| </blockquote><t>This text, while referring to RFC2308, can cause NSEC records to | ||||
| have much higher TTLs than the appropriate negative TTL for a zone. | ||||
| <xref target="RFC5155"></xref> contains equivalent text.</t> | ||||
| <t><xref target="RFC8198"></xref> section 5.4 tries to correct this:</t> | ||||
| <blockquote><t>Section 5 of [RFC2308] also states that a negative cache entry TT | ||||
| L is taken from the minimum of the SOA.MINIMUM field and SOA's TTL. This can be | ||||
| less than the TTL of an NSEC or NSEC3 record, since their TTL is equal to the S | ||||
| OA.MINIMUM field (see <xref target="RFC4035"></xref>, Section 2.3 and [RFC5155], | ||||
| Section 3).</t> | ||||
| <t>A resolver that supports aggressive use of NSEC and NSEC3 SHOULD reduce the T | ||||
| TL of NSEC and NSEC3 records to match the SOA.MINIMUM field in the authority sec | ||||
| tion of a negative response, if SOA.MINIMUM is smaller.</t> | ||||
| </blockquote><t>But the NSEC and NSEC3 RRs should, according to RFC4034 and RFC5 | ||||
| 155, already be at the value of the MINIMUM field in the SOA. Thus, the advice f | ||||
| rom RFC8198 would not actually change the TTL used for the NSEC and NSEC3 RRs fo | ||||
| r authoritative servers that follow the RFCs.</t> | ||||
| <t>As a theoretical exercise, consider a TLD named <tt>.example</tt> with a SOA | ||||
| record like this:</t> | ||||
| <t><tt>example. 900 IN SOA primary.example. hostmaster.example. 1 1800 900 6 | ||||
| 04800 86400</tt></t> | ||||
| <t>The SOA record has a 900 second TTL, and a 86400 MINIMUM TTL. | ||||
| Negative responses from this zone have a 900 second TTL, but the NSEC or NSEC3 r | ||||
| ecords in those negative responses have a 86400 TTL. | ||||
| If a resolver were to use those NSEC or NSEC3 records aggressively, they would b | ||||
| e considered valid for a day, instead of the intended 15 minutes.</t> | ||||
| </section> | ||||
| <section anchor="conventions-and-definitions"><name>Conventions and Definitions< | </front> | |||
| /name> | ||||
| <t>The key words "MUST", "MUST NOT", "REQUIRED", & | ||||
| quot;SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT&qu | ||||
| ot;, "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | ||||
| "OPTIONAL" in this document are to be interpreted as described in BCP | ||||
| 14 <xref target="RFC2119"></xref> <xref target="RFC8174"></xref> when, and only | ||||
| when, they appear in all capitals, as shown here.</t> | ||||
| </section> | ||||
| <section anchor="nsec-and-nsec3-ttl-changes"><name>NSEC and NSEC3 TTL changes</n | <middle> | |||
| ame> | ||||
| <t>The existing texts in <xref target="RFC4034"></xref>, <xref target="RFC4035"> | ||||
| </xref>, and <xref target="RFC5155"></xref> use the SHOULD requirement level, bu | ||||
| t they were written when <xref target="RFC4035"></xref> still said 'However, it | ||||
| seems prudent for resolvers to avoid blocking new authoritative data or synthesi | ||||
| zing new data on their own'. | ||||
| <xref target="RFC8198"></xref> updated that text to contain 'DNSSEC-enabled vali | ||||
| dating resolvers SHOULD use wildcards and NSEC/NSEC3 resource records to generat | ||||
| e positive and negative responses until the effective TTLs or signatures for tho | ||||
| se records expire'. | ||||
| This means that correctness of NSEC and NSEC3 records, and their TTLs, has becom | ||||
| e much more important. | ||||
| Because of that, the updates in this document upgrade the requirement level to M | ||||
| UST.</t> | ||||
| <section anchor="updates-to-rfc4034"><name>Updates to RFC4034</name> | <section anchor="introduction"><name>Introduction</name> | |||
| <t>Where <xref target="RFC4034"></xref> says:</t> | <t><xref target="RFC2308"></xref> defines the TTL of the Start of Authority (SO | |||
| <blockquote><t>The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL | A) record that must be returned in negative answers (NXDOMAIN or NODATA):</t> | |||
| field. This is in the spirit of negative caching ([RFC2308]).</t> | ||||
| <blockquote><t>The TTL of this record is set from the minimum of the MINIMUM fi | ||||
| eld of the SOA record and the TTL of the SOA itself, and indicates how long a re | ||||
| solver may cache the negative answer.</t> | ||||
| </blockquote> | ||||
| <t>Thus, if the TTL of the SOA in the zone is lower than the SOA MINIMUM value | ||||
| (the last number in the SOA record), | ||||
| the authoritative server sends that lower value as the TTL of the returned SOA | ||||
| record. | ||||
| The resolver always uses the TTL of the returned SOA record when setting the ne | ||||
| gative TTL in its cache.</t> | ||||
| <t>However, <xref target="RFC4034" sectionFormat="comma" section="4"></xref> ha | ||||
| s this unfortunate text:</t> | ||||
| <blockquote><t>The NSEC RR <bcp14>SHOULD</bcp14> have the same TTL value as the | ||||
| SOA minimum TTL field. This is in the spirit of negative caching (<xref target= | ||||
| "RFC2308"/>).</t> | ||||
| </blockquote> | ||||
| <t>This text, while referring to <xref target="RFC2308"/>, can cause NSEC recor | ||||
| ds to have much higher TTLs than the appropriate negative TTL for a zone. | ||||
| <xref target="RFC5155"></xref> contains equivalent text.</t> | ||||
| <t><xref target="RFC8198" sectionFormat="comma" section="5.4"></xref> tries to | ||||
| correct this:</t> | ||||
| <blockquote><t><xref target="RFC2308" sectionFormat="of" section="5"/> also sta | ||||
| tes that a negative cache entry TTL is taken from the minimum of the SOA.MINIMUM | ||||
| field and SOA's TTL. This can be less than the TTL of an NSEC or NSEC3 record, | ||||
| since their TTL is equal to the SOA.MINIMUM field (see <xref target="RFC4035" s | ||||
| ectionFormat="comma" section="2.3"></xref> and <xref target="RFC5155" sectionFor | ||||
| mat="comma" section="3"/>).</t> | ||||
| <t>A resolver that supports aggressive use of NSEC and NSEC3 <bcp14>SHOULD</bcp | ||||
| 14> reduce the TTL of NSEC and NSEC3 records to match the SOA.MINIMUM field in t | ||||
| he authority section of a negative response, if SOA.MINIMUM is smaller.</t> | ||||
| </blockquote> | ||||
| <t>But the NSEC and NSEC3 RRs should, according to <xref target="RFC4034"/> and | ||||
| <xref target="RFC5155"/>, already be at the value of the MINIMUM field in the | ||||
| SOA. Thus, the advice from <xref target="RFC8198"/> would not actually change t | ||||
| he TTL used for the NSEC and NSEC3 RRs for authoritative servers that follow the | ||||
| RFCs.</t> | ||||
| <t>As a theoretical exercise, consider a top-level domain (TLD) named .example w | ||||
| ith an SOA record like this:</t> | ||||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| example. 900 IN SOA primary.example. dnsadmin.example. ( | ||||
| 1 1800 900 604800 86400 ) | ||||
| ]]></artwork> | ||||
| <t>The SOA record has a 900-second TTL and an 86400-second MINIMUM TTL. | ||||
| Negative responses from this zone have a 900-second TTL, but the NSEC or NSEC3 | ||||
| records in those negative responses have an 86400-second TTL. | ||||
| If a resolver were to use those NSEC or NSEC3 records aggressively, they would | ||||
| be considered valid for a day instead of the intended 15 minutes.</t> | ||||
| </section> | ||||
| <section anchor="conventions-and-definitions"><name>Conventions and Definitions | ||||
| </name> | ||||
| <t> | ||||
| The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQ | ||||
| UIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | ||||
| NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14 | ||||
| >RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | ||||
| "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | ||||
| be interpreted as | ||||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
| when, and only when, they appear in all capitals, as shown here. | ||||
| </t> | ||||
| </section> | ||||
| <section anchor="nsec-and-nsec3-ttl-changes"><name>NSEC and NSEC3 TTL Changes</ | ||||
| name> | ||||
| <t><xref target="RFC4034"></xref>, <xref target="RFC4035"></xref>, and <xref tar | ||||
| get="RFC5155"></xref> use the <bcp14>SHOULD</bcp14> requirement level, but they | ||||
| were written prior to the publication of <xref target="RFC8198"></xref> when <xr | ||||
| ef target="RFC4035"></xref> still said: </t> | ||||
| <blockquote><t>However, it seems prudent for resolvers to avoid blocking new aut | ||||
| horitative data or synthesizing new data on their own.</t></blockquote> | ||||
| <t> | ||||
| <xref target="RFC8198"></xref> updated that text to contain:</t> <blockquote><t> | ||||
| ...DNSSEC-enabled validating resolvers <bcp14>SHOULD</bcp14> use wildcards and N | ||||
| SEC/NSEC3 resource records to generate positive and negative responses until the | ||||
| effective TTLs or signatures for those records expire.</t></blockquote><t> | ||||
| This means that the correctness of NSEC and NSEC3 records and their TTLs has bec | ||||
| ome much more important. | ||||
| Because of that, the updates in this document upgrade the requirement level to < | ||||
| bcp14>MUST</bcp14>.</t> | ||||
| <section anchor="updates-to-rfc4034"><name>Updates to RFC 4034</name> | ||||
| <t><xref target="RFC4034"></xref> says:</t> | ||||
| <blockquote><t>The NSEC RR <bcp14>SHOULD</bcp14> have the same TTL value as the | ||||
| SOA minimum TTL field. This is in the spirit of negative caching (<xref target= | ||||
| "RFC2308"/>).</t> | ||||
| </blockquote><t>This is updated to say:</t> | </blockquote><t>This is updated to say:</t> | |||
| <blockquote><t>The TTL of the NSEC RR that is returned MUST be the lesser of the | <blockquote> | |||
| MINIMUM field of the SOA record and the TTL of the SOA itself. This matches th | ||||
| e definition of the TTL for negative responses in <xref target="RFC2308"></xref> | <t>The TTL of the NSEC RR that is returned <bcp14>MUST</bcp14> be the lesser o | |||
| . Because some signers incrementally update the NSEC chain, a transient inconsis | f the MINIMUM field of the SOA record and the TTL of the SOA itself. This match | |||
| tency between the observed and expected TTL MAY exist.</t> | es the definition of the TTL for negative responses in <xref target="RFC2308"></ | |||
| xref>. Because some signers incrementally update the NSEC chain, a transient inc | ||||
| onsistency between the observed and expected TTL <bcp14>MAY</bcp14> exist.</t> | ||||
| </blockquote></section> | </blockquote></section> | |||
| <section anchor="updates-to-rfc4035"><name>Updates to RFC4035</name> | <section anchor="updates-to-rfc4035"><name>Updates to RFC 4035</name> | |||
| <t>Where <xref target="RFC4035"></xref> says:</t> | <t><xref target="RFC4035"></xref> says:</t> | |||
| <blockquote><t>The TTL value for any NSEC RR SHOULD be the same as the minimum T | ||||
| TL value field in the zone SOA RR.</t> | <blockquote><t>The TTL value for any NSEC RR <bcp14>SHOULD</bcp14> be the same a | |||
| s the minimum TTL value field in the zone SOA RR.</t> | ||||
| </blockquote><t>This is updated to say:</t> | </blockquote><t>This is updated to say:</t> | |||
| <blockquote><t>The TTL of the NSEC RR that is returned MUST be the lesser of the | <blockquote> | |||
| MINIMUM field of the SOA record and the TTL of the SOA itself. This matches th | ||||
| e definition of the TTL for negative responses in <xref target="RFC2308"></xref> | <t>The TTL of the NSEC RR that is returned <bcp14>MUST</bcp14> be the lesser o | |||
| . Because some signers incrementally update the NSEC chain, a transient inconsis | f the MINIMUM field of the SOA record and the TTL of the SOA itself. This match | |||
| tency between the observed and expected TTL MAY exist.</t> | es the definition of the TTL for negative responses in <xref target="RFC2308"></ | |||
| xref>. Because some signers incrementally update the NSEC chain, a transient inc | ||||
| onsistency between the observed and expected TTL <bcp14>MAY</bcp14> exist.</t> | ||||
| </blockquote></section> | </blockquote></section> | |||
| <section anchor="updates-to-rfc5155"><name>Updates to RFC5155</name> | <section anchor="updates-to-rfc5155"><name>Updates to RFC 5155</name> | |||
| <t>Where <xref target="RFC5155"></xref> says:</t> | <t><xref target="RFC5155"></xref> says:</t> | |||
| <blockquote><t>The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TT | <blockquote><t>The NSEC3 RR <bcp14>SHOULD</bcp14> have the same TTL value as the | |||
| L field. This is in the spirit of negative caching [RFC2308].</t> | SOA minimum TTL field. This is in the spirit of negative caching <xref target= | |||
| "RFC2308"/>.</t> | ||||
| </blockquote><t>This is updated to say:</t> | </blockquote><t>This is updated to say:</t> | |||
| <blockquote><t>The TTL of the NSEC3 RR that is returned MUST be the lesser of th e MINIMUM field of the SOA record and the TTL of the SOA itself. This matches t he definition of the TTL for negative responses in <xref target="RFC2308"></xref >. Because some signers incrementally update the NSEC3 chain, a transient incons istency between the observed and expected TTL MAY exist.</t> | <blockquote><t>The TTL of the NSEC3 RR that is returned <bcp14>MUST</bcp14> be t he lesser of the MINIMUM field of the SOA record and the TTL of the SOA itself. This matches the definition of the TTL for negative responses in <xref target=" RFC2308"></xref>. Because some signers incrementally update the NSEC3 chain, a t ransient inconsistency between the observed and expected TTL <bcp14>MAY</bcp14> exist.</t> | |||
| </blockquote><t>Where <xref target="RFC5155"></xref> says:</t> | </blockquote><t>Where <xref target="RFC5155"></xref> says:</t> | |||
| <blockquote><t>o The TTL value for any NSEC3 RR SHOULD be the same as the minim | <blockquote> | |||
| um TTL value field in the zone SOA RR.</t> | <ul empty="false"> | |||
| </blockquote><t>This is updated to say:</t> | <li>The TTL value for any NSEC3 RR <bcp14>SHOULD</bcp14> be the same as the mini | |||
| <blockquote><t>o The TTL value for each NSEC3 RR MUST be the lesser of the MINI | mum TTL value field in the zone SOA RR.</li> | |||
| MUM field of the zone SOA RR and the TTL of the zone SOA RR itself. Because some | </ul> | |||
| signers incrementally update the NSEC3 chain, a transient inconsistency between | </blockquote> | |||
| the observed and expected TTL MAY exist.</t> | <t>This is updated to say:</t> | |||
| <blockquote> | ||||
| <ul empty="false"> | ||||
| <li>The TTL value for each NSEC3 RR <bcp14>MUST</bcp14> be the lesser of the MIN | ||||
| IMUM field of the zone SOA RR and the TTL of the zone SOA RR itself. Because som | ||||
| e signers incrementally update the NSEC3 chain, a transient inconsistency betwee | ||||
| n the observed and expected TTL <bcp14>MAY</bcp14> exist.</li> | ||||
| </ul> | ||||
| </blockquote></section> | </blockquote></section> | |||
| <section anchor="updates-to-rfc8198"><name>Updates to RFC8198</name> | <section anchor="updates-to-rfc8198"><name>Updates to RFC 8198</name> | |||
| <t><xref target="RFC8198"></xref> section 5.4 (Consideration on TTL) is complete | <t><xref target="RFC8198" sectionFormat="comma" section="5.4"></xref> ("Consider | |||
| ly replaced by the following text:</t> | ation on TTL") is completely replaced by the following text:</t> | |||
| <blockquote><t>The TTL value of negative information is especially important, | <blockquote><t>The TTL value of negative information is especially important, | |||
| because newly added domain names cannot be used while the negative | because newly added domain names cannot be used while the negative | |||
| information is effective.</t> | information is effective.</t> | |||
| <t>Section 5 of [RFC2308] suggests a maximum default negative cache TTL | <t><xref target="RFC2308" sectionFormat="of" section="5"/> suggests a maximum de | |||
| value of 3 hours (10800). It is RECOMMENDED that validating | fault negative cache TTL | |||
| value of 3 hours (10800). It is <bcp14>RECOMMENDED</bcp14> that validating | ||||
| resolvers limit the maximum effective TTL value of negative responses | resolvers limit the maximum effective TTL value of negative responses | |||
| (NSEC/NSEC3 RRs) to this same value.</t> | (NSEC/NSEC3 RRs) to this same value.</t> | |||
| <t>A resolver that supports aggressive use of NSEC and NSEC3 MAY | <t>A resolver that supports aggressive use of NSEC and NSEC3 <bcp14>MAY</bcp14> | |||
| limit the TTL of NSEC and NSEC3 records to the lesser of the SOA.MINIMUM | limit the TTL of NSEC and NSEC3 records to the lesser of the SOA.MINIMUM | |||
| field and the TTL of the SOA in a response, if present. | field and the TTL of the SOA in a response, if present. | |||
| It MAY also use a previously cached SOA for a zone to find these values.</t> | It <bcp14>MAY</bcp14> also use a previously cached SOA for a zone to find the se values.</t> | |||
| </blockquote><t>(The third paragraph of the original is removed, and the fourth paragraph is updated to allow resolvers to also take the lesser of the SOA TTL a nd SOA MINIMUM.)</t> | </blockquote><t>(The third paragraph of the original is removed, and the fourth paragraph is updated to allow resolvers to also take the lesser of the SOA TTL a nd SOA MINIMUM.)</t> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section anchor="zone-operator-considerations"><name>Zone Operator Consideration s</name> | <section anchor="zone-operator-considerations"><name>Zone Operator Consideration s</name> | |||
| <t>If signers and DNS servers for a zone cannot immediately be updated to confor m to this document, zone operators are encouraged to consider setting their SOA record TTL and the SOA MINIMUM field to the same value. | <t>If signers and DNS servers for a zone cannot immediately be updated to confor m to this document, zone operators are encouraged to consider setting their SOA record TTL and the SOA MINIMUM field to the same value. | |||
| That way, the TTL used for aggressive NSEC and NSEC3 use matches the SOA TTL for negative responses.</t> | That way, the TTL used for aggressive NSEC and NSEC3 use matches the SOA TTL for negative responses.</t> | |||
| <t>Note that some signers might use the SOA TTL or MINIMUM as a default for othe r values, such as the TTL for DNSKEY records. | <t>Note that some signers might use the SOA TTL or MINIMUM as a default for othe r values, such as the TTL for DNSKEY records. | |||
| Operators should consult documentation before changing values.</t> | Operators should consult documentation before changing values.</t> | |||
| <section anchor="a-note-on-wildcards"><name>A Note On Wildcards</name> | <section anchor="a-note-on-wildcards"><name>A Note on Wildcards</name> | |||
| <t>Validating resolvers consider an expanded wildcard valid for the wildcard's T TL, capped by the TTLs of the NSEC or NSEC3 proof that shows that the wildcard e xpansion is legal. | <t>Validating resolvers consider an expanded wildcard valid for the wildcard's T TL, capped by the TTLs of the NSEC or NSEC3 proof that shows that the wildcard e xpansion is legal. | |||
| Thus, changing the TTL of NSEC or NSEC3 records (explicitly, or by implementatio n of this document, implicitly) might affect (shorten) the lifetime of wildcards .</t> | Thus, changing the TTL of NSEC or NSEC3 records (explicitly, or by implementatio n of this document implicitly) might affect (shorten) the lifetime of wildcards. </t> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section anchor="security-considerations"><name>Security Considerations</name> | <section anchor="security-considerations"><name>Security Considerations</name> | |||
| <t>An attacker can delay future records from appearing in a cache by seeding the cache with queries that cause NSEC or NSEC3 responses to be cached for aggressi ve use purposes. | <t>An attacker can delay future records from appearing in a cache by seeding the cache with queries that cause NSEC or NSEC3 responses to be cached for aggressi ve use purposes. | |||
| This document reduces the impact of that attack in cases where the NSEC or NSEC3 TTL is higher than the zone operator intended.</t> | This document reduces the impact of that attack in cases where the NSEC or NSEC3 TTL is higher than the zone operator intended.</t> | |||
| </section> | </section> | |||
| <section anchor="iana-considerations"><name>IANA Considerations</name> | <section anchor="iana-considerations"><name>IANA Considerations</name> | |||
| <t>IANA is requested to add a reference to this document in the "Resource R ecord (RR) TYPEs" subregistry of the "Domain Name System (DNS) Paramet ers" registry, for the NSEC and NSEC3 types.</t> | <t>IANA has added a reference to this document in the "Resource Record (RR) TYPEs" subregistry of the "Domain Name System (DNS) Parameters" registry for the NSEC and NSEC3 types.</t> | |||
| </section> | </section> | |||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references><name>Normative References</name> | <references><name>Normative References</name> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174. xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2308. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2308. xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034. xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5155. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5155. xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8198. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8198. xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4035. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4035. xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119. xml"/> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119. xml"/> | |||
| </references> | </references> | |||
| <section anchor="implementation-status"><name>Implementation Status</name> | ||||
| <t>[RFC Editor: please remove this section before publication]</t> | ||||
| <t>Implemented in PowerDNS Authoritative Server 4.3.0 <eref target="https://doc. | ||||
| powerdns.com/authoritative/dnssec/operational.html?highlight=ttl#some-notes-on-t | ||||
| tl-usage">https://doc.powerdns.com/authoritative/dnssec/operational.html?highlig | ||||
| ht=ttl#some-notes-on-ttl-usage</eref> .</t> | ||||
| <t>Implemented in BIND 9.16 and up, to be released early 2021 <eref target="http | ||||
| s://mailarchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21--dqf3i7_IY6M">https://mai | ||||
| larchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21--dqf3i7_IY6M</eref> <eref target | ||||
| ="https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4506">https://gitla | ||||
| b.isc.org/isc-projects/bind9/-/merge_requests/4506</eref> .</t> | ||||
| <t>Implemented in Knot DNS 3.1, to be released in 2021 <eref target="https://git | ||||
| lab.nic.cz/knot/knot-dns/-/merge_requests/1219">https://gitlab.nic.cz/knot/knot- | ||||
| dns/-/merge_requests/1219</eref> .</t> | ||||
| <t>Implemented in ldns, patch under review <eref target="https://github.com/NLne | ||||
| tLabs/ldns/pull/118">https://github.com/NLnetLabs/ldns/pull/118</eref></t> | ||||
| <t>Implementation status is tracked at <eref target="https://trac.ietf.org/trac/ | ||||
| dnsop/wiki/draft-ietf-dnsop-nsec-ttl">https://trac.ietf.org/trac/dnsop/wiki/draf | ||||
| t-ietf-dnsop-nsec-ttl</eref></t> | ||||
| </section> | ||||
| <section anchor="document-history"><name>Document history</name> | ||||
| <t>[RFC editor: please remove this section before publication.]</t> | ||||
| <t>From draft-vandijk-dnsop-nsec-ttl-00 to draft-ietf-dnsop-nsec-ttl-00:</t> | ||||
| <ul> | ||||
| <li>document was adopted</li> | ||||
| <li>various minor editorial changes</li> | ||||
| <li>now also updates 4035</li> | ||||
| <li>use .example instead of .com for the example</li> | ||||
| <li>more words on 8198</li> | ||||
| <li>a note on wildcards</li> | ||||
| </ul> | ||||
| <t>From draft-ietf-dnsop-nsec-ttl-00 to draft-ietf-dnsop-nsec-ttl-01:</t> | ||||
| <ul> | ||||
| <li>various wording improvements</li> | ||||
| <li>added Implementation note from Knot, expanded the BIND one with the GitLab M | ||||
| R URL</li> | ||||
| <li>reduced requirement level from MUST to SHOULD, like the original texts</li> | ||||
| </ul> | ||||
| <t>From draft-ietf-dnsop-nsec-ttl-01 to draft-ietf-dnsop-nsec-ttl-02:</t> | ||||
| <ul> | ||||
| <li>updated the second bit of wrong text in 5155</li> | ||||
| </ul> | ||||
| <t>From draft-ietf-dnsop-nsec-ttl-02 to draft-ietf-dnsop-nsec-ttl-03:</t> | ||||
| <ul> | ||||
| <li>document now updates resolver behaviour in 8198</li> | ||||
| <li>lots of extra text to clarify what behaviour goes where (thanks Paul Hoffman | ||||
| )</li> | ||||
| <li>replace 'any' with 'each' (thanks Duane)</li> | ||||
| <li>upgraded requirement level to MUST, plus a note on incremental signers</li> | ||||
| </ul> | ||||
| <t>From draft-ietf-dnsop-nsec-ttl-03 to draft-ietf-dnsop-nsec-ttl-04:</t> | ||||
| <ul> | ||||
| <li>the 'incremental signer exception' is now part of all relevant document upda | ||||
| tes</li> | ||||
| <li>added an explanation for the upgraded requirement level</li> | ||||
| </ul> | ||||
| <t>From draft-ietf-dnsop-nsec-ttl-04 to draft-ietf-dnsop-nsec-ttl-05:</t> | ||||
| <ul> | ||||
| <li>various minor rewordings (from IESG review, and things I spotted while handl | ||||
| ing IESG review comments)</li> | ||||
| <li>added a note on the secondary impact of changing the SOA TTL and/or MINIMUM | ||||
| (IESG review)</li> | ||||
| </ul> | ||||
| </section> | ||||
| <section anchor="acknowledgements" numbered="false"><name>Acknowledgements</name > | <section anchor="acknowledgements" numbered="false"><name>Acknowledgements</name > | |||
| <t>This document was made possible with the help of the following people:</t> | <t>This document was made possible with the help of the following people:</t> | |||
| <ul> | <ul spacing="normal"> | |||
| <li>Ralph Dolmans</li> | <li><t><contact fullname="Ralph Dolmans"/></t></li> | |||
| <li>Warren Kumari</li> | <li><t><contact fullname="Warren Kumari"/></t></li> | |||
| <li>Matthijs Mekking</li> | <li><t><contact fullname="Matthijs Mekking"/></t></li> | |||
| <li>Vladimir Cunat</li> | <li><t><contact fullname="Vladimir Cunat"/></t></li> | |||
| <li>Matt Nordhoff</li> | <li><t><contact fullname="Matt Nordhoff"/></t></li> | |||
| <li>Josh Soref</li> | <li><t><contact fullname="Josh Soref"/></t></li> | |||
| <li>Tim Wicinski</li> | <li><t><contact fullname="Tim Wicinski"/></t></li> | |||
| </ul> | </ul> | |||
| <t>The author would like to explicitly thank Paul Hoffman for extensive reviews, text contributions, and help in navigating WG comments.</t> | <t>The author would like to explicitly thank <contact fullname="Paul Hoffman"/> for the extensive reviews, text contributions, and help in navigating WG comment s.</t> | |||
| </section> | </section> | |||
| </back> | </back> | |||
| </rfc> | </rfc> | |||
| End of changes. 26 change blocks. | ||||
| 234 lines changed or deleted | 202 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||