rfc9156.original   rfc9156.txt 
Network Working Group S. Bortzmeyer Internet Engineering Task Force (IETF) S. Bortzmeyer
Internet-Draft AFNIC Request for Comments: 9156 AFNIC
Obsoletes: 7816 (if approved) R. Dolmans Obsoletes: 7816 R. Dolmans
Intended status: Standards Track NLnet Labs Category: Standards Track NLnet Labs
Expires: 5 March 2022 P. Hoffman ISSN: 2070-1721 P. Hoffman
ICANN ICANN
1 September 2021 November 2021
DNS Query Name Minimisation to Improve Privacy DNS Query Name Minimisation to Improve Privacy
draft-ietf-dnsop-rfc7816bis-11
Abstract Abstract
This document describes a technique called "QNAME minimisation" to This document describes a technique called "QNAME minimisation" to
improve DNS privacy, where the DNS resolver no longer always sends improve DNS privacy, where the DNS resolver no longer always sends
the full original QNAME and original QTYPE to the upstream name the full original QNAME and original QTYPE to the upstream name
server. This document obsoletes RFC 7816. server. This document obsoletes RFC 7816.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 5 March 2022. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9156.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Simplified BSD License text to this document. Code Components extracted from this document must
as described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Simplified BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction and Background . . . . . . . . . . . . . . . . . 2 1. Introduction and Background
1.1. Experience From RFC 7816 . . . . . . . . . . . . . . . . 3 1.1. Experience from RFC 7816
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology
2. Description of QNAME Minimisation . . . . . . . . . . . . . . 4 2. Description of QNAME Minimisation
2.1. QTYPE Selection . . . . . . . . . . . . . . . . . . . . . 4 2.1. QTYPE Selection
2.2. QNAME Selection . . . . . . . . . . . . . . . . . . . . . 5 2.2. QNAME Selection
2.3. Limit Number of Queries . . . . . . . . . . . . . . . . . 5 2.3. Limitation of the Number of Queries
2.4. Stub and Forwarding Resolvers . . . . . . . . . . . . . . 7 2.4. Implementation by Stub and Forwarding Resolvers
3. Algorithm to Perform QNAME Minimisation . . . . . . . . . . . 7 3. Algorithm to Perform QNAME Minimisation
4. QNAME Minimisation Examples . . . . . . . . . . . . . . . . . 8 4. QNAME Minimisation Examples
5. Performance Considerations . . . . . . . . . . . . . . . . . 9 5. Performance Considerations
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 12 Acknowledgments
Changes from RFC 7816 . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction and Background 1. Introduction and Background
The problem statement for this document is described in [RFC9076]. The problem statement for this document is described in [RFC9076].
This specific solution is not intended to fully solve the DNS privacy This specific solution is not intended to fully solve the DNS privacy
problem; instead, it should be viewed as one tool amongst many. problem; instead, it should be viewed as one tool amongst many.
QNAME minimisation follows the principle explained in Section 6.1 of QNAME minimisation follows the principle explained in Section 6.1 of
[RFC6973]: the less data you send out, the fewer privacy problems [RFC6973]: the less data you send out, the fewer privacy problems you
you have. have.
Before QNAME minimisation, when a resolver received the query "What Before QNAME minimisation, when a resolver received the query "What
is the AAAA record for www.example.com?", it sent to the root is the AAAA record for www.example.com?", it sent to the root
(assuming a resolver whose cache is empty) the very same question. (assuming a resolver, whose cache is empty) the very same question.
Sending the full QNAME to the authoritative name server was a Sending the full QNAME to the authoritative name server was a
tradition, not a protocol requirement. In a conversation with one of tradition, not a protocol requirement. In a conversation with one of
the authors in January 2015, Paul Mockapetris explained that this the authors in January 2015, Paul Mockapetris explained that this
tradition comes from a desire to optimise the number of requests, tradition comes from a desire to optimise the number of requests,
when the same name server is authoritative for many zones in a given when the same name server is authoritative for many zones in a given
name (something that was more common in the old days, where the same name (something that was more common in the old days, where the same
name servers served .com and the root) or when the same name server name servers served .com and the root) or when the same name server
is both recursive and authoritative (something that is strongly is both recursive and authoritative (something that is strongly
discouraged now). Whatever the merits of this choice at this time, discouraged now). Whatever the merits of this choice at this time,
the DNS is quite different now. the DNS is quite different now.
QNAME minimisation is compatible with the current DNS system and QNAME minimisation is compatible with the current DNS system and
therefore can easily be deployed. Because it is only a change to the therefore can easily be deployed. Because it is only a change to the
way that the resolver operates, it does not change the DNS protocol way that the resolver operates, it does not change the DNS protocol
itself. The behaviour suggested here (minimising the amount of data itself. The behaviour suggested here (minimising the amount of data
sent in QNAMEs from the resolver) is allowed by Section 5.3.3 of sent in QNAMEs from the resolver) is allowed by Section 5.3.3 of
[RFC1034] and Section 7.2 of [RFC1035]. [RFC1034] and Section 7.2 of [RFC1035].
1.1. Experience From RFC 7816 1.1. Experience from RFC 7816
This document obsoletes [RFC7816]. RFC 7816 was labelled This document obsoletes [RFC7816]. [RFC7816] was categorised
"experimental", but ideas from it were widely deployed since its "Experimental", but ideas from it were widely deployed since its
publication. Many resolver implementations now support QNAME publication. Many resolver implementations now support QNAME
minimisation. The lessons learned from implementing QNAME minimisation. The lessons learned from implementing QNAME
minimisation were used to create this new revision. minimisation were used to create this new revision.
Data from DNSThought [dnsthought-qnamemin], Verisign Data from DNSThought [dnsthought-qnamemin], Verisign
[verisign-qnamemin] and APNIC [apnic-qnamemin] shows that a large [verisign-qnamemin], and APNIC [apnic-qnamemin] shows that a large
percentage of the resolvers deployed on the Internet already support percentage of the resolvers deployed on the Internet already support
QNAME minimisation in some way. QNAME minimisation in some way.
Academic research has been performed on QNAME minimisation Academic research has been performed on QNAME minimisation
[devries-qnamemin]. This work shows that QNAME minimisation in [devries-qnamemin]. This work shows that QNAME minimisation in
relaxed mode causes almost no problems. The paper recommends using relaxed mode causes almost no problems. The paper recommends using
the A QTYPE, and limiting the number of queries in some way. Some of the A QTYPE and limiting the number of queries in some way. Some of
the issues that the paper found are covered in Section 5. the issues that the paper found are covered in Section 5.
1.2. Terminology 1.2. Terminology
The terminology used in this document is defined in [RFC8499]. The terminology used in this document is defined in [RFC8499].
In this document, a "cold" cache is one that is empty, having In this document, a "cold" cache is one that is empty, having
literally no entries in it. A "warm" cache is one that has some literally no entries in it. A "warm" cache is one that has some
entries in it. entries in it.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Description of QNAME Minimisation 2. Description of QNAME Minimisation
The idea behind QNAME minimisation is to minimise the amount of The idea behind QNAME minimisation is to minimise the amount of
privacy-sensitive data sent from the DNS resolver to the privacy-sensitive data sent from the DNS resolver to the
authoritative name server. This section describes how to do QNAME authoritative name server. This section describes how to do QNAME
minimisation. The algorithm is summarised in Section 3. minimisation. The algorithm is summarised in Section 3.
When a resolver is not able to answer a query from cache it has to When a resolver is not able to answer a query from cache, it has to
send a query to an authoritative nameserver. Traditionally these send a query to an authoritative name server. Traditionally, these
queries would contain the full QNAME and the original QTYPE as queries would contain the full QNAME and the original QTYPE as
received in the client query. received in the client query.
The full QNAME and original QTYPE are only needed at the nameserver The full QNAME and original QTYPE are only needed at the name server
that is authoritative for the record requested by the client. All that is authoritative for the record requested by the client. All
other nameservers queried while resolving the query only need to other name servers queried while resolving the query only need to
receive enough of the QNAME to be able to answer with a delegation. receive enough of the QNAME to be able to answer with a delegation.
The QTYPE in these queries is not relevant, as the nameserver is not The QTYPE in these queries is not relevant, as the name server is not
able to authoritatively answer the records the client is looking for. able to authoritatively answer the records the client is looking for.
Sending the full QNAME and original QTYPE to these nameservers Sending the full QNAME and original QTYPE to these name servers
therefore exposes more privacy-sensitive data than necessary to therefore exposes more privacy-sensitive data than necessary to
resolve the client's request. resolve the client's request.
A resolver that implements QNAME minimisation obscures the QNAME and A resolver that implements QNAME minimisation obscures the QNAME and
QTYPE in queries directed to an authoritative nameserver that is not QTYPE in queries directed to an authoritative name server that is not
known to be responsible for the original QNAME. These queries known to be responsible for the original QNAME. These queries
contain: contain:
* a QTYPE selected by the resolver to possibly obscure the original * a QTYPE selected by the resolver to possibly obscure the original
QTYPE QTYPE
* the QNAME that is the original QNAME, stripped to just one label * the QNAME that is the original QNAME, stripped to just one label
more than the longest matching domain name for which the more than the longest matching domain name for which the name
nameserver is known to be authoritative server is known to be authoritative
2.1. QTYPE Selection 2.1. QTYPE Selection
Note that this document relaxes the recommendation in RFC 7816 to use Note that this document relaxes the recommendation in [RFC7816] to
the NS QTYPE to hide the original QTYPE. Using the NS QTYPE is still use the NS QTYPE to hide the original QTYPE. Using the NS QTYPE is
allowed. The authority of NS records lies at the child side. The still allowed. The authority of NS records lies at the child side.
parent side of the delegation will answer using a referral, like it The parent side of the delegation will answer using a referral, like
will do for queries with other QTYPEs. Using the NS QTYPE therefore it will do for queries with other QTYPEs. Using the NS QTYPE
has no added value over other QTYPEs. therefore has no added value over other QTYPEs.
The QTYPE to use while minimising queries can be any possible data The QTYPE to use while minimising queries can be any possible data
type (as defined in [RFC6895] Section 3.1) for which the authority type (as defined in Section 3.1 of [RFC6895]) for which the authority
always lies below the zone cut (i.e. not DS, NSEC, NSEC3, OPT, TSIG, always lies below the zone cut (i.e., not DS, NSEC, NSEC3, OPT, TSIG,
TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no TKEY, ANY, MAILA, MAILB, AXFR, and IXFR), as long as there is no
relation between the incoming QTYPE and the selection of the QTYPE to relation between the incoming QTYPE and the selection of the QTYPE to
use while minimising. Good candidates are to always use the "A" or use while minimising. The A or AAAA QTYPEs are always good
"AAAA" QTYPE because these are the least likely to raise issues in candidates to use because these are the least likely to raise issues
DNS software and middleboxes that do not properly support all QTYPEs. in DNS software and middleboxes that do not properly support all
QTYPE=A or QTYPE=AAAA queries will also blend into traffic from non- QTYPEs. QTYPE=A or QTYPE=AAAA queries will also blend into traffic
minimising resolvers, making it in some cases harder to observe that from nonminimising resolvers, making it in some cases harder to
the resolver is using QNAME minimisation. Using a QTYPE that occurs observe that the resolver is using QNAME minimisation. Using a QTYPE
most in incoming queries will slightly reduce the number of queries, that occurs most in incoming queries will slightly reduce the number
as there is no extra check needed for delegations on non-apex of queries, as there is no extra check needed for delegations on non-
records. apex records.
2.2. QNAME Selection 2.2. QNAME Selection
The minimising resolver works perfectly when it knows the zone cut The minimising resolver works perfectly when it knows the zone cut
(zone cuts are described in Section 6 of [RFC2181]). But zone cuts (zone cuts are described in Section 6 of [RFC2181]). But zone cuts
do not necessarily exist at every label boundary. In the name do not necessarily exist at every label boundary. In the name
www.foo.bar.example, it is possible that there is a zone cut between www.foo.bar.example, it is possible that there is a zone cut between
"foo" and "bar" but not between "bar" and "example". So, assuming "foo" and "bar" but not between "bar" and "example". So, assuming
that the resolver already knows the name servers of example, when it that the resolver already knows the name servers of example, when it
receives the query "What is the AAAA record of www.foo.bar.example?", receives the query "What is the AAAA record of www.foo.bar.example?",
it does not always know where the zone cut will be. To find the it does not always know where the zone cut will be. To find the zone
zone cut, it will query the example name servers for a record for cut, it will query the example name servers for a record for
bar.example. It will get a non-referral answer, it has to query the bar.example. It will get a non-referral answer, so it has to query
example name servers again with one more label, and so on. the example name servers again with one more label, and so on.
(Section 3 describes this algorithm in deeper detail.) (Section 3 describes this algorithm in deeper detail.)
2.3. Limit Number of Queries 2.3. Limitation of the Number of Queries
When using QNAME minimisation, the number of labels in the received When using QNAME minimisation, the number of labels in the received
QNAME can influence the number of queries sent from the resolver. QNAME can influence the number of queries sent from the resolver.
This opens an attack vector and can decrease performance. Resolvers This opens an attack vector and can decrease performance. Resolvers
supporting QNAME minimisation MUST implement a mechanism to limit the supporting QNAME minimisation MUST implement a mechanism to limit the
number of outgoing queries per user request. number of outgoing queries per user request.
Take for example an incoming QNAME with many labels, like Take for example an incoming QNAME with many labels, like
www.host.group.department.example.com, where www.host.group.department.example.com, where
host.group.department.example.com is hosted on example.com's host.group.department.example.com is hosted on example.com's name
name servers. (Such deep domains are especially common under servers. (Such deep domains are especially common under ip6.arpa.)
ip6.arpa.) Assume a resolver that knows only the name servers of Assume a resolver that knows only the name servers of example.com.
example.com. Without QNAME minimisation, it would send these Without QNAME minimisation, it would send these example.com name
example.com name servers a query for servers a query for www.host.group.department.example.com and
www.host.group.department.example.com and immediately get a specific immediately get a specific referral or an answer, without the need
referral or an answer, without the need for more queries to probe for for more queries to probe for the zone cut. For such a name, a cold
the zone cut. For such a name, a cold resolver with QNAME resolver with QNAME minimisation will send more queries, one per
minimisation will send more queries, one per label. Once the cache label. Once the cache is warm, there will be less difference with a
is warm, there will be less difference with a traditional resolver. traditional resolver. Testing of this is described in
Testing of this is described in [Huque-QNAME-Min]. [Huque-QNAME-Min].
The behaviour of sending multiple queries can be exploited by sending The behaviour of sending multiple queries can be exploited by sending
queries with a large number of labels in the QNAME that will be queries with a large number of labels in the QNAME that will be
answered using a wildcard record. Take for example a record for answered using a wildcard record. Take for example a record for
*.example.com, hosted on example.com's name servers. An incoming *.example.com, hosted on example.com's name servers. An incoming
query containing a QNAME with more than 100 labels, ending in query containing a QNAME with more than 100 labels, ending in
example.com, will result in a query per label. By using random example.com, will result in a query per label. By using random
labels, the attacker can bypass the cache and always require the labels, the attacker can bypass the cache and always require the
resolver to send many queries upstream. Note that [RFC8198] can resolver to send many queries upstream. Note that [RFC8198] can
limit this attack in some cases. limit this attack in some cases.
One mechanism that MAY be used to reduce this attack vector is by One mechanism that MAY be used to reduce this attack vector is by
appending more than one label per iteration for QNAMEs with a large appending more than one label per iteration for QNAMEs with a large
number of labels. To do this, a maximum number of QNAME minimisation number of labels. To do this, a maximum number of QNAME minimisation
iterations MUST be selected (MAX_MINIMISE_COUNT); a RECOMMENDED value iterations MUST be selected (MAX_MINIMISE_COUNT); a RECOMMENDED value
is 10. Optionally, a value for the number of queries that should is 10. Optionally, a value for the number of queries that should
only have one label appended MAY be selected (MINIMISE_ONE_LAB), a only have one label appended MAY be selected (MINIMISE_ONE_LAB); a
good value is 4. The assumption here is that the number of labels on good value is 4. The assumption here is that the number of labels on
delegations higher in the hierarchy are rather small, therefore not delegations higher in the hierarchy are rather small; therefore, not
exposing too many labels early on has the most privacy benefit. exposing too many labels early on has the most privacy benefit.
Another potential, optional mechanism for limiting the number of Another potential, optional mechanism for limiting the number of
queries is to assume that labels that begin with an underscore (_) queries is to assume that labels that begin with an underscore (_)
character do not represent privacy-relevant administrative character do not represent privacy-relevant administrative
boundaries. For example, if the QNAME is "_25._tcp.mail.example.org" boundaries. For example, if the QNAME is "_25._tcp.mail.example.org"
and the algorithm has already searched for "mail.example.org", the and the algorithm has already searched for "mail.example.org", the
next query can be for all the underscore-prefixed names together, next query can be for all the underscore-prefixed names together,
namely "_25._tcp.mail.example.org". namely "_25._tcp.mail.example.org".
When a resolver needs to send out a query, it will look for the When a resolver needs to send out a query, it will look for the
closest known delegation point in its cache. The number of not yet closest-known delegation point in its cache. The number of not-yet-
exposed labels is the difference between this closest nameserver and exposed labels is the difference between this closest name server and
the incoming QNAME. The first MINIMISE_ONE_LAB labels will be the incoming QNAME. The first MINIMISE_ONE_LAB labels will be
handled as described in Section 2. The number of labels that are handled as described in Section 2. The number of labels that are
still not exposed now need to be divided proportionally over the still not exposed now need to be divided proportionally over the
remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the remaining iterations (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB). If the
not yet exposed labels can not be equally divided over the remaining not-yet-exposed labels cannot be equally divided over the remaining
iterations, the remainder of the division should be added to the last iterations, the remainder of the division should be added to the last
iterations. For example, when resolving a QNAME with 18 labels with iterations. For example, when resolving a QNAME with 18 labels with
MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the MAX_MINIMISE_COUNT set to 10 and MINIMISE_ONE_LAB set to 4, the
number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3. number of labels added per iteration are: 1,1,1,1,2,2,2,2,3,3.
2.4. Stub and Forwarding Resolvers 2.4. Implementation by Stub and Forwarding Resolvers
Stub and forwarding resolvers MAY implement QNAME minimisation. Stub and forwarding resolvers MAY implement QNAME minimisation.
Minimising queries that will be sent to an upstream resolver does not Minimising queries that will be sent to an upstream resolver does not
help in hiding data from the upstream resolver because all help in hiding data from the upstream resolver because all
information will end up there anyway. It might, however, limit the information will end up there anyway. It might however limit the
data exposure between the upstream resolver and the authoritative data exposure between the upstream resolver and the authoritative
nameserver in the situation where the upstream resolver does not name server in the situation where the upstream resolver does not
support QNAME minimisation. Using QNAME minimisation in a stub or support QNAME minimisation. Using QNAME minimisation in a stub or
forwarding resolvers that does not have a mechanism to find and cache forwarding resolver that does not have a mechanism to find and cache
zone cuts will drastically increase the number of outgoing queries. zone cuts will drastically increase the number of outgoing queries.
3. Algorithm to Perform QNAME Minimisation 3. Algorithm to Perform QNAME Minimisation
This algorithm performs name resolution with QNAME minimisation in This algorithm performs name resolution with QNAME minimisation in
the presence of zone cuts that are not yet known. the presence of zone cuts that are not yet known.
Although a validating resolver already has the logic to find the Although a validating resolver already has the logic to find the zone
zone cuts, implementers of resolvers may want to use this algorithm cuts, implementers of resolvers may want to use this algorithm to
to locate the zone cuts. locate the zone cuts.
(0) If the query can be answered from the cache, do so; otherwise, (0) If the query can be answered from the cache, do so; otherwise,
iterate as follows: iterate as follows:
(1) Get the closest delegation point that can be used for the (1) Get the closest delegation point that can be used for the
original QNAME from the cache. original QNAME from the cache.
(1a) For queries with a QTYPE for which the authority only lies (1a) For queries with a QTYPE for which the authority only lies
at the parent side (like QTYPE=DS) this is the NS RRset with at the parent side (like QTYPE=DS), this is the NS RRset
the owner matching the most labels with QNAME stripped by with the owner matching the most labels with QNAME
one label. QNAME will be a subdomain of (but not equal to) stripped by one label. QNAME will be a subdomain of (but
this NS RRset. Call this ANCESTOR. not equal to) this NS RRset. Call this ANCESTOR.
(1b) For queries with other original QTYPEs this is the NS RRset (1b) For queries with other original QTYPEs, this is the NS
with the owner matching the most labels with QNAME. QNAME RRset with the owner matching the most labels with QNAME.
will be equal to or a subdomain of this NS RRset. Call this QNAME will be equal to or a subdomain of this NS RRset.
ANCESTOR. Call this ANCESTOR.
(2) Initialise CHILD to the same as ANCESTOR. (2) Initialise CHILD to the same as ANCESTOR.
(3) If CHILD is the same as QNAME, or if CHILD is one label shorter (3) If CHILD is the same as QNAME, or if CHILD is one label shorter
than QNAME and the original QTYPE can only be at the parent side than QNAME and the original QTYPE can only be at the parent side
(like QTYPE=DS), resolve the original query as normal starting (like QTYPE=DS), resolve the original query as normal, starting
from ANCESTOR's name servers. Start over from step 0 if new from ANCESTOR's name servers. Start over from step 0 if new
names need to be resolved as result of this answer, for example names need to be resolved as a result of this answer, for
when the answer contains a CNAME or DNAME [RFC6672] record. example, when the answer contains a CNAME or DNAME [RFC6672]
record.
(4) Otherwise, update the value of CHILD by adding the next relevant (4) Otherwise, update the value of CHILD by adding the next relevant
label or labels from QNAME to the start of CHILD. The number of label or labels from QNAME to the start of CHILD. The number of
labels to add is discussed in Section 2.3. labels to add is discussed in Section 2.3.
(5) Look for a cache entry for the RRset at CHILD with the original (5) Look for a cache entry for the RRset at CHILD with the original
QTYPE. If the cached response code is NXDOMAIN and the resolver QTYPE. If the cached response code is NXDOMAIN and the resolver
has support for [RFC8020], the NXDOMAIN can be used in response has support for [RFC8020], the NXDOMAIN can be used in response
to the original query, and stop. If the cached response code is to the original query, and stop. If the cached response code is
NOERROR (including NODATA), go back to step 3. If the cached NOERROR (including NODATA), go back to step 3. If the cached
response code is NXDOMAIN and the resolver does not support RFC response code is NXDOMAIN and the resolver does not support
8020, go back to step 3. [RFC8020], go back to step 3.
(6) Query for CHILD with the selected QTYPE using one of ANCESTOR's (6) Query for CHILD with the selected QTYPE using one of ANCESTOR's
name servers. The response can be: name servers. The response can be:
(6a) A referral. Cache the NS RRset from the authority section, (6a) A referral. Cache the NS RRset from the authority
and go back to step 1. section, and go back to step 1.
(6b) A DNAME response. Proceed as if a DNAME is received for (6b) A DNAME response. Proceed as if a DNAME is received for
the original query. Start over from step 0 to resolve the the original query. Start over from step 0 to resolve the
new name based on the DNAME target. new name based on the DNAME target.
(6c) All other NOERROR answers (including NODATA). Cache this (6c) All other NOERROR answers (including NODATA). Cache this
answer. Regardless of the answered RRset type, including answer. Regardless of the answered RRset type, including
CNAMEs, continue with the algorithm from step 3 by building CNAMEs, continue with the algorithm from step 3 by
the original QNAME. building the original QNAME.
(6d) An NXDOMAIN response. If the resolver supports RFC8020, (6d) An NXDOMAIN response. If the resolver supports [RFC8020],
return an NXDOMAIN response to the original query and stop. return an NXDOMAIN response to the original query, and
If the resolver does not support RFC8020, go to step 3. stop. If the resolver does not support [RFC8020], go to
step 3.
(6e) A timeout or response with another RCODE. The (6e) A timeout or response with another RCODE. The
implementation may choose to retry step (6) with a different implementation may choose to retry step 6 with a different
ANCESTOR name server. ANCESTOR name server.
4. QNAME Minimisation Examples 4. QNAME Minimisation Examples
As a first example, assume that a resolver receives a request to As a first example, assume that a resolver receives a request to
resolve foo.bar.baz.example. Assume that the resolver already knows resolve foo.bar.baz.example. Assume that the resolver already knows
that ns1.nic.example is authoritative for .example, and that the that ns1.nic.example is authoritative for .example and that the
resolver does not know a more specific authoritative name server. It resolver does not know a more specific authoritative name server. It
will send the query with QNAME=baz.example and the QTYPE selected to will send the query with QNAME=baz.example and the QTYPE selected to
hide the original QTYPE to ns1.nic.example. hide the original QTYPE to ns1.nic.example.
The following are more detailed examples of other queries with QNAME +=======+=================+=========================+======+
minimisation, using other names and authoritative servers: | QTYPE | QNAME | TARGET | NOTE |
+=======+=================+=========================+======+
| MX | a.b.example.org | root name server | |
+-------+-----------------+-------------------------+------+
| MX | a.b.example.org | org name server | |
+-------+-----------------+-------------------------+------+
| MX | a.b.example.org | example.org name server | |
+-------+-----------------+-------------------------+------+
Cold cache, traditional resolution algorithm without QNAME Table 1: Cold Cache, Traditional Resolution Algorithm
minimisation, request for MX record of a.b.example.org: without QNAME Minimisation, Request for MX Record of
a.b.example.org
QTYPE QNAME TARGET NOTE The following are more detailed examples of requests for an MX record
MX a.b.example.org root nameserver of a.b.example.org with QNAME minimisation, using A QTYPE to hide the
MX a.b.example.org org nameserver original QTYPE and using other names and authoritative servers:
MX a.b.example.org example.org nameserver
Cold cache, with QNAME minimisation, request for MX record of +=======+=================+=========================+============+
a.b.example.org, using the A QTYPE to hide the original QTYPE: | QTYPE | QNAME | TARGET | NOTE |
+=======+=================+=========================+============+
| A | org | root name server | |
+-------+-----------------+-------------------------+------------+
| A | example.org | org name server | |
+-------+-----------------+-------------------------+------------+
| A | b.example.org | example.org name server | |
+-------+-----------------+-------------------------+------------+
| A | a.b.example.org | example.org name server | "a" may be |
| | | | delegated |
+-------+-----------------+-------------------------+------------+
| MX | a.b.example.org | example.org name server | |
+-------+-----------------+-------------------------+------------+
QTYPE QNAME TARGET NOTE Table 2: Cold Cache with QNAME Minimisation
A org root nameserver
A example.org org nameserver
A b.example.org example.org nameserver
A a.b.example.org example.org nameserver "a" may be delegated
MX a.b.example.org example.org nameserver
Note that in above example one query would have been saved if the Note that, in the above example, one query would have been saved if
incoming QTYPE was the same as the QTYPE selected by the resolver to the incoming QTYPE was the same as the QTYPE selected by the resolver
hide the original QTYPE. Only one query for a.b.example.org would to hide the original QTYPE. Only one query for a.b.example.org would
have been needed if the original QTYPE would have been A. Using the have been needed if the original QTYPE would have been A. Using the
most used QTYPE to hide the original QTYPE therefore slightly reduces most-used QTYPE to hide the original QTYPE therefore slightly reduces
the number of outgoing queries compared to using any other QTYPE to the number of outgoing queries compared to using any other QTYPE to
hide the original QTYPE. hide the original QTYPE.
Warm cache with only org delegation known, (example.org's NS RRset is +=======+=================+=========================+============+
not known), request for MX record of a.b.example.org, using A QTYPE | QTYPE | QNAME | TARGET | NOTE |
to hide the original QTYPE: +=======+=================+=========================+============+
| A | example.org | org name server | |
+-------+-----------------+-------------------------+------------+
| A | b.example.org | example.org name server | |
+-------+-----------------+-------------------------+------------+
| A | a.b.example.org | example.org name server | "a" may be |
| | | | delegated |
+-------+-----------------+-------------------------+------------+
| MX | a.b.example.org | example.org name server | |
+-------+-----------------+-------------------------+------------+
QTYPE QNAME TARGET NOTE Table 3: Warm Cache with QNAME Minimisation
A example.org org nameserver
A b.example.org example.org nameserver
A a.b.example.org example.org nameserver "a" may be delegated
MX a.b.example.org example.org nameserver
5. Performance Considerations 5. Performance Considerations
The main goal of QNAME minimisation is to improve privacy by sending The main goal of QNAME minimisation is to improve privacy by sending
less data. However, it may have other advantages. For instance, if less data. However, it may have other advantages. For instance, if
a resolver sends a root name server queries for A.example followed by a resolver sends a root name server queries for A.example followed by
B.example followed by C.example, the result will be three NXDOMAINs, B.example followed by C.example, the result will be three NXDOMAINs,
since .example does not exist in the root zone. When using QNAME since .example does not exist in the root zone. When using QNAME
minimisation, the resolver would send only one question (for .example minimisation, the resolver would send only one question (for .example
itself) to which they could answer NXDOMAIN. The resolver can cache itself) to which they could answer NXDOMAIN. The resolver can cache
this answer and use it as to prove that nothing below .example exists this answer and use it to prove that nothing below .example exists
([RFC8020]). A resolver now knows a priori that neither B.example [RFC8020]. A resolver now knows a priori that neither B.example nor
nor C.example exist. Thus, in this common case, the total number of C.example exist. Thus, in this common case, the total number of
upstream queries under QNAME minimisation could counterintuitively be upstream queries under QNAME minimisation could be counterintuitively
less than the number of queries under the traditional iteration (as less than the number of queries under the traditional iteration (as
described in the DNS standard). described in the DNS standard).
QNAME minimisation can increase the number of queries based on the QNAME minimisation can increase the number of queries based on the
incoming QNAME. This is described in Section 2.3. As described in incoming QNAME. This is described in Section 2.3. As described in
[devries-qnamemin], QNAME minimisation both increases the number of [devries-qnamemin], QNAME minimisation both increases the number of
DNS lookups by up to 26% and leads to up to 5% more failed lookups. DNS lookups by up to 26% and leads to up to 5% more failed lookups.
Filling the cache in a production resolver will soften that overhead. Filling the cache in a production resolver will soften that overhead.
6. Security Considerations 6. Security Considerations
QNAME minimisation's benefits are clear in the case where you want to QNAME minimisation's benefits are clear in the case where you want to
decrease exposure of the queried name to the authoritative decrease exposure of the queried name to the authoritative name
name server. But minimising the amount of data sent also, in part, server. But minimising the amount of data sent also, in part,
addresses the case of a wire sniffer as well as the case of privacy addresses the case of a wire sniffer as well as the case of privacy
invasion by the authoritative name servers. (Encryption is of course invasion by the authoritative name servers. Encryption is of course
a better defense against wire sniffers, but, unlike QNAME a better defense against wire sniffers, but, unlike QNAME
minimisation, it changes the protocol and cannot be deployed minimisation, it changes the protocol and cannot be deployed
unilaterally. Also, the effect of QNAME minimisation on wire unilaterally. Also, the effect of QNAME minimisation on wire
sniffers depends on whether the sniffer is on the DNS path.) sniffers depends on whether the sniffer is on the DNS path.
QNAME minimisation offers no protection against the recursive QNAME minimisation offers no protection against the recursive
resolver, which still sees the full request coming from the stub resolver, which still sees the full request coming from the stub
resolver. resolver.
A resolver using QNAME minimisation can possibly be used to cause a A resolver using QNAME minimisation can possibly be used to cause a
query storm to be sent to servers when resolving queries containing a query storm to be sent to servers when resolving queries containing a
QNAME with a large number of labels, as described in Section 2.3. QNAME with a large number of labels, as described in Section 2.3.
That section proposes methods to significantly dampen the effects of That section proposes methods to significantly dampen the effects of
such attacks. such attacks.
skipping to change at page 11, line 29 skipping to change at line 504
7.2. Informative References 7.2. Informative References
[apnic-qnamemin] [apnic-qnamemin]
Huston, G. and J. Damas, "Measuring Query Name Huston, G. and J. Damas, "Measuring Query Name
Minimization", September 2020, <https://indico.dns- Minimization", September 2020, <https://indico.dns-
oarc.net/event/34/contributions/787/ oarc.net/event/34/contributions/787/
attachments/777/1326/2020-09-28-oarc33-qname- attachments/777/1326/2020-09-28-oarc33-qname-
minimisation.pdf>. minimisation.pdf>.
[devries-qnamemin] [devries-qnamemin]
"A First Look at QNAME Minimization in the Domain Name de Vries, W., Scheitle, Q., Müller, M., Toorop, W.,
System", March 2019, Dolmans, R., and R. van Rijswijk-Deij, "A First Look at
QNAME Minimization in the Domain Name System", March 2019,
<https://nlnetlabs.nl/downloads/publications/ <https://nlnetlabs.nl/downloads/publications/
devries2019.pdf>. devries2019.pdf>.
[dnsthought-qnamemin] [dnsthought-qnamemin]
"DNSThought QNAME minimisation results. Using Atlas "Qname Minimisation", October 2021,
probes", March 2020,
<https://dnsthought.nlnetlabs.nl/#qnamemin>. <https://dnsthought.nlnetlabs.nl/#qnamemin>.
[Huque-QNAME-Min] [Huque-QNAME-Min]
Huque, S., "Query name minimization and authoritative Huque, S., "Query name minimization and authoritative
server behavior", May 2015, server behavior", May 2015,
<https://indico.dns-oarc.net/event/21/contribution/9>. <https://indico.dns-oarc.net/event/21/contribution/9>.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<https://www.rfc-editor.org/info/rfc2181>. <https://www.rfc-editor.org/info/rfc2181>.
skipping to change at page 12, line 33 skipping to change at line 555
<https://www.rfc-editor.org/info/rfc9076>. <https://www.rfc-editor.org/info/rfc9076>.
[verisign-qnamemin] [verisign-qnamemin]
Thomas, M., "Maximizing Qname Minimization: A New Chapter Thomas, M., "Maximizing Qname Minimization: A New Chapter
in DNS Protocol Evolution", September 2020, in DNS Protocol Evolution", September 2020,
<https://blog.verisign.com/security/maximizing-qname- <https://blog.verisign.com/security/maximizing-qname-
minimization-a-new-chapter-in-dns-protocol-evolution/>. minimization-a-new-chapter-in-dns-protocol-evolution/>.
Acknowledgments Acknowledgments
The acknowledgements from RFC 7816 apply here. In addition, many The acknowledgments from RFC 7816 apply here. In addition, many
participants from the DNSOP Working Group helped with proposals for participants from the DNSOP Working Group helped with proposals for
simplification, clarification, and general editorial help. simplification, clarification, and general editorial help.
Changes from RFC 7816
Changed in -07
* Stopped using the term "aggressive" for the method described
* Clarified some terminology
* More reorganization
Changed in -06
* Removed lots of text from when this was experimental
* Lots of reorganization
Changed in -04
* Start structure for implementation section
* Add clarification why the used QTYPE does not matter
* Make algorithm DS QTYPE compatible
Changed in -03
* Drop recommendation to use the NS QTYPE to hide the incoming QTYPE
* Describe DoS attach vector for QNAME with large number of labels,
and propose a mitigation.
* Simplify examples and change qname to a.b.example.com to show the
change in number of queries.
Changed in -00, -01, and -02
* Made changes to deal with errata #4644
* Changed status to be on standards track
* Major reorganization
Authors' Addresses Authors' Addresses
Stephane Bortzmeyer Stephane Bortzmeyer
AFNIC AFNIC
1, rue Stephenson 1, rue Stephenson
78180 Montigny-le-Bretonneux 78180 Montigny-le-Bretonneux
France France
Phone: +33 1 39 30 83 46 Phone: +33 1 39 30 83 46
Email: bortzmeyer+ietf@nic.fr Email: bortzmeyer+ietf@nic.fr
 End of changes. 68 change blocks. 
231 lines changed or deleted 207 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/