From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc1536.txt | 675 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 675 insertions(+) create mode 100644 doc/rfc/rfc1536.txt (limited to 'doc/rfc/rfc1536.txt') diff --git a/doc/rfc/rfc1536.txt b/doc/rfc/rfc1536.txt new file mode 100644 index 0000000..33dd6eb --- /dev/null +++ b/doc/rfc/rfc1536.txt @@ -0,0 +1,675 @@ + + + + + + +Network Working Group A. Kumar +Request for Comments: 1536 J. Postel +Category: Informational C. Neuman + ISI + P. Danzig + S. Miller + USC + October 1993 + + + Common DNS Implementation Errors and Suggested Fixes + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard. Distribution of this memo is + unlimited. + +Abstract + + This memo describes common errors seen in DNS implementations and + suggests some fixes. Where applicable, violations of recommendations + from STD 13, RFC 1034 and STD 13, RFC 1035 are mentioned. The memo + also describes, where relevant, the algorithms followed in BIND + (versions 4.8.3 and 4.9 which the authors referred to) to serve as an + example. + +Introduction + + The last few years have seen, virtually, an explosion of DNS traffic + on the NSFnet backbone. Various DNS implementations and various + versions of these implementations interact with each other, producing + huge amounts of unnecessary traffic. Attempts are being made by + researchers all over the internet, to document the nature of these + interactions, the symptomatic traffic patterns and to devise remedies + for the sick pieces of software. + + This draft is an attempt to document fixes for known DNS problems so + people know what problems to watch out for and how to repair broken + software. + +1. Fast Retransmissions + + DNS implements the classic request-response scheme of client-server + interaction. UDP is, therefore, the chosen protocol for communication + though TCP is used for zone transfers. The onus of requerying in case + no response is seen in a "reasonable" period of time, lies with the + client. Although RFC 1034 and 1035 do not recommend any + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 1] + +RFC 1536 Common DNS Implementation Errors October 1993 + + + retransmission policy, RFC 1035 does recommend that the resolvers + should cycle through a list of servers. Both name servers and stub + resolvers should, therefore, implement some kind of a retransmission + policy based on round trip time estimates of the name servers. The + client should back-off exponentially, probably to a maximum timeout + value. + + However, clients might not implement either of the two. They might + not wait a sufficient amount of time before retransmitting or they + might not back-off their inter-query times sufficiently. + + Thus, what the server would see will be a series of queries from the + same querying entity, spaced very close together. Of course, a + correctly implemented server discards all duplicate queries but the + queries contribute to wide-area traffic, nevertheless. + + We classify a retransmission of a query as a pure Fast retry timeout + problem when a series of query packets meet the following conditions. + + a. Query packets are seen within a time less than a "reasonable + waiting period" of each other. + + b. No response to the original query was seen i.e., we see two or + more queries, back to back. + + c. The query packets share the same query identifier. + + d. The server eventually responds to the query. + +A GOOD IMPLEMENTATION: + + BIND (we looked at versions 4.8.3 and 4.9) implements a good + retransmission algorithm which solves or limits all of these + problems. The Berkeley stub-resolver queries servers at an interval + that starts at the greater of 4 seconds and 5 seconds divided by the + number of servers the resolver queries. The resolver cycles through + servers and at the end of a cycle, backs off the time out + exponentially. + + The Berkeley full-service resolver (built in with the program + "named") starts with a time-out equal to the greater of 4 seconds and + two times the round-trip time estimate of the server. The time-out + is backed off with each cycle, exponentially, to a ceiling value of + 45 seconds. + + + + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 2] + +RFC 1536 Common DNS Implementation Errors October 1993 + + +FIXES: + + a. Estimate round-trip times or set a reasonably high initial + time-out. + + b. Back-off timeout periods exponentially. + + c. Yet another fundamental though difficult fix is to send the + client an acknowledgement of a query, with a round-trip time + estimate. + + Since UDP is used, no response is expected by the client until the + query is complete. Thus, it is less likely to have information about + previous packets on which to estimate its back-off time. Unless, you + maintain state across queries, so subsequent queries to the same + server use information from previous queries. Unfortunately, such + estimates are likely to be inaccurate for chained requests since the + variance is likely to be high. + + The fix chosen in the ARDP library used by Prospero is that the + server will send an initial acknowledgement to the client in those + cases where the server expects the query to take a long time (as + might be the case for chained queries). This initial acknowledgement + can include an expected time to wait before retrying. + + This fix is more difficult since it requires that the client software + also be trained to expect the acknowledgement packet. This, in an + internet of millions of hosts is at best a hard problem. + +2. Recursion Bugs + + When a server receives a client request, it first looks up its zone + data and the cache to check if the query can be answered. If the + answer is unavailable in either place, the server seeks names of + servers that are more likely to have the information, in its cache or + zone data. It then does one of two things. If the client desires the + server to recurse and the server architecture allows recursion, the + server chains this request to these known servers closest to the + queried name. If the client doesn't seek recursion or if the server + cannot handle recursion, it returns the list of name servers to the + client assuming the client knows what to do with these records. + + The client queries this new list of name servers to get either the + answer, or names of another set of name servers to query. This + process repeats until the client is satisfied. Servers might also go + through this chaining process if the server returns a CNAME record + for the queried name. Some servers reprocess this name to try and get + the desired record type. + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 3] + +RFC 1536 Common DNS Implementation Errors October 1993 + + + However, in certain cases, this chain of events may not be good. For + example, a broken or malicious name server might list itself as one + of the name servers to query again. The unsuspecting client resends + the same query to the same server. + + In another situation, more difficult to detect, a set of servers + might form a loop wherein A refers to B and B refers to A. This loop + might involve more than two servers. + + Yet another error is where the client does not know how to process + the list of name servers returned, and requeries the same server + since that is one (of the few) servers it knows. + + We, therefore, classify recursion bugs into three distinct + categories: + + a. Ignored referral: Client did not know how to handle NS records + in the AUTHORITY section. + + b. Too many referrals: Client called on a server too many times, + beyond a "reasonable" number, with same query. This is + different from a Fast retransmission problem and a Server + Failure detection problem in that a response is seen for every + query. Also, the identifiers are always different. It implies + client is in a loop and should have detected that and broken + it. (RFC 1035 mentions that client should not recurse beyond + a certain depth.) + + c. Malicious Server: a server refers to itself in the authority + section. If a server does not have an answer now, it is very + unlikely it will be any better the next time you query it, + specially when it claims to be authoritative over a domain. + + RFC 1034 warns against such situations, on page 35. + + "Bound the amount of work (packets sent, parallel processes + started) so that a request can't get into an infinite loop or + start off a chain reaction of requests or queries with other + implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED + SOME DATA." + +A GOOD IMPLEMENTATION: + + BIND fixes at least one of these problems. It places an upper limit + on the number of recursive queries it will make, to answer a + question. It chases a maximum of 20 referral links and 8 canonical + name translations. + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 4] + +RFC 1536 Common DNS Implementation Errors October 1993 + + +FIXES: + + a. Set an upper limit on the number of referral links and CNAME + links you are willing to chase. + + Note that this is not guaranteed to break only recursion loops. + It could, in a rare case, prune off a very long search path, + prematurely. We know, however, with high probability, that if + the number of links cross a certain metric (two times the depth + of the DNS tree), it is a recursion problem. + + b. Watch out for self-referring servers. Avoid them whenever + possible. + + c. Make sure you never pass off an authority NS record with your + own name on it! + + d. Fix clients to accept iterative answers from servers not built + to provide recursion. Such clients should either be happy with + the non-authoritative answer or be willing to chase the + referral links themselves. + +3. Zero Answer Bugs: + + Name servers sometimes return an authoritative NOERROR with no + ANSWER, AUTHORITY or ADDITIONAL records. This happens when the + queried name is valid but it does not have a record of the desired + type. Of course, the server has authority over the domain. + + However, once again, some implementations of resolvers do not + interpret this kind of a response reasonably. They always expect an + answer record when they see an authoritative NOERROR. These entities + continue to resend their queries, possibly endlessly. + +A GOOD IMPLEMENTATION + + BIND resolver code does not query a server more than 3 times. If it + is unable to get an answer from 4 servers, querying them three times + each, it returns error. + + Of course, it treats a zero-answer response the way it should be + treated; with respect! + +FIXES: + + a. Set an upper limit on the number of retransmissions for a given + query, at the very least. + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 5] + +RFC 1536 Common DNS Implementation Errors October 1993 + + + b. Fix resolvers to interpret such a response as an authoritative + statement of non-existence of the record type for the given + name. + +4. Inability to detect server failure: + + Servers in the internet are not very reliable (they go down every + once in a while) and resolvers are expected to adapt to the changed + scenario by not querying the server for a while. Thus, when a server + does not respond to a query, resolvers should try another server. + Also, non-stub resolvers should update their round trip time estimate + for the server to a large value so that server is not tried again + before other, faster servers. + + Stub resolvers, however, cycle through a fixed set of servers and if, + unfortunately, a server is down while others do not respond for other + reasons (high load, recursive resolution of query is taking more time + than the resolver's time-out, ....), the resolver queries the dead + server again! In fact, some resolvers might not set an upper limit on + the number of query retransmissions they will send and continue to + query dead servers indefinitely. + + Name servers running system or chained queries might also suffer from + the same problem. They store names of servers they should query for a + given domain. They cycle through these names and in case none of them + answers, hit each one more than one. It is, once again, important + that there be an upper limit on the number of retransmissions, to + prevent network overload. + + This behavior is clearly in violation of the dictum in RFC 1035 (page + 46) + + "If a resolver gets a server error or other bizarre response + from a name server, it should remove it from SLIST, and may + wish to schedule an immediate transmission to the next + candidate server address." + + Removal from SLIST implies that the server is not queried again for + some time. + + Correctly implemented full-service resolvers should, as pointed out + before, update round trip time values for servers that do not respond + and query them only after other, good servers. Full-service resolvers + might, however, not follow any of these common sense directives. They + query dead servers, and they query them endlessly. + + + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 6] + +RFC 1536 Common DNS Implementation Errors October 1993 + + +A GOOD IMPLEMENTATION: + + BIND places an upper limit on the number of times it queries a + server. Both the stub-resolver and the full-service resolver code do + this. Also, since the full-service resolver estimates round-trip + times and sorts name server addresses by these estimates, it does not + query a dead server again, until and unless all the other servers in + the list are dead too! Further, BIND implements exponential back-off + too. + +FIXES: + + a. Set an upper limit on number of retransmissions. + + b. Measure round-trip time from servers (some estimate is better + than none). Treat no response as a "very large" round-trip + time. + + c. Maintain a weighted rtt estimate and decay the "large" value + slowly, with time, so that the server is eventually tested + again, but not after an indefinitely long period. + + d. Follow an exponential back-off scheme so that even if you do + not restrict the number of queries, you do not overload the + net excessively. + +5. Cache Leaks: + + Every resource record returned by a server is cached for TTL seconds, + where the TTL value is returned with the RR. Full-service (or stub) + resolvers cache the RR and answer any queries based on this cached + information, in the future, until the TTL expires. After that, one + more query to the wide-area network gets the RR in cache again. + + Full-service resolvers might not implement this caching mechanism + well. They might impose a limit on the cache size or might not + interpret the TTL value correctly. In either case, queries repeated + within a TTL period of a RR constitute a cache leak. + +A GOOD/BAD IMPLEMENTATION: + + BIND has no restriction on the cache size and the size is governed by + the limits on the virtual address space of the machine it is running + on. BIND caches RRs for the duration of the TTL returned with each + record. + + It does, however, not follow the RFCs with respect to interpretation + of a 0 TTL value. If a record has a TTL value of 0 seconds, BIND uses + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 7] + +RFC 1536 Common DNS Implementation Errors October 1993 + + + the minimum TTL value, for that zone, from the SOA record and caches + it for that duration. This, though it saves some traffic on the + wide-area network, is not correct behavior. + +FIXES: + + a. Look over your caching mechanism to ensure TTLs are interpreted + correctly. + + b. Do not restrict cache sizes (come on, memory is cheap!). + Expired entries are reclaimed periodically, anyway. Of course, + the cache size is bound to have some physical limit. But, when + possible, this limit should be large (run your name server on + a machine with a large amount of physical memory). + + c. Possibly, a mechanism is needed to flush the cache, when it is + known or even suspected that the information has changed. + +6. Name Error Bugs: + + This bug is very similar to the Zero Answer bug. A server returns an + authoritative NXDOMAIN when the queried name is known to be bad, by + the server authoritative for the domain, in the absence of negative + caching. This authoritative NXDOMAIN response is usually accompanied + by the SOA record for the domain, in the authority section. + + Resolvers should recognize that the name they queried for was a bad + name and should stop querying further. + + Some resolvers might, however, not interpret this correctly and + continue to query servers, expecting an answer record. + + Some applications, in fact, prompt NXDOMAIN answers! When given a + perfectly good name to resolve, they append the local domain to it + e.g., an application in the domain "foo.bar.com", when trying to + resolve the name "usc.edu" first tries "usc.edu.foo.bar.com", then + "usc.edu.bar.com" and finally the good name "usc.edu". This causes at + least two queries that return NXDOMAIN, for every good query. The + problem is aggravated since the negative answers from the previous + queries are not cached. When the same name is sought again, the + process repeats. + + Some DNS resolver implementations suffer from this problem, too. They + append successive sub-parts of the local domain using an implicit + searchlist mechanism, when certain conditions are satisfied and try + the original name, only when this first set of iterations fails. This + behavior recently caused pandemonium in the Internet when the domain + "edu.com" was registered and a wildcard "CNAME" record placed at the + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 8] + +RFC 1536 Common DNS Implementation Errors October 1993 + + + top level. All machines from "com" domains trying to connect to hosts + in the "edu" domain ended up with connections to the local machine in + the "edu.com" domain! + +GOOD/BAD IMPLEMENTATIONS: + + Some local versions of BIND already implement negative caching. They + typically cache negative answers with a very small TTL, sufficient to + answer a burst of queries spaced close together, as is typically + seen. + + The next official public release of BIND (4.9.2) will have negative + caching as an ifdef'd feature. + + The BIND resolver appends local domain to the given name, when one of + two conditions is met: + + i. The name has no periods and the flag RES_DEFNAME is set. + ii. There is no trailing period and the flag RES_DNSRCH is set. + + The flags RES_DEFNAME and RES_DNSRCH are default resolver options, in + BIND, but can be changed at compile time. + + Only if the name, so generated, returns an NXDOMAIN is the original + name tried as a Fully Qualified Domain Name. And only if it contains + at least one period. + +FIXES: + + a. Fix the resolver code. + + b. Negative Caching. Negative caching servers will restrict the + traffic seen on the wide-area network, even if not curb it + altogether. + + c. Applications and resolvers should not append the local domain to + names they seek to resolve, as far as possible. Names + interspersed with periods should be treated as Fully Qualified + Domain Names. + + In other words, Use searchlists only when explicitly specified. + No implicit searchlists should be used. A name that contains + any dots should first be tried as a FQDN and if that fails, with + the local domain name (or searchlist if specified) appended. A + name containing no dots can be appended with the searchlist right + away, but once again, no implicit searchlists should be used. + + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 9] + +RFC 1536 Common DNS Implementation Errors October 1993 + + + Associated with the name error bug is another problem where a server + might return an authoritative NXDOMAIN, although the name is valid. A + secondary server, on start-up, reads the zone information from the + primary, through a zone transfer. While it is in the process of + loading the zones, it does not have information about them, although + it is authoritative for them. Thus, any query for a name in that + domain is answered with an NXDOMAIN response code. This problem might + not be disastrous were it not for negative caching servers that cache + this answer and so propagate incorrect information over the internet. + +BAD IMPLEMENTATION: + + BIND apparently suffers from this problem. + + Also, a new name added to the primary database will take a while to + propagate to the secondaries. Until that time, they will return + NXDOMAIN answers for a good name. Negative caching servers store this + answer, too and aggravate this problem further. This is probably a + more general DNS problem but is apparently more harmful in this + situation. + +FIX: + + a. Servers should start answering only after loading all the zone + data. A failed server is better than a server handing out + incorrect information. + + b. Negative cache records for a very small time, sufficient only + to ward off a burst of requests for the same bad name. This + could be related to the round-trip time of the server from + which the negative answer was received. Alternatively, a + statistical measure of the amount of time for which queries + for such names are received could be used. Minimum TTL value + from the SOA record is not advisable since they tend to be + pretty large. + + c. A "PUSH" (or, at least, a "NOTIFY") mechanism should be allowed + and implemented, to allow the primary server to inform + secondaries that the database has been modified since it last + transferred zone data. To alleviate the problem of "too many + zone transfers" that this might cause, Incremental Zone + Transfers should also be part of DNS. Also, the primary should + not NOTIFY/PUSH with every update but bunch a good number + together. + + + + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 10] + +RFC 1536 Common DNS Implementation Errors October 1993 + + +7. Format Errors: + + Some resolvers issue query packets that do not necessarily conform to + standards as laid out in the relevant RFCs. This unnecessarily + increases net traffic and wastes server time. + +FIXES: + + a. Fix resolvers. + + b. Each resolver verify format of packets before sending them out, + using a mechanism outside of the resolver. This is, obviously, + needed only if step 1 cannot be followed. + +References + + [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13, + RFC 1034, USC/Information Sciences Institute, November 1987. + + [2] Mockapetris, P., "Domain Names Implementation and Specification", + STD 13, RFC 1035, USC/Information Sciences Institute, November + 1987. + + [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC + 974, CSNET CIC BBN, January 1986. + + [4] Gavron, E., "A Security Problem and Proposed Correction With + Widely Deployed DNS Software", RFC 1535, ACES Research Inc., + October 1993. + + [5] Beertema, P., "Common DNS Data File Configuration Errors", RFC + 1537, CWI, October 1993. + +Security Considerations + + Security issues are not discussed in this memo. + + + + + + + + + + + + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 11] + +RFC 1536 Common DNS Implementation Errors October 1993 + + +Authors' Addresses + + Anant Kumar + USC Information Sciences Institute + 4676 Admiralty Way + Marina Del Rey CA 90292-6695 + + Phone:(310) 822-1511 + FAX: (310) 823-6741 + EMail: anant@isi.edu + + + Jon Postel + USC Information Sciences Institute + 4676 Admiralty Way + Marina Del Rey CA 90292-6695 + + Phone:(310) 822-1511 + FAX: (310) 823-6714 + EMail: postel@isi.edu + + + Cliff Neuman + USC Information Sciences Institute + 4676 Admiralty Way + Marina Del Rey CA 90292-6695 + + Phone:(310) 822-1511 + FAX: (310) 823-6714 + EMail: bcn@isi.edu + + + Peter Danzig + Computer Science Department + University of Southern California + University Park + + EMail: danzig@caldera.usc.edu + + + Steve Miller + Computer Science Department + University of Southern California + University Park + Los Angeles CA 90089 + + EMail: smiller@caldera.usc.edu + + + + +Kumar, Postel, Neuman, Danzig & Miller [Page 12] + \ No newline at end of file -- cgit v1.2.3