1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
|
Internet Engineering Task Force (IETF) J. Kristoff
Request for Comments: 9210 Dataplane.org
BCP: 235 D. Wessels
Updates: 1123, 1536 Verisign
Category: Best Current Practice March 2022
ISSN: 2070-1721
DNS Transport over TCP - Operational Requirements
Abstract
This document updates RFCs 1123 and 1536. This document requires the
operational practice of permitting DNS messages to be carried over
TCP on the Internet as a Best Current Practice. This operational
requirement is aligned with the implementation requirements in RFC
7766. The use of TCP includes both DNS over unencrypted TCP as well
as over an encrypted TLS session. The document also considers the
consequences of this form of DNS communication and the potential
operational issues that can arise when this Best Current Practice is
not upheld.
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9210.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
1.1. Requirements Language
2. History of DNS over TCP
2.1. Uneven Transport Usage and Preference
2.2. Waiting for Large Messages and Reliability
2.3. EDNS(0)
2.4. Fragmentation and Truncation
2.5. "Only Zone Transfers Use TCP"
2.6. Reuse, Pipelining, and Out-of-Order Processing
3. DNS-over-TCP Requirements
4. Network and System Considerations
4.1. Connection Establishment and Admission
4.2. Connection Management
4.3. Connection Termination
4.4. DNS over TLS
4.5. Defaults and Recommended Limits
5. DNS-over-TCP Filtering Risks
5.1. Truncation, Retries, and Timeouts
5.2. DNS Root Zone KSK Rollover
6. Logging and Monitoring
7. IANA Considerations
8. Security Considerations
9. Privacy Considerations
10. References
10.1. Normative References
10.2. Informative References
Appendix A. RFCs Related to DNS Transport over TCP
A.1. RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
A.2. RFC 1536 - Common DNS Implementation Errors and Suggested
Fixes
A.3. RFC 1995 - Incremental Zone Transfer in DNS
A.4. RFC 1996 - A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)
A.5. RFC 2181 - Clarifications to the DNS Specification
A.6. RFC 2694 - DNS extensions to Network Address Translators
(DNS_ALG)
A.7. RFC 3225 - Indicating Resolver Support of DNSSEC
A.8. RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message
size requirements
A.9. RFC 4472 - Operational Considerations and Issues with IPv6
DNS
A.10. RFC 5452 - Measures for Making DNS More Resilient against
Forged Answers
A.11. RFC 5507 - Design Choices When Expanding the DNS
A.12. RFC 5625 - DNS Proxy Implementation Guidelines
A.13. RFC 5936 - DNS Zone Transfer Protocol (AXFR)
A.14. RFC 7534 - AS112 Nameserver Operations
A.15. RFC 6762 - Multicast DNS
A.16. RFC 6891 - Extension Mechanisms for DNS (EDNS(0))
A.17. IAB RFC 6950 - Architectural Considerations on Application
Features in the DNS
A.18. RFC 7477 - Child-to-Parent Synchronization in DNS
A.19. RFC 7720 - DNS Root Name Service Protocol and Deployment
Requirements
A.20. RFC 7766 - DNS Transport over TCP - Implementation
Requirements
A.21. RFC 7828 - The edns-tcp-keepalive EDNS(0) Option
A.22. RFC 7858 - Specification for DNS over Transport Layer
Security (TLS)
A.23. RFC 7873 - Domain Name System (DNS) Cookies
A.24. RFC 7901 - CHAIN Query Requests in DNS
A.25. RFC 8027 - DNSSEC Roadblock Avoidance
A.26. RFC 8094 - DNS over Datagram Transport Layer Security
(DTLS)
A.27. RFC 8162 - Using Secure DNS to Associate Certificates with
Domain Names for S/MIME
A.28. RFC 8324 - DNS Privacy, Authorization, Special Uses,
Encoding, Characters, Matching, and Root Structure: Time for
Another Look?
A.29. RFC 8467 - Padding Policies for Extension Mechanisms for
DNS (EDNS(0))
A.30. RFC 8482 - Providing Minimal-Sized Responses to DNS Queries
That Have QTYPE=ANY
A.31. RFC 8483 - Yeti DNS Testbed
A.32. RFC 8484 - DNS Queries over HTTPS (DoH)
A.33. RFC 8490 - DNS Stateful Operations
A.34. RFC 8501 - Reverse DNS in IPv6 for Internet Service
Providers
A.35. RFC 8806 - Running a Root Server Local to a Resolver
A.36. RFC 8906 - A Common Operational Problem in DNS Servers:
Failure to Communicate
A.37. RFC 8932 - Recommendations for DNS Privacy Service
Operators
A.38. RFC 8945 - Secret Key Transaction Authentication for DNS
(TSIG)
Acknowledgments
Authors' Addresses
1. Introduction
DNS messages are delivered using UDP or TCP communications. While
most DNS transactions are carried over UDP, some operators have been
led to believe that any DNS-over-TCP traffic is unwanted or
unnecessary for general DNS operation. When DNS over TCP has been
restricted, a variety of communication failures and debugging
challenges often arise. As DNS and new naming system features have
evolved, TCP as a transport has become increasingly important for the
correct and safe operation of an Internet DNS. Reflecting modern
usage, the DNS standards declare that support for TCP is a required
part of the DNS implementation specifications [RFC7766]. This
document is the equivalent of formal requirements for the operational
community, encouraging system administrators, network engineers, and
security staff to ensure DNS-over-TCP communications support is on
par with DNS-over-UDP communications. It updates [RFC1123],
Section 6.1.3.2 to clarify that all DNS resolvers and recursive
servers MUST support and service both TCP and UDP queries and also
updates [RFC1536] to remove the misconception that TCP is only useful
for zone transfers.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. History of DNS over TCP
The curious state of disagreement between operational best practices
and guidance for DNS transport protocols derives from conflicting
messages operators have received from other operators, implementors,
and even the IETF. Sometimes these mixed signals have been explicit;
on other occasions, conflicting messages have been implicit. This
section presents an interpretation of the storied and conflicting
history that led to this document. This section is included for
informational purposes only.
2.1. Uneven Transport Usage and Preference
In the original suite of DNS specifications, [RFC1034] and [RFC1035]
clearly specify that DNS messages could be carried in either UDP or
TCP, but they also state that there is a preference for UDP as the
best transport for queries in the general case. As stated in
[RFC1035]:
| While virtual circuits can be used for any DNS activity, datagrams
| are preferred for queries due to their lower overhead and better
| performance.
Another early, important, and influential document, [RFC1123], marks
the preference for a transport protocol more explicitly:
| DNS resolvers and recursive servers MUST support UDP, and SHOULD
| support TCP, for sending (non-zone-transfer) queries.
and it further stipulates that:
| A name server MAY limit the resources it devotes to TCP queries,
| but it SHOULD NOT refuse to service a TCP query just because it
| would have succeeded with UDP.
Culminating in [RFC1536], DNS over TCP came to be associated
primarily with the zone transfer mechanism, while most DNS queries
and responses were seen as the dominion of UDP.
2.2. Waiting for Large Messages and Reliability
In the original specifications, the maximum DNS-over-UDP message size
was enshrined at 512 bytes. However, even while [RFC1123] prefers
UDP for non-zone transfer queries, it foresaw that DNS over TCP would
become more popular in the future to overcome this limitation:
| [...] it is also clear that some new DNS record types defined in
| the future will contain information exceeding the 512 byte limit
| that applies to UDP, and hence will require TCP.
At least two new, widely anticipated developments were set to elevate
the need for DNS-over-TCP transactions. The first was dynamic
updates defined in [RFC2136], and the second was the set of
extensions collectively known as "DNSSEC", whose operational
considerations were originally given in [RFC2541] (note that
[RFC2541] has been obsoleted by [RFC6781]). The former suggests that
| ...requestors who require an accurate response code must use TCP.
while the latter warns that
| ... larger keys increase the size of the KEY and SIG RRs. This
| increases the chance of DNS UDP packet overflow and the possible
| necessity for using higher overhead TCP in responses.
Yet, defying some expectations, DNS over TCP remained little used in
real traffic across the Internet in the late 1990s. Dynamic updates
saw little deployment between autonomous networks. Around the time
DNSSEC was first defined, another new feature helped solidify UDP
transport dominance for message transactions.
2.3. EDNS(0)
In 1999, the IETF published the Extension Mechanisms for DNS
(EDNS(0)) in [RFC2671] (which was obsoleted by [RFC6891] in 2013).
That document standardized a way for communicating DNS nodes to
perform rudimentary capabilities negotiation. One such capability
written into the base specification and present in every EDNS(0)-
compatible message is the value of the maximum UDP payload size the
sender can support. This unsigned 16-bit field specifies, in bytes,
the maximum (possibly fragmented) DNS message size a node is capable
of receiving over UDP. In practice, typical values are a subset of
the 512- to 4096-byte range. EDNS(0) became widely deployed over the
next several years, and numerous surveys (see [CASTRO2010] and
[NETALYZR]) have shown that many systems support larger UDP MTUs with
EDNS(0).
The natural effect of EDNS(0) deployment meant DNS messages larger
than 512 bytes would be less reliant on TCP than they might otherwise
have been. While a non-negligible population of DNS systems lacked
EDNS(0) or fell back to TCP when necessary, DNS clients still
strongly prefer UDP to TCP. For example, as of 2014, DNS-over-TCP
transactions remained a very small fraction of overall DNS traffic
received by root name servers [VERISIGN].
2.4. Fragmentation and Truncation
Although EDNS(0) provides a way for endpoints to signal support for
DNS messages exceeding 512 bytes, the realities of a diverse and
inconsistently deployed Internet may result in some large messages
being unable to reach their destination. Any IP datagram whose size
exceeds the MTU of a link it transits will be fragmented and then
reassembled by the receiving host. Unfortunately, it is not uncommon
for middleboxes and firewalls to block IP fragments. If one or more
fragments do not arrive, the application does not receive the
message, and the request times out.
For IPv4-connected hosts, the MTU is often an Ethernet payload size
of 1500 bytes. This means that the largest unfragmented UDP DNS
message that can be sent over IPv4 is likely 1472 bytes, although
tunnel encapsulation may reduce that maximum message size in some
cases.
For IPv6, the situation is a little more complicated. First, IPv6
headers are 40 bytes (versus 20 without options in IPv4). Second,
approximately one-third of DNS recursive resolvers use the minimum
MTU of 1280 bytes [APNIC]. Third, fragmentation in IPv6 can only be
done by the host originating the datagram. The need to fragment is
conveyed in an ICMPv6 "Packet Too Big" message. The originating host
indicates a fragmented datagram with IPv6 extension headers.
Unfortunately, it is quite common for both ICMPv6 and IPv6 extension
headers to be blocked by middleboxes. According to [HUSTON], some
35% of IPv6-capable recursive resolvers were unable to receive a
fragmented IPv6 packet. When the originating host receives a signal
that fragmentation is required, it is expected to populate its path
MTU cache for that destination. The application will then retry the
query after a timeout since the host does not generally retain copies
of messages sent over UDP for potential retransmission.
The practical consequence of all this is that DNS requestors must be
prepared to retry queries with different EDNS(0) maximum message size
values. Administrators of [BIND] are likely to be familiar with
seeing the following message in their system logs: "success resolving
... after reducing the advertised EDNS(0) UDP packet size to 512
octets".
Often, reducing the EDNS(0) UDP packet size leads to a successful
response. That is, the necessary data fits within the smaller
message size. However, when the data does not fit, the server sets
the truncated flag in its response, indicating the client should
retry over TCP to receive the whole response. This is undesirable
from the client's point of view because it adds more latency and is
potentially undesirable from the server's point of view due to the
increased resource requirements of TCP.
Note that a receiver is unable to differentiate between packets lost
due to congestion and packets (fragments) intentionally dropped by
firewalls or middleboxes. Over network paths with non-trivial
amounts of packet loss, larger, fragmented DNS responses are more
likely to never arrive and time out compared to smaller, unfragmented
responses. Clients might be misled into retrying queries with
different EDNS(0) UDP packet size values for the wrong reason.
The issues around fragmentation, truncation, and TCP are driving
certain implementation and policy decisions in the DNS. Notably,
Cloudflare implemented a technique that minimizes the number of
DNSSEC denial-of-existence records (for its online signing platform)
[CLOUDFLARE] and uses an Elliptic Curve Digital Signature Algorithm
(ECDSA) such that its signed responses fit easily in 512 bytes. The
Key Signing Key (KSK) Rollover Design Team [DESIGNTEAM] spent a lot
of time thinking and worrying about response sizes. There is growing
sentiment in the DNSSEC community that RSA key sizes beyond 2048 bits
are impractical and that critical infrastructure zones should
transition to elliptic curve algorithms to keep response sizes
manageable [ECDSA].
More recently, renewed security concerns about fragmented DNS
messages (see [AVOID_FRAGS] and [FRAG_POISON]) are leading
implementors to consider smaller responses and lower default EDNS(0)
UDP payload size values for both queriers and responders
[FLAGDAY2020].
2.5. "Only Zone Transfers Use TCP"
Today, the majority of the DNS community expects, or at least has a
desire, to see DNS-over-TCP transactions occur without interference
[FLAGDAY2020]. However, there has also been a long-held belief by
some operators, particularly for security-related reasons, that DNS-
over-TCP services should be purposely limited or not provided at all
[CHES94] [DJBDNS]. A popular meme is that DNS over TCP is only ever
used for zone transfers and is generally unnecessary otherwise, with
filtering all DNS-over-TCP traffic even described as a best practice.
The position on restricting DNS over TCP had some justification given
that historical implementations of DNS name servers provided very
little in the way of TCP connection management (for example, see
Section 6.1.2 of [RFC7766] for more details). However, modern
standards and implementations are nearing parity with the more
sophisticated TCP management techniques employed by, for example,
HTTP(S) servers and load balancers.
2.6. Reuse, Pipelining, and Out-of-Order Processing
The idea that a TCP connection can support multiple transactions goes
back as far as [RFC0883], which states: "Multiple messages may be
sent over a virtual circuit." Although [RFC1035], which updates the
former, omits this particular detail, it has been generally accepted
that a TCP connection can be used for more than one query and
response.
[RFC5966] clarifies that servers are not required to preserve the
order of queries and responses over any transport. [RFC7766], which
updates the former, further encourages query pipelining over TCP to
achieve performance on par with UDP. A server that sends out-of-
order responses to pipelined queries avoids head-of-line blocking
when the response for a later query is ready before the response to
an earlier query.
However, TCP can potentially suffer from a different head-of-line
blocking problem due to packet loss. Since TCP itself enforces
ordering, a single lost segment delays delivery of data in any
following segments until the lost segment is retransmitted and
successfully received.
3. DNS-over-TCP Requirements
An average increase in DNS message size (e.g., due to DNSSEC), the
continued development of new DNS features (Appendix A), and a denial-
of-service mitigation technique (Section 8) all show that DNS-over-
TCP transactions are as important to the correct and safe operation
of the Internet DNS as ever, if not more so. Furthermore, there has
been research that argues connection-oriented DNS transactions may
provide security and privacy advantages over UDP transport [TDNS].
In fact, the standard for DNS over TLS [RFC7858] is just this sort of
specification. Therefore, this document makes explicit that it is
undesirable for network operators to artificially inhibit DNS-over-
TCP transport.
Section 6.1.3.2 of [RFC1123] is updated as follows:
OLD:
| DNS resolvers and recursive servers MUST support UDP, and SHOULD
| support TCP, for sending (non-zone-transfer) queries.
NEW:
| All DNS resolvers and servers MUST support and service both UDP
| and TCP queries.
Note that:
* DNS servers (including forwarders) MUST support and service TCP
for receiving queries so that clients can reliably receive
responses that are larger than what either side considers too
large for UDP.
* DNS clients MUST support TCP for sending queries so that they can
retry truncated UDP responses as necessary.
Furthermore, the requirement in Section 6.1.3.2 of [RFC1123] around
limiting the resources a server devotes to queries is hereby updated:
OLD:
| A name server MAY limit the resources it devotes to TCP queries,
| but it SHOULD NOT refuse to service a TCP query just because it
| would have succeeded with UDP.
NEW:
| A name server MAY limit the resources it devotes to queries, but
| it MUST NOT refuse to service a query just because it would have
| succeeded with another transport protocol.
Lastly, Section 1 of [RFC1536] is updated to eliminate the
misconception that TCP is only useful for zone transfers:
OLD:
| DNS implements the classic request-response scheme of client-
| server interaction. UDP is, therefore, the chosen protocol for
| communication though TCP is used for zone transfers.
NEW:
| DNS implements the classic request-response scheme of client-
| server interaction.
The filtering of DNS over TCP is harmful in the general case. DNS
resolver and server operators MUST support and provide DNS service
over both UDP and TCP transports. Likewise, network operators MUST
allow DNS service over both UDP and TCP transports. It is
acknowledged that DNS-over-TCP service can pose operational
challenges that are not present when running DNS over UDP alone, and
vice versa. However, the potential damage incurred by prohibiting
DNS-over-TCP service is more detrimental to the continued utility and
success of the DNS than when its usage is allowed.
4. Network and System Considerations
This section describes measures that systems and applications can
take to optimize performance over TCP and to protect themselves from
TCP-based resource exhaustion and attacks.
4.1. Connection Establishment and Admission
Resolvers and other DNS clients should be aware that some servers
might not be reachable over TCP. For this reason, clients MAY track
and limit the number of TCP connections and connection attempts to a
single server. Reachability problems can be caused by network
elements close to the server, close to the client, or anywhere along
the path between them. Mobile clients that cache connection failures
MAY do so on a per-network basis or MAY clear such a cache upon
change of network.
Additionally, DNS clients MAY enforce a short timeout on
unestablished connections rather than rely on the host operating
system's TCP connection timeout, which is often around 60-120 seconds
(i.e., due to an initial retransmission timeout of 1 second, the
exponential back-off rules of [RFC6298], and a limit of six retries
as is the default in Linux).
The SYN flooding attack is a denial-of-service method affecting hosts
that run TCP server processes [RFC4987]. This attack can be very
effective if not mitigated. One of the most effective mitigation
techniques is SYN cookies, described in Section 3.6 of [RFC4987],
which allows the server to avoid allocating any state until the
successful completion of the three-way handshake.
Services not intended for use by the public Internet, such as most
recursive name servers, SHOULD be protected with access controls.
Ideally, these controls are placed in the network, well before any
unwanted TCP packets can reach the DNS server host or application.
If this is not possible, the controls can be placed in the
application itself. In some situations (e.g., attacks), it may be
necessary to deploy access controls for DNS services that should
otherwise be globally reachable. See also [RFC5358].
The FreeBSD and NetBSD operating systems have an "accept filter"
feature ([accept_filter]) that postpones delivery of TCP connections
to applications until a complete, valid request has been received.
The dns_accf(9) filter ensures that a valid DNS message is received.
If not, the bogus connection never reaches the application. The
Linux TCP_DEFER_ACCEPT feature, while more limited in scope, can
provide some of the same benefits as the BSD accept filter feature.
These features are implemented as low-level socket options and are
not activated automatically. If applications wish to use these
features, they need to make specific calls to set the right options,
and administrators may also need to configure the applications to
appropriately use the features.
Per [RFC7766], applications and administrators are advised to
remember that TCP MAY be used before sending any UDP queries.
Networks and applications MUST NOT be configured to refuse TCP
queries that were not preceded by a UDP query.
TCP Fast Open (TFO) [RFC7413] allows TCP clients to shorten the
handshake for subsequent connections to the same server. TFO saves
one round-trip time in the connection setup. DNS servers SHOULD
enable TFO when possible. Furthermore, DNS servers clustered behind
a single service address (e.g., anycast or load balancing) SHOULD
either use the same TFO server key on all instances or disable TFO
for all members of the cluster.
DNS clients MAY also enable TFO. At the time of this writing, it is
not implemented or is disabled by default on some operating systems.
[WIKIPEDIA_TFO] describes applications and operating systems that
support TFO.
4.2. Connection Management
Since host memory for TCP state is a finite resource, DNS clients and
servers SHOULD actively manage their connections. Applications that
do not actively manage their connections can encounter resource
exhaustion leading to denial of service. For DNS, as in other
protocols, there is a trade-off between keeping connections open for
potential future use and the need to free up resources for new
connections that will arrive.
Operators of DNS server software SHOULD be aware that operating
system and application vendors MAY impose a limit on the total number
of established connections. These limits may be designed to protect
against DDoS attacks or performance degradation. Operators SHOULD
understand how to increase these limits if necessary and the
consequences of doing so. Limits imposed by the application SHOULD
be lower than limits imposed by the operating system so that the
application can apply its own policy to connection management, such
as closing the oldest idle connections first.
DNS server software MAY provide a configurable limit on the number of
established connections per source IP address or subnet. This can be
used to ensure that a single or small set of users cannot consume all
TCP resources and deny service to other users. Note, however, that
if this limit is enabled, it possibly limits client performance while
leaving some TCP resources unutilized. Operators SHOULD be aware of
these trade-offs and ensure this limit, if configured, is set
appropriately based on the number and diversity of their users and
whether users connect from unique IP addresses or through a shared
Network Address Translator (NAT) [RFC3022].
DNS server software SHOULD provide a configurable timeout for idle
TCP connections. This can be used to free up resources for new
connections and to ensure that idle connections are eventually
closed. At the same time, it possibly limits client performance
while leaving some TCP resources unutilized. For very busy name
servers, this might be set to a low value, such as a few seconds.
For less busy servers, it might be set to a higher value, such as
tens of seconds. DNS clients and servers SHOULD signal their timeout
values using the edns-tcp-keepalive EDNS(0) option [RFC7828].
DNS server software MAY provide a configurable limit on the number of
transactions per TCP connection. This can help protect against
unfair connection use (e.g., not releasing connection slots to other
clients) and network evasion attacks.
Similarly, DNS server software MAY provide a configurable limit on
the total duration of a TCP connection. This can help protect
against unfair connection use, slow read attacks, and network evasion
attacks.
Since clients may not be aware of server-imposed limits, clients
utilizing TCP for DNS need to always be prepared to re-establish
connections or otherwise retry outstanding queries.
4.3. Connection Termination
The TCP peer that initiates a connection close retains the socket in
the TIME_WAIT state for some amount of time, possibly a few minutes.
It is generally preferable for clients to initiate the close of a TCP
connection so that busy servers do not accumulate many sockets in the
TIME_WAIT state, which can cause performance problems or even denial
of service. The edns-tcp-keepalive EDNS(0) option [RFC7828] can be
used to encourage clients to close connections.
On systems where large numbers of sockets in TIME_WAIT are observed
(as either a client or a server) and are affecting an application's
performance, it may be tempting to tune local TCP parameters. For
example, the Linux kernel has a "sysctl" parameter named
net.ipv4.tcp_tw_reuse, which allows connections in the TIME_WAIT
state to be reused in specific circumstances. Note, however, that
this affects only outgoing (client) connections and has no impact on
servers. In most cases, it is NOT RECOMMENDED to change parameters
related to the TIME_WAIT state. It should only be done by those with
detailed knowledge of both TCP and the affected application.
4.4. DNS over TLS
DNS messages may be sent over TLS to provide privacy between stubs
and recursive resolvers. [RFC7858] is a Standards Track document
describing how this works. Although DNS over TLS utilizes TCP port
853 instead of port 53, this document applies equally well to DNS
over TLS. Note, however, that DNS over TLS is only defined between
stubs and recursives at the time of this writing.
The use of TLS places even stronger operational burdens on DNS
clients and servers. Cryptographic functions for authentication and
encryption require additional processing. Unoptimized connection
setup with TLS 1.3 [RFC8446] takes one additional round trip compared
to TCP. Connection setup times can be reduced with TCP Fast Open and
TLS False Start [RFC7918] for TLS 1.2. TLS 1.3 session resumption
does not reduce round-trip latency because no application profile for
use of TLS 0-RTT data with DNS has been published at the time of this
writing. However, TLS session resumption can reduce the number of
cryptographic operations, and in TLS 1.2, session resumption does
reduce the number of additional round trips from two to one.
4.5. Defaults and Recommended Limits
A survey of features and defaults was conducted for popular open-
source DNS server implementations at the time of writing. This
section documents those defaults and makes recommendations for
configurable limits that can be used in the absence of any other
information. Any recommended values in this document are only
intended as a starting point for administrators that are unsure of
what sorts of limits might be reasonable. Operators SHOULD use
application-specific monitoring, system logs, and system monitoring
tools to gauge whether their service is operating within or exceeding
these limits and adjust accordingly.
Most open-source DNS server implementations provide a configurable
limit on the total number of established connections. Default values
range from 20 to 150. In most cases, where the majority of queries
take place over UDP, 150 is a reasonable limit. For services or
environments where most queries take place over TCP or TLS, 5000 is a
more appropriate limit.
Only some open-source implementations provide a way to limit the
number of connections per source IP address or subnet, but the
default is to have no limit. For environments or situations where it
may be necessary to enable this limit, 25 connections per source IP
address is a reasonable starting point. The limit should be
increased when aggregated by subnet or for services where most
queries take place over TCP or TLS.
Most open-source implementations provide a configurable idle timeout
on connections. Default values range from 2 to 30 seconds. In most
cases, 10 seconds is a reasonable default for this limit. Longer
timeouts improve connection reuse, but busy servers may need to use a
lower limit.
Only some open-source implementations provide a way to limit the
number of transactions per connection, but the default is to have no
limit. This document does not offer advice on particular values for
such a limit.
Only some open-source implementations provide a way to limit the
duration of connection, but the default is to have no limit. This
document does not offer advice on particular values for such a limit.
5. DNS-over-TCP Filtering Risks
Networks that filter DNS over TCP risk losing access to significant
or important pieces of the DNS namespace. For a variety of reasons,
a DNS answer may require a DNS-over-TCP query. This may include
large message sizes, lack of EDNS(0) support, or DDoS mitigation
techniques (including Response Rate Limiting [RRL]); additionally,
perhaps some future capability that is as yet unforeseen will also
demand TCP transport.
For example, [RFC7901] describes a latency-avoiding technique that
sends extra data in DNS responses. This makes responses larger and
potentially increases the effectiveness of DDoS reflection attacks.
The specification mandates the use of TCP or DNS cookies [RFC7873].
Even if any or all particular answers have consistently been returned
successfully with UDP in the past, this continued behavior cannot be
guaranteed when DNS messages are exchanged between autonomous
systems. Therefore, filtering of DNS over TCP is considered harmful
and contrary to the safe and successful operation of the Internet.
This section enumerates some of the known risks at the time of this
writing when networks filter DNS over TCP.
5.1. Truncation, Retries, and Timeouts
Networks that filter DNS over TCP may inadvertently cause problems
for third-party resolvers as experienced by [TOYAMA]. For example, a
resolver receives queries for a moderately popular domain. The
resolver forwards the queries to the domain's authoritative name
servers, but those servers respond with the TC bit set. The resolver
retries over TCP, but the authoritative server blocks DNS over TCP.
The pending connections consume resources on the resolver until they
time out. If the number and frequency of these truncated-and-then-
blocked queries are sufficiently high, the resolver wastes valuable
resources on queries that can never be answered. This condition is
generally not easily or completely mitigated by the affected DNS
resolver operator.
5.2. DNS Root Zone KSK Rollover
The plans for deploying DNSSEC KSK for the root zone highlighted a
potential problem in retrieving the root zone key set [LEWIS].
During some phases of the KSK rollover process, root zone DNSKEY
responses were larger than 1280 bytes, the IPv6 minimum MTU for links
carrying IPv6 traffic [RFC8200]. There was some concern that any DNS
server unable to receive large DNS messages over UDP, or any DNS
message over TCP, would experience disruption while performing DNSSEC
validation [KSK_ROLLOVER_ARCHIVES].
However, during the year-long postponement of the KSK rollover, there
were no reported problems that could be attributed to the 1414 octet
DNSKEY response when both the old and new keys were published in the
zone. Additionally, there were no reported problems during the two-
month period when the old key was published as revoked and the DNSKEY
response was 1425 octets in size [ROLL_YOUR_ROOT].
6. Logging and Monitoring
Developers of applications that log or monitor DNS SHOULD NOT ignore
TCP due to the perception that it is rarely used or is hard to
process. Operators SHOULD ensure that their monitoring and logging
applications properly capture DNS messages over TCP. Otherwise,
attacks, exfiltration attempts, and normal traffic may go undetected.
DNS messages over TCP are in no way guaranteed to arrive in single
segments. In fact, a clever attacker might attempt to hide certain
messages by forcing them over very small TCP segments. Applications
that capture network packets (e.g., with libpcap [libpcap]) SHOULD
implement and perform full TCP stream reassembly and analyze the
reassembled stream instead of the individual packets. Otherwise,
they are vulnerable to network evasion attacks [phrack].
Furthermore, such applications need to protect themselves from
resource exhaustion attacks by limiting the amount of memory
allocated to tracking unacknowledged connection state data. dnscap
[dnscap] is an open-source example of a DNS logging program that
implements TCP stream reassembly.
Developers SHOULD also keep in mind connection reuse, query
pipelining, and out-of-order responses when building and testing DNS
monitoring applications.
As an alternative to packet capture, some DNS server software
supports dnstap [dnstap] as an integrated monitoring protocol
intended to facilitate wide-scale DNS monitoring.
7. IANA Considerations
This document has no IANA actions.
8. Security Considerations
This document, providing operational requirements, is the companion
to the implementation requirements of DNS over TCP provided in
[RFC7766]. The security considerations from [RFC7766] still apply.
Ironically, returning truncated DNS-over-UDP answers in order to
induce a client query to switch to DNS over TCP has become a common
response to source-address-spoofed, DNS denial-of-service attacks
[RRL]. Historically, operators have been wary of TCP-based attacks,
but in recent years, UDP-based flooding attacks have proven to be the
most common protocol attack on the DNS. Nevertheless, a high rate of
short-lived DNS transactions over TCP may pose challenges. In fact,
[DAI21] details a class of IP fragmentation attacks on DNS
transactions if the IP Identifier field (16 bits in IPv4 and 32 bits
in IPv6) can be predicted and a system is coerced to fragment rather
than retransmit messages. While many operators have provided DNS-
over-TCP service for many years without duress, past experience is no
guarantee of future success.
DNS over TCP is similar to many other Internet TCP services. TCP
threats and many mitigation strategies have been well documented in a
series of documents such as [RFC4953], [RFC4987], [RFC5927], and
[RFC5961].
As mentioned in Section 6, applications that implement TCP stream
reassembly need to limit the amount of memory allocated to connection
tracking. A failure to do so could lead to a total failure of the
logging or monitoring application. Imposition of resource limits
creates a trade-off between allowing some stream reassembly to
continue and allowing some evasion attacks to succeed.
This document recommends that DNS servers enable TFO when possible.
[RFC7413] recommends that a pool of servers behind a load balancer
with a shared server IP address also share the key used to generate
Fast Open cookies to prevent inordinate fallback to the three-way
handshake (3WHS). This guidance remains accurate but comes with a
caveat: compromise of one server would reveal this group-shared key
and allow for attacks involving the other servers in the pool by
forging invalid Fast Open cookies.
9. Privacy Considerations
Since DNS over both UDP and TCP uses the same underlying message
format, the use of one transport instead of the other does not change
the privacy characteristics of the message content (i.e., the name
being queried). A number of protocols have recently been developed
to provide DNS privacy, including DNS over TLS [RFC7858], DNS over
DTLS [RFC8094], DNS over HTTPS [RFC8484], with even more on the way.
Because TCP is somewhat more complex than UDP, some characteristics
of a TCP conversation may enable DNS client fingerprinting and
tracking that is not possible with UDP. For example, the choice of
initial sequence numbers, window size, and options might be able to
identify a particular TCP implementation or even individual hosts
behind shared resources such as NATs.
10. References
10.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<https://www.rfc-editor.org/info/rfc2181>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013,
<https://www.rfc-editor.org/info/rfc6891>.
[RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
D. Wessels, "DNS Transport over TCP - Implementation
Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016,
<https://www.rfc-editor.org/info/rfc7766>.
[RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The
edns-tcp-keepalive EDNS0 Option", RFC 7828,
DOI 10.17487/RFC7828, April 2016,
<https://www.rfc-editor.org/info/rfc7828>.
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
<https://www.rfc-editor.org/info/rfc7873>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. Informative References
[accept_filter]
FreeBSD, "FreeBSD accept_filter(9)", June 2000,
<https://www.freebsd.org/cgi/man.cgi?query=accept_filter>.
[APNIC] Huston, G., "DNS XL", October 2020,
<https://labs.apnic.net/?p=1380>.
[AVOID_FRAGS]
Fujiwara, K. and P. Vixie, "Fragmentation Avoidance in
DNS", Work in Progress, Internet-Draft, draft-ietf-dnsop-
avoid-fragmentation-06, 23 December 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
avoid-fragmentation-06>.
[BIND] Internet Systems Consortium, "BIND 9",
<https://www.isc.org/bind/>.
[CASTRO2010]
Castro, S., Zhang, M., John, W., Wessels, D., and K.
claffy, "Understanding and Preparing for DNS Evolution",
DOI 10.1007/978-3-642-12365-8_1, April 2010,
<https://doi.org/10.1007/978-3-642-12365-8_1>.
[CHES94] Cheswick, W. and S. Bellovin, "Firewalls and Internet
Security: Repelling the Wily Hacker", First Edition, 1994.
[CLOUDFLARE]
Grant, D., "Economical With The Truth: Making DNSSEC
Answers Cheap", June 2016,
<https://blog.cloudflare.com/black-lies/>.
[DAI21] Dai, T., Shulman, H., and M. Waidner, "DNS-over-TCP
Considered Vulnerable", DOI 10.1145/3472305.3472884, July
2021, <https://doi.org/10.1145/3472305.3472884>.
[DESIGNTEAM]
ICANN, "Root Zone KSK Rollover Plan", March 2016,
<https://www.iana.org/reports/2016/root-ksk-rollover-
design-20160307.pdf>.
[DJBDNS] Bernstein, D., "When are TCP queries sent?", November
2002, <https://cr.yp.to/djbdns/tcp.html#why>.
[dnscap] DNS-OARC, "DNSCAP", February 2014,
<https://www.dns-oarc.net/tools/dnscap>.
[dnstap] "dnstap", <https://dnstap.info>.
[ECDSA] van Rijswijk-Deij, R., Sperotto, A., and A. Pras, "Making
the Case for Elliptic Curves in DNSSEC",
DOI 10.1145/2831347.2831350, October 2015,
<https://dl.acm.org/doi/10.1145/2831347.2831350>.
[FLAGDAY2020]
DNS Software and Service Providers, "DNS Flag Day 2020",
October 2020, <https://dnsflagday.net/2020/>.
[FRAG_POISON]
Herzberg, A. and H. Shulman, "Fragmentation Considered
Poisonous", May 2012,
<https://arxiv.org/pdf/1205.4011.pdf>.
[HUSTON] Huston, G., "Dealing with IPv6 fragmentation in the DNS",
August 2017, <https://blog.apnic.net/2017/08/22/dealing-
ipv6-fragmentation-dns/>.
[KSK_ROLLOVER_ARCHIVES]
ICANN, "KSK Rollover List Archives", January 2019,
<https://mm.icann.org/pipermail/ksk-rollover/2019-January/
date.html>.
[LEWIS] Lewis, E., "2017 DNSSEC KSK Rollover", RIPE 74, May 2017,
<https://ripe74.ripe.net/presentations/25-RIPE74-lewis-
submission.pdf>.
[libpcap] The Tcpdump Group, "Tcpdump and Libpcap",
<https://www.tcpdump.org>.
[NETALYZR] Kreibich, C., Weaver, N., Nechaev, B., and V. Paxson,
"Netalyzr: Illuminating The Edge Network",
DOI 10.1145/1879141.1879173, November 2010,
<https://doi.org/10.1145/1879141.1879173>.
[phrack] horizon, "Defeating Sniffers and Intrusion Detection
Systems", Phrack Magazine, December 1998,
<http://phrack.org/issues/54/10.html>.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC0883] Mockapetris, P., "Domain names: Implementation
specification", RFC 883, DOI 10.17487/RFC0883, November
1983, <https://www.rfc-editor.org/info/rfc883>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123,
DOI 10.17487/RFC1123, October 1989,
<https://www.rfc-editor.org/info/rfc1123>.
[RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S.
Miller, "Common DNS Implementation Errors and Suggested
Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993,
<https://www.rfc-editor.org/info/rfc1536>.
[RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
DOI 10.17487/RFC1995, August 1996,
<https://www.rfc-editor.org/info/rfc1995>.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
August 1996, <https://www.rfc-editor.org/info/rfc1996>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997,
<https://www.rfc-editor.org/info/rfc2136>.
[RFC2541] Eastlake 3rd, D., "DNS Security Operational
Considerations", RFC 2541, DOI 10.17487/RFC2541, March
1999, <https://www.rfc-editor.org/info/rfc2541>.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, DOI 10.17487/RFC2671, August 1999,
<https://www.rfc-editor.org/info/rfc2671>.
[RFC2694] Srisuresh, P., Tsirtsis, G., Akkiraju, P., and A.
Heffernan, "DNS extensions to Network Address Translators
(DNS_ALG)", RFC 2694, DOI 10.17487/RFC2694, September
1999, <https://www.rfc-editor.org/info/rfc2694>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>.
[RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC",
RFC 3225, DOI 10.17487/RFC3225, December 2001,
<https://www.rfc-editor.org/info/rfc3225>.
[RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
message size requirements", RFC 3226,
DOI 10.17487/RFC3226, December 2001,
<https://www.rfc-editor.org/info/rfc3226>.
[RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational
Considerations and Issues with IPv6 DNS", RFC 4472,
DOI 10.17487/RFC4472, April 2006,
<https://www.rfc-editor.org/info/rfc4472>.
[RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks",
RFC 4953, DOI 10.17487/RFC4953, July 2007,
<https://www.rfc-editor.org/info/rfc4953>.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007,
<https://www.rfc-editor.org/info/rfc4987>.
[RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive
Nameservers in Reflector Attacks", BCP 140, RFC 5358,
DOI 10.17487/RFC5358, October 2008,
<https://www.rfc-editor.org/info/rfc5358>.
[RFC5452] Hubert, A. and R. van Mook, "Measures for Making DNS More
Resilient against Forged Answers", RFC 5452,
DOI 10.17487/RFC5452, January 2009,
<https://www.rfc-editor.org/info/rfc5452>.
[RFC5507] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch,
Ed., "Design Choices When Expanding the DNS", RFC 5507,
DOI 10.17487/RFC5507, April 2009,
<https://www.rfc-editor.org/info/rfc5507>.
[RFC5625] Bellis, R., "DNS Proxy Implementation Guidelines",
BCP 152, RFC 5625, DOI 10.17487/RFC5625, August 2009,
<https://www.rfc-editor.org/info/rfc5625>.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
DOI 10.17487/RFC5927, July 2010,
<https://www.rfc-editor.org/info/rfc5927>.
[RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol
(AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010,
<https://www.rfc-editor.org/info/rfc5936>.
[RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks", RFC 5961,
DOI 10.17487/RFC5961, August 2010,
<https://www.rfc-editor.org/info/rfc5961>.
[RFC5966] Bellis, R., "DNS Transport over TCP - Implementation
Requirements", RFC 5966, DOI 10.17487/RFC5966, August
2010, <https://www.rfc-editor.org/info/rfc5966>.
[RFC6298] Paxson, V., Allman, M., Chu, J., and M. Sargent,
"Computing TCP's Retransmission Timer", RFC 6298,
DOI 10.17487/RFC6298, June 2011,
<https://www.rfc-editor.org/info/rfc6298>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>.
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/info/rfc6781>.
[RFC6950] Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba,
"Architectural Considerations on Application Features in
the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013,
<https://www.rfc-editor.org/info/rfc6950>.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014,
<https://www.rfc-editor.org/info/rfc7413>.
[RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS",
RFC 7477, DOI 10.17487/RFC7477, March 2015,
<https://www.rfc-editor.org/info/rfc7477>.
[RFC7534] Abley, J. and W. Sotomayor, "AS112 Nameserver Operations",
RFC 7534, DOI 10.17487/RFC7534, May 2015,
<https://www.rfc-editor.org/info/rfc7534>.
[RFC7720] Blanchet, M. and L-J. Liman, "DNS Root Name Service
Protocol and Deployment Requirements", BCP 40, RFC 7720,
DOI 10.17487/RFC7720, December 2015,
<https://www.rfc-editor.org/info/rfc7720>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901,
DOI 10.17487/RFC7901, June 2016,
<https://www.rfc-editor.org/info/rfc7901>.
[RFC7918] Langley, A., Modadugu, N., and B. Moeller, "Transport
Layer Security (TLS) False Start", RFC 7918,
DOI 10.17487/RFC7918, August 2016,
<https://www.rfc-editor.org/info/rfc7918>.
[RFC8027] Hardaker, W., Gudmundsson, O., and S. Krishnaswamy,
"DNSSEC Roadblock Avoidance", BCP 207, RFC 8027,
DOI 10.17487/RFC8027, November 2016,
<https://www.rfc-editor.org/info/rfc8027>.
[RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
Transport Layer Security (DTLS)", RFC 8094,
DOI 10.17487/RFC8094, February 2017,
<https://www.rfc-editor.org/info/rfc8094>.
[RFC8162] Hoffman, P. and J. Schlyter, "Using Secure DNS to
Associate Certificates with Domain Names for S/MIME",
RFC 8162, DOI 10.17487/RFC8162, May 2017,
<https://www.rfc-editor.org/info/rfc8162>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>.
[RFC8324] Klensin, J., "DNS Privacy, Authorization, Special Uses,
Encoding, Characters, Matching, and Root Structure: Time
for Another Look?", RFC 8324, DOI 10.17487/RFC8324,
February 2018, <https://www.rfc-editor.org/info/rfc8324>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8467] Mayrhofer, A., "Padding Policies for Extension Mechanisms
for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467,
October 2018, <https://www.rfc-editor.org/info/rfc8467>.
[RFC8482] Abley, J., Gudmundsson, O., Majkowski, M., and E. Hunt,
"Providing Minimal-Sized Responses to DNS Queries That
Have QTYPE=ANY", RFC 8482, DOI 10.17487/RFC8482, January
2019, <https://www.rfc-editor.org/info/rfc8482>.
[RFC8483] Song, L., Ed., Liu, D., Vixie, P., Kato, A., and S. Kerr,
"Yeti DNS Testbed", RFC 8483, DOI 10.17487/RFC8483,
October 2018, <https://www.rfc-editor.org/info/rfc8483>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>.
[RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
Lemon, T., and T. Pusateri, "DNS Stateful Operations",
RFC 8490, DOI 10.17487/RFC8490, March 2019,
<https://www.rfc-editor.org/info/rfc8490>.
[RFC8501] Howard, L., "Reverse DNS in IPv6 for Internet Service
Providers", RFC 8501, DOI 10.17487/RFC8501, November 2018,
<https://www.rfc-editor.org/info/rfc8501>.
[RFC8806] Kumari, W. and P. Hoffman, "Running a Root Server Local to
a Resolver", RFC 8806, DOI 10.17487/RFC8806, June 2020,
<https://www.rfc-editor.org/info/rfc8806>.
[RFC8906] Andrews, M. and R. Bellis, "A Common Operational Problem
in DNS Servers: Failure to Communicate", BCP 231,
RFC 8906, DOI 10.17487/RFC8906, September 2020,
<https://www.rfc-editor.org/info/rfc8906>.
[RFC8932] Dickinson, S., Overeinder, B., van Rijswijk-Deij, R., and
A. Mankin, "Recommendations for DNS Privacy Service
Operators", BCP 232, RFC 8932, DOI 10.17487/RFC8932,
October 2020, <https://www.rfc-editor.org/info/rfc8932>.
[RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D.,
Gudmundsson, O., and B. Wellington, "Secret Key
Transaction Authentication for DNS (TSIG)", STD 93,
RFC 8945, DOI 10.17487/RFC8945, November 2020,
<https://www.rfc-editor.org/info/rfc8945>.
[ROLL_YOUR_ROOT]
Müller, M., Thomas, M., Wessels, D., Hardaker, W., Chung,
T., Toorop, W., and R. van Rijswijk-Deij, "Roll, Roll,
Roll Your Root: A Comprehensive Analysis of the First Ever
DNSSEC Root KSK Rollover", DOI 10.1145/3355369.3355570,
October 2019,
<https://dl.acm.org/doi/10.1145/3355369.3355570>.
[RRL] Vixie, P. and V. Schryver, "DNS Response Rate Limiting
(DNS RRL)", ISC-TN-2012-1-Draft1, April 2012.
[TDNS] Zhu, L., Heidemann, J., Wessels, D., Mankin, A., and N.
Somaiya, "Connection-Oriented DNS to Improve Privacy and
Security", DOI 10.1109/SP.2015.18, May 2015,
<https://doi.org/10.1109/SP.2015.18>.
[TOYAMA] Toyama, K., Ishibashi, K., Toyono, T., Ishino, M.,
Yoshimura, C., and K. Fujiwara, "DNS Anomalies and Their
Impacts on DNS Cache Servers", NANOG 32, October 2004.
[VERISIGN] Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in
Root Server DITL Data", DNS-OARC 2014 Fall Workshop,
October 2014.
[WIKIPEDIA_TFO]
Wikipedia, "TCP Fast Open", February 2022,
<https://en.wikipedia.org/w/
index.php?title=TCP_Fast_Open&oldid=1071397204>.
Appendix A. RFCs Related to DNS Transport over TCP
This section enumerates all known RFCs with a status of Internet
Standard, Proposed Standard, Informational, Best Current Practice, or
Experimental that either implicitly or explicitly make assumptions or
statements about the use of TCP as a transport for the DNS germane to
this document.
A.1. RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
The Internet Standard [RFC1035] is the base DNS specification that
explicitly defines support for DNS over TCP.
A.2. RFC 1536 - Common DNS Implementation Errors and Suggested Fixes
The Informational document [RFC1536] states that UDP is "the chosen
protocol for communication though TCP is used for zone transfers."
That statement should now be considered in its historical context and
is no longer a proper reflection of modern expectations.
A.3. RFC 1995 - Incremental Zone Transfer in DNS
The Proposed Standard [RFC1995] documents the use of TCP as the
fallback transport when Incremental Zone Transfer (IXFR) responses do
not fit into a single UDP response. As with Authoritative Transfer
(AXFR), IXFR messages are typically delivered over TCP by default in
practice.
A.4. RFC 1996 - A Mechanism for Prompt Notification of Zone Changes
(DNS NOTIFY)
The Proposed Standard [RFC1996] suggests that a primary server may
decide to issue NOTIFY messages over TCP. In practice, NOTIFY
messages are generally sent over UDP, but this specification leaves
open the possibility that the choice of transport protocol is up to
the primary server; therefore, a secondary server ought to be able to
operate over both UDP and TCP.
A.5. RFC 2181 - Clarifications to the DNS Specification
The Proposed Standard [RFC2181] includes clarifying text on how a
client should react to the TC bit set on responses. It is advised
that the response be discarded and the query resent using TCP.
A.6. RFC 2694 - DNS extensions to Network Address Translators (DNS_ALG)
The Informational document [RFC2694] enumerates considerations for
NAT devices to properly handle DNS traffic. This document is
noteworthy in its suggestion that "[t]ypically, TCP is used for AXFR
requests," as further evidence that helps explain why DNS over TCP
may have often been treated very differently than DNS over UDP in
operational networks.
A.7. RFC 3225 - Indicating Resolver Support of DNSSEC
The Proposed Standard [RFC3225] makes statements indicating that DNS
over TCP is "detrimental" as a result of increased traffic, latency,
and server load. This document is a companion to the next document
in the RFC Series that describes the requirement for EDNS(0) support
for DNSSEC.
A.8. RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver message size
requirements
Although updated by later DNSSEC RFCs, the Proposed Standard
[RFC3226] strongly argues in favor of UDP messages instead of TCP,
largely for performance reasons. The document declares EDNS(0) a
requirement for DNSSEC servers and advocates that packet
fragmentation may be preferable to TCP in certain situations.
A.9. RFC 4472 - Operational Considerations and Issues with IPv6 DNS
The Informational document [RFC4472] notes that IPv6 data may
increase DNS responses beyond what would fit in a UDP message. What
is particularly noteworthy, but perhaps less common today than when
this document was written, is that it refers to implementations that
truncate data without setting the TC bit to encourage the client to
resend the query using TCP.
A.10. RFC 5452 - Measures for Making DNS More Resilient against Forged
Answers
The Proposed Standard [RFC5452] arose as public DNS systems began to
experience widespread abuse from spoofed queries, resulting in
amplification and reflection attacks against unwitting victims. One
of the leading justifications for supporting DNS over TCP to thwart
these attacks is briefly described in Section 9.3 of [RFC5452]
("Spoof Detection and Countermeasure").
A.11. RFC 5507 - Design Choices When Expanding the DNS
The Informational document [RFC5507] was largely an attempt to
dissuade new DNS data types from overloading the TXT resource record
type. In so doing, it summarizes the conventional wisdom of DNS
design and implementation practices. The authors suggest TCP
overhead and stateful properties pose challenges compared to UDP and
imply that UDP is generally preferred for performance and robustness.
A.12. RFC 5625 - DNS Proxy Implementation Guidelines
The Best Current Practice document [RFC5625] provides DNS proxy
implementation guidance including the mandate that a proxy "MUST
[...] be prepared to receive and forward queries over TCP" even
though it suggests that, historically, TCP transport has not been
strictly mandatory in stub resolvers or recursive servers.
A.13. RFC 5936 - DNS Zone Transfer Protocol (AXFR)
The Proposed Standard [RFC5936] provides a detailed specification for
the zone transfer protocol, as originally outlined in the early DNS
standards. AXFR operation is limited to TCP and not specified for
UDP. This document discusses TCP usage at length.
A.14. RFC 7534 - AS112 Nameserver Operations
The Informational document [RFC7534] enumerates the requirements for
operation of AS112 project DNS servers. New AS112 nodes are tested
for their ability to provide service on both UDP and TCP transports,
with the implication that TCP service is an expected part of normal
operations.
A.15. RFC 6762 - Multicast DNS
In the Proposed Standard [RFC6762], the TC bit is deemed to have
essentially the same meaning as described in the original DNS
specifications. That is, if a response with the TC bit set is
received, "[...] the querier SHOULD reissue its query using TCP in
order to receive the larger response."
A.16. RFC 6891 - Extension Mechanisms for DNS (EDNS(0))
The Internet Standard [RFC6891] helped slow the use of and need for
DNS-over-TCP messages. This document highlights concerns over server
load and scalability in widespread use of DNS over TCP.
A.17. IAB RFC 6950 - Architectural Considerations on Application
Features in the DNS
The Informational document [RFC6950] draws attention to large data in
the DNS. TCP is referenced in the context as a common fallback
mechanism and counter to some spoofing attacks.
A.18. RFC 7477 - Child-to-Parent Synchronization in DNS
The Proposed Standard [RFC7477] specifies an RRType and a protocol to
signal and synchronize NS, A, and AAAA resource record changes from a
child-to-parent zone. Since this protocol may require multiple
requests and responses, it recommends utilizing DNS over TCP to
ensure the conversation takes place between a consistent pair of end
nodes.
A.19. RFC 7720 - DNS Root Name Service Protocol and Deployment
Requirements
The Best Current Practice document [RFC7720] declares that root name
service "MUST support UDP [RFC0768] and TCP [RFC0793] transport of
DNS queries and responses."
A.20. RFC 7766 - DNS Transport over TCP - Implementation Requirements
The Proposed Standard [RFC7766] instructs DNS implementors to provide
support for carrying DNS-over-TCP messages in their software and
might be considered the direct ancestor of this operational
requirements document. The implementation requirements document
codifies mandatory support for DNS-over-TCP in compliant DNS software
but makes no recommendations to operators, which we seek to address
here.
A.21. RFC 7828 - The edns-tcp-keepalive EDNS(0) Option
The Proposed Standard [RFC7828] defines an EDNS(0) option to
negotiate an idle timeout value for long-lived DNS-over-TCP
connections. Consequently, this document is only applicable and
relevant to DNS-over-TCP sessions and between implementations that
support this option.
A.22. RFC 7858 - Specification for DNS over Transport Layer Security
(TLS)
The Proposed Standard [RFC7858] defines a method for putting DNS
messages into a TCP-based encrypted channel using TLS. This
specification is noteworthy for explicitly targeting the stub-to-
recursive traffic but does not preclude its application from
recursive-to-authoritative traffic.
A.23. RFC 7873 - Domain Name System (DNS) Cookies
The Proposed Standard [RFC7873] describes an EDNS(0) option to
provide additional protection against query and answer forgery. This
specification mentions DNS over TCP as an alternative mechanism when
DNS cookies are not available. The specification does make mention
of DNS-over-TCP processing in two specific situations. In one, when
a server receives only a client cookie in a request, the server
should consider whether the request arrived over TCP, and if so, it
should consider accepting TCP as sufficient to authenticate the
request and respond accordingly. In another, when a client receives
a BADCOOKIE reply using a fresh server cookie, the client should
retry using TCP as the transport.
A.24. RFC 7901 - CHAIN Query Requests in DNS
The Experimental specification [RFC7901] describes an EDNS(0) option
that can be used by a security-aware validating resolver to request
and obtain a complete DNSSEC validation path for any single query.
This document requires the use of DNS over TCP or a transport
mechanism verified by a source IP address such as EDNS-COOKIE
[RFC7873].
A.25. RFC 8027 - DNSSEC Roadblock Avoidance
The Best Current Practice document [RFC8027] details observed
problems with DNSSEC deployment and mitigation techniques. Network
traffic blocking and restrictions, including DNS-over-TCP messages,
are highlighted as one reason for DNSSEC deployment issues. While
this document suggests these sorts of problems are due to "non-
compliant infrastructure", the scope of the document is limited to
detection and mitigation techniques to avoid so-called DNSSEC
roadblocks.
A.26. RFC 8094 - DNS over Datagram Transport Layer Security (DTLS)
The Experimental specification [RFC8094] details a protocol that uses
a datagram transport (UDP) but stipulates that "DNS clients and
servers that implement DNS over DTLS MUST also implement DNS over TLS
in order to provide privacy for clients that desire Strict Privacy
[...]." This requirement implies DNS over TCP must be supported in
case the message size is larger than the path MTU.
A.27. RFC 8162 - Using Secure DNS to Associate Certificates with Domain
Names for S/MIME
The Experimental specification [RFC8162] describes a technique to
authenticate user X.509 certificates in an S/MIME system via the DNS.
The document points out that the new experimental resource record
types are expected to carry large payloads, resulting in the
suggestion that "applications SHOULD use TCP -- not UDP -- to perform
queries for the SMIMEA resource record."
A.28. RFC 8324 - DNS Privacy, Authorization, Special Uses, Encoding,
Characters, Matching, and Root Structure: Time for Another Look?
The Informational document [RFC8324] briefly discusses the common
role and challenges of DNS over TCP throughout the history of DNS.
A.29. RFC 8467 - Padding Policies for Extension Mechanisms for DNS
(EDNS(0))
The Experimental document [RFC8467] reminds implementors to consider
the underlying transport protocol (e.g., TCP) when calculating the
padding length when artificially increasing the DNS message size with
an EDNS(0) padding option.
A.30. RFC 8482 - Providing Minimal-Sized Responses to DNS Queries That
Have QTYPE=ANY
The Proposed Standard [RFC8482] describes alternative ways that DNS
servers can respond to queries of type ANY, which are sometimes used
to provide amplification in DDoS attacks. The specification notes
that responders may behave differently, depending on the transport.
For example, minimal-sized responses may be used over UDP transport,
while full responses may be given over TCP.
A.31. RFC 8483 - Yeti DNS Testbed
The Informational document [RFC8483] describes a testbed environment
that highlights some DNS-over-TCP behaviors, including issues
involving packet fragmentation and operational requirements for TCP
stream assembly in order to conduct DNS measurement and analysis.
A.32. RFC 8484 - DNS Queries over HTTPS (DoH)
The Proposed Standard [RFC8484] defines a protocol for sending DNS
queries and responses over HTTPS. This specification assumes TLS and
TCP for the underlying security and transport layers, respectively.
Self-described as a technique that more closely resembles a tunneling
mechanism, DoH nevertheless likely implies DNS over TCP in some
sense, if not directly.
A.33. RFC 8490 - DNS Stateful Operations
The Proposed Standard [RFC8490] updates the base protocol
specification with a new OPCODE to help manage stateful operations in
persistent sessions, such as those that might be used by DNS over
TCP.
A.34. RFC 8501 - Reverse DNS in IPv6 for Internet Service Providers
The Informational document [RFC8501] identifies potential operational
challenges with dynamic DNS, including denial-of-service threats.
The document suggests TCP may provide some advantages but that
updating hosts would need to be explicitly configured to use TCP
instead of UDP.
A.35. RFC 8806 - Running a Root Server Local to a Resolver
The Informational document [RFC8806] describes how to obtain and
operate a local copy of the root zone with examples showing how to
pull from authoritative sources using a DNS-over-TCP zone transfer.
A.36. RFC 8906 - A Common Operational Problem in DNS Servers: Failure
to Communicate
The Best Current Practice document [RFC8906] discusses a number of
DNS operational failure scenarios and how to avoid them. This
includes discussions involving DNS-over-TCP queries, EDNS over TCP,
and a testing methodology that includes a section on verifying DNS-
over-TCP functionality.
A.37. RFC 8932 - Recommendations for DNS Privacy Service Operators
The Best Current Practice document [RFC8932] presents privacy
considerations to DNS privacy service operators. These mechanisms
sometimes include the use of TCP and are therefore susceptible to
information leakage such as TCP-based fingerprinting. This document
also references an earlier draft version of this document.
A.38. RFC 8945 - Secret Key Transaction Authentication for DNS (TSIG)
The Internet Standard [RFC8945] recommends that a client use TCP if
truncated TSIG messages are received.
Acknowledgments
This document was initially motivated by feedback from students who
pointed out that they were hearing contradictory information about
filtering DNS-over-TCP messages. Thanks in particular to a teaching
colleague, JPL, who perhaps unknowingly encouraged the initial
research into the differences between what the community has
historically said and did. Thanks to all the NANOG 63 attendees who
provided feedback for an early talk on this subject.
The following individuals provided an array of feedback to help
improve this document: Joe Abley, Piet Barber, Sara Dickinson, Tony
Finch, Bob Harold, Paul Hoffman, Geoff Huston, Tatuya Jinmei, Puneet
Sood, and Richard Wilhelm. The authors are also indebted to the
contributions stemming from discussion in the TCPM Working Group
meeting at IETF 104. Any remaining errors or imperfections are the
sole responsibility of the document authors.
Authors' Addresses
John Kristoff
Dataplane.org
Chicago, IL 60605
United States of America
Phone: +1 312 493 0305
Email: jtk@dataplane.org
URI: https://dataplane.org/jtk/
Duane Wessels
Verisign
12061 Bluemont Way
Reston, VA 20190
United States of America
Phone: +1 703 948 3200
Email: dwessels@verisign.com
URI: https://verisign.com
|