> > this initiates a Working Group Last Call for > > > > draft-ietf-dnsop-default-local-zones-00.txt
(* no hats, still not counting for the five reviewer threshold *) I support the document being moved forward to reach BCP status, with some changes to the text. Suggestions below. > Locally-served Zones A reference to the DNS is needed in the title. > 1. Introduction > Additionally, queries from clients behind badly configured firewalls > that allow outgoing queries but drop responses for these name spaces > also puts a significant load on the root servers. They also cause > operational load for the root server operators as they have to reply > to queries about why the root servers are "attacking" these clients. > Changing the default configuration will address all these issues for > the zones below. Direct reference to section 4 instead of "below" might be more clear. > handled locally. This document extends the recommendation to cover > the IN-ADDR.ARPA zones for [RFC 1918] and other well known IN- > ADDR.ARPA and IP6.ARPA zones for which queries should not appear on > the Internet. s/Internet/public Internet/ to be consistent with RFC 1918. > It should also help DNS responsiveness for sites which are using [RFC > 1918] addresses but are misconfigured. Sites ... that are misconfigured -> "not follow the last paragraph in sectioon 3 of RFC 1918" The same caveat also holds for users of 169.254/16 address space, should someone really do dynamic updates with it. > 2. Effects on sites using RFC 1918 addresses. > > Sites using [RFC 1918] addresses should already be serving these > queries internally, without referring them to public name servers on > the Internet. "Queries" is an ambiguous term since it could refer to anything with QR=0 or to OPCODE=0. I think it's important to explain that many of the "queries" seen - at least at AS112 instances - are currently DNS dynamic update attempts. E.g., "should already be serving the corresponding reverse mapping namespace authoritatively without leaking DNS queries or DNS dynamic update messages [RFC 2136] to public name servers ..." > The main impact will be felt on sites that make use of recursion for "on" -> "at"? > reverse lookups for [RFC 1918] addresses and have populated these > zones. Typically, such sites will be fully disconnected from the > Internet and have their own root servers for their own non-Internet I'd rather not engange into these speculations. > DNS tree or make use of local delegation overrides (otherwise known > as "forwarding") to reach the private servers for these reverse > zones. These sites will need to override the default configuration > proposed in this draft to allow resolution to continue. Suggestion for clarification: Sites that use [RFC 1918] and depend upon a sophisticated DNS resolving infrastructure involving so called forwarders will need to override these new default values on their forwarders. The authoritative servers for their copies of [RFC 1918] reverse space provide for this "override" already. > Other sites that use [RFC 1918] addresses and either have local > copies of the reverse zones or don't have reverse zones configured > should see no difference other than the name error appearing to come > from a different source. "name error" should be clarified to mean "RCODE=3". > 3. Changes Iterative Resolver Behaviour. Changes _to_ > > Unless configured otherwise, a iterative resolver will return name > errors for queries within the lists of zones covered below. One > common way to do this is to serve empty (SOA and NS only) zones. Only the usual QNAMEs for PTR queries result in NXDOMAIN, queries for SOA and maybe NS RRs will (now) receive positive responses. > A server doing this MUST provide a mechanism to disable this s/A server doing this/An implementation following this recommendation/ > behaviour, preferably on a zone by zone basis. > > If using empty zones one should not use the same NS and SOA records > as used on the public Internet servers as that will make it harder to > detect leakage from the public Internet servers. This document > recommends that the NS record default to the name of the zone and the > SOA MNAME default to the name of the zone. The SOA RNAME should To emphasize that the zone name is not a good default MNAME in general: s/to the name of the zone/the name of the only NS RR's target/ > default to ".". Implementations SHOULD provide a mechanism to set > these values. No address records need to be provided for the name > server. > > @ 10800 IN SOA @ . 1 3600 1200 604800 10800 > @ 10800 IN NS @ Some more explanatory text is necessary here: The SOA RR is needed to support negative caching [RFC 2308] of name error responses and to point clients to the primary master for DNS dynamic updates. SOA values of particular importance are the MNAME, the SOA RR's TTL and the negTTL value. Both TTL values SHOULD match. (actually I think 3600 would be sufficient, it only affects the site internal traffic anyway). The rest of the SOA timer values may be chosen arbitrarily since it they are not intended to control any zone transfer activity. With AS112 we see lots of updates messages aimed at the master named in MNAME. With the setup suggested above, that name will not resolve into an A RR (resulting in NOERROR/NODATA). Do we have evidence that dynamic update clients will treat this gracefully and _not_ climb the tree further up? Why do we need the NS RR at all? I'm not too comfortable to see RNAME=="." as an indication of a non existing mail address, especially since proposals like this have been flurrying around for MX RRs. The "additional section processing" problem should be smaller for the SOA RR, but I fear the bad precedent. RFC 2606 defined the "invalid" TLD, so nobody.invalid. or, to avoid search path issues with "invalid", nobody.rfc<this number>.invalid. seem clearer to me (of course that toches the issue of "serving" the RFC 2606 zones ...). > 4.2. RFC 3330 Zones A (normative) reference to RFC 3330 should be added here. A question that will likely be raised in Last Call is whether 1.0.0.127.IN-ADDR.ARPA shouldn't own a PTR RR by default. I think we should have an answer to this if we agree that it shouldn't. > 4.3. Local IPv6 Unicast Addresses Add (normative) reference to RFC 4291, 2.4, 2.5.2, 2.5.3. > 4.4. IPv6 Locally Assigned Local Addresses Another reference needed. > 4.5. IPv6 Link Local Addresses Add (normative) reference to RFC 4291, sections 2.4 and 2.5.6. > 5. Zones that are Out-Of-Scope > > IPv6 site-local addresses and IPv6 Globally Assigned Local addresses > are not covered here. It is expected that IPv6 site-local addresses Appropriate references should be added. > will be self correcting as IPv6 implementations remove support for > site-local addresses however, sacrificial servers for C.E.F.IP6.ARPA > to F.E.F.IP6.ARPA may still need to be deployed in the short term if > the traffic becomes excessive. > > For IPv6 Globally Assigned Local addresses there has been no decision > made about whether the registries will provide delegations in this Is there any reference to this discussion? Are the "registries" mentioned here the RIRs? > This document is also ignoring the IP6.INT counterpart for the > IP6.ARPA addresses above. IP6.INT is in the process of being wound > up with clients already not querying for this suffix. IP6.INT is dead, I'd suggest to remove this paragraph. > This document has also deliberately ignored zones immediately under > the root. The author believes other methods would be more applicable > for dealing with the excess / bogus traffic these generate. While I often trust Mark's wisdom, reference to the author's belief is not appropriate for a BCP ;-) As others suggested before: add some reference to how those "other methods" look like. > 6. IANA Considerations > > This document recommends that IANA establish a registry of zones s/recommends/asks/ > which require this default behaviour, the initial contents are above. s/above/section 4/ > More zones are expected to be added, and possibly deleted from this > registry over time. Name server implementors are encouraged to check s/name server/recursive name server/ > this registry and adjust their implementations to reflect changes > therein. > > This registry can be amended through IESG reviewed RFC publication. That is "IETF Consensus" as per RFC 2434 or IETF Review in 2434bis; a reference to RFC 2434 is needed. > 7. Security Considerations > > During the initial deployment phase, particularly where [RFC 1918] > addresses are in use, there may be some clients that unexpectedly > receive name error rather than a PTR record. This may cause some > service disruption until full service resolvers have been re- > configured. Now we have the third term where consistent terminology would be helpful: 1) recursive name server 2) iterative resolver 3) full resolver My interpretation of the difference between (1) and (2) is that (1) is anything that accepts DNS queries with RD=1 and acts upon them to serve the final answer, either by using another recursive name server (making this a recursive definition) or by acting as (2). It's not completely clear to me whether our target objects are (1) and (2) or only (2). Also, some text should be added to recommend against implementing this BCP in stub resolvers or name caches (like nscd or similar). -Peter . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
