Network Working Group | S. Bortzmeyer |
Internet-Draft | AFNIC |
Intended status: Informational | March 20, 2014 |
Expires: September 21, 2014 |
DNS query name minimisation to improve privacy
draft-bortzmeyer-dns-qname-minimisation-00
This document describes one of the techniques that could be used to improve DNS privacy (see [I-D.bortzmeyer-dnsop-dns-privacy]), a technique called "qname minimisation".
Discussions of the document should currently take place on the dns-privacy mailing list [dns-privacy].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 21, 2014.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The problem statement is exposed in [I-D.bortzmeyer-dnsop-dns-privacy]. The terminology ("qname", "resolver", etc) is also defined in this companion document. This specific solution is not intended to completely solve the problem, far from it. It is better to see it as one tool among a toolbox.
It follows the principle explained in section 6.1 of [RFC6973]: the less data you send out, the less privacy problems you'll get.
The idea is to minimise the amount of data sent from the DNS resolver. When a resolver receives the query "What is the AAAA record for www.example.com?", it sends to the root (assuming a cold resolver, whose cache is empty) the very same question. Sending "What are the NS records for .com?" would be sufficient (since it will be the answer from the root anyway). To do so would be compatible with the current DNS system and therefore could be easily deployable, since it is an unilateral change to the resolvers.
To do such minimisation, the resolver needs to know the zone cut [RFC2181]. There is not a zone cut at every label boundary. If we take the name www.foo.bar.example, it is possible that there is a zone cut between "foo" and "bar" but not between "bar" and "example". So, assuming the resolver already knows the name servers of .example, when it receives the query "What is the AAAA record of www.foo.bar.example", it does not always know if the request should be sent to the name servers of bar.example or to those of example. [RFC2181] suggests an algorithm to find the zone cut, so resolvers may try it.
Note that DNSSEC-validating resolvers already have access to this information, since they have to find the zone cut (the DNSKEY record set is just below, the DS record set just above).
It can be noted that minimising the amount of data sent also partially addresses the case of a wire sniffer, not just the case of privacy invasion by the servers.
One should note that the behaviour suggested here (minimising the amount of data sent in qnames) is NOT forbidden by the [RFC1034] (section 5.3.3) or [RFC1035] (section 7.2). Sending the full qname to the authoritative name server is a tradition, not a protocol requirment.
Another note is that the answer to the NS query, unlike the referral sent when the question is a full qname, is in the Answer section, not in the Authoritative section. It has probably no practical consequences.
The administrators of the forwarders, and of the authoritative name servers, will get less data, which will reduce the utility of the statistics they can produce (such as the percentage of the various qtypes). On the other hand, it will decrease their legal responsability, in many cases.
Some broken name servers do not react properly to qtype=NS requests. As an example, look at www.ratp.fr (not ratp.fr), which is delegated to two name servers that reply properly to "A www.ratp.fr" queries but send REFUSED to queries "NS www.ratp.fr". This behaviour is a gross protocol violation and there is no need to stop improving the DNS because of such brokenness. However, qname minimisation may still work with such domains since they are only leaf domains (no need to send them NS requests).
Thanks to Olaf Kolkman, Mark Andrews and Francis Dupont for the interesting discussions on this qname minimisation. Thanks to Mohsen Souissi for proofreading.
[RFC1034] | Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. |
[RFC1035] | Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC6973] | Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M. and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, July 2013. |
[I-D.bortzmeyer-dnsop-dns-privacy] | Bortzmeyer, S., "DNS privacy problem statement", Internet-Draft draft-bortzmeyer-dnsop-dns-privacy-01, December 2013. |
[RFC2181] | Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997. |
[dns-privacy] | IETF, , "The dns-privacy mailing list", March 2014. |