Internet DRAFT - draft-lee-dnsop-resolver-wellknown-ipv6addr
DNSOP S. Lee
Internet-Draft Y. Ju
Expires: April 20, 2006 W. Kim
NIDA
October 17, 2005
Default Well-known DNS Resolver IPv6 Address Using Anycast
<draft-lee-dnsop-resolver-wellknown-ipv6addr-00.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 20, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
A host needs to configure itself with its own global unicast IP
addresses, default gateway IP addresses, and DNS resolver IP
addresses. For the IPv6 address of a DNS resolver, an alternative
automatic configuration mechanism is needed that enables an IPv6 host
to configure its own DNS resolver IPv6 addresses by itself, even when
no other autoconfiguration mechanism is applied.
Lee, et al. Expires April 20, 2006 [Page 1]
Internet-Draft Well-known DNS Resolver IPv6 address October 2005
This document proposes the use of the address "::a:0:1" as the
well-known IPv6 anycast address for DNS resolvers in the global IPv6
Internet. In addition, this document discusses the automatic
discovery mechanism for the DNS resolver IPv6 address that is based
on this well-known anycast address, and the related specifications it
requires.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. IPv6 DNS Resolver Discovery with the Well-Known IPv6
Address . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Default IPv6 Address for DNS Resolvers . . . . . . . . . . 5
3.2. Routing Consideration . . . . . . . . . . . . . . . . . . 5
3.3. Inter-site Deployment Considerations . . . . . . . . . . . 6
3.4. EDNS0 Support Consideration . . . . . . . . . . . . . . . 7
3.5. Considerations for IPv6 Addresses of DNS Resolvers . . . . 7
3.6. Management of DNS Resolver IPv6 Addresses in IPv6 Host . . 8
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
6.2. Informative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . . . 12
1. Introduction
A host needs to configure itself with its own global unicast IP
addresses, default gateway IP addresses, and DNS resolver IP
addresses. Among these three types of addresses, DNS resolver IP
addresses are required for the resolution of domain names.
For an IPv6 host, automatic configuration mechanisms are defined in
the basic IPv6 specifications. An IPv6 host is able to set its own
global unicast IPv6 address automatically using IPv6 stateless
address autoconfiguration [1], and the default gateway router's IPv6
address can be obtained using neighbor discovery [2]. However, for
the IPv6 address of a DNS resolver, an alternative automatic
configuration mechanism is needed that enables an IPv6 host to set
its own DNS resolver IPv6 addresses by itself, even when no other
autoconfiguration mechanism is applied.
There are three approaches that can provide IPv6 hosts with the DNS
resolver IPv6 addresses available at the connected site. For these
three approaches, refer to "IPv6 Host Configuration of DNS Server
Information Approaches" [6].
DHCPv6 [7] [8] can provide DNS resolver IPv6 addresses in addition to
the IPv6 host's global unicast address. However, this mechanism needs
additional servers at each site. If a small site, such as a home
network, has no DHCPv6 server, the IPv6 hosts in that site cannot
obtain appropriate DNS resolver IPv6 addresses.
The RA option being defined in "IPv6 DNS Configuration based on
Router Advertisement" [9] can also provide DNS resolver IPv6
addresses via RA messages from neighboring routers. In this case,
site administrators should configure all of the site's routers that
serve access subnets, so that the routers can announce the site's
appropriate DNS resolver IPv6 addresses in RA messages. However,
there may be networks without professional management, and the
routers within them may not provide DNS resolver IPv6 address
information in RA messages.
The last of the three approaches in "IPv6 Host Configuration of DNS
Server Information Approaches" [6] is to use a well-known anycast
address as the DNS resolver IPv6 address.
This document specifies the automatic discovery mechanism for the DNS
resolver IPv6 address that is based on the well-known anycast
address.
There are several requirements in defining the well-known anycast
address for DNS resolvers with IPv6 support. First, this well-known
IPv6 anycast address SHOULD be a global-scope IPv6 address that is
independent of each site's specific DNS resolvers. This requirement
makes it possible for an IPv6 host to keep the same DNS resolver IPv6
address regardless of the site it moves to and connects to. Second,
this well-known IPv6 anycast address SHOULD NOT be selected out of
the global unicast address range that starts with prefix "2001::/3".
This requirement makes it easy for network administrators to
distinguish this anycast address from normal global unicast addresses
when managing the routing system. Third, the well-known IPv6 anycast
address SHOULD have the simplest possible textual representation, so
that anyone can easily remember it and type it in manually. This
helps both network administrators and users.
This document proposes the use of the address "::a:0:1" as the
well-known IPv6 anycast address for DNS resolvers in the global IPv6
Internet.
It may also be possible to use the well-known IPv6 anycast address
defined in this document as the DNS resolver IPv6 address announced
by DHCPv6 [7] or by routers via the RA option being defined in [9].
This document does not define any specification for a well-known
anycast address for IPv4-based DNS resolvers. This document assumes
that IPv4 hosts can obtain DNS resolver IPv4 addresses, or that users
can configure those addresses manually, in the IPv4 Internet
environment as before.
2. Terminology
Default IPv6 Address for DNS Resolvers : the well-known IPv6 anycast
address for DNS resolvers with IPv6 support.
DNS resolver : in this document, the implementation of the DNS
resolver routine defined in section 2.2, "Common configurations", of
RFC 1035 [3], which answers recursive queries from the stub resolvers
of hosts. In normal usage this term, DNS resolver, is also known as
'recursive DNS server'.
DNS resolver IPv6 address : the IPv6 address on which a DNS resolver
serves recursive DNS queries from IPv6 hosts.
IPv6 host : in this document, any host that supports IPv6, e.g. an
IPv6-only host or an IPv4/IPv6 dual-stack host.
Most Upstream Site : in this document, a site that has a connection
to the global IPv6 backbone.
Upstream Site : in this document, a site that provides upstream links
to a certain site.
Downstream Site : in this document, a site that has upstream links to
an Upstream Site.
3. IPv6 DNS Resolver Discovery with the Well-Known IPv6 Address
3.1. Default IPv6 Address for DNS Resolvers
The well-known IPv6 anycast address for DNS resolvers is defined as
the address "::a:0:1". In this document, this address is termed the
'Default IPv6 Address for DNS Resolvers'.
This address, "::a:0:1/128", is selected out of the address range
with prefix "::/8". At least the address range "::a:0:0/112" SHOULD
be reserved as the anycast address range for DNS resolver IPv6
addresses. Reservation of the address range "::a:0:0/96" is
preferred; this range can be reserved as an anycast address range for
other anycast-based services that may be defined in the future.
The Default IPv6 Address for DNS Resolvers is a global-scope anycast
address that designates any DNS resolver reachable from any access
point of the IPv6 Internet. From the point of view of IPv6 hosts, the
Default IPv6 Address for DNS Resolvers is a global-scope address.
3.2. Routing Consideration
The route to the Default IPv6 Address for DNS Resolvers SHOULD be a
host route, i.e. a route with prefix "::a:0:1/128".
In principle, the route to the Default IPv6 Address for DNS Resolvers
needs to be injected into the routing system on a per-site basis. In
the global IPv6 backbone, the route to the Default IPv6 Address for
DNS Resolvers SHOULD be filtered out, so as to prevent problems that
could be caused by a rapid increase in IPv6 routing table size.
Therefore, the route to the Default IPv6 Address for DNS Resolvers
SHOULD, in principle, be injected into the IGP routing system and not
into the EGP routing system. Configuring the anycast route as a
static route is not recommended for deploying anycast with the route
to the Default IPv6 Address for DNS Resolvers. For small networks
that are not capable of deploying an IGP, refer to 'Inter-site
Deployment Considerations' (Section 3.3).
The Default IPv6 Address for DNS Resolvers is the anycast address of
the DNS resolver service, which is an implementation of the standard
DNS resolver defined in RFC 1035 [3]. The stub resolver of an IPv6
host does not differentiate one DNS resolver from each site's
specific DNS resolvers, as long as the DNS resolvers function as the
standard DNS resolver routine. Each site's DNS resolvers with the
Default IPv6 Address for DNS Resolvers are considered instances of
the standard DNS resolver routine. Therefore any site's DNS resolvers
that conform to the standard DNS resolver functionality and are
authorized, secure DNS resolvers are allowed to assign the Default
IPv6 Address for DNS Resolvers to their service interface and to
advertise the route to this address into the site's routing system.
However, to prevent an unauthorized DNS resolver from intercepting
and answering recursive DNS queries, the site's network
administrators SHOULD verify that the route to the Default IPv6
Address for DNS Resolvers present in the routing system is legitimate
information.
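The route check that the preceding paragraphs ask administrators to perform can be automated. The following Python script is an added example and not part of this draft: it parses a constructed routing-table dump (the three-column "prefix next-hop protocol" layout, the 2001:db8::/32 addresses and the list of authorized resolver interfaces are all assumptions of the example) and reports every route inside the reserved anycast range that is not the ::a:0:1/128 host route, was not learned from an IGP, or points at a next hop that is not one of the site's authorized resolver instances.

```python
"""Audit a site's IPv6 routing table for the DNS resolver anycast route.

Added example (not part of the draft). It checks the routing rules of
Section 3.2: the anycast route should be the host route ::a:0:1/128,
should come from the IGP (not an EGP or static configuration), and should
only be originated by authorized resolver instances.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

RESOLVER_ANYCAST = ipaddress.IPv6Network("::a:0:1/128")
# Minimum range the draft asks to be reserved for this anycast service.
RESOLVER_ANYCAST_RANGE = ipaddress.IPv6Network("::a:0:0/112")
# Route sources the draft accepts for the anycast route (IGPs only).
IGP_PROTOCOLS = {"ospf3", "isis", "ripng"}


@dataclass
class Route:
    prefix: ipaddress.IPv6Network
    next_hop: ipaddress.IPv6Address
    protocol: str


# Constructed routing-table dump in an assumed "prefix next-hop protocol"
# layout; real routers print routes in their own formats.
SAMPLE_ROUTE_DUMP = """\
::a:0:1/128    2001:db8:1::53   ospf3
::a:0:1/128    2001:db8:9::bad  bgp
::a:0:0/112    2001:db8:2::1    ospf3
::a:0:1/128    2001:db8:3::53   static
2001:db8::/32  2001:db8::1      ospf3
"""

# Assumed site inventory of resolver interfaces allowed to originate the
# anycast route (the draft's "authorized secure DNS resolvers").
AUTHORIZED_NEXT_HOPS = {
    ipaddress.IPv6Address("2001:db8:1::53"),
    ipaddress.IPv6Address("2001:db8:3::53"),
}


def parse_routes(dump: str) -> List[Route]:
    """Parse the three-column dump, skipping blank or malformed lines."""
    routes = []
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        prefix, next_hop, protocol = fields
        routes.append(Route(ipaddress.IPv6Network(prefix),
                            ipaddress.IPv6Address(next_hop),
                            protocol.lower()))
    return routes


def audit_routes(routes: Iterable[Route],
                 authorized: Iterable[ipaddress.IPv6Address]
                 ) -> List[Tuple[str, List[str]]]:
    """Return (route description, reasons) for each route inside the
    reserved anycast range that violates one of the Section 3.2 rules."""
    authorized = set(authorized)
    findings = []
    for r in routes:
        # Routes outside the reserved anycast range are not our concern.
        if not r.prefix.subnet_of(RESOLVER_ANYCAST_RANGE):
            continue
        reasons = []
        if r.prefix != RESOLVER_ANYCAST:
            reasons.append("not the host route ::a:0:1/128")
        if r.protocol not in IGP_PROTOCOLS:
            reasons.append(f"learned via {r.protocol}, not an IGP")
        if r.next_hop not in authorized:
            reasons.append(f"next hop {r.next_hop} is not an authorized resolver")
        if reasons:
            findings.append((f"{r.prefix} via {r.next_hop} ({r.protocol})",
                             reasons))
    return findings


def audit_sample() -> List[Tuple[str, List[str]]]:
    """Run the audit over the constructed dump above."""
    return audit_routes(parse_routes(SAMPLE_ROUTE_DUMP), AUTHORIZED_NEXT_HOPS)


if __name__ == "__main__":
    for route, reasons in audit_sample():
        print(route)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed dump, the first route passes and the other three inside ::a:0:0/112 are reported: the BGP-learned route with an unknown next hop, the /112 covering route, and the static route. Routes outside the reserved range, such as the site's own 2001:db8::/32, are ignored. A default route (::/0) is likewise outside the range, which is what Section 3.3 relies on for small Downstream Sites.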
3.3. Inter-site Deployment Considerations
A site that has a connection to the global IPv6 backbone is termed a
'Most Upstream Site' in this document. For a certain site, the site
that provides upstream links to it is termed its 'Upstream Site', and
a site that has upstream links to an Upstream Site is termed a
'Downstream Site' of that Upstream Site.
So that global-scope usage of the Default IPv6 Address for DNS
Resolvers is possible anywhere in the IPv6 Internet, it is
RECOMMENDED that Most Upstream Sites deploy DNS resolvers with the
Default IPv6 Address for DNS Resolvers.
Upstream Sites that are not Most Upstream Sites and have Downstream
Sites SHOULD deploy DNS resolvers with the Default IPv6 Address for
DNS Resolvers, especially when their Downstream Sites are so small
that they have to use the Upstream Site's DNS resolvers.
By special agreement between sites or by default, Upstream Sites may
allow Downstream Sites to access the Upstream Site's DNS resolvers
with the Default IPv6 Address for DNS Resolvers. Downstream Sites
have upstream links to Most Upstream Sites for access to the global
IPv6 Internet. Among these Downstream Sites, the small sites that
have no network management capability need access to the Upstream
Site's DNS resolvers using the Default IPv6 Address for DNS
Resolvers. In this case, DNS query packets destined to the Default
IPv6 Address for DNS Resolvers can be routed via the default route in
the border routers of the Downstream Site. In the case of Downstream
Sites that have their own DNS resolvers with the Default IPv6 Address
for DNS Resolvers, when those DNS resolvers go down by accident, the
routes to DNS resolvers with the Default IPv6 Address for DNS
Resolvers can switch to the Upstream Site's DNS resolvers by the
anycast mechanism.
However, with the above configuration, concurrent malicious attacks
on many Downstream Sites' DNS resolvers with the Default IPv6 Address
for DNS Resolvers may cause the Upstream Site's DNS resolvers to
become unstable. To avoid this possible problem, Upstream Sites need
to take the related security considerations into account when
deploying DNS resolvers with the Default IPv6 Address for DNS
Resolvers that serve various Downstream Sites.
3.4. EDNS0 Support Consideration
Between IPv6 hosts and DNS resolvers with the Default IPv6 Address
for DNS Resolvers, the DNS message in the IPv6 packet SHOULD contain
the EDNS0 option.
An IPv6 host MUST attach the EDNS0 option to the DNS query message
when sending an IPv6 packet destined to the Default IPv6 Address for
DNS Resolvers. In this case, the minimum value of the sender's UDP
payload size in the OPT pseudo-RR [4] SHOULD be 1024 octets. This is
to avoid a possible fallback to a DNS query over a TCP connection due
to an oversized DNS response message. The minimum size of 1024
octets also prevents IPv6 fragmentation in the IPv6 Internet, which
has a minimum MTU of 1280 octets.
DNS resolvers with the Default IPv6 Address for DNS Resolvers MUST
support the EDNS0 option.
IPv6 hosts may use a sender's UDP payload size in the OPT pseudo-RR
[4] larger than 1024 octets. However, in this case the IPv6 host is
recommended to check the available MTU size using IPv6 path MTU
discovery [5].
EDNS0 option support in IPv6 nodes is also specified in "IPv6 Node
Requirements" [10].
The above specification applies only between IPv6 hosts and DNS
resolvers with the Default IPv6 Address for DNS Resolvers, and does
not apply between authoritative name servers and DNS resolvers with
the Default IPv6 Address for DNS Resolvers.
3.5. Considerations for IPv6 Addresses of DNS Resolvers
DNS resolvers with the Default IPv6 Address for DNS Resolvers SHOULD
NOT use the Default IPv6 Address for DNS Resolvers as the source
address in iterative DNS queries to authoritative name servers. Doing
so causes the unacceptable problem that the response from the
authoritative name server would be routed to another DNS resolver
with the Default IPv6 Address. If there is an IPv6 global backbone
between the authoritative name server and the DNS resolver with the
Default IPv6 Address for DNS Resolvers, the DNS resolver would never
get the response, since the route to that address is filtered out of
the backbone.
Therefore the DNS resolver SHOULD have at least one global unicast
IPv6 address on its interfaces.
A DNS resolver with the Default IPv6 Address for DNS Resolvers SHOULD
answer DNS queries with the Default IPv6 Address for DNS Resolvers as
the source address. If not, the IPv6 hosts receiving the DNS
response would get confused by the mismatch between the destination
address in the DNS query and the source address in the DNS response.
3.6. Management of DNS Resolver IPv6 Addresses in IPv6 Host
An IPv6 host SHOULD implement an additional function that manages
the list of available DNS resolver IPv6 addresses according to a
precedence policy. That is, when there is both information obtained
from the connected site and the Default IPv6 Address for DNS
Resolvers that may be pre-configured, the DNS resolver IPv6 addresses
obtained from the connected site have higher precedence than the
Default IPv6 Address for DNS Resolvers. This DNS resolver IPv6
address management function selects the IPv6 addresses with the
highest precedence as the active DNS resolver IPv6 addresses, so that
the stub resolver can use them.
This function can be implemented as part of the DHCPv6 client process
or as part of the client process for the RA option defined in "IPv6
DNS Configuration based on Router Advertisement" [9]. Otherwise, it
can be implemented as an independent process.
The DNS resolver IPv6 address management function SHOULD promote the
Default IPv6 Address for DNS Resolvers, as the default and
last-resort address, to the active DNS resolver IPv6 address as soon
as the DNS resolver IPv6 addresses announced by the site become
invalid for any reason.
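The precedence policy described in this section, as an added example in Python that is not part of this draft: site-learned addresses (whatever their source) outrank the pre-configured Default IPv6 Address for DNS Resolvers, which stays in the list as the last-resort entry and becomes the active address as soon as the site-learned addresses expire or are withdrawn. The lifetimes, the source labels and the 2001:db8:: addresses are assumptions of the example; the draft itself does not specify how lifetimes are obtained.

```python
"""Manage the list of DNS resolver IPv6 addresses on an IPv6 host
according to the precedence policy of Section 3.6.

Added example (not part of the draft): site-learned addresses (from
DHCPv6, the RA option, or any other source) outrank the Default IPv6
Address for DNS Resolvers, which is always kept as the last-resort entry
and becomes the active address as soon as the site-learned ones expire
or are withdrawn. Lifetimes and sources are assumptions of the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

DEFAULT_RESOLVER = ipaddress.IPv6Address("::a:0:1")
AddressLike = Union[str, ipaddress.IPv6Address]


@dataclass
class LearnedResolver:
    address: ipaddress.IPv6Address
    source: str         # e.g. "dhcpv6" or "ra"
    expires_at: float   # absolute time; float("inf") means never


class ResolverList:
    """Precedence-ordered list of resolver addresses for the stub resolver."""

    def __init__(self, default: ipaddress.IPv6Address = DEFAULT_RESOLVER):
        self.default = default
        self.learned: List[LearnedResolver] = []

    def learn(self, address: AddressLike, source: str,
              lifetime: float, now: float) -> None:
        """Record (or refresh) an address announced by the connected site."""
        addr = ipaddress.IPv6Address(address)
        self.learned = [r for r in self.learned if r.address != addr]
        self.learned.append(LearnedResolver(addr, source, now + lifetime))

    def withdraw(self, address: AddressLike) -> None:
        """Drop an address the site has explicitly invalidated."""
        addr = ipaddress.IPv6Address(address)
        self.learned = [r for r in self.learned if r.address != addr]

    def active(self, now: float) -> List[ipaddress.IPv6Address]:
        """Return addresses in precedence order: every still-valid
        site-learned address first, the default anycast address last."""
        self.learned = [r for r in self.learned if r.expires_at > now]
        ordered = [r.address for r in self.learned]
        ordered.append(self.default)
        return ordered

    def primary(self, now: float) -> ipaddress.IPv6Address:
        """The single address the stub resolver should try first."""
        return self.active(now)[0]


if __name__ == "__main__":
    rl = ResolverList()
    print("fresh host:", [str(a) for a in rl.active(0)])
    rl.learn("2001:db8::53", "ra", lifetime=600, now=0)
    print("after RA:  ", [str(a) for a in rl.active(10)])
    print("RA expired:", [str(a) for a in rl.active(700)])
```

The default address is never removed from the list, so a host on a site with no DHCPv6 server and no RA option still has a usable resolver address from the start, and a host whose site-learned addresses have expired falls back to it without any further signalling.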
4. IANA Considerations
IANA needs to reserve the address "::a:0:1/128" as the Default IPv6
Address for DNS Resolvers.
IANA can consider reserving the address range "::a:0:0/96" as the
Well-Known Anycast Address Range.
5. Security Considerations
The routing system routes IPv6 packets destined to the well-known
anycast address by looking up its routing table. If there is
malicious route information that directs DNS requests to an
unauthorized DNS resolver with the Default IPv6 Address for DNS
Resolvers, IPv6 hosts may be led to fraudulent servers without any
notification. To avoid this possibility, the IGP that the anycast
mechanism is based on SHOULD have an authentication mechanism between
authorized routers, and the site SHOULD enable this authentication
mechanism in its routing system.
In the case where Downstream Sites are allowed to access DNS
resolvers with the Default IPv6 Address for DNS Resolvers and the
Downstream Sites also deploy their own DNS resolvers with the Default
IPv6 Address for DNS Resolvers, concurrent DoS attacks on various
Downstream Sites' DNS resolvers may happen, and when a Downstream
Site's DNS resolver goes down, the DoS attack traffic may flow into
the Upstream Site, resulting in a cascading failure of DNS resolvers.
To avoid this problem, the Upstream Site should give full
consideration to this possibility when planning and deploying DNS
resolvers with the Default IPv6 Address for DNS Resolvers to be
shared with Downstream Sites. It is RECOMMENDED to deploy distributed
DNS resolver instances using the site's own anycast mechanism, so
that DNS query traffic is distributed to and processed by the
corresponding local servers and a failure does not propagate through
the whole site.
6. References
6.1. Normative References
[1] Thomson, S. and T. Narten, "IPv6 Stateless Address
Autoconfiguration", RFC 2462, December 1998.
[2] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
for IP Version 6 (IPv6)", RFC 2461, December 1998.
[3] Mockapetris, P., "Domain names - implementation and
specification", RFC 1035, November 1987.
[4] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
August 1999.
[5] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery for
IP version 6", RFC 1981, August 1996.
6.2. Informative References
[6] Jeong, J., "IPv6 Host Configuration of DNS Server Information
Approaches", Work in Progress, May 2005.
[7] Droms, R., Carney, M., Perkins, C., Lemon, T., Volz, B., and R.
Droms, "DNS Configuration options for Dynamic Host
Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
December 2003.
[8] Bound, J., Carney, M., Perkins, C., Lemon, T., Volz, B., and R.
Droms, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
RFC 3315, May 2003.
[9] Jeong, J., "IPv6 DNS Configuration based on Router
Advertisement", Work in Progress, February 2005.
[10] Loughney, J., "IPv6 Node Requirements", Work in Progress,
August 2004.
Authors' Addresses
Seunghoon Lee
National Internet Development Agency of Korea
1321-11, Seocho2-dong, Seocho-gu
Seoul
Korea
Phone: +82-2-2186-4585
Email: sehlee@nida.or.kr
Youngwan Ju
National Internet Development Agency of Korea
1321-11, Seocho2-dong, Seocho-gu
Seoul
Korea
Phone: +82-2-2186-4536
Email: ywju@nida.or.kr
Weon Kim
National Internet Development Agency of Korea
1321-11, Seocho2-dong, Seocho-gu
Seoul
Korea
Phone: +82-2-2186-4502
Email: wkim@nida.or.kr
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.