Network Working Group W. Hardaker Internet-Draft USC/ISI Intended status: Standards Track November 20, 2019 Expires: May 23, 2020 Dropped Remaining Other Propaganda in DNS Responses draft-hardaker-dnsop-drop-00 Abstract When DNS replies to be sent over UDP exceed the requestor's UDP payload size, servers are expected to set the Truncated bit (TC) and remove remove additional information from the response. Clients receiving the TC bit might choose to retry the request over TCP to fetch the removed information. Sometimes this extra information is not important to the DNS resolution process and retrying over TCP may not be needed. This document defines the DP bit to indicate that the dropped information that caused the TC bit was supplemental information. This is useful, for example, in the case of Extended DNS Error information which may be mostly debugging related information. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 23, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Hardaker Expires May 23, 2020 [Page 1] Internet-Draft DROP DNS November 2019 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Modifications to DNS Processing . . . . . . . . . . . . . . . 2 3. Applicable Use Cases . . . . . . . . . . . . . . . . . . . . 2 3.1. Extended DNS Errors . . . . . . . . . . . . . . . . . . . 3 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 6. Informative References . . . . . . . . . . . . . . . . . . . 3 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction When DNS replies to be sent over UDP exceed the requestor's UDP payload size [EDNS0], servers are expected to set the Truncated bit (TC) [DOMANINAMES] and remove remove additional information from the response. Clients receiving the TC bit might choose to retry the request over TCP to fetch the removed information. Sometimes this extra information is not important to the DNS resolution process and retrying over TCP may not be needed. This document defines the "drop" bit (DP) to indicate that the dropped information that caused the TC bit was supplemental information. This is useful, for example, in the case of Extended DNS Error information which may be mostly debugging related information. 2. Modifications to DNS Processing Servers returning a UDP response containing supplemental information (such as Extended DNS Error information (xxx: need non-RFC here)) that caused the TC bit to be set SHOULD set the DP bit. Clients receiving a UDP response with both the TC bit and the DP bit set may choose to not resend their request over TCP since DP bit indicates the extra information is ignorable. 3. Applicable Use Cases The removal of any other information from a DNS response that would set the TC bit should not set the DP bit unless a specification Hardaker Expires May 23, 2020 [Page 2] Internet-Draft DROP DNS November 2019 indicates it should be set. This specification lists the following scenarios where this should be set. 3.1. Extended DNS Errors DNS servers setting the TC bit when EDE information was removed from a response SHOULD set both the TC bit and the DP bit. 4. Security Considerations Bits are unsigned unless sent over TLS. If a malicious device-in- the-middle attacker set the DP bit, it may cause a client not to re- query for the dropped information. However, an attacker could just as easily unset the TC bit as they could set the DP bit, thus the security exposure of the bits are no worse than before. 5. IANA Considerations This document (will) adds the BD bit to the IANA EDNS0 flag registry. 6. Informative References [DOMANINAMES] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, . [EDNS0] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/RFC6891, April 2013, . Appendix A. Acknowledgments The creation of an extra bit was first suggested by Viktor Dukuhvni's associate and later refined by Brian Dickson. Author's Address Wes Hardaker USC/ISI Email: ietf@hardakers.net Hardaker Expires May 23, 2020 [Page 3]