3
IETF DNSOP Working Group Y. Morishita
5
Expires: July 11, 2004 T. Jinmei
10
Common Misbehavior against DNS Queries for IPv6 Addresses
11
draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
15
This document is an Internet-Draft and is in full conformance with
16
all provisions of Section 10 of RFC2026.
18
Internet-Drafts are working documents of the Internet Engineering
19
Task Force (IETF), its areas, and its working groups. Note that other
20
groups may also distribute working documents as Internet-Drafts.
22
Internet-Drafts are draft documents valid for a maximum of six months
23
and may be updated, replaced, or obsoleted by other documents at any
24
time. It is inappropriate to use Internet-Drafts as reference
25
material or to cite them other than as "work in progress."
27
The list of current Internet-Drafts can be accessed at http://
28
www.ietf.org/ietf/1id-abstracts.txt.
30
The list of Internet-Draft Shadow Directories can be accessed at
31
http://www.ietf.org/shadow.html.
33
This Internet-Draft will expire on July 11, 2004.
37
Copyright (C) The Internet Society (2004). All Rights Reserved.
41
There is some known misbehavior of DNS authoritative servers when
42
they are queried for AAAA resource records. Such behavior can block
43
IPv4 communication which should actually be available, cause a
44
significant delay in name resolution, or even make a denial of
45
service attack. This memo describes details of the known cases and
46
discusses the effect of the cases.
50
Many DNS clients (resolvers) that support IPv6 first search for AAAA
51
Resource Records (RRs) of a target host name, and then for A RRs of
55
Morishita & Jinmei Expires July 11, 2004 [Page 1]
57
Internet-Draft Common Misbehavior against AAAA Queries January 2004
60
the same name. This fallback mechanism is based on the DNS
61
specifications, which if not obeyed by authoritative servers can
62
produce unpleasant results. In some cases, for example, a web browser
63
fails to connect to a web server it could otherwise. In the following
64
sections, this memo describes some typical cases of the misbehavior
65
and its (bad) effects.
67
Note that the misbehavior is not specific to AAAA RRs. In fact, all
68
known examples also apply to the cases of queries for MX, NS, and SOA
69
RRs. The authors even believe this can be generalized for all types
70
of queries other than those for A RRs. In this memo, however, we
71
concentrate on the case for AAAA queries, since the problem is
72
particularly severe for resolvers that support IPv6, which thus
73
affects many end users. Resolvers at end users normally send A and/or
74
AAAA queries only, and so the problem for the other cases is
79
In this memo, we assume a typical network model of name resolution
80
environment using DNS. It consists of three components; stub
81
resolvers, caching servers, and authoritative servers. A stub
82
resolver issues a recursive query to a caching server, which then
83
handles the entire name resolution procedure recursively. The caching
84
server caches the result of the query as well as sends the result to
85
the stub resolver. The authoritative servers respond to queries for
86
names for which they have the authority, normally in a non-recursive
91
Suppose that an authoritative server has an A RR but not a AAAA RR
92
for a host name. Then the server should return a response to a query
93
for a AAAA RR of the name with the RCODE being 0 (indicating no
94
error) and with an empty answer section [1]. Such a response
95
indicates that there is at least one RR of a different type than AAAA
96
for the queried name, and the stub resolver can then look for A RRs.
98
This way, the caching server can cache the fact that the queried name
99
does not have a AAAA RR (but may have other types of RRs), and thus
100
can improve the response time to further queries for a AAAA RR of the
103
4. Problematic Behaviors
105
There are some known cases at authoritative servers that do not
106
conform to the expected behavior. This section describes those
111
Morishita & Jinmei Expires July 11, 2004 [Page 2]
113
Internet-Draft Common Misbehavior against AAAA Queries January 2004
118
This type of server returns a response with the RCODE being 3
119
(NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
120
RRs of any type for the queried name.
122
With this response, the stub resolver may immediately give up and
123
never fall back. Even if the resolver retries with a query for an A
124
RR, the negative response for the name has been cached in the caching
125
server, and the caching server will simply return the negative
126
response. As a result, the stub resolver considers this as a fatal
127
error in name resolution.
129
There have been several known examples of this behavior, but all the
130
examples that the authors know have changed their behavior as of this
135
Other authoritative servers return a response with the RCODE being 4
136
(NOTIMP), indicating the servers do not support the requested type of
139
This case is less harmful than the previous one; if the stub resolver
140
falls back to querying for an A RR, the caching server will process
141
the query correctly and return an appropriate response.
143
In this case, the caching server does not cache the fact that the
144
queried name has no AAAA RR, resulting in redundant queries for AAAA
145
RRs in the future. The behavior will waste network bandwidth and
146
increase the load of the authoritative server.
148
Using SERVFAIL or FORMERR would cause the same effect, though the
149
authors have not seen such implementations yet.
151
4.3 Return a Broken Response
153
Another different type of authoritative servers returns broken
154
responses to AAAA queries. A known behavior of this category is to
155
return a response whose RR type is AAAA, but the length of the RDATA
156
is 4 bytes. The 4-byte data looks like the IPv4 address of the
157
queried host name. That is, the RR in the answer section would be
160
www.bad.example. 600 IN AAAA 192.0.2.1
162
which is, of course, bogus (or at least meaningless).
167
Morishita & Jinmei Expires July 11, 2004 [Page 3]
169
Internet-Draft Common Misbehavior against AAAA Queries January 2004
172
A widely deployed caching server implementation transparently returns
173
the broken response (as well as caches it) to the stub resolver.
174
Another known server implementation parses the response by
175
themselves, and sends a separate response with the RCODE being 2
178
In either case, the broken response does not affect queries for an A
179
RR of the same name. If the stub resolver falls back to A queries, it
180
will get an appropriate response.
182
The latter case, however, causes the same bad effect as that
183
described in the previous section: redundant queries for AAAA RRs.
185
4.4 Make Lame Delegation
187
Some authoritative servers respond to AAAA queries in a way causing
188
lame delegation. In this case the parent zone specifies that the
189
authoritative server should have the authority of a zone, but the
190
server does not return an authoritative response for AAAA queries
191
within the zone (i.e., the AA bit in the response is not set). On the
192
other hand, the authoritative server returns an authoritative
193
response for A queries.
195
When a caching server asks the server for AAAA RRs in the zone, it
196
recognizes the delegation is lame, and return a response with the
197
RCODE being 2 (SERVFAIL) to the stub resolver.
199
Furthermore, some caching servers record the authoritative server as
200
lame for the zone and will not use it for a certain period of time.
201
With this type of caching server, even if the stub resolver falls
202
back to querying for an A RR, the caching server will simply return a
203
response with the RCODE being SERVFAIL, since all the servers are
206
There is also an implementation that relaxes the behavior a little
207
bit. It basically tries to avoid using the lame server, but still
208
continues to try it as a last resort. With this type of caching
209
server, the stub resolver will get a correct response if it falls
210
back after SERVFAIL. However, this still causes redundant AAAA
211
queries as explained in the previous sections.
213
4.5 Ignore Queries for AAAA
215
Some authoritative severs seem to ignore queries for a AAAA RR,
216
causing a delay at the stub resolver to fall back to a query for an A
217
RR. This behavior may even cause a fatal timeout at the resolver.
223
Morishita & Jinmei Expires July 11, 2004 [Page 4]
225
Internet-Draft Common Misbehavior against AAAA Queries January 2004
228
5. Security Considerations
230
The CERT/CC pointed out that the response with NXDOMAIN described in
231
Section 4.1 can be used for a denial of service attack [2]. The same
232
argument applies to the case of "lame delegation" described in
233
Section 4.4 with a certain type of caching server.
237
Erik Nordmark encouraged the authors to publish this document as an
238
Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
239
version of this document. Pekka Savola carefully reviewed a previous
240
version and provided detailed comments.
242
Informative References
244
[1] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
247
[2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
248
AAAA queries could cause denial-of-service conditions", March
249
2003, <http://www.kb.cert.org/vuls/id/714121>.
254
MORISHITA Orange Yasuhiro
255
Research and Development Department, Japan Registry Service Co.,Ltd.
256
Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
257
Chiyoda-ku, Tokyo 101-0052
260
EMail: yasuhiro@jprs.co.jp
264
Corporate Research & Development Center, Toshiba Corporation
265
1 Komukai Toshiba-cho, Saiwai-ku
266
Kawasaki-shi, Kanagawa 212-8582
269
EMail: jinmei@isl.rdc.toshiba.co.jp
271
Appendix A. Live Examples
273
In this appendix, we show concrete implementations and domain names
274
that may cause problematic cases so that the behavior can be
275
reproduced in a practical environment. The examples are for
279
Morishita & Jinmei Expires July 11, 2004 [Page 5]
281
Internet-Draft Common Misbehavior against AAAA Queries January 2004
284
informational purposes only, and the authors do not intend to accuse
285
any implementations or zone administrators.
287
The behavior described in Section 4.2 (return NOTIMP) can be found by
288
looking for a AAAA RR of www.css.vtext.com at 66.174.3.4.
290
The behavior described in Section 4.3 (broken responses) can be seen
291
by querying for a AAAA RR of "www.gslb.mainichi.co.jp," which is an
292
alias of "www.mainichi.co.jp," at 210.173.172.2. The same behavior
293
can be found with the name "vip.alt.ihp.sony.co.jp," an alias of
294
"www.sony.co.jp," at 210.139.255.204.
296
The behavior described in Section 4.4 (lame delegation) can be found
297
by querying for a AAAA RR of "www.ual.com" at 209.87.113.4.
299
The behavior described in Section 4.5 (ignore queries) can be seen by
300
trying to ask for a AAAA RR of "ad.3jp.doubleclick.net," which is an
301
alias of "ad.jp.doubleclick.net," at 210.153.90.9.
303
Many authoritative server implementations show the expected behavior
304
described in Section 3. Some DNS load balancers reportedly have a
305
problematic behavior shown in Section 4, but the authors do not have
306
a concrete example. The CERT/CC provides a list of implementations
307
that behave as described in Section 4.1 [2].
309
The BIND9 caching server implementation is an example of the latter
310
cases described in Section 4.3 and Section 4.4, respectively. The
311
BIND8 caching server implementation is an example of the former case
312
described in Section 4.3. As for the issue shown in Section 4.4,
313
BIND8 caching servers prior to 8.3.5 show the behavior described as
314
the former case in this section. The versions 8.3.5 and later of
315
BIND8 caching server behave like the BIND9 caching server
316
implementation with this matter.
318
Regarding resolver implementations, the authors are only familiar
319
with the ones derived from the BIND implementation. These
320
implementations always fall back regardless of the RCODE; NXDOMAIN,
321
NOTIMP, or SERVFAIL. It even falls back when getting a broken
322
response. However, the behavior does not help the situation in the
323
NXDOMAIN case (see Section 4.1). Lame delegation (Section 4.4) also
324
causes a fatal error at the resolver side if the resolver is using
325
some older versions of BIND8 caching server.
327
The authors hear that a stub resolver routine implemented in some web
328
browsers interprets the broken response described in Section 4.3 as a
329
fatal error and does not fall back to A queries. However, we have not
330
confirmed this information.
335
Morishita & Jinmei Expires July 11, 2004 [Page 6]
337
Internet-Draft Common Misbehavior against AAAA Queries January 2004
340
Appendix B. Change History
342
Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
344
o Made a separate appendix and moved live examples to appendix so
345
that we can remove them when this document is (ever) officially
348
o Revised some live examples based on the recent status.
350
o Noted in introduction that the misbehavior is not specific to AAAA
351
and that this document still concentrates on the AAAA case.
353
o Changed the section title of "delegation loop" to "lame
354
delegation" in order to reflect the essential point of the issue.
355
Wording on this matter was updated accordingly.
357
o Updated the Acknowledgements list.
359
o Changed the reference category from normative to informative (this
360
is an informational document after all).
362
o Changed the draft name to an IETF dnsop working group document (as
365
o Applied several editorial fixes.
391
Morishita & Jinmei Expires July 11, 2004 [Page 7]
393
Internet-Draft Common Misbehavior against AAAA Queries January 2004
396
Intellectual Property Statement
398
The IETF takes no position regarding the validity or scope of any
399
intellectual property or other rights that might be claimed to
400
pertain to the implementation or use of the technology described in
401
this document or the extent to which any license under such rights
402
might or might not be available; neither does it represent that it
403
has made any effort to identify any such rights. Information on the
404
IETF's procedures with respect to rights in standards-track and
405
standards-related documentation can be found in BCP-11. Copies of
406
claims of rights made available for publication and any assurances of
407
licenses to be made available, or the result of an attempt made to
408
obtain a general license or permission for the use of such
409
proprietary rights by implementors or users of this specification can
410
be obtained from the IETF Secretariat.
412
The IETF invites any interested party to bring to its attention any
413
copyrights, patents or patent applications, or other proprietary
414
rights which may cover technology that may be required to practice
415
this standard. Please address the information to the IETF Executive
419
Full Copyright Statement
421
Copyright (C) The Internet Society (2004). All Rights Reserved.
423
This document and translations of it may be copied and furnished to
424
others, and derivative works that comment on or otherwise explain it
425
or assist in its implementation may be prepared, copied, published
426
and distributed, in whole or in part, without restriction of any
427
kind, provided that the above copyright notice and this paragraph are
428
included on all such copies and derivative works. However, this
429
document itself may not be modified in any way, such as by removing
430
the copyright notice or references to the Internet Society or other
431
Internet organizations, except as needed for the purpose of
432
developing Internet standards in which case the procedures for
433
copyrights defined in the Internet Standards process must be
434
followed, or as required to translate it into languages other than
437
The limited permissions granted above are perpetual and will not be
438
revoked by the Internet Society or its successors or assignees.
440
This document and the information contained herein is provided on an
441
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
442
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
443
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
447
Morishita & Jinmei Expires July 11, 2004 [Page 8]
449
Internet-Draft Common Misbehavior against AAAA Queries January 2004
452
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
453
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
458
Funding for the RFC Editor function is currently provided by the
503
Morishita & Jinmei Expires July 11, 2004 [Page 9]