4. Resolving
This section describes the behavior of entities that include
security-aware resolver functions. In many cases such functions will
be part of a security-aware recursive name server, but a stand-alone
security-aware resolver has many of the same requirements. Functions
specific to security-aware recursive name servers are described in
Section 3.2.
4.1. EDNS Support
A security-aware resolver MUST include an EDNS ([RFC2671]) OPT
pseudo-RR with the DO ([RFC3225]) bit set when sending queries.
A security-aware resolver MUST support a message size of at least
1220 octets, SHOULD support a message size of 4000 octets, and MUST
use the "sender's UDP payload size" field in the EDNS OPT pseudo-RR
to advertise the message size that it is willing to accept. A
security-aware resolver's IP layer MUST handle fragmented UDP packets
correctly regardless of whether any such fragmented packets were
received via IPv4 or IPv6. Please see [RFC1122], [RFC2460], and
[RFC3226] for discussion of these requirements.
A security-aware resolver MUST support the signature verification
mechanisms described in Section 5 and SHOULD apply them to every
received response, except when:
o the security-aware resolver is part of a security-aware recursive
name server, and the response is the result of recursion on behalf
of a query received with the CD bit set;
o the response is the result of a query generated directly via some
form of application interface that instructed the security-aware
resolver not to perform validation for this query; or
o validation for this query has been disabled by local policy.
A security-aware resolver's support for signature verification MUST
include support for verification of wildcard owner names.
Security-aware resolvers MAY query for missing security RRs in an
attempt to perform validation; implementations that choose to do so
must be aware that the answers received may not be sufficient to
validate the original response. For example, a zone update may have
changed (or deleted) the desired information between the original and
follow-up queries.
When attempting to retrieve missing NSEC RRs that reside on the
parental side at a zone cut, a security-aware iterative-mode resolver
MUST query the name servers for the parent zone, not the child zone.
When attempting to retrieve a missing DS, a security-aware
iterative-mode resolver MUST query the name servers for the parent
zone, not the child zone. As explained in Section 3.1.4.1,
security-aware name servers need to apply special processing rules to
handle the DS RR, and in some situations the resolver may also need
to apply special rules to locate the name servers for the parent zone
if the resolver does not already have the parent's NS RRset. To
locate the parent NS RRset, the resolver can start with the
delegation name, strip off the leftmost label, and query for an NS
RRset by that name. If no NS RRset is present at that name, the
resolver then strips off the leftmost remaining label and retries the
query for that name, repeating this process of walking up the tree
until it either finds the NS RRset or runs out of labels.
A security-aware resolver MUST be able to determine whether it should
expect a particular RRset to be signed. More precisely, a
security-aware resolver must be able to distinguish between four
cases:
Secure: An RRset for which the resolver is able to build a chain of
signed DNSKEY and DS RRs from a trusted security anchor to the
RRset. In this case, the RRset should be signed and is subject to
signature validation, as described above.
Insecure: An RRset for which the resolver knows that it has no chain
of signed DNSKEY and DS RRs from any trusted starting point to the
RRset. This can occur when the target RRset lies in an unsigned
zone or in a descendent of an unsigned zone. In this case, the
RRset may or may not be signed, but the resolver will not be able
to verify the signature.
Bogus: An RRset for which the resolver believes that it ought to be
able to establish a chain of trust but for which it is unable to
do so, either due to signatures that for some reason fail to
validate or due to missing data that the relevant DNSSEC RRs
indicate should be present. This case may indicate an attack but
may also indicate a configuration error or some form of data
corruption.
Indeterminate: An RRset for which the resolver is not able to
determine whether the RRset should be signed, as the resolver is
not able to obtain the necessary DNSSEC RRs. This can occur when
the security-aware resolver is not able to contact security-aware
name servers for the relevant zones.
A security-aware resolver MUST be capable of being configured with at
least one trusted public key or DS RR and SHOULD be capable of being
configured with multiple trusted public keys or DS RRs. Since a
security-aware resolver will not be able to validate signatures
without such a configured trust anchor, the resolver SHOULD have some
reasonably robust mechanism for obtaining such keys when it boots;
examples of such a mechanism would be some form of non-volatile
storage (such as a disk drive) or some form of trusted local network
configuration mechanism.
Note that trust anchors also cover key material that is updated in a
secure manner. This secure manner could be through physical media, a
key exchange protocol, or some other out-of-band means.
4.5. Response Caching
A security-aware resolver SHOULD cache each response as a single
atomic entry containing the entire answer, including the named RRset
and any associated DNSSEC RRs. The resolver SHOULD discard the
entire atomic entry when any of the RRs contained in it expire. In
most cases the appropriate cache index for the atomic entry will be
the triple <QNAME, QTYPE, QCLASS>, but in cases such as the response
form described in Section 3.1.3.2 the appropriate cache index will be
the double <QNAME,QCLASS>.
The reason for these recommendations is that, between the initial
query and the expiration of the data from the cache, the
authoritative data might have been changed (for example, via dynamic
update).
There are two situations for which this is relevant:
1. By using the RRSIG record, it is possible to deduce that an
answer was synthesized from a wildcard. A security-aware
recursive name server could store this wildcard data and use it
to generate positive responses to queries other than the name for
which the original answer was first received.
2. NSEC RRs received to prove the non-existence of a name could be
reused by a security-aware resolver to prove the non-existence of
any name in the name range it spans.
In theory, a resolver could use wildcards or NSEC RRs to generate
positive and negative responses (respectively) until the TTL or
signatures on the records in question expire. However, it seems
prudent for resolvers to avoid blocking new authoritative data or
synthesizing new data on their own. Resolvers that follow this
recommendation will have a more consistent view of the namespace.
4.6. Handling of the CD and AD Bits
A security-aware resolver MAY set a query's CD bit in order to
indicate that the resolver takes responsibility for performing
whatever authentication its local policy requires on the RRsets in
the response. See Section 3.2 for the effect this bit has on the
behavior of security-aware recursive name servers.
A security-aware resolver MUST clear the AD bit when composing query
messages to protect against buggy name servers that blindly copy
header bits that they do not understand from the query message to the
response message.
A resolver MUST disregard the meaning of the CD and AD bits in a
response unless the response was obtained by using a secure channel
or the resolver was specifically configured to regard the message
header bits without using a secure channel.
While many validation errors will be transient, some are likely to be
more persistent, such as those caused by administrative error
(failure to re-sign a zone, clock skew, and so forth). Since
requerying will not help in these cases, validating resolvers might
generate a significant amount of unnecessary DNS traffic as a result
of repeated queries for RRsets with persistent validation failures.
To prevent such unnecessary DNS traffic, security-aware resolvers MAY
cache data with invalid signatures, with some restrictions.
Conceptually, caching such data is similar to negative caching
([RFC2308]), except that instead of caching a valid negative
response, the resolver is caching the fact that a particular answer
failed to validate. This document refers to a cache of data with
invalid signatures as a "BAD cache".
Resolvers that implement a BAD cache MUST take steps to prevent the
cache from being useful as a denial-of-service attack amplifier,
particularly the following:
o Since RRsets that fail to validate do not have trustworthy TTLs,
the implementation MUST assign a TTL. This TTL SHOULD be small,
in order to mitigate the effect of caching the results of an
attack.
o In order to prevent caching of a transient validation failure
(which might be the result of an attack), resolvers SHOULD track
queries that result in validation failures and SHOULD only answer
from the BAD cache after the number of times that responses to
queries for that particular <QNAME, QTYPE, QCLASS> have failed to
validate exceeds a threshold value.
Resolvers MUST NOT return RRsets from the BAD cache unless the
resolver is not required to validate the signatures of the RRsets in
question under the rules given in Section 4.2 of this document. See
Section 3.2.2 for discussion of how the responses returned by a
security-aware recursive name server interact with a BAD cache.
4.8. Synthesized CNAMEs
A validating security-aware resolver MUST treat the signature of a
valid signed DNAME RR as also covering unsigned CNAME RRs that could
have been synthesized from the DNAME RR, as described in [RFC2672],
at least to the extent of not rejecting a response message solely
because it contains such CNAME RRs. The resolver MAY retain such
CNAME RRs in its cache or in the answers it hands back, but is not
required to do so.
4.9. Stub Resolvers
A security-aware stub resolver MUST support the DNSSEC RR types, at
least to the extent of not mishandling responses just because they
contain DNSSEC RRs.
4.9.1. Handling of the DO Bit
A non-validating security-aware stub resolver MAY include the DNSSEC
RRs returned by a security-aware recursive name server as part of the
data that the stub resolver hands back to the application that
invoked it, but is not required to do so. A non-validating stub
resolver that seeks to do this will need to set the DO bit in order
to receive DNSSEC RRs from the recursive name server.
A validating security-aware stub resolver MUST set the DO bit,
because otherwise it will not receive the DNSSEC RRs it needs to
perform signature validation.
4.9.2. Handling of the CD Bit
A non-validating security-aware stub resolver SHOULD NOT set the CD
bit when sending queries unless it is requested by the application
layer, as by definition, a non-validating stub resolver depends on
the security-aware recursive name server to perform validation on its
behalf.
A validating security-aware stub resolver SHOULD set the CD bit,
because otherwise the security-aware recursive name server will
answer the query using the name server's local policy, which may
prevent the stub resolver from receiving data that would be
acceptable to the stub resolver's local policy.
4.9.3. Handling of the AD Bit
A non-validating security-aware stub resolver MAY chose to examine
the setting of the AD bit in response messages that it receives in
order to determine whether the security-aware recursive name server
that sent the response claims to have cryptographically verified the
data in the Answer and Authority sections of the response message.
Note, however, that the responses received by a security-aware stub
resolver are heavily dependent on the local policy of the
security-aware recursive name server. Therefore, there may be little
practical value in checking the status of the AD bit, except perhaps
as a debugging aid. In any case, a security-aware stub resolver MUST
NOT place any reliance on signature validation allegedly performed on
its behalf, except when the security-aware stub resolver obtained the
data in question from a trusted security-aware recursive name server
via a secure channel.
A validating security-aware stub resolver SHOULD NOT examine the
setting of the AD bit in response messages, as, by definition, the
stub resolver performs its own signature validation regardless of the
setting of the AD bit.
