1 Internet Engineering Task Force (IETF) M. Andrews
2 Request for Comments: 6303 ISC
3 BCP: 163 July 2011
4 Category: Best Current Practice
5 ISSN: 2070-1721
6
7
8 Locally Served DNS Zones
9
10 Abstract
11
12 Experience with the Domain Name System (DNS) has shown that there are
13 a number of DNS zones that all iterative resolvers and recursive
14 nameservers should automatically serve, unless configured otherwise.
15 RFC 4193 specifies that this should occur for D.F.IP6.ARPA. This
16 document extends the practice to cover the IN-ADDR.ARPA zones for RFC
17 1918 address space and other well-known zones with similar
18 characteristics.
19
20 Status of This Memo
21
22 This memo documents an Internet Best Current Practice.
23
24 This document is a product of the Internet Engineering Task Force
25 (IETF). It represents the consensus of the IETF community. It has
26 received public review and has been approved for publication by the
27 Internet Engineering Steering Group (IESG). Further information on
28 BCPs is available in Section 2 of RFC 5741.
29
30 Information about the current status of this document, any errata,
31 and how to provide feedback on it may be obtained at
32 http://www.rfc-editor.org/info/rfc6303.
33
34 Copyright Notice
35
36 Copyright (c) 2011 IETF Trust and the persons identified as the
37 document authors. All rights reserved.
38
39 This document is subject to BCP 78 and the IETF Trust's Legal
40 Provisions Relating to IETF Documents
41 (http://trustee.ietf.org/license-info) in effect on the date of
42 publication of this document. Please review these documents
43 carefully, as they describe your rights and restrictions with respect
44 to this document. Code Components extracted from this document must
45 include Simplified BSD License text as described in Section 4.e of
46 the Trust Legal Provisions and are provided without warranty as
47 described in the Simplified BSD License.
48
49
50
51
52 Andrews Best Current Practice [Page 1]
53 RFC 6303 Locally Served DNS Zones July 2011
54
55
56 This document may contain material from IETF Documents or IETF
57 Contributions published or made publicly available before November
58 10, 2008. The person(s) controlling the copyright in some of this
59 material may not have granted the IETF Trust the right to allow
60 modifications of such material outside the IETF Standards Process.
61 Without obtaining an adequate license from the person(s) controlling
62 the copyright in such materials, this document may not be modified
63 outside the IETF Standards Process, and derivative works of it may
64 not be created outside the IETF Standards Process, except to format
65 it for publication as an RFC or to translate it into languages other
66 than English.
67
68 Table of Contents
69
70 1. Introduction ....................................................2
71 1.1. Reserved Words .............................................3
72 2. Effects on Sites Using RFC 1918 Addresses .......................3
73 3. Changes to Iterative Resolver Behaviour .........................4
74 4. Lists Of Zones Covered ..........................................5
75 4.1. RFC 1918 Zones .............................................5
76 4.2. RFC 5735 and RFC 5737 Zones ................................5
77 4.3. Local IPv6 Unicast Addresses ...............................6
78 4.4. IPv6 Locally Assigned Local Addresses ......................6
79 4.5. IPv6 Link-Local Addresses ..................................7
80 4.6. IPv6 Example Prefix ........................................7
81 5. Zones That Are Out of Scope .....................................7
82 6. IANA Considerations .............................................8
83 7. Security Considerations .........................................8
84 8. Acknowledgements ................................................9
85 9. References ......................................................9
86 9.1. Normative References .......................................9
87 9.2. Informative References ....................................10
88
89 1. Introduction
90
91 Experience with the Domain Name System (DNS, [RFC1034] and [RFC1035])
92 has shown that there are a number of DNS zones that all iterative
93 resolvers and recursive nameservers SHOULD automatically serve,
94 unless intentionally configured otherwise. These zones include, but
95 are not limited to, the IN-ADDR.ARPA zones for the address space
96 allocated by [RFC1918] and the IP6.ARPA zones for locally assigned
97 unique local IPv6 addresses defined in [RFC4193].
98
99
100
101
102
103
104
105
106
107 Andrews Best Current Practice [Page 2]
108 RFC 6303 Locally Served DNS Zones July 2011
109
110
111 This recommendation is made because data has shown that significant
112 leakage of queries for these namespaces is occurring, despite
113 instructions to restrict them, and because it has therefore become
114 necessary to deploy sacrificial nameservers to protect the immediate
115 parent nameservers for these zones from excessive, unintentional
116 query load [AS112] [RFC6304] [RFC6305]. There is every expectation
117 that the query load will continue to increase unless steps are taken
118 as outlined here.
119
120 Additionally, queries from clients behind badly configured firewalls
121 that allow outgoing queries for these namespaces, but drop the
122 responses, put a significant load on the root servers (forward zones
123 but not reverse zones are configured). They also cause operational
124 load for the root server operators, as they have to reply to
125 enquiries about why the root servers are "attacking" these clients.
126 Changing the default configuration will address all these issues for
127 the zones listed in Section 4.
128
129 [RFC4193] recommends that queries for D.F.IP6.ARPA be handled
130 locally. This document extends the recommendation to cover the
131 IN-ADDR.ARPA zones for [RFC1918] and other well-known IN-ADDR.ARPA
132 and IP6.ARPA zones for which queries should not appear on the public
133 Internet.
134
135 It is hoped that by doing this the number of sacrificial servers
136 [AS112] will not have to be increased, and may in time be reduced.
137
138 This recommendation should also help DNS responsiveness for sites
139 that are using [RFC1918] addresses but do not follow the last
140 paragraph in Section 3 of [RFC1918].
141
142 1.1. Reserved Words
143
144 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
145 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
146 document are to be interpreted as described in [RFC2119].
147
148 2. Effects on Sites Using RFC 1918 Addresses
149
150 For most sites using [RFC1918] addresses, the changes here will have
151 little or no detrimental effect. If the site does not already have
152 the reverse tree populated, the only effect will be that the name
153 error responses will be generated locally rather than remotely.
154
155 For sites that do have the reverse tree populated, most will either
156 have a local copy of the zones or will be forwarding the queries to
157 servers that have local copies of the zone. Therefore, this
158 recommendation will not be relevant.
159
160
161
162 Andrews Best Current Practice [Page 3]
163 RFC 6303 Locally Served DNS Zones July 2011
164
165
166 The most significant impact will be felt at sites that make use of
167 delegations for [RFC1918] addresses and have populated these zones.
168 These sites will need to override the default configuration expressed
169 in this document to allow resolution to continue. Typically, such
170 sites will be fully disconnected from the Internet and have their own
171 root servers for their own non-Internet DNS tree.
172
173 3. Changes to Iterative Resolver Behaviour
174
175 Unless configured otherwise, an iterative resolver will now return
176 authoritatively (AA=1) name errors (RCODE=3) for queries within the
177 zones in Section 4, with the obvious exception of queries for the
178 zone name itself where SOA, NS, and "no data" responses will be
179 returned as appropriate to the query type. One common way to do this
180 all at once is to serve empty (SOA and NS only) zones.
181
182 An implementation of this recommendation MUST provide a mechanism to
183 disable this new behaviour, and SHOULD allow this decision on a zone-
184 by-zone basis.
185
186 If using empty zones one SHOULD NOT use the same NS and SOA records
187 as used on the public Internet servers, as that will make it harder
188 to detect the origin of the responses and thus any leakage to the
189 public Internet servers. It is RECOMMENDED that the NS record
190 defaults to the name of the zone and the SOA MNAME defaults to the
191 name of the only NS RR's (Resource Record's) target. The SOA RNAME
192 SHOULD default to "nobody.invalid." [RFC2606]. Implementations
193 SHOULD provide a mechanism to set these values. No address records
194 need to be provided for the nameserver.
195
196 Below is an example of a generic empty zone in master file format.
197 It will produce a negative cache Time to Live (TTL) of 3 hours.
198
199 @ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
200 @ 10800 IN NS @
201
202 The SOA RR is needed to support negative caching [RFC2308] of name
203 error responses and to point clients to the primary master for DNS
204 dynamic updates.
205
206 SOA values of particular importance are the MNAME, the SOA RR's TTL,
207 and the negTTL value. Both TTL values SHOULD match. The rest of the
208 SOA timer values MAY be chosen arbitrarily since they are not
209 intended to control any zone transfer activity.
210
211 The NS RR is needed as some UPDATE [RFC2136] clients use NS queries
212 to discover the zone to be updated. Having no address records for
213 the nameserver is expected to abort UPDATE processing in the client.
214
215
216
217 Andrews Best Current Practice [Page 4]
218 RFC 6303 Locally Served DNS Zones July 2011
219
220
221 4. Lists Of Zones Covered
222
223 The following subsections are the initial contents of the IANA
224 registry as described in the IANA Considerations section. Following
225 the caveat in that section, the list contains only reverse zones
226 corresponding to permanently assigned address space. The zone name
227 is the entity to be registered.
228
229 4.1. RFC 1918 Zones
230
231 The following zones correspond to the IPv4 address space reserved in
232 [RFC1918].
233
234 +----------------------+
235 | Zone |
236 +----------------------+
237 | 10.IN-ADDR.ARPA |
238 | 16.172.IN-ADDR.ARPA |
239 | 17.172.IN-ADDR.ARPA |
240 | 18.172.IN-ADDR.ARPA |
241 | 19.172.IN-ADDR.ARPA |
242 | 20.172.IN-ADDR.ARPA |
243 | 21.172.IN-ADDR.ARPA |
244 | 22.172.IN-ADDR.ARPA |
245 | 23.172.IN-ADDR.ARPA |
246 | 24.172.IN-ADDR.ARPA |
247 | 25.172.IN-ADDR.ARPA |
248 | 26.172.IN-ADDR.ARPA |
249 | 27.172.IN-ADDR.ARPA |
250 | 28.172.IN-ADDR.ARPA |
251 | 29.172.IN-ADDR.ARPA |
252 | 30.172.IN-ADDR.ARPA |
253 | 31.172.IN-ADDR.ARPA |
254 | 168.192.IN-ADDR.ARPA |
255 +----------------------+
256
257 4.2. RFC 5735 and RFC 5737 Zones
258
259 The following zones correspond to those address ranges from [RFC5735]
260 and [RFC5737] that are not expected to appear as source or
261 destination addresses on the public Internet; as such, there are no
262 globally unique names associated with the addresses in these ranges.
263
264
265
266
267
268
269
270
271
272 Andrews Best Current Practice [Page 5]
273 RFC 6303 Locally Served DNS Zones July 2011
274
275
276 The recommendation to serve an empty zone 127.IN-ADDR.ARPA is not an
277 attempt to discourage any practice to provide a PTR RR for
278 1.0.0.127.IN-ADDR.ARPA locally. In fact, a meaningful reverse
279 mapping should exist, but the exact setup is out of the scope of this
280 document. Similar logic applies to the reverse mapping for ::1
281 (Section 4.3). The recommendations made here simply assume that no
282 other coverage for these domains exists.
283
284 +------------------------------+-----------------------+
285 | Zone | Description |
286 +------------------------------+-----------------------+
287 | 0.IN-ADDR.ARPA | IPv4 "THIS" NETWORK |
288 | 127.IN-ADDR.ARPA | IPv4 Loopback NETWORK |
289 | 254.169.IN-ADDR.ARPA | IPv4 LINK LOCAL |
290 | 2.0.192.IN-ADDR.ARPA | IPv4 TEST-NET-1 |
291 | 100.51.198.IN-ADDR.ARPA | IPv4 TEST-NET-2 |
292 | 113.0.203.IN-ADDR.ARPA | IPv4 TEST-NET-3 |
293 | 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST |
294 +------------------------------+-----------------------+
295
296 4.3. Local IPv6 Unicast Addresses
297
298 The reverse mappings ([RFC3596], Section 2.5 ("IP6.ARPA Domain")) for
299 the IPv6 Unspecified (::) and Loopback (::1) addresses ([RFC4291],
300 Sections 2.4, 2.5.2, and 2.5.3) are covered by these two zones:
301
302 +-------------------------------------------+
303 | Zone |
304 +-------------------------------------------+
305 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
306 | 0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA |
307 | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
308 | 0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA |
309 +-------------------------------------------+
310
311 Note: Line breaks and escapes ('\') have been inserted above for
312 readability and to adhere to line width constraints. They are not
313 parts of the zone names.
314
315 4.4. IPv6 Locally Assigned Local Addresses
316
317 Section 4.4 of [RFC4193] already required special treatment of:
318
319 +--------------+
320 | Zone |
321 +--------------+
322 | D.F.IP6.ARPA |
323 +--------------+
324
325
326
327 Andrews Best Current Practice [Page 6]
328 RFC 6303 Locally Served DNS Zones July 2011
329
330
331 4.5. IPv6 Link-Local Addresses
332
333 IPv6 Link-Local Addresses as described in [RFC4291], Section 2.5.6
334 are covered by four distinct reverse DNS zones:
335
336 +----------------+
337 | Zone |
338 +----------------+
339 | 8.E.F.IP6.ARPA |
340 | 9.E.F.IP6.ARPA |
341 | A.E.F.IP6.ARPA |
342 | B.E.F.IP6.ARPA |
343 +----------------+
344
345 4.6. IPv6 Example Prefix
346
347 IPv6 example prefix [RFC3849].
348
349 +--------------------------+
350 | Zone |
351 +--------------------------+
352 | 8.B.D.0.1.0.0.2.IP6.ARPA |
353 +--------------------------+
354
355 Note: 8.B.D.0.1.0.0.2.IP6.ARPA is not being used as an example here.
356
357 5. Zones That Are Out of Scope
358
359 IPv6 site-local addresses (deprecated, see [RFC4291] Sections 2.4 and
360 2.5.7), and IPv6 non-locally assigned local addresses ([RFC4193]) are
361 not covered here.
362
363 It is expected that IPv6 site-local addresses will be self correcting
364 as IPv6 implementations remove support for site-local addresses.
365 However, sacrificial servers for the zones C.E.F.IP6.ARPA through
366 F.E.F.IP6.ARPA may still need to be deployed in the short term if the
367 traffic becomes excessive.
368
369 For IPv6 non-locally assigned local addresses (L = 0) [RFC4193],
370 there has been no decision made about whether the Regional Internet
371 Registries (RIRs) will provide delegations in this space or not. If
372 they don't, then C.F.IP6.ARPA will need to be added to the list in
373 Section 4.4. If they do, then registries will need to take steps to
374 ensure that nameservers are provided for these addresses.
375
376
377
378
379
380
381
382 Andrews Best Current Practice [Page 7]
383 RFC 6303 Locally Served DNS Zones July 2011
384
385
386 IP6.INT was once used to provide reverse mapping for IPv6. IP6.INT
387 was deprecated in [RFC4159] and the delegation removed from the INT
388 zone in June 2006. While it is possible that legacy software
389 continues to send queries for names under the IP6.INT domain, this
390 document does not specify that IP6.INT be considered a local zone.
391
392 This document has also deliberately ignored names immediately under
393 the root domain. While there is a subset of queries to the root
394 nameservers that could be addressed using the techniques described
395 here (e.g., .local, .workgroup, and IPv4 addresses), there is also a
396 vast amount of traffic that requires a different strategy (e.g.,
397 lookups for unqualified hostnames, IPv6 addresses).
398
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.
399 6. IANA Considerations
400
401 IANA has established a registry of zones that require this default
402 behaviour. The initial contents of this registry are defined in
403 Section 4. Implementors are encouraged to periodically check this
404 registry and adjust their implementations to reflect changes therein.
405
406 This registry can be amended through "IETF Review" as per [RFC5226].
407 As part of this review process, it should be noted that once a zone
408 is added it is effectively added permanently; once an address range
409 starts being configured as a local zone in systems on the Internet,
410 it will be impossible to reverse those changes.
411
412 IANA should coordinate with the RIRs to ensure that, as DNS Security
413 (DNSSEC) is deployed in the reverse tree, delegations for these zones
414 are made in the manner described in Section 7.
415
416 7. Security Considerations
417
418 During the initial deployment phase, particularly where [RFC1918]
419 addresses are in use, there may be some clients that unexpectedly
420 receive a name error rather than a PTR record. This may cause some
421 service disruption until their recursive nameserver(s) have been
422 re-configured.
423
424 As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
425 namespaces, the zones listed above will need to be delegated as
426 insecure delegations, or be within insecure zones. This will allow
427 DNSSEC validation to succeed for queries in these spaces despite not
428 being answered from the delegated servers.
429
430 It is recommended that sites actively using these namespaces secure
431 them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
432 anchors. This will protect the clients from accidental import of
433 unsigned responses from the Internet.
434
435
436
437 Andrews Best Current Practice [Page 8]
438 RFC 6303 Locally Served DNS Zones July 2011
439
440
441 8. Acknowledgements
442
443 This work was supported by the US National Science Foundation
444 (research grant SCI-0427144) and DNS-OARC.
445
446 9. References
447
448 9.1. Normative References
449
450 [RFC1034] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
451 STD 13, RFC 1034, November 1987.
452
453 [RFC1035] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
454 SPECIFICATION", STD 13, RFC 1035, November 1987.
455
456 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
457 and E. Lear, "Address Allocation for Private Internets",
458 BCP 5, RFC 1918, February 1996.
459
460 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
461 Requirement Levels", BCP 14, RFC 2119, March 1997.
462
463 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
464 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
465 RFC 2136, April 1997.
466
467 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
468 NCACHE)", RFC 2308, March 1998.
469
470 [RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS
471 Names", BCP 32, RFC 2606, June 1999.
472
473 [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
474 "DNS Extensions to Support IP Version 6", RFC 3596,
475 October 2003.
476
477 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
478 Rose, "Protocol Modifications for the DNS Security
479 Extensions", RFC 4035, March 2005.
480
481 [RFC4159] Huston, G., "Deprecation of "ip6.int"", BCP 109, RFC 4159,
482 August 2005.
483
484 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
485 Addresses", RFC 4193, October 2005.
486
487
488
489
490
491
492 Andrews Best Current Practice [Page 9]
493 RFC 6303 Locally Served DNS Zones July 2011
494
495
496 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
497 Architecture", RFC 4291, February 2006.
498
499 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
500 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
501 May 2008.
502
503 9.2. Informative References
504
505 [AS112] "AS112 Project", <http://www.as112.net/>.
506
507 [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
508 Reserved for Documentation", RFC 3849, July 2004.
509
510 [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
511 BCP 153, RFC 5735, January 2010.
512
513 [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
514 Reserved for Documentation", RFC 5737, January 2010.
515
516 [RFC6304] Abley, J. and W. Maton, "AS112 Nameserver Operations",
517 RFC 6304, July 2011.
518
519 [RFC6305] Abley, J. and W. Maton, "I'm Being Attacked by
520 PRISONER.IANA.ORG!", RFC 6305, July 2011.
521
522 Author's Address
523
524 Mark P. Andrews
525 Internet Systems Consortium
526 950 Charter Street
527 Redwood City, CA 94063
528 US
529
530 EMail: marka@isc.org
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547 Andrews Best Current Practice [Page 10]
548
The IANA registry is at https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml