1 Internet Engineering Task Force (IETF) M. Andrews
2 Request for Comments: 9471 ISC
3 Updates: 1034 S. Huque
4 Category: Standards Track Salesforce
5 ISSN: 2070-1721 P. Wouters
6 Aiven
7 D. Wessels
8 Verisign
9 September 2023
10
11
12 DNS Glue Requirements in Referral Responses
13
14 Abstract
15
16 The DNS uses glue records to allow iterative clients to find the
17 addresses of name servers that are contained within a delegated zone.
18 Authoritative servers are expected to return all available glue
19 records for in-domain name servers in a referral response. If
20 message size constraints prevent the inclusion of all glue records
21 for in-domain name servers, the server must set the TC (Truncated)
22 flag to inform the client that the response is incomplete and that
23 the client should use another transport to retrieve the full
24 response. This document updates RFC 1034 to clarify correct server
25 behavior.
26
27 Status of This Memo
28
29 This is an Internet Standards Track document.
30
31 This document is a product of the Internet Engineering Task Force
32 (IETF). It represents the consensus of the IETF community. It has
33 received public review and has been approved for publication by the
34 Internet Engineering Steering Group (IESG). Further information on
35 Internet Standards is available in Section 2 of RFC 7841.
36
37 Information about the current status of this document, any errata,
38 and how to provide feedback on it may be obtained at
39 https://www.rfc-editor.org/info/rfc9471.
40
41 Copyright Notice
42
43 Copyright (c) 2023 IETF Trust and the persons identified as the
44 document authors. All rights reserved.
45
46 This document is subject to BCP 78 and the IETF Trust's Legal
47 Provisions Relating to IETF Documents
48 (https://trustee.ietf.org/license-info) in effect on the date of
49 publication of this document. Please review these documents
50 carefully, as they describe your rights and restrictions with respect
51 to this document. Code Components extracted from this document must
52 include Revised BSD License text as described in Section 4.e of the
53 Trust Legal Provisions and are provided without warranty as described
54 in the Revised BSD License.
55
56 Table of Contents
57
58 1. Introduction
59 1.1. Requirements Language
60 2. Types of Glue in Referral Responses
61 2.1. Glue for In-Domain Name Servers
62 2.2. Glue for Sibling Domain Name Servers
63 2.3. Glue for Cyclic Sibling Domain Name Servers
64 2.4. Missing Glue
65 3. Requirements
66 3.1. Glue for In-Domain Name Servers
67 3.2. Glue for Sibling Domain Name Servers
68 3.3. Update to RFC 1034
69 4. Security Considerations
70 5. Operational Considerations
71 6. IANA Considerations
72 7. References
73 7.1. Normative References
74 7.2. Informative References
75 Acknowledgements
76 Authors' Addresses
77
78 1. Introduction
79
80 The Domain Name System (DNS) [RFC1034] [RFC1035] uses glue records to
81 allow iterative clients to find the addresses of name servers that
82 are contained within a delegated zone. Glue records are added to the
83 parent zone as part of the delegation process and returned in
84 referral responses; otherwise, a resolver following the referral has
85 no way of finding these addresses. Authoritative servers are
86 expected to return all available glue records for in-domain name
87 servers in a referral response. If message size constraints prevent
88 the inclusion of all glue records for in-domain name servers over the
89 chosen transport, the server MUST set the TC (Truncated) flag to
90 inform the client that the response is incomplete and that the client
91 SHOULD use another transport to retrieve the full response. This
92 document clarifies that expectation.
93
94 DNS responses sometimes contain optional data in the additional
95 section. In-domain glue records, however, are not optional. Several
96 other protocol extensions, when used, are also not optional. This
97 includes TSIG [RFC8945], OPT [RFC6891], and SIG(0) [RFC2931].
98
99 At the time of this writing, addresses (A or AAAA records) for a
100 delegation's authoritative name servers are the only type of glue
101 defined for the DNS.
102
103 Note that this document only clarifies requirements for name server
104 software implementations. It does not introduce or change any
105 requirements regarding data placed in DNS zones or registries. In
106 other words, this document only makes requirements regarding
107 "available glue records" (i.e., those given in a zone) but does not
108 make requirements regarding their presence in a zone. If some glue
109 records are absent from a given zone, an authoritative name server
110 may be unable to return a useful referral response for the
111 corresponding domain. The IETF may want to consider a separate
112 update to the requirements for including glue in zone data, beyond
113 those given in [RFC1034] and [RFC1035].
114
115 This document assumes a reasonable level of familiarity with DNS
116 operations and protocol terms. Much of the terminology is explained
117 in further detail in "DNS Terminology" [RFC8499].
118
119 1.1. Requirements Language
120
121 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
122 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
123 "OPTIONAL" in this document are to be interpreted as described in
124 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
125 capitals, as shown here.
126
127 2. Types of Glue in Referral Responses
128
129 This section describes different types of glue that may be found in
130 DNS referral responses. Note that the type of glue depends on the
131 QNAME. A particular name server (and its corresponding glue record)
132 can be in-domain for one response and in a sibling domain for
133 another.
134
135 2.1. Glue for In-Domain Name Servers
136
137 The following is a simple example of glue records present in the
138 delegating zone "test" for the child zone "foo.test". The name
139 servers for foo.test (ns1.foo.test and ns2.foo.test) are both below
140 the delegation point. They are configured as glue records in the
141 "test" zone:
142
143 foo.test. 86400 IN NS ns1.foo.test.
144 foo.test. 86400 IN NS ns2.foo.test.
145 ns1.foo.test. 86400 IN A 192.0.2.1
146 ns2.foo.test. 86400 IN AAAA 2001:db8::2:2
147
148 A referral response from "test" for "foo.test" with glue for in-
149 domain name servers looks like this:
150
151 ;; QUESTION SECTION:
152 ;www.foo.test. IN A
153
154 ;; AUTHORITY SECTION:
155 foo.test. 86400 IN NS ns1.foo.test.
156 foo.test. 86400 IN NS ns2.foo.test.
157
158 ;; ADDITIONAL SECTION:
159 ns1.foo.test. 86400 IN A 192.0.2.1
160 ns2.foo.test. 86400 IN AAAA 2001:db8::2:2
161
162 2.2. Glue for Sibling Domain Name Servers
163
164 Sibling domain name servers are NS records that are not contained in
165 the delegated zone itself but rather are contained in another zone
166 delegated from the same parent. In many cases, glue for sibling
167 domain name servers is not strictly required for resolution, since
168 the resolver can make follow-on queries to the sibling zone to
169 resolve the name server addresses (after following the referral to
170 the sibling zone). However, most name server implementations today
171 provide them as an optimization to obviate the need for extra traffic
172 from iterative resolvers.
173
174 Here, the delegating zone "test" contains two delegations for the
175 child zones "bar.test" and "foo.test":
176
177 bar.test. 86400 IN NS ns1.bar.test.
178 bar.test. 86400 IN NS ns2.bar.test.
179 ns1.bar.test. 86400 IN A 192.0.2.1
180 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
181
182 foo.test. 86400 IN NS ns1.bar.test.
183 foo.test. 86400 IN NS ns2.bar.test.
184
185 A referral response from "test" for "foo.test" with glue for sibling
186 domain name servers looks like this:
187
188 ;; QUESTION SECTION:
189 ;www.foo.test. IN A
190
191 ;; AUTHORITY SECTION:
192 foo.test. 86400 IN NS ns1.bar.test.
193 foo.test. 86400 IN NS ns2.bar.test.
194
195 ;; ADDITIONAL SECTION:
196 ns1.bar.test. 86400 IN A 192.0.2.1
197 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
198
199 2.3. Glue for Cyclic Sibling Domain Name Servers
200
201 The use of sibling domain name servers can introduce cyclic
202 dependencies. This happens when one domain specifies name servers
203 from a sibling domain, and vice versa. This type of cyclic
204 dependency can only be broken when the delegating name server
205 includes glue for the sibling domain in a referral response.
206
207 Here, the delegating zone "test" contains two delegations for the
208 child zones "bar.test" and "foo.test", and each uses name servers
209 under the other:
210
211 bar.test. 86400 IN NS ns1.foo.test.
212 bar.test. 86400 IN NS ns2.foo.test.
213 ns1.bar.test. 86400 IN A 192.0.2.1
214 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2
215
216 foo.test. 86400 IN NS ns1.bar.test.
217 foo.test. 86400 IN NS ns2.bar.test.
218 ns1.foo.test. 86400 IN A 192.0.2.3
219 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4
220
221 A referral response from "test" for "bar.test" with glue for sibling
222 domain name servers looks like this:
223
224 ;; QUESTION SECTION:
225 ;www.bar.test. IN A
226
227 ;; AUTHORITY SECTION:
228 bar.test. 86400 IN NS ns1.foo.test.
229 bar.test. 86400 IN NS ns2.foo.test.
230
231 ;; ADDITIONAL SECTION:
232 ns1.foo.test. 86400 IN A 192.0.2.3
233 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4
234
235 In late 2021, the authors analyzed zone file data available from
236 ICANN's Centralized Zone Data Service [CZDS] and found 222 out of
237 approximately 209,000,000 total delegations that had only sibling
238 domain NS Resource Records (RRs) in a cyclic dependency as above.
239
240 2.4. Missing Glue
241
242 An example of missing glue is included here, even though it cannot be
243 considered as a type of glue. While not common, real examples of
244 responses that lack required glue, and with TC=0, have been shown to
245 occur and cause resolution failures.
246
247 The example below, from the dig command [DIG], is based on a response
248 observed in June 2020. The names have been altered to fall under
249 documentation domains. It shows a case where none of the glue
250 records present in the zone fit into the available space of the UDP
251 response, and the TC flag was not set. While this example shows a
252 referral with DNSSEC records [RFC4033] [RFC4034] [RFC4035], this
253 behavior has been seen with plain DNS responses as well. Some
254 records have been truncated for display purposes. Note that at the
255 time of this writing, the servers originally responsible for this
256 example have been updated and now correctly set the TC flag.
257
258 % dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \
259 rh202ns2.355.foo.example
260
261 ; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \
262 @ns.example.net rh202ns2.355.foo.example
263 ; (2 servers found)
264 ;; global options: +cmd
265 ;; Got answer:
266 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8798
267 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
268
269 ;; OPT PSEUDOSECTION:
270 ; EDNS: version: 0, flags: do; udp: 4096
271 ;; QUESTION SECTION:
272 ;rh202ns2.355.foo.example. IN A
273
274 ;; AUTHORITY SECTION:
275 foo.example. 86400 IN NS rh120ns2.368.foo.example.
276 foo.example. 86400 IN NS rh202ns2.355.foo.example.
277 foo.example. 86400 IN NS rh120ns1.368.foo.example.
278 foo.example. 86400 IN NS rh202ns1.355.foo.example.
279 foo.example. 3600 IN DS 51937 8 1 ...
280 foo.example. 3600 IN DS 635 8 2 ...
281 foo.example. 3600 IN DS 51937 8 2 ...
282 foo.example. 3600 IN DS 635 8 1 ...
283 foo.example. 3600 IN RRSIG DS 8 2 3600 ...
284
285 3. Requirements
286
287 This section describes updated requirements for including glue in DNS
288 referral responses.
289
290 3.1. Glue for In-Domain Name Servers
291
292 This document clarifies that when a name server generates a referral
293 response, it MUST include all available glue records for in-domain
294 name servers in the additional section or MUST set TC=1 if
295 constrained by message size.
296
297 At the time of this writing, most iterative clients send initial
298 queries over UDP and retry over TCP upon receiving a response with
299 the TC flag set. UDP responses are generally limited to between 1232
300 and 4096 bytes, due to values commonly used for the EDNS0 UDP Message
301 Size field [RFC6891] [FLAGDAY2020]. TCP responses are limited to
302 65,535 bytes.
303
304 3.2. Glue for Sibling Domain Name Servers
305
306 This document clarifies that when a name server generates a referral
307 response, it SHOULD include all available glue records in the
308 additional section. If, after adding glue for all in-domain name
309 servers, the glue for all sibling domain name servers does not fit
310 due to message size constraints, the name server MAY set TC=1 but is
311 not obligated to do so.
312
313 Note that users may experience resolution failures for domains with
314 cyclically dependent sibling name servers when the delegating name
315 server chooses to omit the corresponding glue in a referral response.
316 As described in Section 2.3, such domains are rare.
317
318 3.3. Update to RFC 1034
319
320 OLD:
321
322 | Copy the NS RRs for the subzone into the authority section of the
323 | reply. Put whatever addresses are available into the additional
324 | section, using glue RRs if the addresses are not available from
325 | authoritative data or the cache. Go to step 4.
326
327 NEW:
328
329 | Copy the NS RRs for the subzone into the authority section of the
330 | reply. Put whatever NS addresses are available into the
331 | additional section, using glue RRs if the addresses are not
332 | available from authoritative data or the cache. If all glue RRs
333 | for in-domain name servers do not fit, set TC=1 in the header. Go
334 | to step 4.
335
336 4. Security Considerations
337
338 This document clarifies correct DNS server behavior and does not
339 introduce any changes or new security considerations.
340
341 5. Operational Considerations
342
343 At the time of this writing, the behavior of most DNS server
344 implementations is to set the TC flag only if none of the available
345 glue records fit in a response over UDP transport. The updated
346 requirements in this document might lead to an increase in the
347 fraction of UDP responses with the TC flag set and, consequently, an
348 increase in the number of queries received over TCP transport.
349
350 6. IANA Considerations
351
352 This document has no IANA actions.
353
354 7. References
355
356 7.1. Normative References
357
358 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
359 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
360 <https://www.rfc-editor.org/info/rfc1034>.
361
362 [RFC1035] Mockapetris, P., "Domain names - implementation and
363 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
364 November 1987, <https://www.rfc-editor.org/info/rfc1035>.
365
366 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
367 Requirement Levels", BCP 14, RFC 2119,
368 DOI 10.17487/RFC2119, March 1997,
369 <https://www.rfc-editor.org/info/rfc2119>.
370
371 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
372 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
373 May 2017, <https://www.rfc-editor.org/info/rfc8174>.
374
375 7.2. Informative References
376
377 [CZDS] ICANN, "Centralized Zone Data Service",
378 <https://czds.icann.org/>.
379
380 [DIG] Wikipedia, "dig (command)", September 2023,
381 <https://en.wikipedia.org/wiki/Dig_(command)>.
382
383 [FLAGDAY2020]
384 Various DNS software and service providers, "DNS Flag Day
385 2020", October 2020, <https://dnsflagday.net/2020/>.
386
387 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
388 ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
389 2000, <https://www.rfc-editor.org/info/rfc2931>.
390
391 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
392 Rose, "DNS Security Introduction and Requirements",
393 RFC 4033, DOI 10.17487/RFC4033, March 2005,
394 <https://www.rfc-editor.org/info/rfc4033>.
395
396 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
397 Rose, "Resource Records for the DNS Security Extensions",
398 RFC 4034, DOI 10.17487/RFC4034, March 2005,
399 <https://www.rfc-editor.org/info/rfc4034>.
400
401 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
402 Rose, "Protocol Modifications for the DNS Security
403 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
404 <https://www.rfc-editor.org/info/rfc4035>.
405
406 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
407 for DNS (EDNS(0))", STD 75, RFC 6891,
408 DOI 10.17487/RFC6891, April 2013,
409 <https://www.rfc-editor.org/info/rfc6891>.
410
411 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
412 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
413 January 2019, <https://www.rfc-editor.org/info/rfc8499>.
414
415 [RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D.,
416 Gudmundsson, O., and B. Wellington, "Secret Key
417 Transaction Authentication for DNS (TSIG)", STD 93,
418 RFC 8945, DOI 10.17487/RFC8945, November 2020,
419 <https://www.rfc-editor.org/info/rfc8945>.
420
421 Acknowledgements
422
423 The authors wish to thank Joe Abley, David Blacka, Brian Dickson,
424 Kazunori Fujiwara, Paul Hoffman, Geoff Huston, John R. Levine, Jared
425 Mauch, George Michaelson, Yasuhiro Orange Morishita, Benno
426 Overeinder, Hugo Salgado, Shinta Sato, Puneet Sood, Petr Spacek, Ralf
427 Weber, Tim Wicinski, Suzanne Woolf, and other members of the DNSOP
428 Working Group for their input.
429
430 Authors' Addresses
431
432 M. Andrews
433 ISC
434 Email: marka@isc.org
435
436
437 Shumon Huque
438 Salesforce
439 Email: shuque@gmail.com
440
441
442 Paul Wouters
443 Aiven
444 Email: paul.wouters@aiven.io
445
446
447 Duane Wessels
448 Verisign
449 Email: dwessels@verisign.com
450
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.