Internet Engineering Task Force (IETF)                        M. Andrews
Request for Comments: 9471                                           ISC
Updates: 1034                                                   S. Huque
Category: Standards Track                                     Salesforce
ISSN: 2070-1721                                               P. Wouters
                                                                   Aiven
                                                              D. Wessels
                                                                Verisign
                                                          September 2023


              DNS Glue Requirements in Referral Responses

Abstract

   The DNS uses glue records to allow iterative clients to find the
   addresses of name servers that are contained within a delegated zone.
   Authoritative servers are expected to return all available glue
   records for in-domain name servers in a referral response.  If
   message size constraints prevent the inclusion of all glue records
   for in-domain name servers, the server must set the TC (Truncated)
   flag to inform the client that the response is incomplete and that
   the client should use another transport to retrieve the full
   response.  This document updates RFC 1034 to clarify correct server
   behavior.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9471.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Types of Glue in Referral Responses
     2.1.  Glue for In-Domain Name Servers
     2.2.  Glue for Sibling Domain Name Servers
     2.3.  Glue for Cyclic Sibling Domain Name Servers
     2.4.  Missing Glue
   3.  Requirements
     3.1.  Glue for In-Domain Name Servers
     3.2.  Glue for Sibling Domain Name Servers
     3.3.  Update to RFC 1034
   4.  Security Considerations
   5.  Operational Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   The Domain Name System (DNS) [RFC1034] [RFC1035] uses glue records to
   allow iterative clients to find the addresses of name servers that
   are contained within a delegated zone.  Glue records are added to the
   parent zone as part of the delegation process and returned in
   referral responses; otherwise, a resolver following the referral has
   no way of finding these addresses.  Authoritative servers are
   expected to return all available glue records for in-domain name
   servers in a referral response.  If message size constraints prevent
   the inclusion of all glue records for in-domain name servers over the
   chosen transport, the server MUST set the TC (Truncated) flag to
   inform the client that the response is incomplete and that the client
   SHOULD use another transport to retrieve the full response.  This
   document clarifies that expectation.

   DNS responses sometimes contain optional data in the additional
   section.  In-domain glue records, however, are not optional.  Several
   other protocol extensions, when used, are also not optional.  This
   includes TSIG [RFC8945], OPT [RFC6891], and SIG(0) [RFC2931].

   At the time of this writing, addresses (A or AAAA records) for a
   delegation's authoritative name servers are the only type of glue
   defined for the DNS.

   Note that this document only clarifies requirements for name server
   software implementations.  It does not introduce or change any
   requirements regarding data placed in DNS zones or registries.  In
   other words, this document only makes requirements regarding
   "available glue records" (i.e., those given in a zone) but does not
   make requirements regarding their presence in a zone.  If some glue
   records are absent from a given zone, an authoritative name server
   may be unable to return a useful referral response for the
   corresponding domain.  The IETF may want to consider a separate
   update to the requirements for including glue in zone data, beyond
   those given in [RFC1034] and [RFC1035].

   This document assumes a reasonable level of familiarity with DNS
   operations and protocol terms.  Much of the terminology is explained
   in further detail in "DNS Terminology" [RFC8499].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Types of Glue in Referral Responses

   This section describes different types of glue that may be found in
   DNS referral responses.  Note that the type of glue depends on the
   QNAME.  A particular name server (and its corresponding glue record)
   can be in-domain for one response and in a sibling domain for
   another.

2.1.  Glue for In-Domain Name Servers

   The following is a simple example of glue records present in the
   delegating zone "test" for the child zone "foo.test".  The name
   servers for foo.test (ns1.foo.test and ns2.foo.test) are both below
   the delegation point.  They are configured as glue records in the
   "test" zone:

      foo.test.                  86400   IN NS      ns1.foo.test.
      foo.test.                  86400   IN NS      ns2.foo.test.
      ns1.foo.test.              86400   IN A       192.0.2.1
      ns2.foo.test.              86400   IN AAAA    2001:db8::2:2

   A referral response from "test" for "foo.test" with glue for in-
   domain name servers looks like this:

      ;; QUESTION SECTION:
      ;www.foo.test.       IN      A

      ;; AUTHORITY SECTION:
      foo.test.               86400        IN      NS      ns1.foo.test.
      foo.test.               86400        IN      NS      ns2.foo.test.

      ;; ADDITIONAL SECTION:
      ns1.foo.test.           86400        IN      A       192.0.2.1
      ns2.foo.test.           86400        IN      AAAA    2001:db8::2:2

2.2.  Glue for Sibling Domain Name Servers

   Sibling domain name servers are NS records that are not contained in
   the delegated zone itself but rather are contained in another zone
   delegated from the same parent.  In many cases, glue for sibling
   domain name servers is not strictly required for resolution, since
   the resolver can make follow-on queries to the sibling zone to
   resolve the name server addresses (after following the referral to
   the sibling zone).  However, most name server implementations today
   provide them as an optimization to obviate the need for extra traffic
   from iterative resolvers.

   Here, the delegating zone "test" contains two delegations for the
   child zones "bar.test" and "foo.test":

      bar.test.                  86400   IN NS      ns1.bar.test.
      bar.test.                  86400   IN NS      ns2.bar.test.
      ns1.bar.test.              86400   IN A       192.0.2.1
      ns2.bar.test.              86400   IN AAAA    2001:db8::2:2

      foo.test.                  86400   IN NS      ns1.bar.test.
      foo.test.                  86400   IN NS      ns2.bar.test.

   A referral response from "test" for "foo.test" with glue for sibling
   domain name servers looks like this:

      ;; QUESTION SECTION:
      ;www.foo.test.       IN      A

      ;; AUTHORITY SECTION:
      foo.test.               86400        IN      NS      ns1.bar.test.
      foo.test.               86400        IN      NS      ns2.bar.test.

      ;; ADDITIONAL SECTION:
      ns1.bar.test.           86400        IN      A       192.0.2.1
      ns2.bar.test.           86400        IN      AAAA    2001:db8::2:2

2.3.  Glue for Cyclic Sibling Domain Name Servers

   The use of sibling domain name servers can introduce cyclic
   dependencies.  This happens when one domain specifies name servers
   from a sibling domain, and vice versa.  This type of cyclic
   dependency can only be broken when the delegating name server
   includes glue for the sibling domain in a referral response.

   Here, the delegating zone "test" contains two delegations for the
   child zones "bar.test" and "foo.test", and each uses name servers
   under the other:

      bar.test.                  86400   IN NS      ns1.foo.test.
      bar.test.                  86400   IN NS      ns2.foo.test.
      ns1.bar.test.              86400   IN A       192.0.2.1
      ns2.bar.test.              86400   IN AAAA    2001:db8::2:2

      foo.test.                  86400   IN NS      ns1.bar.test.
      foo.test.                  86400   IN NS      ns2.bar.test.
      ns1.foo.test.              86400   IN A       192.0.2.3
      ns2.foo.test.              86400   IN AAAA    2001:db8::2:4

   A referral response from "test" for "bar.test" with glue for sibling
   domain name servers looks like this:

      ;; QUESTION SECTION:
      ;www.bar.test.       IN      A

      ;; AUTHORITY SECTION:
      bar.test.               86400        IN      NS      ns1.foo.test.
      bar.test.               86400        IN      NS      ns2.foo.test.

      ;; ADDITIONAL SECTION:
      ns1.foo.test.           86400        IN      A       192.0.2.3
      ns2.foo.test.           86400        IN      AAAA    2001:db8::2:4

   In late 2021, the authors analyzed zone file data available from
   ICANN's Centralized Zone Data Service [CZDS] and found 222 out of
   approximately 209,000,000 total delegations that had only sibling
   domain NS Resource Records (RRs) in a cyclic dependency as above.

2.4.  Missing Glue

   An example of missing glue is included here, even though it cannot be
   considered as a type of glue.  While not common, real examples of
   responses that lack required glue, and with TC=0, have been shown to
   occur and cause resolution failures.

   The example below, from the dig command [DIG], is based on a response
   observed in June 2020.  The names have been altered to fall under
   documentation domains.  It shows a case where none of the glue
   records present in the zone fit into the available space of the UDP
   response, and the TC flag was not set.  While this example shows a
   referral with DNSSEC records [RFC4033] [RFC4034] [RFC4035], this
   behavior has been seen with plain DNS responses as well.  Some
   records have been truncated for display purposes.  Note that at the
   time of this writing, the servers originally responsible for this
   example have been updated and now correctly set the TC flag.

      % dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \
             rh202ns2.355.foo.example

      ; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \
             @ns.example.net rh202ns2.355.foo.example
      ; (2 servers found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8798
      ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags: do; udp: 4096
      ;; QUESTION SECTION:
      ;rh202ns2.355.foo.example.         IN A

      ;; AUTHORITY SECTION:
      foo.example.          86400   IN NS      rh120ns2.368.foo.example.
      foo.example.          86400   IN NS      rh202ns2.355.foo.example.
      foo.example.          86400   IN NS      rh120ns1.368.foo.example.
      foo.example.          86400   IN NS      rh202ns1.355.foo.example.
      foo.example.          3600    IN DS      51937 8 1 ...
      foo.example.          3600    IN DS      635 8 2 ...
      foo.example.          3600    IN DS      51937 8 2 ...
      foo.example.          3600    IN DS      635 8 1 ...
      foo.example.          3600    IN RRSIG   DS 8 2 3600 ...

3.  Requirements

   This section describes updated requirements for including glue in DNS
   referral responses.

3.1.  Glue for In-Domain Name Servers

   This document clarifies that when a name server generates a referral
   response, it MUST include all available glue records for in-domain
   name servers in the additional section or MUST set TC=1 if
   constrained by message size.

   At the time of this writing, most iterative clients send initial
   queries over UDP and retry over TCP upon receiving a response with
   the TC flag set.  UDP responses are generally limited to between 1232
   and 4096 bytes, due to values commonly used for the EDNS0 UDP Message
   Size field [RFC6891] [FLAGDAY2020].  TCP responses are limited to
   65,535 bytes.

3.2.  Glue for Sibling Domain Name Servers

   This document clarifies that when a name server generates a referral
   response, it SHOULD include all available glue records in the
   additional section.  If, after adding glue for all in-domain name
   servers, the glue for all sibling domain name servers does not fit
   due to message size constraints, the name server MAY set TC=1 but is
   not obligated to do so.

   Note that users may experience resolution failures for domains with
   cyclically dependent sibling name servers when the delegating name
   server chooses to omit the corresponding glue in a referral response.
   As described in Section 2.3, such domains are rare.

3.3.  Update to RFC 1034

   OLD:

   |  Copy the NS RRs for the subzone into the authority section of the
   |  reply.  Put whatever addresses are available into the additional
   |  section, using glue RRs if the addresses are not available from
   |  authoritative data or the cache.  Go to step 4.

   NEW:

   |  Copy the NS RRs for the subzone into the authority section of the
   |  reply.  Put whatever NS addresses are available into the
   |  additional section, using glue RRs if the addresses are not
   |  available from authoritative data or the cache.  If all glue RRs
   |  for in-domain name servers do not fit, set TC=1 in the header.  Go
   |  to step 4.
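   The following Python example is added here to make the Section 2
   glue classification, the Section 3.1/3.2 inclusion rules, and the
   Section 2.4 failure mode concrete; it is not code from this RFC or
   from any DNS implementation.  Record sizes are a constructed
   per-record estimate rather than real wire encoding, and the zone data
   is constructed from the Section 2.1 example plus a "bar.test"
   delegation whose name servers sit in the sibling zone "foo.test".

```python
"""Referral construction and a glue-compliance check modelled on RFC 9471.
Added example; the size model and zone data below are constructed."""
from dataclasses import dataclass, field

DNS_HEADER_LEN = 12   # fixed DNS message header size in bytes


@dataclass(frozen=True)
class RR:
    name: str    # owner name with trailing dot, e.g. "foo.test."
    rtype: str   # "NS", "A" or "AAAA"
    rdata: str   # NS target name, or address text for A/AAAA


def wire_size(rr: RR) -> int:
    """Constructed estimate: uncompressed owner name + 10 fixed bytes + rdata.
    A real server would use the encoded length, including name compression."""
    rdlen = {"A": 4, "AAAA": 16}.get(rr.rtype, len(rr.rdata) + 1)
    return len(rr.name) + 1 + 10 + rdlen


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name equals zone or lies below it (both with trailing dots)."""
    return name == zone or name.endswith("." + zone)


def classify_ns(nsname: str, child: str, parent: str) -> str:
    """Section 2: glue type depends on where the NS target sits relative to
    the delegated (child) zone and the delegating (parent) zone."""
    if in_bailiwick(nsname, child):
        return "in-domain"
    if in_bailiwick(nsname, parent):
        return "sibling"
    return "out-of-zone"   # the parent zone holds no glue for this name


@dataclass
class Referral:
    tc: bool = False
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def build_referral(zone: dict, parent: str, child: str, max_size: int) -> Referral:
    """Sections 3.1/3.2: every available in-domain glue RR is included or
    TC=1 is set; sibling glue is added only while it fits, TC stays 0."""
    ns_rrs = [r for r in zone.get(child, []) if r.rtype == "NS"]
    ref = Referral(authority=list(ns_rrs))
    used = DNS_HEADER_LEN + sum(wire_size(r) for r in ns_rrs)
    glue = {"in-domain": [], "sibling": [], "out-of-zone": []}
    for ns in ns_rrs:
        addrs = [r for r in zone.get(ns.rdata, []) if r.rtype in ("A", "AAAA")]
        glue[classify_ns(ns.rdata, child, parent)].extend(addrs)
    for rr in glue["in-domain"]:            # mandatory: all of it, or TC=1
        if used + wire_size(rr) > max_size:
            ref.tc = True
            return ref
        ref.additional.append(rr)
        used += wire_size(rr)
    for rr in glue["sibling"]:              # optimization: best effort only
        if used + wire_size(rr) <= max_size:
            ref.additional.append(rr)
            used += wire_size(rr)
    return ref


def lacks_required_glue(ref: Referral, child: str) -> bool:
    """Resolver-side check for the Section 2.4 failure mode: TC=0 while an
    in-domain name server has no address in the additional section."""
    if ref.tc:
        return False          # truncated; the client retries over TCP
    glued = {r.name for r in ref.additional if r.rtype in ("A", "AAAA")}
    return any(in_bailiwick(ns.rdata, child) and ns.rdata not in glued
               for ns in ref.authority)


# Constructed "test" zone: Section 2.1 data plus a sibling delegation.
TEST_ZONE = {
    "foo.test.": [RR("foo.test.", "NS", "ns1.foo.test."),
                  RR("foo.test.", "NS", "ns2.foo.test.")],
    "ns1.foo.test.": [RR("ns1.foo.test.", "A", "192.0.2.1")],
    "ns2.foo.test.": [RR("ns2.foo.test.", "AAAA", "2001:db8::2:2")],
    "bar.test.": [RR("bar.test.", "NS", "ns1.foo.test."),
                  RR("bar.test.", "NS", "ns2.foo.test.")],
}

if __name__ == "__main__":
    full = build_referral(TEST_ZONE, "test.", "foo.test.", 1232)
    tight = build_referral(TEST_ZONE, "test.", "foo.test.", 120)
    print(full.tc, len(full.additional))     # False 2
    print(tight.tc, len(tight.additional))   # True 1
```

   Querying "bar.test." with the same 120-byte limit returns one sibling
   glue record and TC=0, which is the Section 3.2 behaviour; the same
   limit on "foo.test." forces TC=1 because its glue is in-domain.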

4.  Security Considerations

   This document clarifies correct DNS server behavior and does not
   introduce any changes or new security considerations.

5.  Operational Considerations

   At the time of this writing, the behavior of most DNS server
   implementations is to set the TC flag only if none of the available
   glue records fit in a response over UDP transport.  The updated
   requirements in this document might lead to an increase in the
   fraction of UDP responses with the TC flag set and, consequently, an
   increase in the number of queries received over TCP transport.

6.  IANA Considerations

   This document has no IANA actions.

7.  References

7.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

7.2.  Informative References

   [CZDS]     ICANN, "Centralized Zone Data Service",
              <https://czds.icann.org/>.

   [DIG]      Wikipedia, "dig (command)", September 2023,
              <https://en.wikipedia.org/wiki/Dig_(command)>.

   [FLAGDAY2020]
              Various DNS software and service providers, "DNS Flag Day
              2020", October 2020, <https://dnsflagday.net/2020/>.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
              2000, <https://www.rfc-editor.org/info/rfc2931>.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005,
              <https://www.rfc-editor.org/info/rfc4033>.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005,
              <https://www.rfc-editor.org/info/rfc4034>.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
              <https://www.rfc-editor.org/info/rfc4035>.

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,
              <https://www.rfc-editor.org/info/rfc6891>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [RFC8945]  Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D.,
              Gudmundsson, O., and B. Wellington, "Secret Key
  417               Transaction Authentication for DNS (TSIG)", STD 93,          
  418               RFC 8945, DOI 10.17487/RFC8945, November 2020,               
  419               <https://www.rfc-editor.org/info/rfc8945>.                   
  420                                                                            
  421 Acknowledgements                                                           
  422                                                                            
  423    The authors wish to thank Joe Abley, David Blacka, Brian Dickson,       
  424    Kazunori Fujiwara, Paul Hoffman, Geoff Huston, John R. Levine, Jared    
  425    Mauch, George Michaelson, Yasuhiro Orange Morishita, Benno              
  426    Overeinder, Hugo Salgado, Shinta Sato, Puneet Sood, Petr Spacek, Ralf   
  427    Weber, Tim Wicinski, Suzanne Woolf, and other members of the DNSOP      
  428    Working Group for their input.                                          
  429                                                                            
  430 Authors' Addresses                                                         
  431                                                                            
  432    M. Andrews                                                              
  433    ISC                                                                     
  434    Email: marka@isc.org                                                    
  435                                                                            
  436                                                                            
  437    Shumon Huque                                                            
  438    Salesforce                                                              
  439    Email: shuque@gmail.com                                                 
  440                                                                            
  441                                                                            
  442    Paul Wouters                                                            
  443    Aiven                                                                   
  444    Email: paul.wouters@aiven.io                                            
  445                                                                            
  446                                                                            
  447    Duane Wessels                                                           
  448    Verisign                                                                
  449    Email: dwessels@verisign.com                                            
  450                                                                            
