Network Working Group A. Kumar
Request for Comments: 1536 J. Postel
Category: Informational C. Neuman
 ISI
 P. Danzig
 S. Miller
 USC
 October 1993


 Common DNS Implementation Errors and Suggested Fixes

Status of this Memo

 This memo provides information for the Internet community. It does
 not specify an Internet standard. Distribution of this memo is
 unlimited.

Abstract

 This memo describes common errors seen in DNS implementations and
 suggests some fixes. Where applicable, violations of recommendations
 from STD 13, RFC 1034 and STD 13, RFC 1035 are mentioned. The memo
 also describes, where relevant, the algorithms followed in BIND
 (versions 4.8.3 and 4.9, which the authors referred to) to serve as an
 example.

Introduction

 The last few years have seen a virtual explosion of DNS traffic
 on the NSFnet backbone. Various DNS implementations and various
 versions of these implementations interact with each other, producing
 huge amounts of unnecessary traffic. Researchers all over the
 Internet are attempting to document the nature of these
 interactions and the symptomatic traffic patterns, and to devise
 remedies for the sick pieces of software.

 This draft is an attempt to document fixes for known DNS problems so
 people know what problems to watch out for and how to repair broken
 software.

1. Fast Retransmissions

 DNS implements the classic request-response scheme of client-server
 interaction. UDP is, therefore, the chosen protocol for communication,
 though TCP is used for zone transfers. The onus of requerying, in case
 no response is seen in a "reasonable" period of time, lies with the
 client. Although RFC 1034 and 1035 do not recommend any

Kumar, Postel, Neuman, Danzig & Miller [Page 1]

RFC 1536 Common DNS Implementation Errors October 1993

 retransmission policy, RFC 1035 does recommend that resolvers
 should cycle through a list of servers. Both name servers and stub
 resolvers should, therefore, implement some kind of retransmission
 policy based on round-trip time estimates for the name servers. The
 client should back off exponentially, probably up to a maximum
 time-out value.

 However, clients might implement neither of the two. They might
 not wait a sufficient amount of time before retransmitting, or they
 might not back off their inter-query times sufficiently.

 Thus, what the server sees is a series of queries from the same
 querying entity, spaced very close together. Of course, a correctly
 implemented server discards all duplicate queries, but the queries
 contribute to wide-area traffic nevertheless.

 We classify a retransmission of a query as a pure Fast retry timeout
 problem when a series of query packets meets the following conditions.

 a. Query packets are seen within a time less than a "reasonable
 waiting period" of each other.

 b. No response to the original query was seen, i.e., we see two or
 more queries back to back.

 c. The query packets share the same query identifier.

 d. The server eventually responds to the query.

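As an added example (not part of the memo and not BIND code), the following applies conditions (a) to (d) to a packet trace of queries and responses; the Event record, the constructed trace and the 4 second "reasonable waiting period" are assumptions made here.

```python
"""Detect "pure Fast retry timeout" bursts in a DNS packet trace, using the four
conditions (a)-(d) from RFC 1536 section 1.

Added example, not part of RFC 1536 or of BIND. The Event record, the
constructed trace and the 4 second "reasonable waiting period" are assumptions
made here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REASONABLE_WAIT = 4.0   # seconds; assumption (the memo's initial stub time-out floor)


@dataclass(frozen=True)
class Event:
    t: float      # seconds since start of trace
    kind: str     # "query" or "response"
    client: str   # querying entity
    server: str   # name server addressed
    qid: int      # DNS message identifier
    qname: str


def fast_retry_episodes(trace: List[Event]) -> List[Tuple[str, str, int, int]]:
    """Return (client, server, qid, burst_length) for every burst of queries that
    satisfies all of conditions (a) to (d)."""
    # Condition (c): the conditions are evaluated per (client, server, query id).
    groups: Dict[Tuple[str, str, int], List[Event]] = {}
    for ev in sorted(trace, key=lambda e: e.t):
        groups.setdefault((ev.client, ev.server, ev.qid), []).append(ev)

    episodes: List[Tuple[str, str, int, int]] = []
    for (client, server, qid), events in groups.items():
        queries = [e for e in events if e.kind == "query"]
        responses = [e for e in events if e.kind == "response"]
        if not responses:
            continue                      # (d) fails: the server never answered
        first_response = min(r.t for r in responses)
        # (b): only queries sent before any response count as unanswered retries
        burst = [q for q in queries if q.t < first_response]
        if len(burst) < 2:
            continue                      # (b) fails: no back-to-back queries
        gaps = [later.t - earlier.t for earlier, later in zip(burst, burst[1:])]
        if all(gap < REASONABLE_WAIT for gap in gaps):   # (a)
            episodes.append((client, server, qid, len(burst)))
    return episodes


# Constructed trace (assumption): c1 retries every half second and is finally
# answered; c2 backs off properly; c3 is never answered; c4 retries only after
# it has already been answered (a duplicate, not a fast retry).
SAMPLE_TRACE = [
    Event(0.0, "query", "c1", "s1", 0x1234, "www.example.test"),
    Event(0.5, "query", "c1", "s1", 0x1234, "www.example.test"),
    Event(1.0, "query", "c1", "s1", 0x1234, "www.example.test"),
    Event(1.3, "response", "c1", "s1", 0x1234, "www.example.test"),
    Event(0.0, "query", "c2", "s1", 0x0007, "www.example.test"),
    Event(5.0, "query", "c2", "s1", 0x0007, "www.example.test"),
    Event(5.2, "response", "c2", "s1", 0x0007, "www.example.test"),
    Event(0.0, "query", "c3", "s1", 0x0009, "mail.example.test"),
    Event(0.2, "query", "c3", "s1", 0x0009, "mail.example.test"),
    Event(0.0, "query", "c4", "s1", 0x000B, "ftp.example.test"),
    Event(0.1, "response", "c4", "s1", 0x000B, "ftp.example.test"),
    Event(0.3, "query", "c4", "s1", 0x000B, "ftp.example.test"),
]

if __name__ == "__main__":
    for client, server, qid, n in fast_retry_episodes(SAMPLE_TRACE):
        print("fast retry: %s -> %s id=%#06x, %d queries before a reply"
              % (client, server, qid, n))
```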
A GOOD IMPLEMENTATION:

 BIND (we looked at versions 4.8.3 and 4.9) implements a good
 retransmission algorithm which solves or limits all of these
 problems. The Berkeley stub-resolver queries servers at an interval
 that starts at the greater of 4 seconds and 5 seconds divided by the
 number of servers the resolver queries. The resolver cycles through
 servers and, at the end of a cycle, backs off the time-out
 exponentially.

 The Berkeley full-service resolver (built in with the program
 "named") starts with a time-out equal to the greater of 4 seconds and
 two times the round-trip time estimate of the server. The time-out
 is backed off with each cycle, exponentially, to a ceiling value of
 45 seconds.

FIXES:

 a. Estimate round-trip times or set a reasonably high initial
 time-out.

 b. Back off time-out periods exponentially.

 c. Yet another fundamental, though difficult, fix is to send the
 client an acknowledgement of a query, with a round-trip time
 estimate.

 Since UDP is used, no response is expected by the client until the
 query is complete. Thus, the client is less likely to have information
 about previous packets on which to base its back-off time, unless it
 maintains state across queries so that subsequent queries to the same
 server use information from previous ones. Unfortunately, such
 estimates are likely to be inaccurate for chained requests, since the
 variance is likely to be high.

 The fix chosen in the ARDP library used by Prospero is that the
 server will send an initial acknowledgement to the client in those
 cases where the server expects the query to take a long time (as
 might be the case for chained queries). This initial acknowledgement
 can include an expected time to wait before retrying.

 This fix is more difficult since it requires that the client software
 also be trained to expect the acknowledgement packet. This, in an
 internet of millions of hosts, is at best a hard problem.

2. Recursion Bugs

 When a server receives a client request, it first looks up its zone
 data and the cache to check if the query can be answered. If the
 answer is unavailable in either place, the server seeks, in its cache
 or zone data, names of servers that are more likely to have the
 information. It then does one of two things. If the client desires the
 server to recurse and the server architecture allows recursion, the
 server chains this request to those known servers closest to the
 queried name. If the client doesn't seek recursion or if the server
 cannot handle recursion, it returns the list of name servers to the
 client, assuming the client knows what to do with these records.

 The client queries this new list of name servers to get either the
 answer, or names of another set of name servers to query. This
 process repeats until the client is satisfied. Servers might also go
 through this chaining process if the server returns a CNAME record
 for the queried name. Some servers reprocess this name to try to get
 the desired record type.

 However, in certain cases, this chain of events may not be good. For
 example, a broken or malicious name server might list itself as one
 of the name servers to query again. The unsuspecting client resends
 the same query to the same server.

 In another situation, more difficult to detect, a set of servers
 might form a loop wherein A refers to B and B refers to A. This loop
 might involve more than two servers.

 Yet another error is where the client does not know how to process
 the list of name servers returned, and requeries the same server
 since that is one (of the few) servers it knows.

 We, therefore, classify recursion bugs into three distinct
 categories:

 a. Ignored referral: Client did not know how to handle NS records
 in the AUTHORITY section.

 b. Too many referrals: Client called on a server too many times,
 beyond a "reasonable" number, with the same query. This is
 different from a Fast retransmission problem and a Server
 Failure detection problem in that a response is seen for every
 query. Also, the identifiers are always different. It implies
 the client is in a loop and should have detected that and broken
 it. (RFC 1035 mentions that a client should not recurse beyond
 a certain depth.)

 c. Malicious Server: a server refers to itself in the authority
 section. If a server does not have an answer now, it is very
 unlikely it will be any better the next time you query it,
 especially when it claims to be authoritative over a domain.

 RFC 1034 warns against such situations, on page 35:

 "Bound the amount of work (packets sent, parallel processes
 started) so that a request can't get into an infinite loop or
 start off a chain reaction of requests or queries with other
 implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
 SOME DATA."

A GOOD IMPLEMENTATION:

 BIND fixes at least one of these problems. It places an upper limit
 on the number of recursive queries it will make to answer a
 question. It chases a maximum of 20 referral links and 8 canonical
 name translations.

FIXES:

 a. Set an upper limit on the number of referral links and CNAME
 links you are willing to chase.

 Note that this is not guaranteed to break only recursion loops.
 It could, in a rare case, prune off a very long search path
 prematurely. We know, however, with high probability, that if
 the number of links crosses a certain metric (two times the depth
 of the DNS tree), it is a recursion problem.

 b. Watch out for self-referring servers. Avoid them whenever
 possible.

 c. Make sure you never pass off an authority NS record with your
 own name on it!

 d. Fix clients to accept iterative answers from servers not built
 to provide recursion. Such clients should either be happy with
 the non-authoritative answer or be willing to chase the
 referral links themselves.

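The following added example (not BIND's code) shows a client-side referral chaser that applies fixes (a) to (d) above: it bounds referral and CNAME links at the BIND values the memo quotes, drops self-referrals, and cuts A -> B -> A loops. The Reply shape, the mock server table, mock_query, try_resolve and ResolutionError are assumptions made here.

```python
"""Iterative resolution bounded the way RFC 1536 section 2 recommends.

Added example, not BIND's code. The Reply shape, the mock server table, the
mock_query/try_resolve helpers and ResolutionError are assumptions made here;
the limits of 20 referral links and 8 canonical-name translations are the BIND
values quoted in the memo.
"""
from typing import Any, Callable, Dict, List, NamedTuple, Set, Tuple

MAX_REFERRALS = 20   # referral links chased per question (BIND value quoted in the memo)
MAX_CNAMES = 8       # canonical-name translations per question (BIND value quoted in the memo)


class Reply(NamedTuple):
    kind: str   # "answer" (data: addresses), "referral" (data: NS names from the
                # AUTHORITY section) or "cname" (data: canonical name)
    data: Any


class ResolutionError(Exception):
    pass


Lookup = Callable[[str, str], Reply]   # (server, qname) -> Reply


def resolve(qname: str, roots: List[str], query: Lookup) -> Tuple[List[str], List[str]]:
    """Chase referrals and CNAMEs for qname starting at the given root servers.
    Returns (addresses, log of bounding decisions taken)."""
    log: List[str] = []
    referrals = cnames = 0
    asked: Set[Tuple[str, str]] = set()      # (server, qname) pairs already queried
    servers = list(roots)
    while servers:
        server = servers.pop(0)
        if (server, qname) in asked:
            # Loop detection: a referral back to a server already asked this name
            # (A refers to B, B refers to A) is never followed a second time.
            log.append("loop: %s already asked for %s" % (server, qname))
            continue
        asked.add((server, qname))
        reply = query(server, qname)
        if reply.kind == "answer":
            return list(reply.data), log
        if reply.kind == "cname":
            cnames += 1                                   # fix a: bound CNAME links
            if cnames > MAX_CNAMES:
                raise ResolutionError("CNAME chain longer than %d" % MAX_CNAMES)
            log.append("cname: %s -> %s" % (qname, reply.data))
            qname = str(reply.data)
            servers = list(roots)                         # restart for the canonical name
            continue
        # Referral (fix d): the client chases it itself rather than re-asking.
        referrals += 1                                    # fix a: bound referral links
        if referrals > MAX_REFERRALS:
            raise ResolutionError("more than %d referral links" % MAX_REFERRALS)
        targets = [ns for ns in reply.data if ns != server]   # fix b: drop self-referrals
        if len(targets) < len(reply.data):
            log.append("self-referral from %s ignored" % server)
        servers = targets
    raise ResolutionError("no server left to ask for %s" % qname)


# Constructed mock of a small set of name servers (assumption).
MOCK: Dict[Tuple[str, str], Reply] = {
    ("root", "www.example.test"): Reply("referral", ["ns.example.test"]),
    ("ns.example.test", "www.example.test"): Reply("cname", "host.example.test"),
    ("root", "host.example.test"): Reply("referral", ["ns.example.test"]),
    ("ns.example.test", "host.example.test"): Reply("answer", ["192.0.2.10"]),
    # a broken server that names itself in the AUTHORITY section (category c)
    ("root", "self.broken.test"): Reply("referral", ["ns.broken.test"]),
    ("ns.broken.test", "self.broken.test"): Reply("referral", ["ns.broken.test"]),
    # two servers that refer to each other (the A -> B -> A loop)
    ("root", "loop.test"): Reply("referral", ["a.loop.test"]),
    ("a.loop.test", "loop.test"): Reply("referral", ["b.loop.test"]),
    ("b.loop.test", "loop.test"): Reply("referral", ["a.loop.test"]),
}
for i in range(10):   # a CNAME chain longer than the 8-link limit
    MOCK[("root", "c%d.chain.test" % i)] = Reply("cname", "c%d.chain.test" % (i + 1))


def mock_query(server: str, qname: str) -> Reply:
    return MOCK[(server, qname)]


def try_resolve(qname: str) -> Tuple[str, List[str]]:
    """Run the mock and report ('ok', addresses) or ('error', [reason])."""
    try:
        addresses, _log = resolve(qname, ["root"], mock_query)
        return "ok", addresses
    except ResolutionError as exc:
        return "error", [str(exc)]
```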
3. Zero Answer Bugs:

 Name servers sometimes return an authoritative NOERROR with no
 ANSWER, AUTHORITY or ADDITIONAL records. This happens when the
 queried name is valid but does not have a record of the desired
 type. Of course, the server has authority over the domain.

 However, once again, some implementations of resolvers do not
 interpret this kind of response reasonably. They always expect an
 answer record when they see an authoritative NOERROR. These entities
 continue to resend their queries, possibly endlessly.

A GOOD IMPLEMENTATION

 BIND resolver code does not query a server more than 3 times. If it
 is unable to get an answer from 4 servers, querying them three times
 each, it returns an error.

 Of course, it treats a zero-answer response the way it should be
 treated: with respect!

FIXES:

 a. Set an upper limit on the number of retransmissions for a given
 query, at the very least.

 b. Fix resolvers to interpret such a response as an authoritative
 statement of non-existence of the record type for the given
 name.

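As an added example (not BIND code), the classifier below reads the 12-byte header of a DNS response (RFC 1035 section 4.1.1) and treats an authoritative NOERROR with zero answers as a final "no data" result rather than a reason to retry; the sample messages, build_response, classify and is_final are constructed here.

```python
"""Classify a DNS response by its header so that an authoritative NOERROR with
no ANSWER records is accepted as "no such RR type" (RFC 1536 section 3).

Added example, not BIND code. The sample messages are constructed here and
carry only the header (RFC 1035 section 4.1.1); build_response, classify and
is_final are names chosen for this illustration.
"""
import struct

QR = 0x8000            # flags bit 15: message is a response
AA = 0x0400            # flags bit 10: authoritative answer
RCODE_MASK = 0x000F    # flags bits 0-3: response code
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def build_response(msg_id: int, rcode: int, aa: bool,
                   ancount: int, nscount: int, arcount: int) -> bytes:
    """Constructed response header with one question and the given counts."""
    flags = QR | (AA if aa else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, nscount, arcount)


def classify(msg: bytes) -> str:
    """Map a response to what a resolver should do with it."""
    if len(msg) < 12:
        return "malformed"
    _msg_id, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        return "not-a-response"
    rcode = flags & RCODE_MASK
    if rcode == NXDOMAIN:
        return "nxdomain"        # the name does not exist: final
    if rcode != NOERROR:
        return "error"           # SERVFAIL etc.: try another server (section 4)
    if ancount > 0:
        return "answer"
    if flags & AA:
        return "nodata"          # the zero-answer case: name exists, no RR of this type
    if nscount > 0:
        return "referral"        # NS records in AUTHORITY: chase them (section 2)
    return "empty"               # non-authoritative and empty: nothing to use


FINAL = {"answer", "nodata", "nxdomain"}


def is_final(msg: bytes) -> bool:
    """True when the response settles the question and must not be re-sent."""
    return classify(msg) in FINAL


# Constructed sample responses (assumption); message ids are arbitrary.
ZERO_ANSWER = build_response(0x1A2B, NOERROR, True, 0, 0, 0)
NAME_ERROR = build_response(0x1A2C, NXDOMAIN, True, 0, 1, 0)
REFERRAL = build_response(0x1A2D, NOERROR, False, 0, 2, 2)
ANSWER = build_response(0x1A2E, NOERROR, True, 1, 0, 0)
SERVER_FAIL = build_response(0x1A2F, SERVFAIL, False, 0, 0, 0)
QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)   # RD set, QR clear
```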
4. Inability to detect server failure:

 Servers in the internet are not very reliable (they go down every
 once in a while) and resolvers are expected to adapt to the changed
 scenario by not querying the server for a while. Thus, when a server
 does not respond to a query, resolvers should try another server.
 Also, non-stub resolvers should update their round-trip time estimate
 for the server to a large value so that the server is not tried again
 before other, faster servers.

 Stub resolvers, however, cycle through a fixed set of servers and if,
 unfortunately, a server is down while others do not respond for other
 reasons (high load, recursive resolution of the query taking more time
 than the resolver's time-out, ...), the resolver queries the dead
 server again! In fact, some resolvers might not set an upper limit on
 the number of query retransmissions they will send and continue to
 query dead servers indefinitely.

 Name servers running system or chained queries might also suffer from
 the same problem. They store names of servers they should query for a
 given domain. They cycle through these names and, in case none of them
 answers, hit each one more than once. It is, once again, important
 that there be an upper limit on the number of retransmissions, to
 prevent network overload.

 This behavior is clearly in violation of the dictum in RFC 1035 (page
 46):

 "If a resolver gets a server error or other bizarre response
 from a name server, it should remove it from SLIST, and may
 wish to schedule an immediate transmission to the next
 candidate server address."

 Removal from SLIST implies that the server is not queried again for
 some time.

 Correctly implemented full-service resolvers should, as pointed out
 before, update round-trip time values for servers that do not respond
 and query them only after other, good servers. Full-service resolvers
 might, however, not follow any of these common-sense directives. They
 query dead servers, and they query them endlessly.

A GOOD IMPLEMENTATION:

 BIND places an upper limit on the number of times it queries a
 server. Both the stub-resolver and the full-service resolver code do
 this. Also, since the full-service resolver estimates round-trip
 times and sorts name server addresses by these estimates, it does not
 query a dead server again until and unless all the other servers in
 the list are dead too! Further, BIND implements exponential back-off
 as well.

FIXES:

 a. Set an upper limit on the number of retransmissions.

 b. Measure round-trip time from servers (some estimate is better
 than none). Treat no response as a "very large" round-trip
 time.

 c. Maintain a weighted RTT estimate and decay the "large" value
 slowly, with time, so that the server is eventually tested
 again, but not after an indefinitely long period.

 d. Follow an exponential back-off scheme so that even if you do
 not restrict the number of queries, you do not overload the
 net excessively.

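The added example below (not BIND source) puts the retransmission policy of section 1 and fixes (a) to (d) of section 4 into one scheduler: servers sorted by RTT estimate, an initial time-out of the greater of 4 s and twice the estimate, doubling per cycle up to 45 s, at most 3 tries per server, and silence recorded as a very large RTT that decays slowly. DEAD_RTT, DECAY, the 0.5 smoothing weight, the fake network and the Resolver, make_network, demo and demo_all_dead helpers are assumptions made here.

```python
"""Retransmission and server-selection policy in the style RFC 1536 sections 1
and 4 describe for BIND's full-service resolver.

Added example, not BIND source. DEAD_RTT, DECAY, the 0.5 smoothing weight and
the Resolver, make_network, demo and demo_all_dead helpers are assumptions made
here; 4 s, 2x RTT, 45 s, 3 tries and 5 s / n servers are the memo's figures.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

MIN_TIMEOUT = 4.0    # seconds; floor of the initial time-out
MAX_TIMEOUT = 45.0   # ceiling of the exponential back-off
MAX_TRIES = 3        # queries per server per question
DEAD_RTT = 60.0      # assumption: RTT recorded for a server that did not answer
DECAY = 0.9          # assumption: the inflated RTT shrinks by this factor per question

Network = Callable[[str, float], Optional[float]]   # (server, timeout) -> rtt or None


def stub_initial_timeout(n_servers: int) -> float:
    """Stub-resolver start value: the greater of 4 s and 5 s / number of servers."""
    return max(MIN_TIMEOUT, 5.0 / n_servers)


class Resolver:
    """Full-service style server selection driven by RTT estimates."""

    def __init__(self, servers: List[str]) -> None:
        self.srtt: Dict[str, float] = {s: 0.0 for s in servers}   # smoothed RTT
        self.silent: Set[str] = set()                              # servers that timed out

    def order(self) -> List[str]:
        # Fixes b and c of section 4: fastest estimate first, silent servers last.
        return sorted(self.srtt, key=self.srtt.get)

    def _observe(self, server: str, rtt: Optional[float]) -> None:
        if rtt is None:
            self.srtt[server] = DEAD_RTT           # no response = "very large" RTT
            self.silent.add(server)
        else:
            self.srtt[server] = 0.5 * self.srtt[server] + 0.5 * rtt   # weighted estimate
            self.silent.discard(server)

    def query(self, net: Network) -> Tuple[Optional[str], List[Tuple[str, float]]]:
        """One question: returns (server that answered or None, the attempts as
        (server, timeout) pairs in the order they were sent)."""
        for s in self.silent:
            self.srtt[s] *= DECAY                  # fix c: decay the penalty slowly
        attempts: List[Tuple[str, float]] = []
        tries: Dict[str, int] = {s: 0 for s in self.srtt}
        cycle = 0
        while any(n < MAX_TRIES for n in tries.values()):
            for server in self.order():
                if tries[server] >= MAX_TRIES:
                    continue
                base = max(MIN_TIMEOUT, 2.0 * self.srtt[server])
                timeout = min(MAX_TIMEOUT, base * (2 ** cycle))   # fix d: doubled per cycle
                tries[server] += 1
                attempts.append((server, timeout))
                rtt = net(server, timeout)
                self._observe(server, rtt)
                if rtt is not None:
                    return server, attempts
            cycle += 1
        return None, attempts                      # fix a: give up after 3 tries each


def make_network(latency: Dict[str, Optional[float]]) -> Network:
    """Constructed network: a server answers after a fixed latency, or never (None)."""
    def net(server: str, timeout: float) -> Optional[float]:
        rtt = latency[server]
        return rtt if rtt is not None and rtt <= timeout else None
    return net


def demo() -> Tuple[List[Tuple[str, float]], List[Tuple[str, float]], int]:
    """ns-a is dead, ns-b answers in 100 ms. Returns the attempts of the first two
    questions and how many further questions pass before ns-a is probed again."""
    r = Resolver(["ns-a", "ns-b"])
    net = make_network({"ns-a": None, "ns-b": 0.1})
    _, first = r.query(net)     # no estimates yet: ns-a first, times out, ns-b answers
    _, second = r.query(net)    # ns-b now sorts first; ns-a is left alone
    later = 0
    while True:
        later += 1
        _, attempts = r.query(net)
        if attempts[0][0] == "ns-a":
            return first, second, later


def demo_all_dead() -> List[Tuple[str, float]]:
    """Both servers silent: 3 tries each, time-outs doubling up to the 45 s ceiling."""
    r = Resolver(["ns-a", "ns-b"])
    return r.query(make_network({"ns-a": None, "ns-b": None}))[1]
```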
5. Cache Leaks:

 Every resource record returned by a server is cached for TTL seconds,
 where the TTL value is returned with the RR. Full-service (or stub)
 resolvers cache the RR and answer any future queries from this cached
 information until the TTL expires. After that, one more query to the
 wide-area network gets the RR into the cache again.

 Full-service resolvers might not implement this caching mechanism
 well. They might impose a limit on the cache size or might not
 interpret the TTL value correctly. In either case, queries repeated
 within the TTL period of an RR constitute a cache leak.

c7ddab7655021d96211a26f99d9f694396c53284Bob HalleyA GOOD/BAD IMPLEMENTATION:
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley BIND has no restriction on the cache size and the size is governed by
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley the limits on the virtual address space of the machine it is running
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley on. BIND caches RRs for the duration of the TTL returned with each
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley record.
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley It does, however, not follow the RFCs with respect to interpretation
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley of a 0 TTL value. If a record has a TTL value of 0 seconds, BIND uses
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob HalleyKumar, Postel, Neuman, Danzig & Miller [Page 7]
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob HalleyRFC 1536 Common DNS Implementation Errors October 1993
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley the minimum TTL value, for that zone, from the SOA record and caches
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley it for that duration. This, though it saves some traffic on the
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley wide-area network, is not correct behavior.
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob HalleyFIXES:
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley a. Look over your caching mechanism to ensure TTLs are interpreted
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley correctly.
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley b. Do not restrict cache sizes (come on, memory is cheap!).
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley Expired entries are reclaimed periodically, anyway. Of course,
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley the cache size is bound to have some physical limit. But, when
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley possible, this limit should be large (run your name server on
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley a machine with a large amount of physical memory).
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley c. Possibly, a mechanism is needed to flush the cache, when it is
c7ddab7655021d96211a26f99d9f694396c53284Bob Halley known or even suspected that the information has changed.
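   The following Python is a worked example added here, not BIND's code
   nor anything from this memo. It is a resolver cache that honours each
   RR's TTL, refuses to cache a zero-TTL RR (RFC 1035: usable only for
   the transaction in progress), reclaims expired entries lazily, can be
   flushed as in fix (c), and counts upstream queries so that a cache
   leak becomes measurable. The names, addresses and TTLs in simulate()
   are constructed.

```python
"""Added example, not BIND's code: a TTL-honouring RR cache with a query
counter that makes cache leaks visible."""
from typing import Callable, Dict, List, Optional, Tuple

RR = Tuple[str, str, int, str]    # (owner, type, ttl, rdata), simplified


class RRCache:
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock
        self._store: Dict[Tuple[str, str], Tuple[float, List[RR]]] = {}

    def put(self, name: str, rtype: str, rrset: List[RR]) -> bool:
        """Cache an RRset until its smallest TTL expires.  Returns False and
        caches nothing if any TTL is 0: substituting the SOA minimum here is
        exactly the bug described above."""
        ttl = min(rr[2] for rr in rrset)
        if ttl <= 0:
            return False
        self._store[(name.lower(), rtype)] = (self.clock() + ttl, rrset)
        return True

    def get(self, name: str, rtype: str) -> Optional[List[RR]]:
        key = (name.lower(), rtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        expires, rrset = entry
        now = self.clock()
        if now >= expires:
            del self._store[key]          # lazy reclamation of an expired entry
            return None
        left = int(expires - now)         # hand out the TTL that remains
        return [(owner, t, left, rdata) for owner, t, _ttl, rdata in rrset]

    def flush(self, name: Optional[str] = None) -> int:
        """Fix (c): drop everything, or every RRset of one owner name, when
        the data is known or suspected to have changed.  Returns the count."""
        keys = [k for k in self._store if name is None or k[0] == name.lower()]
        for k in keys:
            del self._store[k]
        return len(keys)


class Resolver:
    """Answers from cache when possible; otherwise asks upstream and counts it."""

    def __init__(self, upstream: Callable[[str, str], List[RR]],
                 clock: Callable[[], float]) -> None:
        self.upstream = upstream
        self.cache = RRCache(clock)
        self.upstream_queries = 0   # a leak shows up as this growing within a TTL

    def query(self, name: str, rtype: str) -> List[RR]:
        hit = self.cache.get(name, rtype)
        if hit is not None:
            return hit
        self.upstream_queries += 1
        rrset = self.upstream(name, rtype)
        if rrset:
            self.cache.put(name, rtype, rrset)   # silently skipped for TTL 0
        return rrset


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, dt: float) -> None:
        self.t += dt


def simulate() -> Tuple[int, int, int, int]:
    """Constructed upstream: one name with TTL 300 and one with TTL 0.
    Returns the upstream query count after each phase, then the flush count."""
    clock = FakeClock()
    zone = {
        ("www.example.com", "A"): [("www.example.com", "A", 300, "192.0.2.10")],
        ("lb.example.com", "A"): [("lb.example.com", "A", 0, "192.0.2.20")],
    }
    r = Resolver(lambda n, t: zone.get((n.lower(), t), []), clock)
    for _ in range(5):
        r.query("www.example.com", "A")      # 1 upstream query, 4 cache hits
    within_ttl = r.upstream_queries
    clock.advance(301.0)
    r.query("WWW.example.com", "A")          # expired: fetched again (case-insensitive)
    after_expiry = r.upstream_queries
    for _ in range(3):
        r.query("lb.example.com", "A")       # TTL 0: never cached, 3 upstream queries
    after_zero_ttl = r.upstream_queries
    flushed = r.cache.flush("www.example.com")
    return within_ttl, after_expiry, after_zero_ttl, flushed
```

   The counter is the practical check: a correct cache answers five
   queries inside one TTL with a single upstream query, while a resolver
   that misreads TTLs or evicts under a size cap shows the counter climbing
   on every repeat.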

6. Name Error Bugs:

   This bug is very similar to the Zero Answer bug. The server
   authoritative for a domain returns an authoritative NXDOMAIN when the
   queried name is known to be bad. In the absence of negative caching,
   nothing stops the same bad name from being asked for again. This
   authoritative NXDOMAIN response is usually accompanied by the SOA
   record for the domain, in the authority section.

   Resolvers should recognize that the name they queried for was a bad
   name and should stop querying further.

   Some resolvers might, however, not interpret this correctly and
   continue to query servers, expecting an answer record.

   Some applications, in fact, prompt NXDOMAIN answers! When given a
   perfectly good name to resolve, they append the local domain to it.
   For example, an application in the domain "foo.bar.com", when trying
   to resolve the name "usc.edu", first tries "usc.edu.foo.bar.com",
   then "usc.edu.bar.com" and finally the good name "usc.edu". This
   causes at least two queries that return NXDOMAIN, for every good
   query. The problem is aggravated since the negative answers from the
   previous queries are not cached. When the same name is sought again,
   the process repeats.

   Some DNS resolver implementations suffer from this problem, too. They
   append successive sub-parts of the local domain using an implicit
   searchlist mechanism, when certain conditions are satisfied, and try
   the original name only when this first set of iterations fails. This
   behavior recently caused pandemonium in the Internet when the domain
   "edu.com" was registered and a wildcard "CNAME" record placed at the
   top level. All machines from "com" domains trying to connect to hosts
   in the "edu" domain ended up with connections to the local machine in
   the "edu.com" domain! This is the security problem described in RFC
   1535 [4]: whoever controls such a name receives the connections
   intended for hosts under another top-level domain, and whatever those
   connections carry.

GOOD/BAD IMPLEMENTATIONS:

   Some local versions of BIND already implement negative caching. They
   typically cache negative answers with a very small TTL, sufficient to
   answer a burst of queries spaced close together, as is typically
   seen.

   The next official public release of BIND (4.9.2) will have negative
   caching as an ifdef'd feature.

   The BIND resolver appends the local domain to the given name, when
   one of two conditions is met:

      i.  The name has no periods and the flag RES_DEFNAME is set.
      ii. There is no trailing period and the flag RES_DNSRCH is set.

   The flags RES_DEFNAME and RES_DNSRCH are default resolver options, in
   BIND, but can be changed at compile time.

   Only if the name, so generated, returns an NXDOMAIN is the original
   name tried as a Fully Qualified Domain Name, and then only if it
   contains at least one period.

FIXES:

   a. Fix the resolver code.

   b. Negative Caching. Negative caching servers will restrict the
      traffic seen on the wide-area network, even if they do not curb
      it altogether.

   c. Applications and resolvers should not append the local domain to
      names they seek to resolve, as far as possible. Names
      interspersed with periods should be treated as Fully Qualified
      Domain Names.

      In other words, use searchlists only when explicitly specified.
      No implicit searchlists should be used. A name that contains
      any dots should first be tried as a FQDN and if that fails, with
      the local domain name (or searchlist if specified) appended. A
      name containing no dots can be appended with the searchlist right
      away, but once again, no implicit searchlists should be used.
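   The following Python is a worked example added here; it is not BIND's
   resolver code. It runs the search-list order described above and the
   order recommended in fix (c) against a constructed namespace that
   reproduces the "edu.com" wildcard incident, with a short-lived
   negative cache (fix b) counting upstream queries. The assumption that
   the implicit search list walks every parent of the local domain down
   to the top-level domain is mine, made because it is what makes
   "usc.edu.com" reachable from a host under "com"; the zone contents,
   TEST-NET addresses and NEG_TTL are likewise constructed.

```python
"""Added example, not BIND's code: implicit versus explicit search lists,
the edu.com wildcard trap, and a short negative cache."""
from typing import Callable, Dict, List, Optional, Tuple

NEG_TTL = 5.0   # assumed: a few seconds, enough to absorb a burst of repeats

# Constructed namespace (TEST-NET addresses).  "*.edu.com" is the wildcard
# CNAME the text says was placed at the top of edu.com.
ZONE: Dict[str, Tuple[str, str]] = {
    "usc.edu": ("A", "192.0.2.1"),
    "host.edu.com": ("A", "198.51.100.7"),
    "*.edu.com": ("CNAME", "host.edu.com"),
}

Answer = Optional[Tuple[str, str]]   # (type, rdata); None means NXDOMAIN


def authoritative_lookup(name: str) -> Answer:
    """Exact match, else the closest enclosing wildcard (simplified RFC 1034
    rule), else NXDOMAIN.  A CNAME is chased one step to its target."""
    rec = ZONE.get(name)
    if rec is None:
        labels = name.split(".")
        for i in range(1, len(labels)):
            rec = ZONE.get("*." + ".".join(labels[i:]))
            if rec is not None:
                break
    if rec is not None and rec[0] == "CNAME":
        return ZONE.get(rec[1])
    return rec


def implicit_searchlist(local_domain: str) -> List[str]:
    """ASSUMED implicit list: the local domain and each of its parents."""
    labels = local_domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def bind_style_candidates(name: str, searchlist: List[str]) -> List[str]:
    """Order described above (RES_DEFNAME and RES_DNSRCH set): unless the
    name ends in a period the search list is appended first; the bare
    name comes last, and only if it contains a period."""
    if name.endswith("."):
        return [name.rstrip(".")]
    cands = [f"{name}.{d}" for d in searchlist]
    if "." in name:
        cands.append(name)
    return cands


def fixed_candidates(name: str, searchlist: List[str]) -> List[str]:
    """Fix (c): a dotted name is tried as an FQDN first and the explicitly
    configured list only afterwards; a single-label name goes straight to
    the explicit list.  No implicit list is ever derived."""
    if name.endswith("."):
        return [name.rstrip(".")]
    appended = [f"{name}.{d}" for d in searchlist]
    return [name] + appended if "." in name else appended


class NegCachingResolver:
    def __init__(self, lookup: Callable[[str], Answer],
                 clock: Callable[[], float]) -> None:
        self.lookup, self.clock = lookup, clock
        self.negative: Dict[str, float] = {}   # bad name -> expiry time
        self.upstream_queries = 0

    def query(self, name: str) -> Answer:
        exp = self.negative.get(name)
        if exp is not None and self.clock() < exp:
            return None                        # NXDOMAIN served from cache
        self.upstream_queries += 1
        ans = self.lookup(name)
        if ans is None:
            self.negative[name] = self.clock() + NEG_TTL
        return ans

    def resolve(self, candidates: List[str]) -> Optional[Tuple[str, Tuple[str, str]]]:
        for cand in candidates:
            ans = self.query(cand)
            if ans is not None:
                return cand, ans               # (name actually answered, record)
        return None


def simulate():
    """A host in foo.bar.com resolves "usc.edu" both ways, twice each."""
    clock = lambda: 0.0                                 # both repeats fall inside NEG_TTL
    implicit = implicit_searchlist("foo.bar.com")       # foo.bar.com, bar.com, com
    explicit = ["foo.bar.com"]
    bad = NegCachingResolver(authoritative_lookup, clock)
    good = NegCachingResolver(authoritative_lookup, clock)
    bad_answer = bad.resolve(bind_style_candidates("usc.edu", implicit))
    good_answer = good.resolve(fixed_candidates("usc.edu", explicit))
    bad.resolve(bind_style_candidates("usc.edu", implicit))   # repeat: 2 NXDOMAINs cached
    good.resolve(fixed_candidates("usc.edu", explicit))
    return bad_answer, good_answer, bad.upstream_queries, good.upstream_queries
```

   The implicit order never reaches "usc.edu": "usc.edu.com" matches the
   wildcard first and the client is sent to the edu.com host. The fixed
   order answers "usc.edu" in one query. The negative cache only trims the
   repeat traffic; it does not repair the wrong answer, which is why fix
   (c) matters more than fix (b) here.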

   Associated with the name error bug is another problem where a server
   might return an authoritative NXDOMAIN, although the name is valid. A
   secondary server, on start-up, reads the zone information from the
   primary, through a zone transfer. While it is in the process of
   loading the zones, it does not have information about them, although
   it is authoritative for them. Thus, any query for a name in that
   domain is answered with an NXDOMAIN response code. This problem might
   not be disastrous were it not for negative caching servers that cache
   this answer and so propagate incorrect information over the Internet.

BAD IMPLEMENTATION:

   BIND apparently suffers from this problem.

   Also, a new name added to the primary database will take a while to
   propagate to the secondaries. Until that time, they will return
   NXDOMAIN answers for a good name. Negative caching servers store this
   answer, too, and aggravate this problem further. This is probably a
   more general DNS problem but is apparently more harmful in this
   situation.

FIXES:

   a. Servers should start answering only after loading all the zone
      data. A failed server is better than a server handing out
      incorrect information.

   b. Cache negative records only for a very short time, sufficient
      to ward off a burst of requests for the same bad name. This
      could be related to the round-trip time of the server from
      which the negative answer was received. Alternatively, a
      statistical measure of the amount of time for which queries
      for such names are received could be used. The minimum TTL
      value from the SOA record is not advisable since those values
      tend to be pretty large.

   c. A "PUSH" (or, at least, a "NOTIFY") mechanism should be allowed
      and implemented, to allow the primary server to inform
      secondaries that the database has been modified since it last
      transferred zone data. To alleviate the problem of "too many
      zone transfers" that this might cause, Incremental Zone
      Transfers should also be part of DNS. Also, the primary should
      not NOTIFY/PUSH with every update but bunch a good number
      together.
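   The following Python is a worked example added here, not BIND's code.
   It models fix (a) as a secondary that answers SERVFAIL, without the AA
   bit, until its zone is fully loaded; fix (c) as a primary that batches
   updates and notifies its secondaries once per batch; and the
   resolver-side rule that only an authoritative NXDOMAIN may enter the
   negative cache. NOTIFY and the zone transfer are plain method calls,
   not the wire protocol. Answering SERVFAIL while loading is my choice
   of "failed server"; the memo prescribes no response code. The batch
   size and the zone contents are constructed.

```python
"""Added example, not BIND's code: do not answer authoritatively before
the zone is loaded; batch NOTIFYs; cache only authoritative NXDOMAIN."""
from typing import Dict, List, Tuple

Response = Tuple[str, bool]   # (RCODE name, AA bit)


class Secondary:
    def __init__(self) -> None:
        self.zone: Dict[str, str] = {}
        self.serial = 0
        self.loaded = False

    def answer(self, name: str) -> Response:
        """Fix (a): never claim authority for data that is not loaded yet."""
        if not self.loaded:
            return ("SERVFAIL", False)
        return ("NOERROR", True) if name in self.zone else ("NXDOMAIN", True)

    def transfer(self, primary: "Primary") -> None:
        """Full zone transfer; the server is non-authoritative while it runs."""
        self.loaded = False
        self.zone = dict(primary.zone)
        self.serial = primary.serial
        self.loaded = True

    def on_notify(self, primary: "Primary") -> None:
        if primary.serial > self.serial:       # transfer only if really newer
            self.transfer(primary)


class Primary:
    NOTIFY_BATCH = 3   # assumed batch size for "bunch a good number together"

    def __init__(self, secondaries: List[Secondary]) -> None:
        self.zone: Dict[str, str] = {}
        self.serial = 1
        self.pending = 0
        self.notifies_sent = 0
        self.secondaries = secondaries

    def add(self, name: str, addr: str) -> None:
        self.zone[name] = addr
        self.pending += 1
        if self.pending >= self.NOTIFY_BATCH:
            self.flush()

    def flush(self) -> None:
        """Bump the serial once for the whole batch and NOTIFY every secondary."""
        if self.pending == 0:
            return
        self.serial += 1
        self.pending = 0
        self.notifies_sent += 1
        for s in self.secondaries:
            s.on_notify(self)


def cacheable_negative(resp: Response) -> bool:
    """Only an authoritative NXDOMAIN qualifies for the (short) negative
    cache; a SERVFAIL from a still-loading server must never be cached."""
    rcode, aa = resp
    return rcode == "NXDOMAIN" and aa


def simulate():
    """Constructed zone: one name present at start-up, three added later."""
    sec = Secondary()
    pri = Primary([sec])
    pri.zone["www.example.com"] = "192.0.2.10"
    before_load = sec.answer("www.example.com")      # ("SERVFAIL", False)
    sec.transfer(pri)
    after_load = sec.answer("www.example.com")       # ("NOERROR", True)
    pri.add("new1.example.com", "192.0.2.11")
    pri.add("new2.example.com", "192.0.2.12")
    stale = sec.answer("new1.example.com")           # ("NXDOMAIN", True): the window
    pri.add("new3.example.com", "192.0.2.13")        # completes the batch, NOTIFY goes out
    fresh = sec.answer("new1.example.com")           # ("NOERROR", True)
    return before_load, after_load, stale, fresh, pri.notifies_sent, sec.serial
```

   The stale answer between the second and third add is the window the
   text warns about: batching NOTIFYs lengthens it, and the secondary's
   NXDOMAIN in that window is authoritative, so only the short negative
   TTL of fix (b) limits how far it spreads. The SERVFAIL before loading,
   by contrast, must not be cached at all.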

7. Format Errors:

   Some resolvers issue query packets that do not necessarily conform to
   standards as laid out in the relevant RFCs. This unnecessarily
   increases net traffic and wastes server time.

FIXES:

   a. Fix resolvers.

   b. Have each resolver verify the format of packets before sending
      them out, using a mechanism outside of the resolver. This is,
      obviously, needed only if fix (a) cannot be followed.
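   The following Python is a worked example added here; it is not taken
   from any resolver. It is a minimal RFC 1035 query encoder together
   with the pre-send format check of fix (b), applied to one well-formed
   query and to constructed malformed ones. The check covers the header
   fields and the question section: QR clear, a known OPCODE, the
   reserved Z bits and RCODE zero, QDCOUNT of one with the other counts
   zero, a QNAME with labels of at most 63 octets and 255 octets in
   total, no compression pointers, and nothing trailing the question.
   The query ID and names used are constructed.

```python
"""Added example, not from any resolver: RFC 1035 query encoder and a
pre-send format check (fix b)."""
import struct
from typing import Callable, List, Tuple

QCLASS_IN = 1
HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length {len(raw)} not in 1..63")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return out


def build_query(qid: int, name: str, qtype: int, rd: bool = True) -> bytes:
    flags = 0x0100 if rd else 0x0000        # QR=0, OPCODE=QUERY, RD as given
    header = HEADER.pack(qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def check_query(pkt: bytes) -> List[str]:
    """Return the format violations found; an empty list means send it."""
    problems: List[str] = []
    if len(pkt) < HEADER.size:
        return ["header shorter than 12 octets"]
    _qid, flags, qd, an, ns, ar = HEADER.unpack_from(pkt)
    if flags & 0x8000:
        problems.append("QR bit set on a query")
    if (flags >> 11) & 0xF not in (0, 1, 2):      # QUERY, IQUERY, STATUS
        problems.append("unknown OPCODE")
    if flags & 0x0070:
        problems.append("reserved Z bits not zero")
    if flags & 0x000F:
        problems.append("RCODE non-zero in a query")
    if qd != 1:
        problems.append(f"QDCOUNT {qd}, expected 1")
    if an or ns or ar:
        problems.append("answer/authority/additional counts not zero in a query")
    off, name_len = HEADER.size, 0
    while True:                                   # walk the QNAME labels
        if off >= len(pkt):
            problems.append("question name runs past end of packet")
            return problems
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            problems.append("compression pointer in question name")
            return problems
        if length & 0xC0:                         # 0x40/0x80 are reserved
            problems.append("reserved label type in question name")
            return problems
        off += 1
        if length == 0:
            break
        name_len += length + 1
        off += length
    if name_len + 1 > 255:
        problems.append("question name longer than 255 octets")
    if len(pkt) - off < 4:
        problems.append("QTYPE/QCLASS missing")
        return problems
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    if qtype == 0 or qclass == 0:
        problems.append("QTYPE/QCLASS 0 is reserved")
    if len(pkt) > off + 4:
        problems.append("trailing octets after the question")
    return problems


def send_if_valid(pkt: bytes, send: Callable[[bytes], None]) -> Tuple[bool, List[str]]:
    """The mechanism outside the resolver: keep a bad packet off the wire."""
    problems = check_query(pkt)
    if problems:
        return False, problems
    send(pkt)
    return True, []
```

   send_if_valid() is the shape of fix (b): it wraps whatever the resolver
   produces and only hands conforming packets to the socket. A server-side
   variant of check_query() is equally useful for deciding what to log or
   drop rather than parse.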

References

   [1] Mockapetris, P., "Domain Names - Concepts and Facilities", STD 13,
       RFC 1034, USC/Information Sciences Institute, November 1987.

   [2] Mockapetris, P., "Domain Names - Implementation and
       Specification", STD 13, RFC 1035, USC/Information Sciences
       Institute, November 1987.

   [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
       974, CSNET CIC BBN, January 1986.

   [4] Gavron, E., "A Security Problem and Proposed Correction With
       Widely Deployed DNS Software", RFC 1535, ACES Research Inc.,
       October 1993.

   [5] Beertema, P., "Common DNS Data File Configuration Errors", RFC
       1537, CWI, October 1993.

Security Considerations

   Security issues are not discussed in this memo.

Authors' Addresses

   Anant Kumar
   USC Information Sciences Institute
   4676 Admiralty Way
   Marina Del Rey CA 90292-6695

   Phone: (310) 822-1511
   FAX:   (310) 823-6741
   EMail: anant@isi.edu


   Jon Postel
   USC Information Sciences Institute
   4676 Admiralty Way
   Marina Del Rey CA 90292-6695

   Phone: (310) 822-1511
   FAX:   (310) 823-6714
   EMail: postel@isi.edu


   Cliff Neuman
   USC Information Sciences Institute
   4676 Admiralty Way
   Marina Del Rey CA 90292-6695

   Phone: (310) 822-1511
   FAX:   (310) 823-6714
   EMail: bcn@isi.edu


   Peter Danzig
   Computer Science Department
   University of Southern California
   University Park

   EMail: danzig@caldera.usc.edu


   Steve Miller
   Computer Science Department
   University of Southern California
   University Park
   Los Angeles CA 90089

   EMail: smiller@caldera.usc.edu