mirror of
https://gitee.com/acl-dev/acl.git
synced 2024-12-14 17:00:52 +08:00
370 lines
15 KiB
Plaintext
370 lines
15 KiB
Plaintext
|
||
Network Working Group P. Vixie
|
||
Request for Comments: 1996 ISC
|
||
Updates: 1035 August 1996
|
||
Category: Standards Track
|
||
|
||
|
||
A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
|
||
|
||
Status of this Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Abstract
|
||
|
||
This memo describes the NOTIFY opcode for DNS, by which a master
|
||
server advises a set of slave servers that the master's data has been
|
||
changed and that a query should be initiated to discover the new
|
||
data.
|
||
|
||
1. Rationale and Scope
|
||
|
||
1.1. Slow propagation of new and changed data in a DNS zone can be
|
||
due to a zone's relatively long refresh times. Longer refresh times
|
||
are beneficial in that they reduce load on the master servers, but
|
||
that benefit comes at the cost of long intervals of incoherence among
|
||
authority servers whenever the zone is updated.
|
||
|
||
1.2. The DNS NOTIFY transaction allows master servers to inform slave
|
||
servers when the zone has changed -- an interrupt as opposed to poll
|
||
model -- which it is hoped will reduce propagation delay while not
|
||
unduly increasing the masters' load. This specification only allows
|
||
slaves to be notified of SOA RR changes, but the architechture of
|
||
NOTIFY is intended to be extensible to other RR types.
|
||
|
||
1.3. This document intentionally gives more definition to the roles
|
||
of "Master," "Slave" and "Stealth" servers, their enumeration in NS
|
||
RRs, and the SOA MNAME field. In that sense, this document can be
|
||
considered an addendum to [RFC1035].
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Vixie Standards Track [Page 1]
|
||
|
||
RFC 1996 DNS NOTIFY August 1996
|
||
|
||
|
||
2. Definitions and Invariants
|
||
|
||
2.1. The following definitions are used in this document:
|
||
|
||
Slave an authoritative server which uses zone transfer to
|
||
retrieve the zone. All slave servers are named in
|
||
the NS RRs for the zone.
|
||
|
||
Master any authoritative server configured to be the source
|
||
of zone transfer for one or more slave servers.
|
||
|
||
Primary Master master server at the root of the zone transfer
|
||
dependency graph. The primary master is named in the
|
||
zone's SOA MNAME field and optionally by an NS RR.
|
||
There is by definition only one primary master server
|
||
per zone.
|
||
|
||
Stealth like a slave server except not listed in an NS RR for
|
||
the zone. A stealth server, unless explicitly
|
||
configured to do otherwise, will set the AA bit in
|
||
responses and be capable of acting as a master. A
|
||
stealth server will only be known by other servers if
|
||
they are given static configuration data indicating
|
||
its existence.
|
||
|
||
Notify Set set of servers to be notified of changes to some
|
||
zone. Default is all servers named in the NS RRset,
|
||
except for any server also named in the SOA MNAME.
|
||
Some implementations will permit the name server
|
||
administrator to override this set or add elements to
|
||
it (such as, for example, stealth servers).
|
||
|
||
2.2. The zone's servers must be organized into a dependency graph
|
||
such that there is a primary master, and all other servers must use
|
||
AXFR or IXFR either from the primary master or from some slave which
|
||
is also a master. No loops are permitted in the AXFR dependency
|
||
graph.
|
||
|
||
3. NOTIFY Message
|
||
|
||
3.1. When a master has updated one or more RRs in which slave servers
|
||
may be interested, the master may send the changed RR's name, class,
|
||
type, and optionally, new RDATA(s), to each known slave server using
|
||
a best efforts protocol based on the NOTIFY opcode.
|
||
|
||
3.2. NOTIFY uses the DNS Message Format, although it uses only a
|
||
subset of the available fields. Fields not otherwise described
|
||
herein are to be filled with binary zero (0), and implementations
|
||
|
||
|
||
|
||
Vixie Standards Track [Page 2]
|
||
|
||
RFC 1996 DNS NOTIFY August 1996
|
||
|
||
|
||
must ignore all messages for which this is not the case.
|
||
|
||
3.3. NOTIFY is similar to QUERY in that it has a request message with
|
||
the header QR flag "clear" and a response message with QR "set". The
|
||
response message contains no useful information, but its reception by
|
||
the master is an indication that the slave has received the NOTIFY
|
||
and that the master can remove the slave from any retry queue for
|
||
this NOTIFY event.
|
||
|
||
3.4. The transport protocol used for a NOTIFY transaction will be UDP
|
||
unless the master has reason to believe that TCP is necessary; for
|
||
example, if a firewall has been installed between master and slave,
|
||
and only TCP has been allowed; or, if the changed RR is too large to
|
||
fit in a UDP/DNS datagram.
|
||
|
||
3.5. If TCP is used, both master and slave must continue to offer
|
||
name service during the transaction, even when the TCP transaction is
|
||
not making progress. The NOTIFY request is sent once, and a
|
||
"timeout" is said to have occurred if no NOTIFY response is received
|
||
within a reasonable interval.
|
||
|
||
3.6. If UDP is used, a master periodically sends a NOTIFY request to
|
||
a slave until either too many copies have been sent (a "timeout"), an
|
||
ICMP message indicating that the port is unreachable, or until a
|
||
NOTIFY response is received from the slave with a matching query ID,
|
||
QNAME, IP source address, and UDP source port number.
|
||
|
||
Note:
|
||
The interval between transmissions, and the total number of
|
||
retransmissions, should be operational parameters specifiable by
|
||
the name server administrator, perhaps on a per-zone basis.
|
||
Reasonable defaults are a 60 second interval (or timeout if
|
||
using TCP), and a maximum of 5 retransmissions (for UDP). It is
|
||
considered reasonable to use additive or exponential backoff for
|
||
the retry interval.
|
||
|
||
3.7. A NOTIFY request has QDCOUNT>0, ANCOUNT>=0, AUCOUNT>=0,
|
||
ADCOUNT>=0. If ANCOUNT>0, then the answer section represents an
|
||
unsecure hint at the new RRset for this <QNAME,QCLASS,QTYPE>. A
|
||
slave receiving such a hint is free to treat equivilence of this
|
||
answer section with its local data as a "no further work needs to be
|
||
done" indication. If ANCOUNT=0, or ANCOUNT>0 and the answer section
|
||
differs from the slave's local data, then the slave should query its
|
||
known masters to retrieve the new data.
|
||
|
||
3.8. In no case shall the answer section of a NOTIFY request be used
|
||
to update a slave's local data, or to indicate that a zone transfer
|
||
needs to be undertaken, or to change the slave's zone refresh timers.
|
||
|
||
|
||
|
||
Vixie Standards Track [Page 3]
|
||
|
||
RFC 1996 DNS NOTIFY August 1996
|
||
|
||
|
||
Only a "data present; data same" condition can lead a slave to act
|
||
differently if ANCOUNT>0 than it would if ANCOUNT=0.
|
||
|
||
3.9. This version of the NOTIFY specification makes no use of the
|
||
authority or additional data sections, and so conforming
|
||
implementations should set AUCOUNT=0 and ADCOUNT=0 when transmitting
|
||
requests. Since a future revision of this specification may define a
|
||
backwards compatible use for either or both of these sections,
|
||
current implementations must ignore these sections, but not the
|
||
entire message, if AUCOUNT>0 and/or ADCOUNT>0.
|
||
|
||
3.10. If a slave receives a NOTIFY request from a host that is not a
|
||
known master for the zone containing the QNAME, it should ignore the
|
||
request and produce an error message in its operations log.
|
||
|
||
Note:
|
||
This implies that slaves of a multihomed master must either know
|
||
their master by the "closest" of the master's interface
|
||
addresses, or must know all of the master's interface addresses.
|
||
Otherwise, a valid NOTIFY request might come from an address
|
||
that is not on the slave's state list of masters for the zone,
|
||
which would be an error.
|
||
|
||
3.11. The only defined NOTIFY event at this time is that the SOA RR
|
||
has changed. Upon completion of a NOTIFY transaction for QTYPE=SOA,
|
||
the slave should behave as though the zone given in the QNAME had
|
||
reached its REFRESH interval (see [RFC1035]), i.e., it should query
|
||
its masters for the SOA of the zone given in the NOTIFY QNAME, and
|
||
check the answer to see if the SOA SERIAL has been incremented since
|
||
the last time the zone was fetched. If so, a zone transfer (either
|
||
AXFR or IXFR) should be initiated.
|
||
|
||
Note:
|
||
Because a deep server dependency graph may have multiple paths
|
||
from the primary master to any given slave, it is possible that
|
||
a slave will receive a NOTIFY from one of its known masters even
|
||
though the rest of its known masters have not yet updated their
|
||
copies of the zone. Therefore, when issuing a QUERY for the
|
||
zone's SOA, the query should be directed at the known master who
|
||
was the source of the NOTIFY event, and not at any of the other
|
||
known masters. This represents a departure from [RFC1035],
|
||
which specifies that upon expiry of the SOA REFRESH interval,
|
||
all known masters should be queried in turn.
|
||
|
||
3.12. If a NOTIFY request is received by a slave who does not
|
||
implement the NOTIFY opcode, it will respond with a NOTIMP
|
||
(unimplemented feature error) message. A master server who receives
|
||
such a NOTIMP should consider the NOTIFY transaction complete for
|
||
|
||
|
||
|
||
Vixie Standards Track [Page 4]
|
||
|
||
RFC 1996 DNS NOTIFY August 1996
|
||
|
||
|
||
that slave.
|
||
|
||
4. Details and Examples
|
||
|
||
4.1. Retaining query state information across host reboots is
|
||
optional, but it is reasonable to simply execute an SOA NOTIFY
|
||
transaction on each authority zone when a server first starts.
|
||
|
||
4.2. Each slave is likely to receive several copies of the same
|
||
NOTIFY request: One from the primary master, and one from each other
|
||
slave as that slave transfers the new zone and notifies its potential
|
||
peers. The NOTIFY protocol supports this multiplicity by requiring
|
||
that NOTIFY be sent by a slave/master only AFTER it has updated the
|
||
SOA RR or has determined that no update is necessary, which in
|
||
practice means after a successful zone transfer. Thus, barring
|
||
delivery reordering, the last NOTIFY any slave receives will be the
|
||
one indicating the latest change. Since a slave always requests SOAs
|
||
and AXFR/IXFRs only from its known masters, it will have an
|
||
opportunity to retry its QUERY for the SOA after each of its masters
|
||
have completed each zone update.
|
||
|
||
4.3. If a master server seeks to avoid causing a large number of
|
||
simultaneous outbound zone transfers, it may delay for an arbitrary
|
||
length of time before sending a NOTIFY message to any given slave.
|
||
It is expected that the time will be chosen at random, so that each
|
||
slave will begin its transfer at a unique time. The delay shall not
|
||
in any case be longer than the SOA REFRESH time.
|
||
|
||
Note:
|
||
This delay should be a parameter that each primary master name
|
||
server can specify, perhaps on a per-zone basis. Random delays
|
||
of between 30 and 60 seconds would seem adequate if the servers
|
||
share a LAN and the zones are of moderate size.
|
||
|
||
4.4. A slave which receives a valid NOTIFY should defer action on any
|
||
subsequent NOTIFY with the same <QNAME,QCLASS,QTYPE> until it has
|
||
completed the transaction begun by the first NOTIFY. This duplicate
|
||
rejection is necessary to avoid having multiple notifications lead to
|
||
pummeling the master server.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Vixie Standards Track [Page 5]
|
||
|
||
RFC 1996 DNS NOTIFY August 1996
|
||
|
||
|
||
4.5 Zone has Updated on Primary Master
|
||
|
||
Primary master sends a NOTIFY request to all servers named in Notify
|
||
Set. The NOTIFY request has the following characteristics:
|
||
|
||
query ID: (new)
|
||
op: NOTIFY (4)
|
||
resp: NOERROR
|
||
flags: AA
|
||
qcount: 1
|
||
qname: (zone name)
|
||
qclass: (zone class)
|
||
qtype: T_SOA
|
||
|
||
4.6 Zone has Updated on a Slave that is also a Master
|
||
|
||
As above in 4.5, except that this server's Notify Set may be
|
||
different from the Primary Master's due to optional static
|
||
specification of local stealth servers.
|
||
|
||
4.7 Slave Receives a NOTIFY Request from a Master
|
||
|
||
When a slave server receives a NOTIFY request from one of its locally
|
||
designated masters for the zone enclosing the given QNAME, with
|
||
QTYPE=SOA and QR=0, it should enter the state it would if the zone's
|
||
refresh timer had expired. It will also send a NOTIFY response back
|
||
to the NOTIFY request's source, with the following characteristics:
|
||
|
||
query ID: (same)
|
||
op: NOTIFY (4)
|
||
resp: NOERROR
|
||
flags: QR AA
|
||
qcount: 1
|
||
qname: (zone name)
|
||
qclass: (zone class)
|
||
qtype: T_SOA
|
||
|
||
This is intended to be identical to the NOTIFY request, except that
|
||
the QR bit is also set. The query ID of the response must be the
|
||
same as was received in the request.
|
||
|
||
4.8 Master Receives a NOTIFY Response from Slave
|
||
|
||
When a master server receives a NOTIFY response, it deletes this
|
||
query from the retry queue, thus completing the "notification
|
||
process" of "this" RRset change to "that" server.
|
||
|
||
|
||
|
||
|
||
|
||
Vixie Standards Track [Page 6]
|
||
|
||
RFC 1996 DNS NOTIFY August 1996
|
||
|
||
|
||
5. Security Considerations
|
||
|
||
We believe that the NOTIFY operation's only security considerations
|
||
are:
|
||
|
||
1. That a NOTIFY request with a forged IP/UDP source address can
|
||
cause a slave to send spurious SOA queries to its masters,
|
||
leading to a benign denial of service attack if the forged
|
||
requests are sent very often.
|
||
|
||
2. That TCP spoofing could be used against a slave server given
|
||
NOTIFY as a means of synchronizing an SOA query and UDP/DNS
|
||
spoofing as a means of forcing a zone transfer.
|
||
|
||
6. References
|
||
|
||
[RFC1035]
|
||
Mockapetris, P., "Domain Names - Implementation and
|
||
Specification", STD 13, RFC 1035, November 1987.
|
||
|
||
[IXFR]
|
||
Ohta, M., "Incremental Zone Transfer", RFC 1995, August 1996.
|
||
|
||
7. Author's Address
|
||
|
||
Paul Vixie
|
||
Internet Software Consortium
|
||
Star Route Box 159A
|
||
Woodside, CA 94062
|
||
|
||
Phone: +1 415 747 0204
|
||
EMail: paul@vix.com
|