7 Network Working Group P. Vixie
8 Request for Comments: 1996 ISC
9 Updates: 1035 August 1996
10 Category: Standards Track
13 A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
17 This document specifies an Internet standards track protocol for the
18 Internet community, and requests discussion and suggestions for
19 improvements. Please refer to the current edition of the "Internet
20 Official Protocol Standards" (STD 1) for the standardization state
21 and status of this protocol. Distribution of this memo is unlimited.
25 This memo describes the NOTIFY opcode for DNS, by which a master
26 server advises a set of slave servers that the master's data has been
27 changed and that a query should be initiated to discover the new
30 1. Rationale and Scope
32 1.1. Slow propagation of new and changed data in a DNS zone can be
33 due to a zone's relatively long refresh times. Longer refresh times
34 are beneficial in that they reduce load on the master servers, but
35 that benefit comes at the cost of long intervals of incoherence among
36 authority servers whenever the zone is updated.
38 1.2. The DNS NOTIFY transaction allows master servers to inform slave
39 servers when the zone has changed -- an interrupt as opposed to poll
40 model -- which it is hoped will reduce propagation delay while not
41 unduly increasing the masters' load. This specification only allows
42 slaves to be notified of SOA RR changes, but the architechture of
43 NOTIFY is intended to be extensible to other RR types.
45 1.3. This document intentionally gives more definition to the roles
46 of "Master," "Slave" and "Stealth" servers, their enumeration in NS
47 RRs, and the SOA MNAME field. In that sense, this document can be
48 considered an addendum to [RFC1035].
58 Vixie Standards Track [Page 1]
60 RFC 1996 DNS NOTIFY August 1996
63 2. Definitions and Invariants
65 2.1. The following definitions are used in this document:
67 Slave an authoritative server which uses zone transfer to
68 retrieve the zone. All slave servers are named in
69 the NS RRs for the zone.
71 Master any authoritative server configured to be the source
72 of zone transfer for one or more slave servers.
74 Primary Master master server at the root of the zone transfer
75 dependency graph. The primary master is named in the
76 zone's SOA MNAME field and optionally by an NS RR.
77 There is by definition only one primary master server
80 Stealth like a slave server except not listed in an NS RR for
81 the zone. A stealth server, unless explicitly
82 configured to do otherwise, will set the AA bit in
83 responses and be capable of acting as a master. A
84 stealth server will only be known by other servers if
85 they are given static configuration data indicating
88 Notify Set set of servers to be notified of changes to some
89 zone. Default is all servers named in the NS RRset,
90 except for any server also named in the SOA MNAME.
91 Some implementations will permit the name server
92 administrator to override this set or add elements to
93 it (such as, for example, stealth servers).
95 2.2. The zone's servers must be organized into a dependency graph
96 such that there is a primary master, and all other servers must use
97 AXFR or IXFR either from the primary master or from some slave which
98 is also a master. No loops are permitted in the AXFR dependency
103 3.1. When a master has updated one or more RRs in which slave servers
104 may be interested, the master may send the changed RR's name, class,
105 type, and optionally, new RDATA(s), to each known slave server using
106 a best efforts protocol based on the NOTIFY opcode.
108 3.2. NOTIFY uses the DNS Message Format, although it uses only a
109 subset of the available fields. Fields not otherwise described
110 herein are to be filled with binary zero (0), and implementations
114 Vixie Standards Track [Page 2]
116 RFC 1996 DNS NOTIFY August 1996
119 must ignore all messages for which this is not the case.
121 3.3. NOTIFY is similar to QUERY in that it has a request message with
122 the header QR flag "clear" and a response message with QR "set". The
123 response message contains no useful information, but its reception by
124 the master is an indication that the slave has received the NOTIFY
125 and that the master can remove the slave from any retry queue for
128 3.4. The transport protocol used for a NOTIFY transaction will be UDP
129 unless the master has reason to believe that TCP is necessary; for
130 example, if a firewall has been installed between master and slave,
131 and only TCP has been allowed; or, if the changed RR is too large to
132 fit in a UDP/DNS datagram.
134 3.5. If TCP is used, both master and slave must continue to offer
135 name service during the transaction, even when the TCP transaction is
136 not making progress. The NOTIFY request is sent once, and a
137 "timeout" is said to have occurred if no NOTIFY response is received
138 within a reasonable interval.
140 3.6. If UDP is used, a master periodically sends a NOTIFY request to
141 a slave until either too many copies have been sent (a "timeout"), an
142 ICMP message indicating that the port is unreachable, or until a
143 NOTIFY response is received from the slave with a matching query ID,
144 QNAME, IP source address, and UDP source port number.
147 The interval between transmissions, and the total number of
148 retransmissions, should be operational parameters specifiable by
149 the name server administrator, perhaps on a per-zone basis.
150 Reasonable defaults are a 60 second interval (or timeout if
151 using TCP), and a maximum of 5 retransmissions (for UDP). It is
152 considered reasonable to use additive or exponential backoff for
155 3.7. A NOTIFY request has QDCOUNT>0, ANCOUNT>=0, AUCOUNT>=0,
156 ADCOUNT>=0. If ANCOUNT>0, then the answer section represents an
157 unsecure hint at the new RRset for this <QNAME,QCLASS,QTYPE>. A
158 slave receiving such a hint is free to treat equivilence of this
159 answer section with its local data as a "no further work needs to be
160 done" indication. If ANCOUNT=0, or ANCOUNT>0 and the answer section
161 differs from the slave's local data, then the slave should query its
162 known masters to retrieve the new data.
164 3.8. In no case shall the answer section of a NOTIFY request be used
165 to update a slave's local data, or to indicate that a zone transfer
166 needs to be undertaken, or to change the slave's zone refresh timers.
170 Vixie Standards Track [Page 3]
172 RFC 1996 DNS NOTIFY August 1996
175 Only a "data present; data same" condition can lead a slave to act
176 differently if ANCOUNT>0 than it would if ANCOUNT=0.
178 3.9. This version of the NOTIFY specification makes no use of the
179 authority or additional data sections, and so conforming
180 implementations should set AUCOUNT=0 and ADCOUNT=0 when transmitting
181 requests. Since a future revision of this specification may define a
182 backwards compatible use for either or both of these sections,
183 current implementations must ignore these sections, but not the
184 entire message, if AUCOUNT>0 and/or ADCOUNT>0.
186 3.10. If a slave receives a NOTIFY request from a host that is not a
187 known master for the zone containing the QNAME, it should ignore the
188 request and produce an error message in its operations log.
191 This implies that slaves of a multihomed master must either know
192 their master by the "closest" of the master's interface
193 addresses, or must know all of the master's interface addresses.
194 Otherwise, a valid NOTIFY request might come from an address
195 that is not on the slave's state list of masters for the zone,
196 which would be an error.
198 3.11. The only defined NOTIFY event at this time is that the SOA RR
199 has changed. Upon completion of a NOTIFY transaction for QTYPE=SOA,
200 the slave should behave as though the zone given in the QNAME had
201 reached its REFRESH interval (see [RFC1035]), i.e., it should query
202 its masters for the SOA of the zone given in the NOTIFY QNAME, and
203 check the answer to see if the SOA SERIAL has been incremented since
204 the last time the zone was fetched. If so, a zone transfer (either
205 AXFR or IXFR) should be initiated.
208 Because a deep server dependency graph may have multiple paths
209 from the primary master to any given slave, it is possible that
210 a slave will receive a NOTIFY from one of its known masters even
211 though the rest of its known masters have not yet updated their
212 copies of the zone. Therefore, when issuing a QUERY for the
213 zone's SOA, the query should be directed at the known master who
214 was the source of the NOTIFY event, and not at any of the other
215 known masters. This represents a departure from [RFC1035],
216 which specifies that upon expiry of the SOA REFRESH interval,
217 all known masters should be queried in turn.
219 3.12. If a NOTIFY request is received by a slave who does not
220 implement the NOTIFY opcode, it will respond with a NOTIMP
221 (unimplemented feature error) message. A master server who receives
222 such a NOTIMP should consider the NOTIFY transaction complete for
226 Vixie Standards Track [Page 4]
228 RFC 1996 DNS NOTIFY August 1996
233 4. Details and Examples
235 4.1. Retaining query state information across host reboots is
236 optional, but it is reasonable to simply execute an SOA NOTIFY
237 transaction on each authority zone when a server first starts.
239 4.2. Each slave is likely to receive several copies of the same
240 NOTIFY request: One from the primary master, and one from each other
241 slave as that slave transfers the new zone and notifies its potential
242 peers. The NOTIFY protocol supports this multiplicity by requiring
243 that NOTIFY be sent by a slave/master only AFTER it has updated the
244 SOA RR or has determined that no update is necessary, which in
245 practice means after a successful zone transfer. Thus, barring
246 delivery reordering, the last NOTIFY any slave receives will be the
247 one indicating the latest change. Since a slave always requests SOAs
248 and AXFR/IXFRs only from its known masters, it will have an
249 opportunity to retry its QUERY for the SOA after each of its masters
250 have completed each zone update.
252 4.3. If a master server seeks to avoid causing a large number of
253 simultaneous outbound zone transfers, it may delay for an arbitrary
254 length of time before sending a NOTIFY message to any given slave.
255 It is expected that the time will be chosen at random, so that each
256 slave will begin its transfer at a unique time. The delay shall not
257 in any case be longer than the SOA REFRESH time.
260 This delay should be a parameter that each primary master name
261 server can specify, perhaps on a per-zone basis. Random delays
262 of between 30 and 60 seconds would seem adequate if the servers
263 share a LAN and the zones are of moderate size.
265 4.4. A slave which receives a valid NOTIFY should defer action on any
266 subsequent NOTIFY with the same <QNAME,QCLASS,QTYPE> until it has
267 completed the transaction begun by the first NOTIFY. This duplicate
268 rejection is necessary to avoid having multiple notifications lead to
269 pummeling the master server.
282 Vixie Standards Track [Page 5]
284 RFC 1996 DNS NOTIFY August 1996
287 4.5 Zone has Updated on Primary Master
289 Primary master sends a NOTIFY request to all servers named in Notify
290 Set. The NOTIFY request has the following characteristics:
301 4.6 Zone has Updated on a Slave that is also a Master
303 As above in 4.5, except that this server's Notify Set may be
304 different from the Primary Master's due to optional static
305 specification of local stealth servers.
307 4.7 Slave Receives a NOTIFY Request from a Master
309 When a slave server receives a NOTIFY request from one of its locally
310 designated masters for the zone enclosing the given QNAME, with
311 QTYPE=SOA and QR=0, it should enter the state it would if the zone's
312 refresh timer had expired. It will also send a NOTIFY response back
313 to the NOTIFY request's source, with the following characteristics:
324 This is intended to be identical to the NOTIFY request, except that
325 the QR bit is also set. The query ID of the response must be the
326 same as was received in the request.
328 4.8 Master Receives a NOTIFY Response from Slave
330 When a master server receives a NOTIFY response, it deletes this
331 query from the retry queue, thus completing the "notification
332 process" of "this" RRset change to "that" server.
338 Vixie Standards Track [Page 6]
340 RFC 1996 DNS NOTIFY August 1996
343 5. Security Considerations
345 We believe that the NOTIFY operation's only security considerations
348 1. That a NOTIFY request with a forged IP/UDP source address can
349 cause a slave to send spurious SOA queries to its masters,
350 leading to a benign denial of service attack if the forged
351 requests are sent very often.
353 2. That TCP spoofing could be used against a slave server given
354 NOTIFY as a means of synchronizing an SOA query and UDP/DNS
355 spoofing as a means of forcing a zone transfer.
360 Mockapetris, P., "Domain Names - Implementation and
361 Specification", STD 13, RFC 1035, November 1987.
364 Ohta, M., "Incremental Zone Transfer", RFC 1995, August 1996.
369 Internet Software Consortium
373 Phone: +1 415 747 0204
394 Vixie Standards Track [Page 7]
projects / FreeBSD / releng / 7.2.git / blob