Initializing a DNS Resolver with Priming Queries DENIC eG
pk@DENIC.DE
ICANN
matt.larson@icann.org
ICANN
paul.hoffman@icann.org
OPS dnsop DNS caching root zone This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS resource record set (RRset) for the root zone and the necessary address information for reaching the root servers. This document obsoletes RFC 8109.
Status of This Memo This memo documents an Internet Best Current Practice. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
    • .  Terminology
  • .  Description of Priming
    • .  Content of Priming Information
  • .  Priming Queries
    • .  Repeating Priming Queries
    • .  Target Selection
    • .  DNSSEC with Priming Queries
  • .  Priming Responses
    • .  Expected Properties of the Priming Response
    • .  Completeness of the Response
  • .  Post-Priming Strategies
  • .  Security Considerations
  • .  IANA Considerations
  • .  References
    • .  Normative References
    • .  Informative References
  • .  Changes from RFC 8109
  • Acknowledgements
  • Authors' Addresses
Introduction Recursive DNS resolvers need a starting point to resolve queries. describes a common scenario for recursive resolvers: They begin with an empty cache and some configuration for finding the names and addresses of the DNS root servers. describes that configuration as a list of servers that will give authoritative answers to queries about the root. This has become a common implementation choice for recursive resolvers and is the topic of this document. This document describes the steps needed for this common implementation choice. Note that this is not the only way to start a recursive name server with an empty cache, but it is the only one described in . Some implementers have chosen other directions, some of which work well and others of which fail (sometimes disastrously) under different conditions. For example, an implementation that only gets the addresses of the root name servers from configuration, not from the DNS as described in this document, will have stale data that could cause slower resolution. This document only deals with recursive name servers (also called "recursive resolvers" and just "resolvers") for the IN class. See for the list of changes from .
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. See for terminology that relates to the root server system. See for terminology that relates to the DNS in general.
Description of Priming Priming is the act of finding the list of root servers from a configuration that lists some or all of the purported IP addresses of some or all of those root servers. In priming, a recursive resolver starts with no cached information about the root servers, and it finishes with a full list of their names and addresses in its cache. Priming is described in Sections  and of . (It is called "SBELT", a "safety belt" structure, in that document.) The scenario used in that description, that of a recursive server that is also authoritative, is no longer as common. The configured list of IP addresses for the root servers usually comes from the vendor or distributor of the recursive server software. Although this list is generally accurate and complete at the time of distribution, it may become outdated over time. The domain names for the root servers are called the "root server identifiers". Although this list has remained stable since 1997, the associated IPv4 and IPv6 addresses for these root server identifiers occasionally change. Research indicates that, following such changes, certain resolvers fail to update to the new addresses; for further details, refer to . Therefore, it is important that resolvers are able to cope with change, even without relying upon configuration updates to be applied by their operator. Root server identifier and address changes are the main reasons that resolvers need to use priming to get a full and accurate list of root servers, instead of just using a statically configured list. See for a history of the root server system. Although this document is targeted at the global DNS, it could apply to a private DNS as well. These terms are defined in . Some systems serve a copy of the full root zone on the same server as the resolver, e.g., as described in . In such a setup, the resolver primes its cache using the same methods as those described in the rest of this document.
Content of Priming Information As described above, the configuration for priming is a list of IP addresses. The priming information in software may be in any format that gives the software the addresses associated with at least some of the root server identifiers. Some software has configuration that also contains the root server identifiers (such as "L.ROOT-SERVERS.NET"), sometimes as comments and sometimes as data consumed by the software. For example, the "root hints file" published by IANA at is derived directly from the root zone and contains all of the addresses of the root server identifiers found in the root zone. It is in DNS zone file presentation format and includes the root server identifiers. Although there is no harm in adding these names, they are not useful in the priming process.
Priming Queries A priming query is a DNS query whose response provides root server identifiers and addresses. It has a QNAME of ".", a QTYPE of NS, and a QCLASS of IN; it is sent to one of the addresses in the configuration for the recursive resolver. The priming query can be sent over either UDP or TCP. If the query is sent over UDP, the source port SHOULD be randomly selected (see ) to hamper on-path attacks. DNS cookies can also be used to hamper on-path attacks. The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set to 1 is undefined for priming queries and is outside the scope of this document. The recursive resolver SHOULD use EDNS0 for priming queries and SHOULD announce and handle a reassembly size of at least 1024 octets . Doing so allows responses that cover the size of a full priming response (see ) for the current set of root servers. See for discussion of setting the DNSSEC OK (DO) bit (defined in ).
Repeating Priming Queries The recursive resolver SHOULD send a priming query only when it is needed, such as when the resolver starts with an empty cache or when the NS resource record set (RRset) for the root zone has expired. Because the NS records for the root zone are not special, the recursive resolver expires those NS records according to their TTL values. (Note that a recursive resolver MAY pre-fetch the NS RRset before it expires.) If a resolver chooses to pre-fetch the root NS RRset before that RRset has expired in its cache, it needs to choose whether to use the addresses for the root NS RRset that it already has in its cache or to use the addresses it has in its configuration. Such a resolver SHOULD send queries to the addresses in its cache in order to reduce the chance of delay due to out-of-date addresses in its configuration. If a priming query does not get a response, the recursive resolver MUST retry the query with a different target address from the configuration.
Target Selection In order to spread the load across all the root server identifiers, the recursive resolver SHOULD select the target for a priming query randomly from the list of addresses. The recursive resolver might choose either IPv4 or IPv6 addresses based on its knowledge of whether the system on which it is running has adequate connectivity on either type of address. Note that this recommended method is not the only way to choose from the list in a recursive resolver's configuration. Two other common methods include picking the first from the list, and remembering which address in the list gave the fastest response earlier and using that one. There are probably other methods in use today. However, the random method SHOULD be used for priming.
DNSSEC with Priming Queries The root NS RRset is signed and can be validated by a DNSSEC validating resolver. At the time this document is published, the addresses for the names in the root NS RRset are in the "root-servers.net" zone. All root servers are also authoritative for the "root-servers.net" zone, which allows priming responses to include the appropriate root name server A and AAAA RRsets. However, because at the time this document is published the "root-servers.net" zone is not signed, the root name server A and AAAA RRsets cannot be validated. An attacker that is able to provide a spoofed priming response can provide alternative A and AAAA RRsets and thus fool a resolver into considering addresses under the control of the attacker to be authoritative for the root zone. A rogue root name server can view all queries from the resolver to the root and alter all unsigned parts of responses, such as the parent-side NS RRsets and glue in referral responses. A resolver can be fooled into trusting child (Top-Level Domain (TLD)) NS addresses that are under the control of the attacker as being authoritative if the resolver:
  • follows referrals from a rogue root server,
  • and does not explicitly query the authoritative NS RRset at the apex of the child (TLD) zone,
  • and does not explicitly query for the authoritative A and AAAA RRsets for the child (TLD) NS RRsets.
With such resolvers, an attacker that controls a rogue root server effectively controls the entire domain name space and can view all queries and alter all unsigned data undetected unless other protections are configured at the resolver. An attacker controlling a rogue root name server also has complete control over all unsigned delegations and over the entire domain name space in the case of non-DNSSEC validating resolvers. If the "root-servers.net" zone is later signed or if the root servers are named in a different zone and that zone is signed, having DNSSEC validation for the priming queries might be valuable. The benefits and costs of resolvers validating the responses will depend heavily on the naming scheme used.
Priming Responses A priming query is a normal DNS query. Thus, a root server cannot distinguish a priming query from any other query for the root NS RRset. Thus, the root server's response will also be a normal DNS response.
Expected Properties of the Priming Response The priming response MUST have an RCODE of NOERROR and MUST have the Authoritative Answer (AA) bit set. Also, it MUST have an NS RRset in the Answer section (because the NS RRset originates from the root zone) and an empty Authority section (because the NS RRset already appears in the Answer section). There will also be an Additional section with A and/or AAAA RRsets for the root servers pointed at by the NS RRset. Resolver software SHOULD treat the response to the priming query as a normal DNS response, just as it would use any other data fed to its cache. Resolver software SHOULD NOT expect 13 NS RRs because, historically, some root servers have returned fewer.
Completeness of the Response At the time this document is published, there are 13 root server operators operating a total of more than 1500 root server instances. Each instance has one IPv4 address and one IPv6 address. The combined size of all the A and AAAA RRsets exceeds the original 512-octet payload limit specified in . In the event of a response where the Additional section omits certain root server address information, reissuing of the priming query does not help with those root name servers that respond with a fixed order of addresses in the Additional section. Instead, the recursive resolver needs to issue direct queries for A and AAAA RRsets for the remaining names. At the time this document is published, these RRsets would be authoritatively available from the root name servers. If some root server addresses are omitted from the Additional section, there is no expectation that the TC bit in the response will be set to 1. At the time this document is written, many of the root servers are not setting the TC bit when omitting addresses from the Additional section. Note that updates with respect to the use of the TC bit. It says
If message size constraints prevent the inclusion of all glue records for in-domain name servers over the chosen transport, the server MUST set the TC (Truncated) flag to inform the client that the response is incomplete and that the client SHOULD use another transport to retrieve the full response.
Because the priming response is not a referral, root server addresses in the priming response are not considered glue records. Thus, does not apply to the priming response and root servers are not required to set the TC bit if not all root server addresses fit within message size constraints. There are no requirements on the number of root server addresses that a root server must include in a priming response.
Post-Priming Strategies When a resolver has a zone's NS RRset in its cache and it receives a query for a domain in that zone that cannot be answered from its cache, the resolver has to choose which NS to send queries to. (This statement is as true for the root zone as for any other zone in the DNS.) Two common strategies for choosing are "determine the fastest name server and always use it" and "create buckets of fastness and pick randomly in the buckets". This document does not specify a preference for any particular strategy other than to suggest that resolvers not treat the root zone as special for this decision.
Security Considerations Spoofing a response to a priming query can be used to redirect all of the queries originating from a victim recursive resolver to one or more servers for the attacker. Until the responses to priming queries are protected with DNSSEC, there is no definitive way to prevent such redirection. An on-path attacker who sees a priming query coming from a resolver can inject false answers before a root server can give correct answers. If the attacker's answers are accepted, this can set up the ability to give further false answers for future queries to the resolver. False answers for root servers are more dangerous than, say, false answers for TLDs, because the root is the highest node of the DNS. See for more discussion. In both of the scenarios listed here, a validating resolver will be able to detect the attack if its chain of queries comes for a zone that is signed, but not for those that are unsigned.
IANA Considerations This document has no IANA actions.
References Normative References Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Domain names - implementation and specification This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. DNSSEC and IPv6 A6 aware server/resolver message size requirements This document mandates support for EDNS0 (Extension Mechanisms for DNS) in DNS entities claiming to support either DNS Security Extensions or A6 records. This requirement is necessary because these new features increase the size of DNS messages. If EDNS0 is not supported fall back to TCP will happen, having a detrimental impact on query latency and DNS server load. This document updates RFC 2535 and RFC 2874, by adding new requirements. [STANDARDS-TRACK] DNS Security Introduction and Requirements The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK] Measures for Making DNS More Resilient against Forged Answers The current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder. Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation. By describing certain behavior that has previously not been standardized, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181. [STANDARDS-TRACK] Extension Mechanisms for DNS (EDNS(0)) The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. Domain Name System (DNS) Cookies DNS Cookies are a lightweight DNS transaction security mechanism that provides limited protection to DNS servers and clients against a variety of increasingly common denial-of-service and amplification/ forgery or cache poisoning attacks by off-path attackers. DNS Cookies are tolerant of NAT, NAT-PT (Network Address Translation - Protocol Translation), and anycast and can be incrementally deployed. (Since DNS Cookies are only returned to the IP address from which they were originally received, they cannot be used to generally track Internet users.) Initializing a DNS Resolver with Priming Queries This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS Resource Record Set (RRset) for the root zone and the necessary address information for reaching the root servers. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. DNS Glue Requirements in Referral Responses The DNS uses glue records to allow iterative clients to find the addresses of name servers that are contained within a delegated zone. Authoritative servers are expected to return all available glue records for in-domain name servers in a referral response. If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server must set the TC (Truncated) flag to inform the client that the response is incomplete and that the client should use another transport to retrieve the full response. This document updates RFC 1034 to clarify correct server behavior. DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. Informative References Thirteen Years of 'Old J Root' DNS-OARC Fall 2015 Workshop Running a Root Server Local to a Resolver Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server; those resolvers may have difficulty getting responses from the root servers, such as during a network attack. Some DNS recursive resolver operators want to prevent snooping by third parties of requests sent to DNS root servers. In both cases, resolvers can greatly decrease the round-trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software. This document shows how to start and maintain such a copy of the root zone that does not cause problems for other users of the DNS, at the cost of adding some operational fragility for the operator. This document obsoletes RFC 7706. History of the Root Server System A Report from the ICANN Root Server System Advisory Committee (RSSAC) RSSAC023v2 RSSAC Lexicon An Advisory from the ICANN Root Server System Advisory Committee (RSSAC) RSSAC026v2
Changes from RFC 8109 This document obsoletes . The significant changes from RFC 8109 are as follows:
  • Added section on the content of priming information.
  • Added paragraph about no expectation that the TC bit in responses will be set.
  • Added paragraph about RFC 9471 and requirements on authoritative servers and the TC bit. This clarified the role of glue records and truncation for responses from the root zone.
  • Changed "man-in-the-middle" to "machine-in-the-middle" to be both more inclusive and more technically accurate.
  • Clarified that there are other effects of machine-in-the-middle attacks.
  • Clarified language for root server domain names as "root server identifiers".
  • Added short discussion of post-priming strategies.
  • Added informative references to Root Server System Advisory Committee (RSSAC) documents.
  • Added short discussion about this document and private DNS.
  • Clarified that machine-in-the-middle attacks could be successful for non-signed TLDs.
  • Added discussion of where resolvers that pre-fetch should get the root NS addresses.
  • Elevated the expectations in ("") to MUST-level.
  • Clarified that "currently" means "at the time this document is published".
  • Added a note about priming and RFC 8806.
  • Added a reference to research about discontinued root server addresses.
Acknowledgements RFC 8109 was the product of the DNSOP WG and benefited from the reviews done there. This document also benefited from review by .
Authors' Addresses DENIC eG
pk@DENIC.DE
ICANN
matt.larson@icann.org
ICANN
paul.hoffman@icann.org