| draft-ietf-add-ddr-01.txt | draft-ietf-add-ddr-02.txt | |||
|---|---|---|---|---|
| ADD T. Pauly | ADD T. Pauly | |||
| Internet-Draft E. Kinnear | Internet-Draft E. Kinnear | |||
| Intended status: Standards Track Apple Inc. | Intended status: Standards Track Apple Inc. | |||
| Expires: 16 December 2021 C.A. Wood | Expires: 9 January 2022 C.A. Wood | |||
| Cloudflare | Cloudflare | |||
| P. McManus | P. McManus | |||
| Fastly | Fastly | |||
| T. Jensen | T. Jensen | |||
| Microsoft | Microsoft | |||
| 14 June 2021 | 8 July 2021 | |||
| Discovery of Designated Resolvers | Discovery of Designated Resolvers | |||
| draft-ietf-add-ddr-01 | draft-ietf-add-ddr-02 | |||
| Abstract | Abstract | |||
| This document defines Discovery of Designated Resolvers (DDR), a | This document defines Discovery of Designated Resolvers (DDR), a | |||
| mechanism for DNS clients to use DNS records to discover a resolver's | mechanism for DNS clients to use DNS records to discover a resolver's | |||
| encrypted DNS configuration. This mechanism can be used to move from | encrypted DNS configuration. This mechanism can be used to move from | |||
| unencrypted DNS to encrypted DNS when only the IP address of an | unencrypted DNS to encrypted DNS when only the IP address of a | |||
| encrypted resolver is known. It can also be used to discover support | resolver is known. It can also be used to discover support for | |||
| for encrypted DNS protocols when the name of an encrypted resolver is | encrypted DNS protocols when the name of an encrypted resolver is | |||
| known. This mechanism is designed to be limited to cases where | known. This mechanism is designed to be limited to cases where | |||
| unencrypted resolvers and their designated resolvers are operated by | unencrypted resolvers and their designated resolvers are operated by | |||
| the same entity or cooperating entities. | the same entity or cooperating entities. | |||
| Discussion Venues | Discussion Venues | |||
| This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
| Discussion of this document takes place on the Adaptive DNS Discovery | Discussion of this document takes place on the Adaptive DNS Discovery | |||
| Working Group mailing list (add@ietf.org), which is archived at | Working Group mailing list (add@ietf.org), which is archived at | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 16 December 2021. | This Internet-Draft will expire on 9 January 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 33 ¶ | skipping to change at page 2, line 33 ¶ | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 | 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 | 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 | |||
| 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 | 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 | |||
| 4.1. Authenticated Discovery . . . . . . . . . . . . . . . . . 5 | 4.1. Authenticated Discovery . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. Opportunistic Discovery . . . . . . . . . . . . . . . . . 6 | 4.2. Opportunistic Discovery . . . . . . . . . . . . . . . . . 6 | |||
| 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 6 | 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 7 | |||
| 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 | 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 7 | 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.2. Certificate Management . . . . . . . . . . . . . . . . . 8 | 6.2. Certificate Management . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 8 | 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 9 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 9 | 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Rationale for using SVCB records . . . . . . . . . . 10 | Appendix A. Rationale for using SVCB records . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| When DNS clients wish to use encrypted DNS protocols such as DNS- | When DNS clients wish to use encrypted DNS protocols such as DNS- | |||
| over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they | over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they | |||
| require additional information beyond the IP address of the DNS | require additional information beyond the IP address of the DNS | |||
| server, such as the resolver's hostname, non-standard ports, or URL | server, such as the resolver's hostname, non-standard ports, or URL | |||
| paths. However, common configuration mechanisms only provide the | paths. However, common configuration mechanisms only provide the | |||
| resolver's IP address during configuration. Such mechanisms include | resolver's IP address during configuration. Such mechanisms include | |||
| network provisioning protocols like DHCP [RFC2132] and IPv6 Router | network provisioning protocols like DHCP [RFC2132] and IPv6 Router | |||
| Advertisement (RA) options [RFC8106], as well as manual | Advertisement (RA) options [RFC8106], as well as manual | |||
| configuration. | configuration. | |||
| This document defines two mechanisms for clients to discover | This document defines two mechanisms for clients to discover | |||
| designated resolvers using DNS server Service Binding (SVCB, | designated resolvers using DNS server Service Binding (SVCB, | |||
| [I-D.ietf-dnsop-svcb-https]) records: | [I-D.ietf-dnsop-svcb-https]) records: | |||
| 1. When only an IP address of an Unencrypted Resolver is known, the | 1. When only an IP address of an Unencrypted Resolver is known, the | |||
| client queries a special use domain name to discover DNS SVCB | client queries a special use domain name to discover DNS SVCB | |||
| records associated with the Unencrypted Resolver (Section 4). | records associated with one or more Encrypted Resolvers the | |||
| Unencrypted Resolver has designated for use when support for DNS | ||||
| encryption is requested (Section 4). | ||||
| 2. When the hostname of an encrypted DNS server is known, the client | 2. When the hostname of an Encrypted Resolver is known, the client | |||
| requests details by sending a query for a DNS SVCB record. This | requests details by sending a query for a DNS SVCB record. This | |||
| can be used to discover alternate encrypted DNS protocols | can be used to discover alternate encrypted DNS protocols | |||
| supported by a known server, or to provide details if a resolver | supported by a known server, or to provide details if a resolver | |||
| name is provisioned by a network (Section 5). | name is provisioned by a network (Section 5). | |||
| Both of these approaches allow clients to confirm that a discovered | Both of these approaches allow clients to confirm that a discovered | |||
| Encrypted Resolver is designated by the originally provisioned | Encrypted Resolver is designated by the originally provisioned | |||
| resolver. "Designated" in this context means that the resolvers are | resolver. "Designated" in this context means that the resolvers are | |||
| operated by the same entity or cooperating entities; for example, the | operated by the same entity or cooperating entities; for example, the | |||
| resolvers are accessible on the same IP address, or there is a | resolvers are accessible on the same IP address, or there is a | |||
| skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 28 ¶ | |||
| DNS resolvers can advertise one or more Designated Resolvers that may | DNS resolvers can advertise one or more Designated Resolvers that may | |||
| offer support over encrypted channels and are controlled by the same | offer support over encrypted channels and are controlled by the same | |||
| entity. | entity. | |||
| When a client discovers Designated Resolvers, it learns information | When a client discovers Designated Resolvers, it learns information | |||
| such as the supported protocols, ports, and server name to use in | such as the supported protocols, ports, and server name to use in | |||
| certificate validation. This information is provided in Service | certificate validation. This information is provided in Service | |||
| Binding (SVCB) records for DNS Servers, defined by | Binding (SVCB) records for DNS Servers, defined by | |||
| [I-D.schwartz-svcb-dns]. | [I-D.schwartz-svcb-dns]. | |||
| The following is an example of an SVCB record describing a DoH | The following is an example of an SVCB record describing a DoH server | |||
| server: | discovered by querying for "_dns.example.net": | |||
| _dns.example.net 7200 IN SVCB 1 . ( | _dns.example.net 7200 IN SVCB 1 . ( | |||
| alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
| The following is an example of an SVCB record describing a DoT | The following is an example of an SVCB record describing a DoT server | |||
| server: | discovered by querying for "_dns.example.net": | |||
| _dns.example.net 7200 IN SVCB 1 dot.example.net ( | _dns.example.net 7200 IN SVCB 1 dot.example.net ( | |||
| alpn=dot port=8530 ) | alpn=dot port=8530 ) | |||
| If multiple Designated Resolvers are available, using one or more | If multiple Designated Resolvers are available, using one or more | |||
| encrypted DNS protocols, the resolver deployment can indicate a | encrypted DNS protocols, the resolver deployment can indicate a | |||
| preference using the priority fields in each SVCB record | preference using the priority fields in each SVCB record | |||
| [I-D.ietf-dnsop-svcb-https]. | [I-D.ietf-dnsop-svcb-https]. | |||
| To avoid name lookup deadlock, Designated Resolvers SHOULD follow the | ||||
| guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- | ||||
| based references that block the completion of the TLS handshake. | ||||
| This document focuses on discovering DoH and DoT Designated | This document focuses on discovering DoH and DoT Designated | |||
| Resolvers. Other protocols can also use the format defined by | Resolvers. Other protocols can also use the format defined by | |||
| [I-D.schwartz-svcb-dns]. However, if any protocol does not involve | [I-D.schwartz-svcb-dns]. However, if any protocol does not involve | |||
| some form of certificate validation, new validation mechanisms will | some form of certificate validation, new validation mechanisms will | |||
| need to be defined to support validating designation as defined in | need to be defined to support validating designation as defined in | |||
| Section 4.1. | Section 4.1. | |||
| 4. Discovery Using Resolver IP Addresses | 4. Discovery Using Resolver IP Addresses | |||
| When a DNS client is configured with an Unencrypted Resolver IP | When a DNS client is configured with an Unencrypted Resolver IP | |||
| address, it SHOULD query the resolver for SVCB records for | address, it SHOULD query the resolver for SVCB records for | |||
| "dns://resolver.arpa" before making other queries. Specifically, the | "dns://resolver.arpa" before making other queries. Specifically, the | |||
| client issues a query for "_dns.resolver.arpa" with the SVCB resource | client issues a query for "_dns.resolver.arpa" with the SVCB resource | |||
| record type (64) [I-D.ietf-dnsop-svcb-https]. | record type (64) [I-D.ietf-dnsop-svcb-https]. | |||
| Because this query is for an SUDN, which no entity can claim | ||||
| ownership over, the SVCB response MUST NOT use the "." value for the | ||||
| SvcDomainName. Instead, the domain name used for DoT or used to | ||||
| construct the DoH template MUST be provided. | ||||
| The following is an example of an SVCB record describing a DoH server | ||||
| discovered by querying for "_dns.resolver.arpa": | ||||
| _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( | ||||
| alpn=h2 dohpath=/dns-query{?dns} ) | ||||
| The following is an example of an SVCB record describing a DoT server | ||||
| discovered by querying for "_dns.resolver.arpa": | ||||
| _dns.resolver.arpa 7200 IN SVCB 1 dot.example.net ( | ||||
| alpn=dot port=8530 ) | ||||
| If the recursive resolver that receives this query has one or more | If the recursive resolver that receives this query has one or more | |||
| Designated Resolvers, it will return the corresponding SVCB records. | Designated Resolvers, it will return the corresponding SVCB records. | |||
| When responding to these special queries for "dns://resolver.arpa", | When responding to these special queries for "dns://resolver.arpa", | |||
| the recursive resolver SHOULD include the A and AAAA records for the | the recursive resolver SHOULD include the A and AAAA records for the | |||
| name of the Designated Resolver in the Additional Answers section. | name of the Designated Resolver in the Additional Answers section. | |||
| This will allow the DNS client to make queries over an encrypted | This will allow the DNS client to make queries over an encrypted | |||
| connection without waiting to resolve the Encrypted Resolver name per | connection without waiting to resolve the Encrypted Resolver name per | |||
| [I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address | [I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address | |||
| hints are included, clients will be forced to delay use of the | hints are included, clients will be forced to delay use of the | |||
| Encrypted Resolver until an additional DNS lookup for the A and AAAA | Encrypted Resolver until an additional DNS lookup for the A and AAAA | |||
| skipping to change at page 9, line 20 ¶ | skipping to change at page 9, line 36 ¶ | |||
| the rationale behind "ipv4only.arpa" in [RFC8880]. | the rationale behind "ipv4only.arpa" in [RFC8880]. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-dnsop-svcb-https] | [I-D.ietf-dnsop-svcb-https] | |||
| Schwartz, B., Bishop, M., and E. Nygren, "Service binding | Schwartz, B., Bishop, M., and E. Nygren, "Service binding | |||
| and parameter specification via the DNS (DNS SVCB and | and parameter specification via the DNS (DNS SVCB and | |||
| HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- | HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- | |||
| dnsop-svcb-https-05, 21 April 2021, | dnsop-svcb-https-06, 16 June 2021, | |||
| <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- | <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- | |||
| https-05.txt>. | https-06.txt>. | |||
| [I-D.ietf-tls-esni] | [I-D.ietf-tls-esni] | |||
| Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | |||
| Encrypted Client Hello", Work in Progress, Internet-Draft, | Encrypted Client Hello", Work in Progress, Internet-Draft, | |||
| draft-ietf-tls-esni-10, 8 March 2021, | draft-ietf-tls-esni-12, 7 July 2021, | |||
| <https://www.ietf.org/archive/id/draft-ietf-tls-esni- | <https://www.ietf.org/archive/id/draft-ietf-tls-esni- | |||
| 10.txt>. | 12.txt>. | |||
| [I-D.schwartz-svcb-dns] | [I-D.schwartz-svcb-dns] | |||
| Schwartz, B., "Service Binding Mapping for DNS Servers", | Schwartz, B., "Service Binding Mapping for DNS Servers", | |||
| Work in Progress, Internet-Draft, draft-schwartz-svcb-dns- | Work in Progress, Internet-Draft, draft-schwartz-svcb-dns- | |||
| 03, 19 April 2021, <https://www.ietf.org/archive/id/draft- | 03, 19 April 2021, <https://www.ietf.org/archive/id/draft- | |||
| schwartz-svcb-dns-03.txt>. | schwartz-svcb-dns-03.txt>. | |||
| [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. | [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. | |||
| J., and E. Lear, "Address Allocation for Private | J., and E. Lear, "Address Allocation for Private | |||
| Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, | Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, | |||
| End of changes. 20 change blocks. | ||||
| 25 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||