draft-ietf-add-ddr-01.txt   draft-ietf-add-ddr-02.txt 
ADD T. Pauly ADD T. Pauly
Internet-Draft E. Kinnear Internet-Draft E. Kinnear
Intended status: Standards Track Apple Inc. Intended status: Standards Track Apple Inc.
Expires: 16 December 2021 C.A. Wood Expires: 9 January 2022 C.A. Wood
Cloudflare Cloudflare
P. McManus P. McManus
Fastly Fastly
T. Jensen T. Jensen
Microsoft Microsoft
14 June 2021 8 July 2021
Discovery of Designated Resolvers Discovery of Designated Resolvers
draft-ietf-add-ddr-01 draft-ietf-add-ddr-02
Abstract Abstract
This document defines Discovery of Designated Resolvers (DDR), a This document defines Discovery of Designated Resolvers (DDR), a
mechanism for DNS clients to use DNS records to discover a resolver's mechanism for DNS clients to use DNS records to discover a resolver's
encrypted DNS configuration. This mechanism can be used to move from encrypted DNS configuration. This mechanism can be used to move from
unencrypted DNS to encrypted DNS when only the IP address of an unencrypted DNS to encrypted DNS when only the IP address of a
encrypted resolver is known. It can also be used to discover support resolver is known. It can also be used to discover support for
for encrypted DNS protocols when the name of an encrypted resolver is encrypted DNS protocols when the name of an encrypted resolver is
known. This mechanism is designed to be limited to cases where known. This mechanism is designed to be limited to cases where
unencrypted resolvers and their designated resolvers are operated by unencrypted resolvers and their designated resolvers are operated by
the same entity or cooperating entities. the same entity or cooperating entities.
Discussion Venues Discussion Venues
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Adaptive DNS Discovery Discussion of this document takes place on the Adaptive DNS Discovery
Working Group mailing list (add@ietf.org), which is archived at Working Group mailing list (add@ietf.org), which is archived at
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 December 2021. This Internet-Draft will expire on 9 January 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 33 skipping to change at page 2, line 33
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Specification of Requirements . . . . . . . . . . . . . . 3 1.1. Specification of Requirements . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4
4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5
4.1. Authenticated Discovery . . . . . . . . . . . . . . . . . 5 4.1. Authenticated Discovery . . . . . . . . . . . . . . . . . 6
4.2. Opportunistic Discovery . . . . . . . . . . . . . . . . . 6 4.2. Opportunistic Discovery . . . . . . . . . . . . . . . . . 6
5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 6 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 7
6. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 7
6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 7 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 8
6.2. Certificate Management . . . . . . . . . . . . . . . . . 8 6.2. Certificate Management . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 8 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Normative References . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Rationale for using SVCB records . . . . . . . . . . 10 Appendix A. Rationale for using SVCB records . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
When DNS clients wish to use encrypted DNS protocols such as DNS- When DNS clients wish to use encrypted DNS protocols such as DNS-
over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they
require additional information beyond the IP address of the DNS require additional information beyond the IP address of the DNS
server, such as the resolver's hostname, non-standard ports, or URL server, such as the resolver's hostname, non-standard ports, or URL
paths. However, common configuration mechanisms only provide the paths. However, common configuration mechanisms only provide the
resolver's IP address during configuration. Such mechanisms include resolver's IP address during configuration. Such mechanisms include
network provisioning protocols like DHCP [RFC2132] and IPv6 Router network provisioning protocols like DHCP [RFC2132] and IPv6 Router
Advertisement (RA) options [RFC8106], as well as manual Advertisement (RA) options [RFC8106], as well as manual
configuration. configuration.
This document defines two mechanisms for clients to discover This document defines two mechanisms for clients to discover
designated resolvers using DNS server Service Binding (SVCB, designated resolvers using DNS server Service Binding (SVCB,
[I-D.ietf-dnsop-svcb-https]) records: [I-D.ietf-dnsop-svcb-https]) records:
1. When only an IP address of an Unencrypted Resolver is known, the 1. When only an IP address of an Unencrypted Resolver is known, the
client queries a special use domain name to discover DNS SVCB client queries a special use domain name to discover DNS SVCB
records associated with the Unencrypted Resolver (Section 4). records associated with one or more Encrypted Resolvers the
Unencrypted Resolver has designated for use when support for DNS
encryption is requested (Section 4).
2. When the hostname of an encrypted DNS server is known, the client 2. When the hostname of an Encrypted Resolver is known, the client
requests details by sending a query for a DNS SVCB record. This requests details by sending a query for a DNS SVCB record. This
can be used to discover alternate encrypted DNS protocols can be used to discover alternate encrypted DNS protocols
supported by a known server, or to provide details if a resolver supported by a known server, or to provide details if a resolver
name is provisioned by a network (Section 5). name is provisioned by a network (Section 5).
Both of these approaches allow clients to confirm that a discovered Both of these approaches allow clients to confirm that a discovered
Encrypted Resolver is designated by the originally provisioned Encrypted Resolver is designated by the originally provisioned
resolver. "Designated" in this context means that the resolvers are resolver. "Designated" in this context means that the resolvers are
operated by the same entity or cooperating entities; for example, the operated by the same entity or cooperating entities; for example, the
resolvers are accessible on the same IP address, or there is a resolvers are accessible on the same IP address, or there is a
skipping to change at page 4, line 27 skipping to change at page 4, line 28
DNS resolvers can advertise one or more Designated Resolvers that may DNS resolvers can advertise one or more Designated Resolvers that may
offer support over encrypted channels and are controlled by the same offer support over encrypted channels and are controlled by the same
entity. entity.
When a client discovers Designated Resolvers, it learns information When a client discovers Designated Resolvers, it learns information
such as the supported protocols, ports, and server name to use in such as the supported protocols, ports, and server name to use in
certificate validation. This information is provided in Service certificate validation. This information is provided in Service
Binding (SVCB) records for DNS Servers, defined by Binding (SVCB) records for DNS Servers, defined by
[I-D.schwartz-svcb-dns]. [I-D.schwartz-svcb-dns].
The following is an example of an SVCB record describing a DoH The following is an example of an SVCB record describing a DoH server
server: discovered by querying for "_dns.example.net":
_dns.example.net 7200 IN SVCB 1 . ( _dns.example.net 7200 IN SVCB 1 . (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT The following is an example of an SVCB record describing a DoT server
server: discovered by querying for "_dns.example.net":
_dns.example.net 7200 IN SVCB 1 dot.example.net ( _dns.example.net 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 ) alpn=dot port=8530 )
If multiple Designated Resolvers are available, using one or more If multiple Designated Resolvers are available, using one or more
encrypted DNS protocols, the resolver deployment can indicate a encrypted DNS protocols, the resolver deployment can indicate a
preference using the priority fields in each SVCB record preference using the priority fields in each SVCB record
[I-D.ietf-dnsop-svcb-https]. [I-D.ietf-dnsop-svcb-https].
To avoid name lookup deadlock, Designated Resolvers SHOULD follow the
guidance in Section 10 of [RFC8484] regarding the avoidance of DNS-
based references that block the completion of the TLS handshake.
This document focuses on discovering DoH and DoT Designated This document focuses on discovering DoH and DoT Designated
Resolvers. Other protocols can also use the format defined by Resolvers. Other protocols can also use the format defined by
[I-D.schwartz-svcb-dns]. However, if any protocol does not involve [I-D.schwartz-svcb-dns]. However, if any protocol does not involve
some form of certificate validation, new validation mechanisms will some form of certificate validation, new validation mechanisms will
need to be defined to support validating designation as defined in need to be defined to support validating designation as defined in
Section 4.1. Section 4.1.
4. Discovery Using Resolver IP Addresses 4. Discovery Using Resolver IP Addresses
When a DNS client is configured with an Unencrypted Resolver IP When a DNS client is configured with an Unencrypted Resolver IP
address, it SHOULD query the resolver for SVCB records for address, it SHOULD query the resolver for SVCB records for
"dns://resolver.arpa" before making other queries. Specifically, the "dns://resolver.arpa" before making other queries. Specifically, the
client issues a query for "_dns.resolver.arpa" with the SVCB resource client issues a query for "_dns.resolver.arpa" with the SVCB resource
record type (64) [I-D.ietf-dnsop-svcb-https]. record type (64) [I-D.ietf-dnsop-svcb-https].
Because this query is for an SUDN, which no entity can claim
ownership over, the SVCB response MUST NOT use the "." value for the
SvcDomainName. Instead, the domain name used for DoT or used to
construct the DoH template MUST be provided.
The following is an example of an SVCB record describing a DoH server
discovered by querying for "_dns.resolver.arpa":
_dns.resolver.arpa 7200 IN SVCB 1 doh.example.net (
alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT server
discovered by querying for "_dns.resolver.arpa":
_dns.resolver.arpa 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 )
If the recursive resolver that receives this query has one or more If the recursive resolver that receives this query has one or more
Designated Resolvers, it will return the corresponding SVCB records. Designated Resolvers, it will return the corresponding SVCB records.
When responding to these special queries for "dns://resolver.arpa", When responding to these special queries for "dns://resolver.arpa",
the recursive resolver SHOULD include the A and AAAA records for the the recursive resolver SHOULD include the A and AAAA records for the
name of the Designated Resolver in the Additional Answers section. name of the Designated Resolver in the Additional Answers section.
This will allow the DNS client to make queries over an encrypted This will allow the DNS client to make queries over an encrypted
connection without waiting to resolve the Encrypted Resolver name per connection without waiting to resolve the Encrypted Resolver name per
[I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address [I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address
hints are included, clients will be forced to delay use of the hints are included, clients will be forced to delay use of the
Encrypted Resolver until an additional DNS lookup for the A and AAAA Encrypted Resolver until an additional DNS lookup for the A and AAAA
skipping to change at page 9, line 20 skipping to change at page 9, line 36
the rationale behind "ipv4only.arpa" in [RFC8880]. the rationale behind "ipv4only.arpa" in [RFC8880].
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-dnsop-svcb-https] [I-D.ietf-dnsop-svcb-https]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding Schwartz, B., Bishop, M., and E. Nygren, "Service binding
and parameter specification via the DNS (DNS SVCB and and parameter specification via the DNS (DNS SVCB and
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
dnsop-svcb-https-05, 21 April 2021, dnsop-svcb-https-06, 16 June 2021,
<https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-
https-05.txt>. https-06.txt>.
[I-D.ietf-tls-esni] [I-D.ietf-tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft, Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-10, 8 March 2021, draft-ietf-tls-esni-12, 7 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-tls-esni- <https://www.ietf.org/archive/id/draft-ietf-tls-esni-
10.txt>. 12.txt>.
[I-D.schwartz-svcb-dns] [I-D.schwartz-svcb-dns]
Schwartz, B., "Service Binding Mapping for DNS Servers", Schwartz, B., "Service Binding Mapping for DNS Servers",
Work in Progress, Internet-Draft, draft-schwartz-svcb-dns- Work in Progress, Internet-Draft, draft-schwartz-svcb-dns-
03, 19 April 2021, <https://www.ietf.org/archive/id/draft- 03, 19 April 2021, <https://www.ietf.org/archive/id/draft-
schwartz-svcb-dns-03.txt>. schwartz-svcb-dns-03.txt>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
J., and E. Lear, "Address Allocation for Private J., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
 End of changes. 20 change blocks. 
25 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/