draft-ietf-add-ddr-04.txt   draft-ietf-add-ddr-05.txt 
ADD T. Pauly ADD T. Pauly
Internet-Draft E. Kinnear Internet-Draft E. Kinnear
Intended status: Standards Track Apple Inc. Intended status: Standards Track Apple Inc.
Expires: 19 May 2022 C.A. Wood Expires: 4 August 2022 C.A. Wood
Cloudflare Cloudflare
P. McManus P. McManus
Fastly Fastly
T. Jensen T. Jensen
Microsoft Microsoft
15 November 2021 31 January 2022
Discovery of Designated Resolvers Discovery of Designated Resolvers
draft-ietf-add-ddr-04 draft-ietf-add-ddr-05
Abstract Abstract
This document defines Discovery of Designated Resolvers (DDR), a This document defines Discovery of Designated Resolvers (DDR), a
mechanism for DNS clients to use DNS records to discover a resolver's mechanism for DNS clients to use DNS records to discover a resolver's
encrypted DNS configuration. This mechanism can be used to move from encrypted DNS configuration. This mechanism can be used to move from
unencrypted DNS to encrypted DNS when only the IP address of a unencrypted DNS to encrypted DNS when only the IP address of a
resolver is known. This mechanism is designed to be limited to cases resolver is known. This mechanism is designed to be limited to cases
where unencrypted resolvers and their designated resolvers are where unencrypted resolvers and their designated resolvers are
operated by the same entity or cooperating entities. It can also be operated by the same entity or cooperating entities. It can also be
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 May 2022. This Internet-Draft will expire on 4 August 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Specification of Requirements . . . . . . . . . . . . . . 3 1.1. Specification of Requirements . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4
4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5
4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6 4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6
4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 6 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 7
4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 7 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 8
5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 7 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 8
6. Deployment Considerations . . . . . . . . . . . . . . . . . . 8 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 9
6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 8 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 9
6.2. Certificate Management . . . . . . . . . . . . . . . . . 9 6.2. Certificate Management . . . . . . . . . . . . . . . . . 10
6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 9 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 10 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 11
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.1. Normative References . . . . . . . . . . . . . . . . . . 10 9.1. Normative References . . . . . . . . . . . . . . . . . . 11
9.2. Informative References . . . . . . . . . . . . . . . . . 11 9.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. Rationale for using SVCB records . . . . . . . . . . 12 Appendix A. Rationale for using SVCB records . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
When DNS clients wish to use encrypted DNS protocols such as DNS- When DNS clients wish to use encrypted DNS protocols such as DNS-
over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they
require additional information beyond the IP address of the DNS require additional information beyond the IP address of the DNS
server, such as the resolver's hostname, non-standard ports, or URL server, such as the resolver's hostname, non-standard ports, or URL
paths. However, common configuration mechanisms only provide the paths. However, common configuration mechanisms only provide the
resolver's IP address during configuration. Such mechanisms include resolver's IP address during configuration. Such mechanisms include
network provisioning protocols like DHCP [RFC2132] and IPv6 Router network provisioning protocols like DHCP [RFC2132] and IPv6 Router
skipping to change at page 3, line 38 skipping to change at page 3, line 38
requests details by sending a query for a DNS SVCB record. This requests details by sending a query for a DNS SVCB record. This
can be used to discover alternate encrypted DNS protocols can be used to discover alternate encrypted DNS protocols
supported by a known server, or to provide details if a resolver supported by a known server, or to provide details if a resolver
name is provisioned by a network (Section 5). name is provisioned by a network (Section 5).
Both of these approaches allow clients to confirm that a discovered Both of these approaches allow clients to confirm that a discovered
Encrypted Resolver is designated by the originally provisioned Encrypted Resolver is designated by the originally provisioned
resolver. "Designated" in this context means that the resolvers are resolver. "Designated" in this context means that the resolvers are
operated by the same entity or cooperating entities; for example, the operated by the same entity or cooperating entities; for example, the
resolvers are accessible on the same IP address, or there is a resolvers are accessible on the same IP address, or there is a
certificate that claims ownership over both resolvers. certificate that claims ownership over the IP address for the
original designating resolver.
1.1. Specification of Requirements 1.1. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Terminology 2. Terminology
skipping to change at page 4, line 24 skipping to change at page 4, line 26
Unencrypted Resolver: A DNS resolver using TCP or UDP port 53. Unencrypted Resolver: A DNS resolver using TCP or UDP port 53.
3. DNS Service Binding Records 3. DNS Service Binding Records
DNS resolvers can advertise one or more Designated Resolvers that may DNS resolvers can advertise one or more Designated Resolvers that may
offer support over encrypted channels and are controlled by the same offer support over encrypted channels and are controlled by the same
entity. entity.
When a client discovers Designated Resolvers, it learns information When a client discovers Designated Resolvers, it learns information
such as the supported protocols and ports. This information is such as the supported protocols and ports. This information is
provided in Service Binding (SVCB) records for DNS Servers. The provided in ServiceMode Service Binding (SVCB) records for DNS
formatting of these records, including the DNS-unique parameters such Servers, although AliasMode SVCB records can be used to direct
as "dohpath", are defined by [I-D.ietf-add-svcb-dns]. clients to the needed ServiceMode SVCB record per
[I-D.ietf-dnsop-svcb-https]. The formatting of these records,
including the DNS-unique parameters such as "dohpath", are defined by
[I-D.ietf-add-svcb-dns].
The following is an example of an SVCB record describing a DoH server The following is an example of an SVCB record describing a DoH server
discovered by querying for _dns.example.net: discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 example.net. ( _dns.example.net. 7200 IN SVCB 1 example.net. (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT server The following is an example of an SVCB record describing a DoT server
discovered by querying for _dns.example.net: discovered by querying for _dns.example.net:
_dns.example.net 7200 IN SVCB 1 dot.example.net ( _dns.example.net 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 ) alpn=dot port=8530 )
If multiple Designated Resolvers are available, using one or more If multiple Designated Resolvers are available, using one or more
encrypted DNS protocols, the resolver deployment can indicate a encrypted DNS protocols, the resolver deployment can indicate a
preference using the priority fields in each SVCB record preference using the priority fields in each SVCB record
[I-D.ietf-dnsop-svcb-https]. [I-D.ietf-dnsop-svcb-https].
If the client encounters a mandatory parameter in an SVCB record it
does not understand, it MUST NOT use that record to discover a
Designated Resolver. The client can still use others records in the
same response if the client can understand all of their mandatory
parameters. This allows future encrypted deployments to
simultaneously support protocols even if a given client is not aware
of all those protocols. For example, if the Unencrypted Resolver
returns three SVCB records, one for DoH, one for DoT, and one for a
yet-to-exist protocol, a client which only supports DoH and DoT
should be able to use those records while safely ignoring the third
record.
To avoid name lookup deadlock, Designated Resolvers SHOULD follow the To avoid name lookup deadlock, Designated Resolvers SHOULD follow the
guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- guidance in Section 10 of [RFC8484] regarding the avoidance of DNS-
based references that block the completion of the TLS handshake. based references that block the completion of the TLS handshake.
This document focuses on discovering DoH and DoT Designated This document focuses on discovering DoH and DoT Designated
Resolvers. Other protocols can also use the format defined by Resolvers. Other protocols can also use the format defined by
[I-D.ietf-add-svcb-dns]. However, if any protocol does not involve [I-D.ietf-add-svcb-dns]. However, if any protocol does not involve
some form of certificate validation, new validation mechanisms will some form of certificate validation, new validation mechanisms will
need to be defined to support validating designation as defined in need to be defined to support validating designation as defined in
Section 4.2. Section 4.2.
4. Discovery Using Resolver IP Addresses 4. Discovery Using Resolver IP Addresses
When a DNS client is configured with an Unencrypted Resolver IP When a DNS client is configured with an Unencrypted Resolver IP
address, it SHOULD query the resolver for SVCB records for address, it SHOULD query the resolver for SVCB records for
"dns://resolver.arpa" before making other queries. Specifically, the "dns://resolver.arpa" before making other queries. Specifically, the
client issues a query for _dns.resolver.arpa with the SVCB resource client issues a query for _dns.resolver.arpa with the SVCB resource
record type (64) [I-D.ietf-dnsop-svcb-https]. record type (64) [I-D.ietf-dnsop-svcb-https].
Because this query is for an SUDN, which no entity can claim Because this query is for an SUDN, which no entity can claim
ownership over, the SVCB response MUST NOT use the "." value for the ownership over, the ServiceMode SVCB response MUST NOT use the "."
TargetName. Instead, the domain name used for DoT or used to value for the TargetName. Instead, the domain name used for DoT or
construct the DoH template MUST be provided. used to construct the DoH template MUST be provided.
The following is an example of an SVCB record describing a DoH server The following is an example of an SVCB record describing a DoH server
discovered by querying for _dns.resolver.arpa: discovered by querying for _dns.resolver.arpa:
_dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT server The following is an example of an SVCB record describing a DoT server
discovered by querying for _dns.resolver.arpa: discovered by querying for _dns.resolver.arpa:
skipping to change at page 6, line 28 skipping to change at page 6, line 41
* Opportunistic Discovery Section 4.3, for when a resolver is * Opportunistic Discovery Section 4.3, for when a resolver is
accessed using a non-public IP address. accessed using a non-public IP address.
A client MAY additionally use a discovered Designated Resolver A client MAY additionally use a discovered Designated Resolver
without either of these methods, based on implementation-specific without either of these methods, based on implementation-specific
policy or user input. Details of such policy are out of scope of policy or user input. Details of such policy are out of scope of
this document. Clients SHOULD NOT automatically use a Designated this document. Clients SHOULD NOT automatically use a Designated
Resolver without some sort of validation, such as the two methods Resolver without some sort of validation, such as the two methods
defined in this document or a future mechanism. defined in this document or a future mechanism.
A client MUST NOT use a Designated Resolver designated by one
Unencrypted Resolver in place of another Unencrypted Resolver. As
these are known only by IP address, this means each unique IP address
used for unencrypted DNS requires its own designation discovery.
This ensures queries are being sent to a party designated by the
resolver originally being used.
Generally, clients also SHOULD NOT reuse the Designated Resolver
discovered from an Unencrypted Resolver over one network connection
in place of the same Unencrypted Resolver on another network
connection. Instead, clients SHOULD repeat the discovery process on
the other network connection.
However, if a given Unencrypted Resolver designates a Designated
Resolver that uses a public IP address and can be verified using the
mechanism described in Section 4.2, it MAY be used on different
network connections so long as the subsequent connections over other
networks can also be successfully verified using the mechanism
described in Section 4.2. This is a tradeoff between performance (by
having no delay in establishing an encrypted DNS connection on the
new network) and functionality (if the Unencrypted Resolver intends
to designate different Designated Resolvers based on the network from
which clients connect).
4.2. Verified Discovery 4.2. Verified Discovery
Verified Discovery is a mechanism that allows automatic use of a Verified Discovery is a mechanism that allows automatic use of a
Designated Resolver that supports DNS encryption that performs a TLS Designated Resolver that supports DNS encryption that performs a TLS
handshake. handshake.
In order to be considered a verified Designated Resolver, the TLS In order to be considered a verified Designated Resolver, the TLS
certificate presented by the Designated Resolver MUST contain the IP certificate presented by the Designated Resolver MUST contain the IP
address of the designating Unencrypted Resolver in a subjectAltName address of the designating Unencrypted Resolver in a subjectAltName
extension. If the certificate can be validated, the client SHOULD extension. If the certificate can be validated, the client SHOULD
skipping to change at page 14, line 4 skipping to change at page 14, line 46
Cupertino, California 95014, Cupertino, California 95014,
United States of America United States of America
Email: tpauly@apple.com Email: tpauly@apple.com
Eric Kinnear Eric Kinnear
Apple Inc. Apple Inc.
One Apple Park Way One Apple Park Way
Cupertino, California 95014, Cupertino, California 95014,
United States of America United States of America
Email: ekinnear@apple.com
Email: ekinnear@apple.com
Christopher A. Wood Christopher A. Wood
Cloudflare Cloudflare
101 Townsend St 101 Townsend St
San Francisco, San Francisco,
United States of America United States of America
Email: caw@heapingbits.net Email: caw@heapingbits.net
Patrick McManus Patrick McManus
Fastly Fastly
 End of changes. 14 change blocks. 
31 lines changed or deleted 71 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/