| draft-ietf-add-ddr-04.txt | draft-ietf-add-ddr-05.txt | |||
|---|---|---|---|---|
| ADD T. Pauly | ADD T. Pauly | |||
| Internet-Draft E. Kinnear | Internet-Draft E. Kinnear | |||
| Intended status: Standards Track Apple Inc. | Intended status: Standards Track Apple Inc. | |||
| Expires: 19 May 2022 C.A. Wood | Expires: 4 August 2022 C.A. Wood | |||
| Cloudflare | Cloudflare | |||
| P. McManus | P. McManus | |||
| Fastly | Fastly | |||
| T. Jensen | T. Jensen | |||
| Microsoft | Microsoft | |||
| 15 November 2021 | 31 January 2022 | |||
| Discovery of Designated Resolvers | Discovery of Designated Resolvers | |||
| draft-ietf-add-ddr-04 | draft-ietf-add-ddr-05 | |||
| Abstract | Abstract | |||
| This document defines Discovery of Designated Resolvers (DDR), a | This document defines Discovery of Designated Resolvers (DDR), a | |||
| mechanism for DNS clients to use DNS records to discover a resolver's | mechanism for DNS clients to use DNS records to discover a resolver's | |||
| encrypted DNS configuration. This mechanism can be used to move from | encrypted DNS configuration. This mechanism can be used to move from | |||
| unencrypted DNS to encrypted DNS when only the IP address of a | unencrypted DNS to encrypted DNS when only the IP address of a | |||
| resolver is known. This mechanism is designed to be limited to cases | resolver is known. This mechanism is designed to be limited to cases | |||
| where unencrypted resolvers and their designated resolvers are | where unencrypted resolvers and their designated resolvers are | |||
| operated by the same entity or cooperating entities. It can also be | operated by the same entity or cooperating entities. It can also be | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 19 May 2022. | This Internet-Draft will expire on 4 August 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Revised BSD License text as | |||
| as described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 | 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 | 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 | |||
| 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 | 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 | |||
| 4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6 | 4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6 | |||
| 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 6 | 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 7 | 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 8 | |||
| 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 7 | 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 8 | |||
| 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 8 | 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 9 | |||
| 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 8 | 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 9 | |||
| 6.2. Certificate Management . . . . . . . . . . . . . . . . . 9 | 6.2. Certificate Management . . . . . . . . . . . . . . . . . 10 | |||
| 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 9 | 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 10 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 10 | 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 11 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. Rationale for using SVCB records . . . . . . . . . . 12 | Appendix A. Rationale for using SVCB records . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| When DNS clients wish to use encrypted DNS protocols such as DNS- | When DNS clients wish to use encrypted DNS protocols such as DNS- | |||
| over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they | over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they | |||
| require additional information beyond the IP address of the DNS | require additional information beyond the IP address of the DNS | |||
| server, such as the resolver's hostname, non-standard ports, or URL | server, such as the resolver's hostname, non-standard ports, or URL | |||
| paths. However, common configuration mechanisms only provide the | paths. However, common configuration mechanisms only provide the | |||
| resolver's IP address during configuration. Such mechanisms include | resolver's IP address during configuration. Such mechanisms include | |||
| network provisioning protocols like DHCP [RFC2132] and IPv6 Router | network provisioning protocols like DHCP [RFC2132] and IPv6 Router | |||
| skipping to change at page 3, line 38 ¶ | skipping to change at page 3, line 38 ¶ | |||
| requests details by sending a query for a DNS SVCB record. This | requests details by sending a query for a DNS SVCB record. This | |||
| can be used to discover alternate encrypted DNS protocols | can be used to discover alternate encrypted DNS protocols | |||
| supported by a known server, or to provide details if a resolver | supported by a known server, or to provide details if a resolver | |||
| name is provisioned by a network (Section 5). | name is provisioned by a network (Section 5). | |||
| Both of these approaches allow clients to confirm that a discovered | Both of these approaches allow clients to confirm that a discovered | |||
| Encrypted Resolver is designated by the originally provisioned | Encrypted Resolver is designated by the originally provisioned | |||
| resolver. "Designated" in this context means that the resolvers are | resolver. "Designated" in this context means that the resolvers are | |||
| operated by the same entity or cooperating entities; for example, the | operated by the same entity or cooperating entities; for example, the | |||
| resolvers are accessible on the same IP address, or there is a | resolvers are accessible on the same IP address, or there is a | |||
| certificate that claims ownership over both resolvers. | certificate that claims ownership over the IP address for the | |||
| original designating resolver. | ||||
| 1.1. Specification of Requirements | 1.1. Specification of Requirements | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. Terminology | 2. Terminology | |||
| skipping to change at page 4, line 24 ¶ | skipping to change at page 4, line 26 ¶ | |||
| Unencrypted Resolver: A DNS resolver using TCP or UDP port 53. | Unencrypted Resolver: A DNS resolver using TCP or UDP port 53. | |||
| 3. DNS Service Binding Records | 3. DNS Service Binding Records | |||
| DNS resolvers can advertise one or more Designated Resolvers that may | DNS resolvers can advertise one or more Designated Resolvers that may | |||
| offer support over encrypted channels and are controlled by the same | offer support over encrypted channels and are controlled by the same | |||
| entity. | entity. | |||
| When a client discovers Designated Resolvers, it learns information | When a client discovers Designated Resolvers, it learns information | |||
| such as the supported protocols and ports. This information is | such as the supported protocols and ports. This information is | |||
| provided in Service Binding (SVCB) records for DNS Servers. The | provided in ServiceMode Service Binding (SVCB) records for DNS | |||
| formatting of these records, including the DNS-unique parameters such | Servers, although AliasMode SVCB records can be used to direct | |||
| as "dohpath", are defined by [I-D.ietf-add-svcb-dns]. | clients to the needed ServiceMode SVCB record per | |||
| [I-D.ietf-dnsop-svcb-https]. The formatting of these records, | ||||
| including the DNS-unique parameters such as "dohpath", are defined by | ||||
| [I-D.ietf-add-svcb-dns]. | ||||
| The following is an example of an SVCB record describing a DoH server | The following is an example of an SVCB record describing a DoH server | |||
| discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
| _dns.example.net. 7200 IN SVCB 1 example.net. ( | _dns.example.net. 7200 IN SVCB 1 example.net. ( | |||
| alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
| The following is an example of an SVCB record describing a DoT server | The following is an example of an SVCB record describing a DoT server | |||
| discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
| _dns.example.net 7200 IN SVCB 1 dot.example.net ( | _dns.example.net 7200 IN SVCB 1 dot.example.net ( | |||
| alpn=dot port=8530 ) | alpn=dot port=8530 ) | |||
| If multiple Designated Resolvers are available, using one or more | If multiple Designated Resolvers are available, using one or more | |||
| encrypted DNS protocols, the resolver deployment can indicate a | encrypted DNS protocols, the resolver deployment can indicate a | |||
| preference using the priority fields in each SVCB record | preference using the priority fields in each SVCB record | |||
| [I-D.ietf-dnsop-svcb-https]. | [I-D.ietf-dnsop-svcb-https]. | |||
| If the client encounters a mandatory parameter in an SVCB record it | ||||
| does not understand, it MUST NOT use that record to discover a | ||||
| Designated Resolver. The client can still use others records in the | ||||
| same response if the client can understand all of their mandatory | ||||
| parameters. This allows future encrypted deployments to | ||||
| simultaneously support protocols even if a given client is not aware | ||||
| of all those protocols. For example, if the Unencrypted Resolver | ||||
| returns three SVCB records, one for DoH, one for DoT, and one for a | ||||
| yet-to-exist protocol, a client which only supports DoH and DoT | ||||
| should be able to use those records while safely ignoring the third | ||||
| record. | ||||
| To avoid name lookup deadlock, Designated Resolvers SHOULD follow the | To avoid name lookup deadlock, Designated Resolvers SHOULD follow the | |||
| guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- | guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- | |||
| based references that block the completion of the TLS handshake. | based references that block the completion of the TLS handshake. | |||
| This document focuses on discovering DoH and DoT Designated | This document focuses on discovering DoH and DoT Designated | |||
| Resolvers. Other protocols can also use the format defined by | Resolvers. Other protocols can also use the format defined by | |||
| [I-D.ietf-add-svcb-dns]. However, if any protocol does not involve | [I-D.ietf-add-svcb-dns]. However, if any protocol does not involve | |||
| some form of certificate validation, new validation mechanisms will | some form of certificate validation, new validation mechanisms will | |||
| need to be defined to support validating designation as defined in | need to be defined to support validating designation as defined in | |||
| Section 4.2. | Section 4.2. | |||
| 4. Discovery Using Resolver IP Addresses | 4. Discovery Using Resolver IP Addresses | |||
| When a DNS client is configured with an Unencrypted Resolver IP | When a DNS client is configured with an Unencrypted Resolver IP | |||
| address, it SHOULD query the resolver for SVCB records for | address, it SHOULD query the resolver for SVCB records for | |||
| "dns://resolver.arpa" before making other queries. Specifically, the | "dns://resolver.arpa" before making other queries. Specifically, the | |||
| client issues a query for _dns.resolver.arpa with the SVCB resource | client issues a query for _dns.resolver.arpa with the SVCB resource | |||
| record type (64) [I-D.ietf-dnsop-svcb-https]. | record type (64) [I-D.ietf-dnsop-svcb-https]. | |||
| Because this query is for an SUDN, which no entity can claim | Because this query is for an SUDN, which no entity can claim | |||
| ownership over, the SVCB response MUST NOT use the "." value for the | ownership over, the ServiceMode SVCB response MUST NOT use the "." | |||
| TargetName. Instead, the domain name used for DoT or used to | value for the TargetName. Instead, the domain name used for DoT or | |||
| construct the DoH template MUST be provided. | used to construct the DoH template MUST be provided. | |||
| The following is an example of an SVCB record describing a DoH server | The following is an example of an SVCB record describing a DoH server | |||
| discovered by querying for _dns.resolver.arpa: | discovered by querying for _dns.resolver.arpa: | |||
| _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( | _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( | |||
| alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
| The following is an example of an SVCB record describing a DoT server | The following is an example of an SVCB record describing a DoT server | |||
| discovered by querying for _dns.resolver.arpa: | discovered by querying for _dns.resolver.arpa: | |||
| skipping to change at page 6, line 28 ¶ | skipping to change at page 6, line 41 ¶ | |||
| * Opportunistic Discovery Section 4.3, for when a resolver is | * Opportunistic Discovery Section 4.3, for when a resolver is | |||
| accessed using a non-public IP address. | accessed using a non-public IP address. | |||
| A client MAY additionally use a discovered Designated Resolver | A client MAY additionally use a discovered Designated Resolver | |||
| without either of these methods, based on implementation-specific | without either of these methods, based on implementation-specific | |||
| policy or user input. Details of such policy are out of scope of | policy or user input. Details of such policy are out of scope of | |||
| this document. Clients SHOULD NOT automatically use a Designated | this document. Clients SHOULD NOT automatically use a Designated | |||
| Resolver without some sort of validation, such as the two methods | Resolver without some sort of validation, such as the two methods | |||
| defined in this document or a future mechanism. | defined in this document or a future mechanism. | |||
| A client MUST NOT use a Designated Resolver designated by one | ||||
| Unencrypted Resolver in place of another Unencrypted Resolver. As | ||||
| these are known only by IP address, this means each unique IP address | ||||
| used for unencrypted DNS requires its own designation discovery. | ||||
| This ensures queries are being sent to a party designated by the | ||||
| resolver originally being used. | ||||
| Generally, clients also SHOULD NOT reuse the Designated Resolver | ||||
| discovered from an Unencrypted Resolver over one network connection | ||||
| in place of the same Unencrypted Resolver on another network | ||||
| connection. Instead, clients SHOULD repeat the discovery process on | ||||
| the other network connection. | ||||
| However, if a given Unencrypted Resolver designates a Designated | ||||
| Resolver that uses a public IP address and can be verified using the | ||||
| mechanism described in Section 4.2, it MAY be used on different | ||||
| network connections so long as the subsequent connections over other | ||||
| networks can also be successfully verified using the mechanism | ||||
| described in Section 4.2. This is a tradeoff between performance (by | ||||
| having no delay in establishing an encrypted DNS connection on the | ||||
| new network) and functionality (if the Unencrypted Resolver intends | ||||
| to designate different Designated Resolvers based on the network from | ||||
| which clients connect). | ||||
| 4.2. Verified Discovery | 4.2. Verified Discovery | |||
| Verified Discovery is a mechanism that allows automatic use of a | Verified Discovery is a mechanism that allows automatic use of a | |||
| Designated Resolver that supports DNS encryption that performs a TLS | Designated Resolver that supports DNS encryption that performs a TLS | |||
| handshake. | handshake. | |||
| In order to be considered a verified Designated Resolver, the TLS | In order to be considered a verified Designated Resolver, the TLS | |||
| certificate presented by the Designated Resolver MUST contain the IP | certificate presented by the Designated Resolver MUST contain the IP | |||
| address of the designating Unencrypted Resolver in a subjectAltName | address of the designating Unencrypted Resolver in a subjectAltName | |||
| extension. If the certificate can be validated, the client SHOULD | extension. If the certificate can be validated, the client SHOULD | |||
| skipping to change at page 14, line 4 ¶ | skipping to change at page 14, line 46 ¶ | |||
| Cupertino, California 95014, | Cupertino, California 95014, | |||
| United States of America | United States of America | |||
| Email: tpauly@apple.com | Email: tpauly@apple.com | |||
| Eric Kinnear | Eric Kinnear | |||
| Apple Inc. | Apple Inc. | |||
| One Apple Park Way | One Apple Park Way | |||
| Cupertino, California 95014, | Cupertino, California 95014, | |||
| United States of America | United States of America | |||
| Email: ekinnear@apple.com | ||||
| Email: ekinnear@apple.com | ||||
| Christopher A. Wood | Christopher A. Wood | |||
| Cloudflare | Cloudflare | |||
| 101 Townsend St | 101 Townsend St | |||
| San Francisco, | San Francisco, | |||
| United States of America | United States of America | |||
| Email: caw@heapingbits.net | Email: caw@heapingbits.net | |||
| Patrick McManus | Patrick McManus | |||
| Fastly | Fastly | |||
| End of changes. 14 change blocks. | ||||
| 31 lines changed or deleted | 71 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||