--- 1/draft-ietf-add-ddr-04.txt 2022-01-31 15:13:28.489618907 -0800 +++ 2/draft-ietf-add-ddr-05.txt 2022-01-31 15:13:28.521619709 -0800 @@ -1,24 +1,24 @@ ADD T. Pauly Internet-Draft E. Kinnear Intended status: Standards Track Apple Inc. -Expires: 19 May 2022 C.A. Wood +Expires: 4 August 2022 C.A. Wood Cloudflare P. McManus Fastly T. Jensen Microsoft - 15 November 2021 + 31 January 2022 Discovery of Designated Resolvers - draft-ietf-add-ddr-04 + draft-ietf-add-ddr-05 Abstract This document defines Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. This mechanism can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. This mechanism is designed to be limited to cases where unencrypted resolvers and their designated resolvers are operated by the same entity or cooperating entities. It can also be @@ -44,59 +44,59 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 19 May 2022. + This Internet-Draft will expire on 4 August 2022. Copyright Notice - Copyright (c) 2021 IETF Trust and the persons identified as the + Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components - extracted from this document must include Simplified BSD License text - as described in Section 4.e of the Trust Legal Provisions and are - provided without warranty as described in the Simplified BSD License. + extracted from this document must include Revised BSD License text as + described in Section 4.e of the Trust Legal Provisions and are + provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6 - 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 6 - 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 7 - 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 7 - 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 8 - 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 8 - 6.2. Certificate Management . . . . . . . . . . . . . . . . . 9 - 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 9 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 - 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 10 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 - 9.2. Informative References . . . . . . . . . . . . . . . . . 11 - Appendix A. Rationale for using SVCB records . . . . . . . . . . 12 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 + 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 7 + 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 8 + 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 8 + 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 9 + 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 9 + 6.2. Certificate Management . . . . . . . . . . . . . . . . . 10 + 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 10 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 11 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 11 + 9.2. Informative References . . . . . . . . . . . . . . . . . 12 + Appendix A. Rationale for using SVCB records . . . . . . . . . . 13 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Introduction When DNS clients wish to use encrypted DNS protocols such as DNS- over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they require additional information beyond the IP address of the DNS server, such as the resolver's hostname, non-standard ports, or URL paths. However, common configuration mechanisms only provide the resolver's IP address during configuration. Such mechanisms include network provisioning protocols like DHCP [RFC2132] and IPv6 Router @@ -117,21 +117,22 @@ requests details by sending a query for a DNS SVCB record. This can be used to discover alternate encrypted DNS protocols supported by a known server, or to provide details if a resolver name is provisioned by a network (Section 5). Both of these approaches allow clients to confirm that a discovered Encrypted Resolver is designated by the originally provisioned resolver. "Designated" in this context means that the resolvers are operated by the same entity or cooperating entities; for example, the resolvers are accessible on the same IP address, or there is a - certificate that claims ownership over both resolvers. + certificate that claims ownership over the IP address for the + original designating resolver. 1.1. Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Terminology @@ -152,64 +153,79 @@ Unencrypted Resolver: A DNS resolver using TCP or UDP port 53. 3. DNS Service Binding Records DNS resolvers can advertise one or more Designated Resolvers that may offer support over encrypted channels and are controlled by the same entity. When a client discovers Designated Resolvers, it learns information such as the supported protocols and ports. This information is - provided in Service Binding (SVCB) records for DNS Servers. The - formatting of these records, including the DNS-unique parameters such - as "dohpath", are defined by [I-D.ietf-add-svcb-dns]. + provided in ServiceMode Service Binding (SVCB) records for DNS + Servers, although AliasMode SVCB records can be used to direct + clients to the needed ServiceMode SVCB record per + [I-D.ietf-dnsop-svcb-https]. The formatting of these records, + including the DNS-unique parameters such as "dohpath", are defined by + [I-D.ietf-add-svcb-dns]. The following is an example of an SVCB record describing a DoH server discovered by querying for _dns.example.net: _dns.example.net. 7200 IN SVCB 1 example.net. ( alpn=h2 dohpath=/dns-query{?dns} ) The following is an example of an SVCB record describing a DoT server discovered by querying for _dns.example.net: _dns.example.net 7200 IN SVCB 1 dot.example.net ( alpn=dot port=8530 ) If multiple Designated Resolvers are available, using one or more encrypted DNS protocols, the resolver deployment can indicate a preference using the priority fields in each SVCB record [I-D.ietf-dnsop-svcb-https]. + If the client encounters a mandatory parameter in an SVCB record it + does not understand, it MUST NOT use that record to discover a + Designated Resolver. The client can still use others records in the + same response if the client can understand all of their mandatory + parameters. This allows future encrypted deployments to + simultaneously support protocols even if a given client is not aware + of all those protocols. For example, if the Unencrypted Resolver + returns three SVCB records, one for DoH, one for DoT, and one for a + yet-to-exist protocol, a client which only supports DoH and DoT + should be able to use those records while safely ignoring the third + record. + To avoid name lookup deadlock, Designated Resolvers SHOULD follow the guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- based references that block the completion of the TLS handshake. This document focuses on discovering DoH and DoT Designated Resolvers. Other protocols can also use the format defined by [I-D.ietf-add-svcb-dns]. However, if any protocol does not involve some form of certificate validation, new validation mechanisms will need to be defined to support validating designation as defined in Section 4.2. 4. Discovery Using Resolver IP Addresses When a DNS client is configured with an Unencrypted Resolver IP address, it SHOULD query the resolver for SVCB records for "dns://resolver.arpa" before making other queries. Specifically, the client issues a query for _dns.resolver.arpa with the SVCB resource record type (64) [I-D.ietf-dnsop-svcb-https]. Because this query is for an SUDN, which no entity can claim - ownership over, the SVCB response MUST NOT use the "." value for the - TargetName. Instead, the domain name used for DoT or used to - construct the DoH template MUST be provided. + ownership over, the ServiceMode SVCB response MUST NOT use the "." + value for the TargetName. Instead, the domain name used for DoT or + used to construct the DoH template MUST be provided. The following is an example of an SVCB record describing a DoH server discovered by querying for _dns.resolver.arpa: _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( alpn=h2 dohpath=/dns-query{?dns} ) The following is an example of an SVCB record describing a DoT server discovered by querying for _dns.resolver.arpa: @@ -249,20 +265,44 @@ * Opportunistic Discovery Section 4.3, for when a resolver is accessed using a non-public IP address. A client MAY additionally use a discovered Designated Resolver without either of these methods, based on implementation-specific policy or user input. Details of such policy are out of scope of this document. Clients SHOULD NOT automatically use a Designated Resolver without some sort of validation, such as the two methods defined in this document or a future mechanism. + A client MUST NOT use a Designated Resolver designated by one + Unencrypted Resolver in place of another Unencrypted Resolver. As + these are known only by IP address, this means each unique IP address + used for unencrypted DNS requires its own designation discovery. + This ensures queries are being sent to a party designated by the + resolver originally being used. + + Generally, clients also SHOULD NOT reuse the Designated Resolver + discovered from an Unencrypted Resolver over one network connection + in place of the same Unencrypted Resolver on another network + connection. Instead, clients SHOULD repeat the discovery process on + the other network connection. + + However, if a given Unencrypted Resolver designates a Designated + Resolver that uses a public IP address and can be verified using the + mechanism described in Section 4.2, it MAY be used on different + network connections so long as the subsequent connections over other + networks can also be successfully verified using the mechanism + described in Section 4.2. This is a tradeoff between performance (by + having no delay in establishing an encrypted DNS connection on the + new network) and functionality (if the Unencrypted Resolver intends + to designate different Designated Resolvers based on the network from + which clients connect). + 4.2. Verified Discovery Verified Discovery is a mechanism that allows automatic use of a Designated Resolver that supports DNS encryption that performs a TLS handshake. In order to be considered a verified Designated Resolver, the TLS certificate presented by the Designated Resolver MUST contain the IP address of the designating Unencrypted Resolver in a subjectAltName extension. If the certificate can be validated, the client SHOULD @@ -603,22 +643,22 @@ Cupertino, California 95014, United States of America Email: tpauly@apple.com Eric Kinnear Apple Inc. One Apple Park Way Cupertino, California 95014, United States of America - Email: ekinnear@apple.com + Email: ekinnear@apple.com Christopher A. Wood Cloudflare 101 Townsend St San Francisco, United States of America Email: caw@heapingbits.net Patrick McManus Fastly