rfc9462v2.txt | rfc9462.txt | |||
---|---|---|---|---|
skipping to change at line 164 ¶ | skipping to change at line 164 ¶ | |||
entity. | entity. | |||
When a client discovers Designated Resolvers, it learns information | When a client discovers Designated Resolvers, it learns information | |||
such as the supported protocols and ports. This information is | such as the supported protocols and ports. This information is | |||
provided in ServiceMode SVCB records for DNS servers, although | provided in ServiceMode SVCB records for DNS servers, although | |||
AliasMode SVCB records can be used to direct clients to the needed | AliasMode SVCB records can be used to direct clients to the needed | |||
ServiceMode SVCB record per [RFC9460]. The formatting of these | ServiceMode SVCB record per [RFC9460]. The formatting of these | |||
records, including the DNS-unique parameters such as "dohpath", are | records, including the DNS-unique parameters such as "dohpath", are | |||
defined by [RFC9461]. | defined by [RFC9461]. | |||
The following is an example of an SVCB record describing a DoH server | The following is an example of a SVCB record describing a DoH server | |||
discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
_dns.example.net. 7200 IN SVCB 1 example.net. ( | _dns.example.net. 7200 IN SVCB 1 example.net. ( | |||
alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
The following is an example of an SVCB record describing a DoT server | The following is an example of a SVCB record describing a DoT server | |||
discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
_dns.example.net. 7200 IN SVCB 1 dot.example.net ( | _dns.example.net. 7200 IN SVCB 1 dot.example.net ( | |||
alpn=dot port=8530 ) | alpn=dot port=8530 ) | |||
The following is an example of an SVCB record describing a DoQ server | The following is an example of a SVCB record describing a DoQ server | |||
discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
_dns.example.net. 7200 IN SVCB 1 doq.example.net ( | _dns.example.net. 7200 IN SVCB 1 doq.example.net ( | |||
alpn=doq port=8530 ) | alpn=doq port=8530 ) | |||
If multiple Designated Resolvers are available, using one or more | If multiple Designated Resolvers are available, using one or more | |||
encrypted DNS protocols, the resolver deployment can indicate a | encrypted DNS protocols, the resolver deployment can indicate a | |||
preference using the priority fields in each SVCB record [RFC9460]. | preference using the priority fields in each SVCB record [RFC9460]. | |||
If the client encounters a mandatory parameter in an SVCB record it | If the client encounters a mandatory parameter in a SVCB record it | |||
does not understand, it MUST NOT use that record to discover a | does not understand, it MUST NOT use that record to discover a | |||
Designated Resolver, in accordance with Section 8 of [RFC9460]. The | Designated Resolver, in accordance with Section 8 of [RFC9460]. The | |||
client can still use other records in the same response if the client | client can still use other records in the same response if the client | |||
can understand all of their mandatory parameters. This allows future | can understand all of their mandatory parameters. This allows future | |||
encrypted deployments to simultaneously support protocols even if a | encrypted deployments to simultaneously support protocols even if a | |||
given client is not aware of all those protocols. For example, if | given client is not aware of all those protocols. For example, if | |||
the Unencrypted DNS Resolver returns three SVCB records -- one for | the Unencrypted DNS Resolver returns three SVCB records -- one for | |||
DoH, one for DoT, and one for a yet-to-exist protocol -- a client | DoH, one for DoT, and one for a yet-to-exist protocol -- a client | |||
that only supports DoH and DoT should be able to use those records | that only supports DoH and DoT should be able to use those records | |||
while safely ignoring the third record. | while safely ignoring the third record. | |||
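Review bot: the TargetName presentation is inconsistent across the three example records in this region: the DoH example uses the fully qualified "example.net." with a trailing dot, while the DoT and DoQ examples use "dot.example.net" and "doq.example.net" without one, even though every owner name is written as "_dns.example.net." with the dot. In master-file presentation format a name without a trailing dot is relative to the current origin, so a reader who copies these into a zone gets the origin appended to the DoT and DoQ targets. Suggest writing all three TargetNames fully qualified, e.g. `1 dot.example.net. (` and `1 doq.example.net. (`.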
skipping to change at line 230 ¶ | skipping to change at line 230 ¶ | |||
record type (64) [RFC9460]. | record type (64) [RFC9460]. | |||
Responses to the SVCB query for the "resolver.arpa" SUDN describe | Responses to the SVCB query for the "resolver.arpa" SUDN describe | |||
Designated Resolvers. To ensure that different Designated Resolver | Designated Resolvers. To ensure that different Designated Resolver | |||
configurations can be correctly distinguished and associated with A | configurations can be correctly distinguished and associated with A | |||
and AAAA records for the resolver, ServiceMode SVCB responses to | and AAAA records for the resolver, ServiceMode SVCB responses to | |||
these queries MUST NOT use the "." or "resolver.arpa" value for the | these queries MUST NOT use the "." or "resolver.arpa" value for the | |||
TargetName. Similarly, clients MUST NOT perform A or AAAA queries | TargetName. Similarly, clients MUST NOT perform A or AAAA queries | |||
for "resolver.arpa". | for "resolver.arpa". | |||
The following is an example of an SVCB record describing a DoH server | The following is an example of a SVCB record describing a DoH server | |||
discovered by querying for _dns.resolver.arpa.: | discovered by querying for _dns.resolver.arpa.: | |||
_dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net ( | _dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net ( | |||
alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
The following is an example of an SVCB record describing a DoT server | The following is an example of a SVCB record describing a DoT server | |||
discovered by querying for _dns.resolver.arpa.: | discovered by querying for _dns.resolver.arpa.: | |||
_dns.resolver.arpa. 7200 IN SVCB 1 dot.example.net ( | _dns.resolver.arpa. 7200 IN SVCB 1 dot.example.net ( | |||
alpn=dot port=8530 ) | alpn=dot port=8530 ) | |||
The following is an example of an SVCB record describing a DoQ server | The following is an example of a SVCB record describing a DoQ server | |||
discovered by querying for _dns.resolver.arpa.: | discovered by querying for _dns.resolver.arpa.: | |||
_dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( | _dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( | |||
alpn=doq port=8530 ) | alpn=doq port=8530 ) | |||
If the recursive resolver that receives this query has one or more | If the recursive resolver that receives this query has one or more | |||
Designated Resolvers, it will return the corresponding SVCB records. | Designated Resolvers, it will return the corresponding SVCB records. | |||
When responding to these special queries for "resolver.arpa", the | When responding to these special queries for "resolver.arpa", the | |||
recursive resolver SHOULD include the A and AAAA records for the name | recursive resolver SHOULD include the A and AAAA records for the name | |||
of the Designated Resolver in the Additional Answers section. This | of the Designated Resolver in the Additional Answers section. This | |||
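Review bot: "Additional Answers section" is not the name of a DNS message section; a DNS message has an answer section and a separate additional section, and the A and AAAA records for the Designated Resolver belong in the latter. Suggest "in the Additional section" so the text does not read as placing them in the answer section. As in the previous region, the TargetNames "doh.example.net", "dot.example.net" and "doq.example.net" lack the trailing dot while the owner name "_dns.resolver.arpa." has it; fully qualified targets would avoid origin-relative interpretation when these examples are copied.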
skipping to change at line 419 ¶ | skipping to change at line 419 ¶ | |||
Encrypted DNS Resolver itself or to any other resolver. Unlike the | Encrypted DNS Resolver itself or to any other resolver. Unlike the | |||
case of bootstrapping from an Unencrypted DNS Resolver (Section 4), | case of bootstrapping from an Unencrypted DNS Resolver (Section 4), | |||
these records SHOULD be available in the public DNS if the same | these records SHOULD be available in the public DNS if the same | |||
domain name's A or AAAA records are available in the public DNS to | domain name's A or AAAA records are available in the public DNS to | |||
allow using any resolver to discover another resolver's Designated | allow using any resolver to discover another resolver's Designated | |||
Resolvers. When the name can only be resolved in private namespaces, | Resolvers. When the name can only be resolved in private namespaces, | |||
these records SHOULD be available to the same audience as the A and | these records SHOULD be available to the same audience as the A and | |||
AAAA records. | AAAA records. | |||
For example, if the client already knows about a DoT server | For example, if the client already knows about a DoT server | |||
resolver.example.com, it can issue an SVCB query for | resolver.example.com, it can issue a SVCB query for | |||
_dns.resolver.example.com to discover if there are other encrypted | _dns.resolver.example.com to discover if there are other encrypted | |||
DNS protocols available. In the following example, the SVCB answers | DNS protocols available. In the following example, the SVCB answers | |||
indicate that resolver.example.com supports both DoH and DoT and that | indicate that resolver.example.com supports both DoH and DoT and that | |||
the DoH server indicates a higher priority than the DoT server. | the DoH server indicates a higher priority than the DoT server. | |||
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( | _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( | |||
alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
_dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( | _dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( | |||
alpn=dot ) | alpn=dot ) | |||
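Review bot: "the DoH server indicates a higher priority than the DoT server" is ambiguous against the records shown, where the DoH record carries SvcPriority 1 and the DoT record SvcPriority 2; in SVCB the smaller SvcPriority value is the preferred one (the earlier region of this diff already points to the priority fields of [RFC9460] for expressing preference), so a reader may take "higher priority" to mean the larger number. Suggest "the DoH server is preferred over the DoT server (lower SvcPriority value)".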
skipping to change at line 460 ¶ | skipping to change at line 460 ¶ | |||
server for foo.resolver.example.com. | server for foo.resolver.example.com. | |||
6. Deployment Considerations | 6. Deployment Considerations | |||
Resolver deployments that support DDR are advised to consider the | Resolver deployments that support DDR are advised to consider the | |||
following points. | following points. | |||
6.1. Caching Forwarders | 6.1. Caching Forwarders | |||
A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or | A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or | |||
any subdomains) upstream. This prevents a client from receiving an | any subdomains) upstream. This prevents a client from receiving a | |||
SVCB record that will fail to authenticate because the forwarder's IP | SVCB record that will fail to authenticate because the forwarder's IP | |||
address is not in the SubjectAltName (SAN) field of the upstream | address is not in the SubjectAltName (SAN) field of the upstream | |||
resolver's Designated Resolver's TLS certificate. A DNS forwarder | resolver's Designated Resolver's TLS certificate. A DNS forwarder | |||
that already acts as a completely transparent forwarder MAY choose to | that already acts as a completely transparent forwarder MAY choose to | |||
forward these queries when the operator expects that this does not | forward these queries when the operator expects that this does not | |||
apply, because the operator either knows that the upstream resolver | apply, because the operator either knows that the upstream resolver | |||
does have the forwarder's IP address in its TLS certificate's SAN | does have the forwarder's IP address in its TLS certificate's SAN | |||
field or expects clients to validate the connection via some future | field or expects clients to validate the connection via some future | |||
mechanism. | mechanism. | |||
skipping to change at line 520 ¶ | skipping to change at line 520 ¶ | |||
directly through DHCP [RFC2132] [RFC8415] and through IPv6 RA options | directly through DHCP [RFC2132] [RFC8415] and through IPv6 RA options | |||
[RFC8106]. When such indications are present, clients can suppress | [RFC8106]. When such indications are present, clients can suppress | |||
queries for "resolver.arpa" to the unencrypted DNS server indicated | queries for "resolver.arpa" to the unencrypted DNS server indicated | |||
by the network over DHCP or RAs, and the DNR indications SHOULD take | by the network over DHCP or RAs, and the DNR indications SHOULD take | |||
precedence over those discovered using "resolver.arpa" for the same | precedence over those discovered using "resolver.arpa" for the same | |||
resolver if there is a conflict, since DNR is considered a more | resolver if there is a conflict, since DNR is considered a more | |||
reliable source. | reliable source. | |||
The Designated Resolver information in DNR might not contain a full | The Designated Resolver information in DNR might not contain a full | |||
set of SvcParams needed to connect to an Encrypted DNS Resolver. In | set of SvcParams needed to connect to an Encrypted DNS Resolver. In | |||
such a case, the client can use an SVCB query using a resolver name, | such a case, the client can use a SVCB query using a resolver name, | |||
as described in Section 5, to the Authentication Domain Name (ADN). | as described in Section 5, to the Authentication Domain Name (ADN). | |||
7. Security Considerations | 7. Security Considerations | |||
Since clients can receive DNS SVCB answers over unencrypted DNS, on- | Since clients can receive DNS SVCB answers over unencrypted DNS, on- | |||
path attackers can prevent successful discovery by dropping SVCB | path attackers can prevent successful discovery by dropping SVCB | |||
queries or answers and thus can prevent clients from switching to | queries or answers and thus can prevent clients from switching to | |||
using encrypted DNS. Clients should be aware that it might not be | using encrypted DNS. Clients should be aware that it might not be | |||
possible to distinguish between resolvers that do not have any | possible to distinguish between resolvers that do not have any | |||
Designated Resolver and such an active attack. To limit the impact | Designated Resolver and such an active attack. To limit the impact | |||
End of changes. 10 change blocks. 10 lines changed or deleted, 10 lines changed or added.
This html diff was produced by rfcdiff 1.48.