rfc9462.original   rfc9462.txt 
ADD T. Pauly Internet Engineering Task Force (IETF) T. Pauly
Internet-Draft E. Kinnear Request for Comments: 9462 E. Kinnear
Intended status: Standards Track Apple Inc. Category: Standards Track Apple Inc.
Expires: 6 February 2023 C. A. Wood ISSN: 2070-1721 C. A. Wood
Cloudflare Cloudflare
P. McManus P. McManus
Fastly Fastly
T. Jensen T. Jensen
Microsoft Microsoft
5 August 2022 September 2023
Discovery of Designated Resolvers Discovery of Designated Resolvers
draft-ietf-add-ddr-10
Abstract Abstract
This document defines Discovery of Designated Resolvers (DDR), a This document defines Discovery of Designated Resolvers (DDR), a
mechanism for DNS clients to use DNS records to discover a resolver's mechanism for DNS clients to use DNS records to discover a resolver's
encrypted DNS configuration. An encrypted DNS resolver discovered in encrypted DNS configuration. An encrypted DNS resolver discovered in
this manner is referred to as a "Designated Resolver". This this manner is referred to as a "Designated Resolver". This
mechanism can be used to move from unencrypted DNS to encrypted DNS mechanism can be used to move from unencrypted DNS to encrypted DNS
when only the IP address of a resolver is known. This mechanism is when only the IP address of a resolver is known. This mechanism is
designed to be limited to cases where unencrypted DNS resolvers and designed to be limited to cases where unencrypted DNS resolvers and
their designated resolvers are operated by the same entity or their designated resolvers are operated by the same entity or
cooperating entities. It can also be used to discover support for cooperating entities. It can also be used to discover support for
encrypted DNS protocols when the name of an encrypted DNS resolver is encrypted DNS protocols when the name of an encrypted DNS resolver is
known. known.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Adaptive DNS Discovery
Working Group mailing list (add@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/add/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-add/draft-ietf-add-ddr.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 6 February 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9462.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Specification of Requirements . . . . . . . . . . . . . . 4 1.1. Specification of Requirements
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology
3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 3. DNS Service Binding Records
4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 6 4. Discovery Using Resolver IP Addresses
4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 7 4.1. Use of Designated Resolvers
4.1.1. Use of Designated Resolvers across network changes . 8 4.1.1. Use of Designated Resolvers across Network Changes
4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 8 4.2. Verified Discovery
4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 9 4.3. Opportunistic Discovery
5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 10 5. Discovery Using Resolver Names
6. Deployment Considerations . . . . . . . . . . . . . . . . . . 11 6. Deployment Considerations
6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 11 6.1. Caching Forwarders
6.2. Certificate Management . . . . . . . . . . . . . . . . . 11 6.2. Certificate Management
6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 11 6.3. Server Name Handling
6.4. Handling non-DDR queries for resolver.arpa . . . . . . . 12 6.4. Handling Non-DDR Queries for resolver.arpa
6.5. Interaction with Network-Designated Resolvers . . . . . . 12 6.5. Interaction with Network-Designated Resolvers
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations
8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 14 8.1. Special-Use Domain Name "resolver.arpa"
8.2. Domain Name Reservation Considerations . . . . . . . . . 14 8.2. Domain Name Reservation Considerations
9. References
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 9.1. Normative References
9.1. Normative References . . . . . . . . . . . . . . . . . . 15 9.2. Informative References
9.2. Informative References . . . . . . . . . . . . . . . . . 17 Appendix A. Rationale for Using a Special-Use Domain Name
Appendix A. Rationale for using a Special Use Domain Name . . . 18 Appendix B. Rationale for Using SVCB Records
Appendix B. Rationale for using SVCB records . . . . . . . . . . 18 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
When DNS clients wish to use encrypted DNS protocols such as DNS- When DNS clients wish to use encrypted DNS protocols such as DNS over
over-TLS (DoT) [RFC7858], DNS-over-QUIC (DoQ) [RFC9250], or DNS-over- TLS (DoT) [RFC7858], DNS over QUIC (DoQ) [RFC9250], or DNS over HTTPS
HTTPS (DoH) [RFC8484], they can require additional information beyond (DoH) [RFC8484], they can require additional information beyond the
the IP address of the DNS server, such as the resolver's hostname, IP address of the DNS server, such as the resolver's hostname,
alternate IP addresses, non-standard ports, or URI templates. alternate IP addresses, non-standard ports, or URI Templates.
However, common configuration mechanisms only provide the resolver's However, common configuration mechanisms only provide the resolver's
IP address during configuration. Such mechanisms include network IP address during configuration. Such mechanisms include network
provisioning protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router provisioning protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router
Advertisement (RA) options [RFC8106], as well as manual Advertisement (RA) options [RFC8106], as well as manual
configuration. configuration.
This document defines two mechanisms for clients to discover This document defines two mechanisms for clients to discover
designated resolvers that support these encrypted protocols using DNS designated resolvers that support these encrypted protocols using DNS
server Service Binding (SVCB, [I-D.ietf-dnsop-svcb-https]) records: server Service Binding (SVCB) records [RFC9460]:
1. When only an IP address of an Unencrypted DNS Resolver is known, 1. When only an IP address of an Unencrypted DNS Resolver is known,
the client queries a special use domain name (SUDN) [RFC6761] to the client queries a Special-Use Domain Name (SUDN) [RFC6761] to
discover DNS SVCB records associated with one or more Encrypted discover DNS SVCB records associated with one or more Encrypted
DNS Resolvers the Unencrypted DNS Resolver has designated for use DNS Resolvers the Unencrypted DNS Resolver has designated for use
when support for DNS encryption is requested (Section 4). when support for DNS encryption is requested (Section 4).
2. When the hostname of an Encrypted DNS Resolver is known, the 2. When the hostname of an Encrypted DNS Resolver is known, the
client requests details by sending a query for a DNS SVCB record. client requests details by sending a query for a DNS SVCB record.
This can be used to discover alternate encrypted DNS protocols This can be used to discover alternate encrypted DNS protocols
supported by a known server, or to provide details if a resolver supported by a known server, or to provide details if a resolver
name is provisioned by a network (Section 5). name is provisioned by a network (Section 5).
skipping to change at page 4, line 9 skipping to change at line 128
resolver. "Designated" in this context means that the resolvers are resolver. "Designated" in this context means that the resolvers are
operated by the same entity or cooperating entities; for example, the operated by the same entity or cooperating entities; for example, the
resolvers are accessible on the same IP address, or there is a resolvers are accessible on the same IP address, or there is a
certificate that contains the IP address for the original designating certificate that contains the IP address for the original designating
resolver. resolver.
1.1. Specification of Requirements 1.1. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Terminology 2. Terminology
This document defines the following terms: This document defines the following terms:
DDR: Discovery of Designated Resolvers. Refers to the mechanisms DDR: Discovery of Designated Resolvers. "DDR" refers to the
defined in this document. mechanisms defined in this document.
Designated Resolver: A resolver, presumably an Encrypted DNS Designated Resolver: A resolver, presumably an Encrypted DNS
Resolver, designated by another resolver for use in its own place. Resolver, designated by another resolver for use in its own place.
This designation can be verified with TLS certificates. This designation can be verified with TLS certificates.
Encrypted DNS Resolver: A DNS resolver using any encrypted DNS Encrypted DNS Resolver: A DNS resolver using any encrypted DNS
transport. This includes current mechanisms such as DoH, DoT, and transport. This includes current mechanisms such as DoH, DoT, and
DoQ, as well as future mechanisms. DoQ, as well as future mechanisms.
Unencrypted DNS Resolver: A DNS resolver using a transport without Unencrypted DNS Resolver: A DNS resolver using a transport without
encryption, historically TCP or UDP port 53. encryption, historically TCP or UDP port 53.
3. DNS Service Binding Records 3. DNS Service Binding Records
DNS resolvers can advertise one or more Designated Resolvers that may DNS resolvers can advertise one or more Designated Resolvers that may
offer support over encrypted channels and are controlled by the same offer support over encrypted channels and are controlled by the same
entity. entity.
When a client discovers Designated Resolvers, it learns information When a client discovers Designated Resolvers, it learns information
such as the supported protocols and ports. This information is such as the supported protocols and ports. This information is
provided in ServiceMode Service Binding (SVCB) records for DNS provided in ServiceMode SVCB records for DNS servers, although
Servers, although AliasMode SVCB records can be used to direct AliasMode SVCB records can be used to direct clients to the needed
clients to the needed ServiceMode SVCB record per ServiceMode SVCB record per [RFC9460]. The formatting of these
[I-D.ietf-dnsop-svcb-https]. The formatting of these records, records, including the DNS-unique parameters such as "dohpath", are
including the DNS-unique parameters such as "dohpath", are defined by defined by [RFC9461].
[I-D.ietf-add-svcb-dns].
The following is an example of an SVCB record describing a DoH server The following is an example of an SVCB record describing a DoH server
discovered by querying for _dns.example.net: discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 example.net. ( _dns.example.net. 7200 IN SVCB 1 example.net. (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT server The following is an example of an SVCB record describing a DoT server
discovered by querying for _dns.example.net: discovered by querying for _dns.example.net:
skipping to change at page 5, line 19 skipping to change at line 184
alpn=dot port=8530 ) alpn=dot port=8530 )
The following is an example of an SVCB record describing a DoQ server The following is an example of an SVCB record describing a DoQ server
discovered by querying for _dns.example.net: discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 doq.example.net ( _dns.example.net. 7200 IN SVCB 1 doq.example.net (
alpn=doq port=8530 ) alpn=doq port=8530 )
If multiple Designated Resolvers are available, using one or more If multiple Designated Resolvers are available, using one or more
encrypted DNS protocols, the resolver deployment can indicate a encrypted DNS protocols, the resolver deployment can indicate a
preference using the priority fields in each SVCB record preference using the priority fields in each SVCB record [RFC9460].
[I-D.ietf-dnsop-svcb-https].
If the client encounters a mandatory parameter in an SVCB record it If the client encounters a mandatory parameter in an SVCB record it
does not understand, it MUST NOT use that record to discover a does not understand, it MUST NOT use that record to discover a
Designated Resolver, in accordance with Section 8 of Designated Resolver, in accordance with Section 8 of [RFC9460]. The
[I-D.ietf-dnsop-svcb-https]. The client can still use other records client can still use other records in the same response if the client
in the same response if the client can understand all of their can understand all of their mandatory parameters. This allows future
mandatory parameters. This allows future encrypted deployments to encrypted deployments to simultaneously support protocols even if a
simultaneously support protocols even if a given client is not aware given client is not aware of all those protocols. For example, if
of all those protocols. For example, if the Unencrypted DNS Resolver the Unencrypted DNS Resolver returns three SVCB records -- one for
returns three SVCB records, one for DoH, one for DoT, and one for a DoH, one for DoT, and one for a yet-to-exist protocol -- a client
yet-to-exist protocol, a client which only supports DoH and DoT that only supports DoH and DoT should be able to use those records
should be able to use those records while safely ignoring the third while safely ignoring the third record.
record.
To avoid name lookup deadlock, clients that use Designated Resolvers To avoid name lookup deadlock, clients that use Designated Resolvers
need to ensure that a specific Encrypted Resolver is not used for any need to ensure that a specific Encrypted Resolver is not used for any
queries that are needed to resolve the name of the resolver itself or queries that are needed to resolve the name of the resolver itself or
to perform certificate revocation checks for the resolver, as to perform certificate revocation checks for the resolver, as
described in Section 10 of [RFC8484]. Designated Resolvers need to described in Section 10 of [RFC8484]. Designated Resolvers need to
ensure this deadlock is avoidable as described in Section 10 of ensure that this deadlock is avoidable, as also described in
[RFC8484]. Section 10 of [RFC8484].
This document focuses on discovering DoH, DoT, and DoQ Designated This document focuses on discovering DoH, DoT, and DoQ Designated
Resolvers. Other protocols can also use the format defined by Resolvers. Other protocols can also use the format defined by
[I-D.ietf-add-svcb-dns]. However, if any such protocol does not [RFC9461]. However, if any such protocol does not involve some form
involve some form of certificate validation, new validation of certificate validation, new validation mechanisms will need to be
mechanisms will need to be defined to support validating designation defined to support validating designation as defined in Section 4.2.
as defined in Section 4.2.
4. Discovery Using Resolver IP Addresses 4. Discovery Using Resolver IP Addresses
When a DNS client is configured with an Unencrypted DNS Resolver IP When a DNS client is configured with an Unencrypted DNS Resolver IP
address, it SHOULD query the resolver for SVCB records of a service address, it SHOULD query the resolver for SVCB records of a service
with a scheme of "dns" and an Authority of "resolver.arpa" before with a scheme of "dns" and an Authority of "resolver.arpa" before
making other queries. This allows the client to switch to using making other queries. This allows the client to switch to using
Encrypted DNS for all other queries, if possible. Specifically, the Encrypted DNS for all other queries, if possible. Specifically, the
client issues a query for _dns.resolver.arpa. with the SVCB resource client issues a query for _dns.resolver.arpa. with the SVCB resource
record type (64) [I-D.ietf-dnsop-svcb-https]. record type (64) [RFC9460].
Responses to the SVCB query for the "resolver.arpa" SUDN describe Responses to the SVCB query for the "resolver.arpa" SUDN describe
Designated Resolvers. To ensure that different Designated Resolver Designated Resolvers. To ensure that different Designated Resolver
configurations can be correctly distinguished and associated with A configurations can be correctly distinguished and associated with A
and AAAA records for the resolver, ServiceMode SVCB responses to and AAAA records for the resolver, ServiceMode SVCB responses to
these queries MUST NOT use the "." or "resolver.arpa" value for the these queries MUST NOT use the "." or "resolver.arpa" value for the
TargetName. Similarly, clients MUST NOT perform A or AAAA queries TargetName. Similarly, clients MUST NOT perform A or AAAA queries
for "resolver.arpa". for "resolver.arpa".
The following is an example of an SVCB record describing a DoH server The following is an example of an SVCB record describing a DoH server
skipping to change at page 6, line 47 skipping to change at line 254
_dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( _dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net (
alpn=doq port=8530 ) alpn=doq port=8530 )
If the recursive resolver that receives this query has one or more If the recursive resolver that receives this query has one or more
Designated Resolvers, it will return the corresponding SVCB records. Designated Resolvers, it will return the corresponding SVCB records.
When responding to these special queries for "resolver.arpa", the When responding to these special queries for "resolver.arpa", the
recursive resolver SHOULD include the A and AAAA records for the name recursive resolver SHOULD include the A and AAAA records for the name
of the Designated Resolver in the Additional Answers section. This of the Designated Resolver in the Additional Answers section. This
will save the DNS client an additional round trip to retrieve the will save the DNS client an additional round trip to retrieve the
address of the designated resolver; see Section 5 of address of the designated resolver; see Section 5 of [RFC9460].
[I-D.ietf-dnsop-svcb-https].
Designated Resolvers SHOULD be accessible using the IP address Designated Resolvers SHOULD be accessible using the IP address
families that are supported by their associated Unencrypted DNS families that are supported by their associated Unencrypted DNS
Resolvers. If an Unencrypted DNS Resolver is accessible using an Resolvers. If an Unencrypted DNS Resolver is accessible using an
IPv4 address, it ought to provide an A record for an IPv4 address of IPv4 address, it ought to provide an A record for an IPv4 address of
the Designated Resolver; similarly, if it is accessible using an IPv6 the Designated Resolver; similarly, if it is accessible using an IPv6
address, it ought to provide a AAAA record for an IPv6 address of the address, it ought to provide a AAAA record for an IPv6 address of the
Designated Resolver. The Designated Resolver MAY support more Designated Resolver. The Designated Resolver MAY support more
address families than the Unencrypted DNS Resolver, but it SHOULD NOT address families than the Unencrypted DNS Resolver, but it SHOULD NOT
support fewer. If this is not done, clients that only have support fewer. If this is not done, clients that only have
skipping to change at page 7, line 22 skipping to change at line 277
If the recursive resolver that receives this query has no Designated If the recursive resolver that receives this query has no Designated
Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa"
zone, to provide a consistent and accurate signal to clients that it zone, to provide a consistent and accurate signal to clients that it
does not have a Designated Resolver. does not have a Designated Resolver.
4.1. Use of Designated Resolvers 4.1. Use of Designated Resolvers
When a client discovers Designated Resolvers from an Unencrypted DNS When a client discovers Designated Resolvers from an Unencrypted DNS
Resolver IP address, it can choose to use these Designated Resolvers Resolver IP address, it can choose to use these Designated Resolvers
either automatically, or based on some other policy, heuristic, or either (1) automatically or (2) based on some other policy,
user choice. heuristic, or user choice.
This document defines two preferred methods to automatically use This document defines two preferred methods for automatically using
Designated Resolvers: Designated Resolvers:
* Verified Discovery (Section 4.2), for when a TLS certificate can * Verified Discovery (Section 4.2), for when a TLS certificate can
be used to validate the resolver's identity. be used to validate the resolver's identity.
* Opportunistic Discovery (Section 4.3), for when a resolver's IP * Opportunistic Discovery (Section 4.3), for when a resolver's IP
address is a private or local address. address is a private or local address.
A client MAY additionally use a discovered Designated Resolver A client MAY additionally use a discovered Designated Resolver
without either of these methods, based on implementation-specific without either of these methods, based on implementation-specific
policy or user input. Details of such policy are out of scope of policy or user input. Details of such policy are out of scope for
this document. Clients MUST NOT automatically use a Designated this document. Clients MUST NOT automatically use a Designated
Resolver without some sort of validation, such as the two methods Resolver without some sort of validation, such as the two methods
defined in this document or a future mechanism. Use without defined in this document or a future mechanism. Use without
validation can allow an attacker to direct traffic to an Encrypted validation can allow an attacker to direct traffic to an Encrypted
Resolver that is unrelated to the original Unencrypted DNS Resolver, Resolver that is unrelated to the original Unencrypted DNS Resolver,
as described in Section 7. as described in Section 7.
A client MUST NOT re-use a designation discovered using the IP A client MUST NOT reuse a designation discovered using the IP address
address of one Unencrypted DNS Resolver in place of any other of one Unencrypted DNS Resolver in place of any other Unencrypted DNS
Unencrypted DNS Resolver. Instead, the client needs to repeat the Resolver. Instead, the client needs to repeat the discovery process
discovery process to discover the Designated Resolver of the other to discover the Designated Resolver of the other Unencrypted DNS
Unencrypted DNS Resolver. In other words, designations are per- Resolver. In other words, designations are per-resolver and MUST NOT
resolver and MUST NOT be used to configure the client's universal DNS be used to configure the client's universal DNS behavior. This
behavior. This ensures in all cases that queries are being sent to a ensures in all cases that queries are being sent to a party
party designated by the resolver originally being used. designated by the resolver originally being used.
4.1.1. Use of Designated Resolvers across network changes 4.1.1. Use of Designated Resolvers across Network Changes
If a client is configured with the same Unencrypted DNS Resolver IP If a client is configured with the same Unencrypted DNS Resolver IP
address on multiple different networks, a Designated Resolver that address on multiple different networks, a Designated Resolver that
has been discovered on one network SHOULD NOT be reused on any of the has been discovered on one network SHOULD NOT be reused on any of the
other networks without repeating the discovery process for each other networks without repeating the discovery process for each
network, since the same IP address may be used for different servers network, since the same IP address may be used for different servers
on the different networks. on the different networks.
4.2. Verified Discovery 4.2. Verified Discovery
Verified Discovery is a mechanism that allows automatic use of a Verified Discovery is a mechanism that allows the automatic use of a
Designated Resolver that supports DNS encryption that performs a TLS Designated Resolver that supports DNS encryption that performs a TLS
handshake. handshake.
In order to be considered a verified Designated Resolver, the TLS In order to be considered a verified Designated Resolver, the TLS
certificate presented by the Designated Resolver needs to pass the certificate presented by the Designated Resolver needs to pass the
following checks made by the client: following checks made by the client:
1. The client MUST verify the chain of certificates up to a trust 1. The client MUST verify the chain of certificates up to a trust
anchor as described in Section 6 of [RFC5280]. This SHOULD use anchor as described in Section 6 of [RFC5280]. This SHOULD use
the default system or application trust anchors, unless otherwise the default system or application trust anchors, unless otherwise
skipping to change at page 8, line 50 skipping to change at line 353
discovered Designated Resolver if this designation was only discovered Designated Resolver if this designation was only
discovered via a _dns.resolver.arpa. query (if the designation was discovered via a _dns.resolver.arpa. query (if the designation was
advertised directly by the network as described in Section 6.5, the advertised directly by the network as described in Section 6.5, the
server can still be used). Additionally, the client SHOULD suppress server can still be used). Additionally, the client SHOULD suppress
any further queries for Designated Resolvers using this Unencrypted any further queries for Designated Resolvers using this Unencrypted
DNS Resolver for the length of time indicated by the SVCB record's DNS Resolver for the length of time indicated by the SVCB record's
Time to Live (TTL) in order to avoid excessive queries that will lead Time to Live (TTL) in order to avoid excessive queries that will lead
to further failed validations. The client MAY issue new queries if to further failed validations. The client MAY issue new queries if
the SVCB record's TTL is excessively long (as determined by client the SVCB record's TTL is excessively long (as determined by client
policy) to minimize the length of time an intermittent attacker can policy) to minimize the length of time an intermittent attacker can
prevent use of encrypted DNS. prevent the use of encrypted DNS.
If the Designated Resolver and the Unencrypted DNS Resolver share an If the Designated Resolver and the Unencrypted DNS Resolver share an
IP address, clients MAY choose to opportunistically use the IP address, clients MAY choose to opportunistically use the
Designated Resolver even without this certificate check Designated Resolver even without this certificate check
(Section 4.3). If the IP address is not shared, opportunistic use (Section 4.3). If the IP address is not shared, opportunistic use
allows for attackers to redirect queries to an unrelated Encrypted allows for attackers to redirect queries to an unrelated Encrypted
Resolver, as described in Section 7. Resolver, as described in Section 7.
Connections to a Designated Resolver can use a different IP address Connections to a Designated Resolver can use a different IP address
than the IP address of the Unencrypted DNS Resolver, such as if the than the IP address of the Unencrypted DNS Resolver -- for example,
process of resolving the SVCB service yields additional addresses. if the process of resolving the SVCB service yields additional
Even when a different IP address is used for the connection, the TLS addresses. Even when a different IP address is used for the
certificate checks described in this section still apply for the connection, the TLS certificate checks described in this section
original IP address of the Unencrypted DNS Resolver. still apply for the original IP address of the Unencrypted DNS
Resolver.
4.3. Opportunistic Discovery 4.3. Opportunistic Discovery
There are situations where Verified Discovery of encrypted DNS There are situations where Verified Discovery of encrypted DNS
configuration over unencrypted DNS is not possible. This includes configuration over unencrypted DNS is not possible. This includes
Unencrypted DNS Resolvers on private IP addresses [RFC1918], Unique Unencrypted DNS Resolvers on private IP addresses [RFC1918], Unique
Local Addresses (ULAs) [RFC4193], and Link Local Addresses [RFC3927] Local Addresses (ULAs) [RFC4193], and Link-Local addresses [RFC3927]
[RFC4291], whose identity cannot be safely confirmed using TLS [RFC4291], whose identity cannot be safely confirmed using TLS
certificates under most conditions. certificates under most conditions.
An Opportunistic Privacy Profile is defined for DoT in Section 4.1 of An opportunistic privacy profile is defined for DoT in Section 4.1 of
[RFC7858] as a mode in which clients do not validate the name of the [RFC7858] as a mode in which clients do not validate the name of the
resolver presented in the certificate. This Opportunistic Privacy resolver presented in the certificate. This opportunistic privacy
Profile similarly applies to DoQ [RFC9250]. For this profile, profile similarly applies to DoQ [RFC9250]. For this profile,
Section 4.1 of [RFC7858] explains that clients might or might not Section 4.1 of [RFC7858] explains that clients might or might not
validate the resolver; however, even if clients choose to perform validate the resolver; however, even if clients choose to perform
some certificate validation checks, they will not be able to validate some certificate validation checks, they will not be able to validate
the names presented in the SubjectAlternativeName field of the the names presented in the SubjectAlternativeName field of the
certificate for private and local IP addresses. certificate for private and local IP addresses.
A client MAY use information from the SVCB record for A client MAY use information from the SVCB record for
"_dns.resolver.arpa" with this Opportunistic Privacy Profile as long "_dns.resolver.arpa" with this opportunistic privacy profile as long
as the IP address of the Encrypted DNS Resolver does not differ from as the IP address of the Encrypted DNS Resolver does not differ from
the IP address of the Unencrypted DNS Resolver. Clients SHOULD use the IP address of the Unencrypted DNS Resolver. Clients SHOULD use
this mode only for resolvers using private or local IP addresses, this mode only for resolvers using private or local IP addresses,
since resolvers that use other addresses are able to provision TLS since resolvers that use other addresses are able to provision TLS
certificates for their addresses. certificates for their addresses.
5. Discovery Using Resolver Names 5. Discovery Using Resolver Names
A DNS client that already knows the name of an Encrypted DNS Resolver A DNS client that already knows the name of an Encrypted DNS Resolver
can use DDR to discover details about all supported encrypted DNS can use DDR to discover details about all supported encrypted DNS
protocols. This situation can arise if a client has been configured protocols. This situation can arise if a client has been configured
to use a given Encrypted DNS Resolver, or if a network provisioning to use a given Encrypted DNS Resolver, or if a network provisioning
protocol (such as DHCP or IPv6 Router Advertisements) provides a name protocol (such as DHCP or IPv6 RAs) provides a name for an Encrypted
for an Encrypted DNS Resolver alongside the resolver IP address, such DNS Resolver alongside the resolver IP address, such as by using
as by using Discovery of Network Resolvers (DNR) [I-D.ietf-add-dnr]. Discovery of Network-designated Resolvers (DNR) [RFC9463].
For these cases, the client simply sends a DNS SVCB query using the For these cases, the client simply sends a DNS SVCB query using the
known name of the resolver. This query can be issued to the named known name of the resolver. This query can be issued to the named
Encrypted DNS Resolver itself or to any other resolver. Unlike the Encrypted DNS Resolver itself or to any other resolver. Unlike the
case of bootstrapping from an Unencrypted DNS Resolver (Section 4), case of bootstrapping from an Unencrypted DNS Resolver (Section 4),
these records SHOULD be available in the public DNS if the same these records SHOULD be available in the public DNS if the same
domain name's A or AAAA records are available in the public DNS to domain name's A or AAAA records are available in the public DNS to
allow using any resolver to discover another resolver's Designated allow using any resolver to discover another resolver's Designated
Resolvers. When the name can only be resolved in private namespaces, Resolvers. When the name can only be resolved in private namespaces,
these records SHOULD be available to the same audience as the A and these records SHOULD be available to the same audience as the A and
AAAA records. AAAA records.
For example, if the client already knows about a DoT server For example, if the client already knows about a DoT server
resolver.example.com, it can issue an SVCB query for resolver.example.com, it can issue an SVCB query for
_dns.resolver.example.com to discover if there are other encrypted _dns.resolver.example.com to discover if there are other encrypted
DNS protocols available. In the following example, the SVCB answers DNS protocols available. In the following example, the SVCB answers
indicate that resolver.example.com supports both DoH and DoT, and indicate that resolver.example.com supports both DoH and DoT and that
that the DoH server indicates a higher priority than the DoT server. the DoH server indicates a higher priority than the DoT server.
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
_dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( _dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. (
alpn=dot ) alpn=dot )
Clients MUST validate that for any Encrypted DNS Resolver discovered Clients MUST validate that for any Encrypted DNS Resolver discovered
using a known resolver name, the TLS certificate of the resolver using a known resolver name, the TLS certificate of the resolver
contains the known name in a subjectAltName extension. In the contains the known name in a subjectAltName extension. In the
example above, this means that both servers need to have certificates example above, this means that both servers need to have certificates
skipping to change at page 11, line 24 skipping to change at line 463
Resolver deployments that support DDR are advised to consider the Resolver deployments that support DDR are advised to consider the
following points. following points.
6.1. Caching Forwarders 6.1. Caching Forwarders
A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or
any subdomains) upstream. This prevents a client from receiving an any subdomains) upstream. This prevents a client from receiving an
SVCB record that will fail to authenticate because the forwarder's IP SVCB record that will fail to authenticate because the forwarder's IP
address is not in the upstream resolver's Designated Resolver's TLS address is not in the upstream resolver's Designated Resolver's TLS
certificate SAN field. A DNS forwarder which already acts as a certificate SubjectAlternativeName (SAN) field. A DNS forwarder that
completely transparent forwarder MAY choose to forward these queries already acts as a completely transparent forwarder MAY choose to
when the operator expects that this does not apply, either because forward these queries when the operator expects that this does not
the operator knows that the upstream resolver does have the apply, because the operator either knows that the upstream resolver
forwarder's IP address in its TLS certificate's SAN field or that the does have the forwarder's IP address in its TLS certificate's SAN
operator expects clients to validate the connection via some future field or expects clients to validate the connection via some future
mechanism. mechanism.
Operators who choose to forward queries for "resolver.arpa" upstream Operators who choose to forward queries for "resolver.arpa" upstream
should note that client behavior is never guaranteed and use of DDR should note that client behavior is never guaranteed and that the use
by a resolver does not communicate a requirement for clients to use of DDR by a resolver does not communicate a requirement for clients
the SVCB record when it cannot be verified. to use the SVCB record when it cannot be verified.
6.2. Certificate Management 6.2. Certificate Management
Resolver owners that support Verified Discovery will need to list Resolver owners that support Verified Discovery will need to list
valid referring IP addresses in their TLS certificates. This may valid referring IP addresses in their TLS certificates. This may
pose challenges for resolvers with a large number of referring IP pose challenges for resolvers with a large number of referring IP
addresses. addresses.
6.3. Server Name Handling 6.3. Server Name Handling
Clients MUST NOT use "resolver.arpa" as the server name either in the Clients MUST NOT use "resolver.arpa" as the server name in either
TLS Server Name Indication (SNI) ([RFC8446]) for DoT, DoQ, or DoH (1) the TLS Server Name Indication (SNI) [RFC8446] for DoT, DoQ, or
connections, or in the URI host for DoH requests. DoH connections or (2) the URI host for DoH requests.
When performing discovery using resolver IP addresses, clients MUST When performing discovery using resolver IP addresses, clients MUST
use the original IP address of the Unencrypted DNS Resolver as the use the original IP address of the Unencrypted DNS Resolver as the
URI host for DoH requests. URI host for DoH requests.
Note that since IP addresses are not supported by default in the TLS Note that since IP addresses are not supported by default in the TLS
SNI, resolvers that support discovery using IP addresses will need to SNI, resolvers that support discovery using IP addresses will need to
be configured to present the appropriate TLS certificate when no SNI be configured to present the appropriate TLS certificate when no SNI
is present for DoT, DoQ, and DoH. is present for DoT, DoQ, and DoH.
6.4. Handling non-DDR queries for resolver.arpa 6.4. Handling Non-DDR Queries for resolver.arpa
DNS resolvers that support DDR by responding to queries for DNS resolvers that support DDR by responding to queries for
_dns.resolver.arpa MUST treat resolver.arpa as a locally served zone _dns.resolver.arpa MUST treat resolver.arpa as a locally served zone
per [RFC6303]. In practice, this means that resolvers SHOULD respond per [RFC6303]. In practice, this means that resolvers SHOULD respond
to queries of any type other than SVCB for _dns.resolver.arpa with to queries of any type other than SVCB for _dns.resolver.arpa with
NODATA and queries of any type for any domain name under NODATA and queries of any type for any domain name under
resolver.arpa with NODATA. resolver.arpa with NODATA.
6.5. Interaction with Network-Designated Resolvers 6.5. Interaction with Network-Designated Resolvers
Discovery of network-designated resolvers (DNR, [I-D.ietf-add-dnr]) DNR [RFC9463] allows a network to provide designation of resolvers
allows a network to provide designation of resolvers directly through directly through DHCP [RFC2132] [RFC8415] and through IPv6 RA options
DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) [RFC4861] [RFC4861]. When such indications are present, clients can suppress
options. When such indications are present, clients can suppress
queries for "resolver.arpa" to the unencrypted DNS server indicated queries for "resolver.arpa" to the unencrypted DNS server indicated
by the network over DHCP or RAs, and the DNR indications SHOULD take by the network over DHCP or RAs, and the DNR indications SHOULD take
precedence over those discovered using "resolver.arpa" for the same precedence over those discovered using "resolver.arpa" for the same
resolver if there is a conflict, since DNR is considered a more resolver if there is a conflict, since DNR is considered a more
reliable source. reliable source.
The designated resolver information in DNR might not contain a full The designated resolver information in DNR might not contain a full
set of SvcParams needed to connect to an encrypted DNS resolver. In set of SvcParams needed to connect to an encrypted DNS resolver. In
such a case, the client can use an SVCB query using a resolver name, such a case, the client can use an SVCB query using a resolver name,
as described in Section 5, to the authentication-domain-name (ADN). as described in Section 5, to the Authentication Domain Name (ADN).
7. Security Considerations 7. Security Considerations
Since clients can receive DNS SVCB answers over unencrypted DNS, on- Since clients can receive DNS SVCB answers over unencrypted DNS, on-
path attackers can prevent successful discovery by dropping SVCB path attackers can prevent successful discovery by dropping SVCB
queries or answers, and thus prevent clients from switching to use queries or answers and thus can prevent clients from switching to
encrypted DNS. Clients should be aware that it might not be possible using encrypted DNS. Clients should be aware that it might not be
to distinguish between resolvers that do not have any Designated possible to distinguish between resolvers that do not have any
Resolver and such an active attack. To limit the impact of discovery Designated Resolver and such an active attack. To limit the impact
queries being dropped either maliciously or unintentionally, clients of discovery queries being dropped either maliciously or
can re-send their SVCB queries periodically. unintentionally, clients can re-send their SVCB queries periodically.
Section 8.2 of [I-D.ietf-add-svcb-dns] describes a second downgrade Section 8.2 of [RFC9461] describes another type of downgrade attack
attack where an attacker can block connections to the encrypted DNS where an attacker can block connections to the encrypted DNS server.
server. For DDR, clients need to validate a Designated Resolver For DDR, clients need to validate a Designated Resolver using a
using a connection to the server before trusting it, so attackers connection to the server before trusting it, so attackers that can
that can block these connections can prevent clients from switching block these connections can prevent clients from switching to using
to use encrypted DNS. encrypted DNS.
Encrypted DNS Resolvers that allow discovery using DNS SVCB answers Encrypted DNS Resolvers that allow discovery using DNS SVCB answers
over unencrypted DNS MUST NOT provide differentiated behavior based over unencrypted DNS MUST NOT provide differentiated behavior based
solely on metadata in the SVCB record, such as the HTTP path or solely on metadata in the SVCB record, such as the HTTP path or
alternate port number, which are parameters that an attacker could alternate port number, which are parameters that an attacker could
modify. For example, if a DoH resolver provides a filtering service modify. For example, if a DoH resolver provides a filtering service
for one URI path, and a non-filtered service for another URI path, an for one URI path and a non-filtered service for another URI path, an
attacker could select which of these services is used by modifying attacker could select which of these services is used by modifying
the "dohpath" parameter. These attacks can be mitigated by providing the "dohpath" parameter. These attacks can be mitigated by providing
separate resolver IP addresses or hostnames. separate resolver IP addresses or hostnames.
While the IP address of the Unencrypted DNS Resolver is often While the IP address of the Unencrypted DNS Resolver is often
provisioned over insecure mechanisms, it can also be provisioned provisioned over insecure mechanisms, it can also be provisioned
securely, such as via manual configuration, a VPN, or on a network securely, such as via manual configuration, on a VPN, or on a network
with protections like RA-Guard [RFC6105]. An attacker might try to with protections like RA-Guard [RFC6105]. An attacker might try to
direct Encrypted DNS traffic to itself by causing the client to think direct Encrypted DNS traffic to itself by causing the client to think
that a discovered Designated Resolver uses a different IP address that a discovered Designated Resolver uses a different IP address
from the Unencrypted DNS Resolver. Such a Designated Resolver might from the Unencrypted DNS Resolver. Such a Designated Resolver might
have a valid certificate, but be operated by an attacker that is have a valid certificate but might be operated by an attacker that is
trying to observe or modify user queries without the knowledge of the trying to observe or modify user queries without the knowledge of the
client or network. client or network.
If the IP address of a Designated Resolver differs from that of an If the IP address of a Designated Resolver differs from that of an
Unencrypted DNS Resolver, clients applying Verified Discovery Unencrypted DNS Resolver, clients applying Verified Discovery
(Section 4.2) MUST validate that the IP address of the Unencrypted (Section 4.2) MUST validate that the IP address of the Unencrypted
DNS Resolver is covered by the SubjectAlternativeName of the DNS Resolver is covered by the SubjectAlternativeName of the
Designated Resolver's TLS certificate. If that validation fails, the Designated Resolver's TLS certificate. If that validation fails, the
client MUST NOT automatically use the discovered Designated Resolver. client MUST NOT automatically use the discovered Designated Resolver.
Clients using Opportunistic Discovery (Section 4.3) MUST be limited Clients using Opportunistic Discovery (Section 4.3) MUST be limited
to cases where the Unencrypted DNS Resolver and Designated Resolver to cases where the Unencrypted DNS Resolver and Designated Resolver
have the same IP address, which SHOULD be a private or local IP have the same IP address, which SHOULD be a private or local IP
address. Clients which do not follow Opportunistic Discovery address. Clients that do not follow Opportunistic Discovery
(Section 4.3) and instead try to connect without first checking for a (Section 4.3) and instead try to connect without first checking for a
designation run the possible risk of being intercepted by an attacker designation run the possible risk of being intercepted by an attacker
hosting an Encrypted DNS Resolver on an IP address of an Unencrypted hosting an Encrypted DNS Resolver on an IP address of an Unencrypted
DNS Resolver where the attacker has failed to gain control of the DNS Resolver where the attacker has failed to gain control of the
Unencrypted DNS Resolver. Unencrypted DNS Resolver.
The constraints on the use of Designated Resolvers specified here The constraints on the use of Designated Resolvers specified here
apply specifically to the automatic discovery mechanisms defined in apply specifically to the automatic discovery mechanisms defined in
this document, which are referred to as Verified Discovery and this document, which are referred to as Verified Discovery and
Opportunistic Discovery. Clients MAY use some other mechanism to Opportunistic Discovery. Clients MAY use some other mechanism to
verify and use Designated Resolvers discovered using the DNS SVCB verify and use Designated Resolvers discovered using the DNS SVCB
record. However, use of such an alternate mechanism needs to take record. However, the use of such an alternate mechanism needs to
into account the attack scenarios detailed here. take into account the attack scenarios detailed here.
8. IANA Considerations 8. IANA Considerations
8.1. Special Use Domain Name "resolver.arpa"
This document calls for the addition of "resolver.arpa" to the 8.1. Special-Use Domain Name "resolver.arpa"
Special-Use Domain Names (SUDN) registry established by [RFC6761].
IANA is requested to add an entry in "Transport-Independent Locally- IANA has registered "resolver.arpa" in the "Special-Use Domain Names"
Served DNS Zones" registry for 'resolver.arpa.' with the description registry established by [RFC6761].
"DNS Resolver Special-Use Domain", listing this document as the
IANA has added an entry in the "Transport-Independent Locally-Served
DNS Zone Registry" for 'resolver.arpa.' with the description "DNS
Resolver Special-Use Domain" and listed this document as the
reference. reference.
8.2. Domain Name Reservation Considerations 8.2. Domain Name Reservation Considerations
In accordance with Section 5 of [RFC6761], the answers to the In accordance with Section 5 of [RFC6761], the answers to the
following questions are provided relative to this document: following questions are provided relative to this document:
1) Are human users expected to recognize these names as special and 1. Are human users expected to recognize these names as special and
use them differently? In what way? use them differently? In what way?
No. This name is used automatically by DNS stub resolvers running on No. This name is used automatically by DNS stub resolvers
client devices on behalf of users, and users will never see this name running on client devices on behalf of users, and users will
directly. never see this name directly.
2) Are writers of application software expected to make their 2. Are writers of application software expected to make their
software recognize these names as special and treat them differently? software recognize these names as special and treat them
In what way? differently? In what way?
No. There is no use case where a non-DNS application (covered by the No. There is no use case where a non-DNS application (covered by
next question) would need to use this name. the next question) would need to use this name.
3) Are writers of name resolution APIs and libraries expected to make 3. Are writers of name resolution APIs and libraries expected to
their software recognize these names as special and treat them make their software recognize these names as special and treat
differently? If so, how? them differently? If so, how?
Yes. DNS client implementors are expected to use this name when Yes. DNS client implementors are expected to use this name when
querying for a resolver's properties instead of records for the name querying for a resolver's properties instead of records for the
itself. DNS servers are expected to respond to queries for this name name itself. DNS servers are expected to respond to queries for
with their own properties instead of checking the matching zone as it this name with their own properties instead of checking the
would for normal domain names. matching zone as it would for normal domain names.
4) Are developers of caching domain name servers expected to make 4. Are developers of caching domain name servers expected to make
their implementations recognize these names as special and treat them their implementations recognize these names as special and treat
differently? If so, how? them differently? If so, how?
Yes. Caching domain name servers should not forward queries for this Yes. Caching domain name servers should not forward queries for
name to avoid causing validation failures due to IP address mismatch. this name, to avoid causing validation failures due to IP address
mismatch.
5) Are developers of authoritative domain name servers expected to 5. Are developers of authoritative domain name servers expected to
make their implementations recognize these names as special and treat make their implementations recognize these names as special and
them differently? If so, how? treat them differently? If so, how?
No. DDR is designed for use by recursive resolvers. Theoretically, No. DDR is designed for use by recursive resolvers.
an authoritative server could choose to support this name if it wants Theoretically, an authoritative server could choose to support
to advertise support for encrypted DNS protocols over plain-text DNS, this name if it wants to advertise support for encrypted DNS
but that scenario is covered by other work in the IETF DNSOP working protocols over plaintext DNS, but that scenario is covered by
group. other work in the IETF DNSOP Working Group.
6) Does this reserved Special-Use Domain Name have any potential 6. Does this reserved Special-Use Domain Name have any potential
impact on DNS server operators? If they try to configure their impact on DNS server operators? If they try to configure their
authoritative DNS server as authoritative for this reserved name, authoritative DNS server as authoritative for this reserved name,
will compliant name server software reject it as invalid? Do DNS will compliant name server software reject it as invalid? Do DNS
server operators need to know about that and understand why? Even if server operators need to know about that and understand why?
the name server software doesn't prevent them from using this Even if the name server software doesn't prevent them from using
reserved name, are there other ways that it may not work as expected, this reserved name, are there other ways that it may not work as
of which the DNS server operator should be aware? expected, of which the DNS server operator should be aware?
This name is locally served, and any resolver which supports this This name is locally served, and any resolver that supports this
name should never forward the query. DNS server operators should be name should never forward the query. DNS server operators should
aware that records for this name will be used by clients to modify be aware that records for this name will be used by clients to
the way they connect to their resolvers. modify the way they connect to their resolvers.
7) How should DNS Registries/Registrars treat requests to register 7. How should DNS Registries/Registrars treat requests to register
this reserved domain name? Should such requests be denied? Should this reserved domain name? Should such requests be denied?
such requests be allowed, but only to a specially-designated entity? Should such requests be allowed, but only to a specially
designated entity?
IANA should hold the registration for this name. Non-IANA requests IANA holds the registration for this name. Non-IANA requests to
to register this name should always be denied by DNS Registries/ register this name should always be denied by DNS Registries/
Registrars. Registrars.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-add-dnr]
Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
Jensen, "DHCP and Router Advertisement Options for the
Discovery of Network-designated Resolvers (DNR)", Work in
Progress, Internet-Draft, draft-ietf-add-dnr-12, 24 July
2022, <https://datatracker.ietf.org/doc/html/draft-ietf-
add-dnr-12>.
[I-D.ietf-add-svcb-dns]
Schwartz, B., "Service Binding Mapping for DNS Servers",
Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns-
06, 5 July 2022, <https://datatracker.ietf.org/doc/html/
draft-ietf-add-svcb-dns-06>.
[I-D.ietf-dnsop-svcb-https]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding
and parameter specification via the DNS (DNS SVCB and
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
dnsop-svcb-https-10, 24 May 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
svcb-https-10>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
J., and E. Lear, "Address Allocation for Private J., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
February 1996, <https://www.rfc-editor.org/rfc/rfc1918>. February 1996, <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005, DOI 10.17487/RFC3927, May 2005,
<https://www.rfc-editor.org/rfc/rfc3927>. <https://www.rfc-editor.org/info/rfc3927>.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005, Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
<https://www.rfc-editor.org/rfc/rfc4193>. <https://www.rfc-editor.org/info/rfc4193>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/rfc/rfc4291>. 2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/rfc/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
[RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163,
RFC 6303, DOI 10.17487/RFC6303, July 2011, RFC 6303, DOI 10.17487/RFC6303, July 2011,
<https://www.rfc-editor.org/rfc/rfc6303>. <https://www.rfc-editor.org/info/rfc6303>.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, DOI 10.17487/RFC6761, February 2013, RFC 6761, DOI 10.17487/RFC6761, February 2013,
<https://www.rfc-editor.org/rfc/rfc6761>. <https://www.rfc-editor.org/info/rfc6761>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/rfc/rfc7858>. 2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/rfc/rfc8484>. <https://www.rfc-editor.org/info/rfc8484>.
[RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", RFC 9250, Dedicated QUIC Connections", RFC 9250,
DOI 10.17487/RFC9250, May 2022, DOI 10.17487/RFC9250, May 2022,
<https://www.rfc-editor.org/rfc/rfc9250>. <https://www.rfc-editor.org/info/rfc9250>.
9.2. Informative References [RFC9460] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding
and Parameter Specification via the DNS (DNS SVCB and
HTTPS Resource Records (RRs))", RFC 9460,
DOI 10.17487/RFC9460, September 2023,
<https://www.rfc-editor.org/info/rfc9460>.
[I-D.ietf-tls-esni] [RFC9461] Schwartz, B., "Service Binding Mapping for DNS Servers",
Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS RFC 9461, DOI 10.17487/RFC9461, September 2023,
Encrypted Client Hello", Work in Progress, Internet-Draft, <https://www.rfc-editor.org/info/rfc9461>.
draft-ietf-tls-esni-14, 13 February 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
esni-14>.
[I-D.schinazi-httpbis-doh-preference-hints] [RFC9463] Boucadair, M., Ed., Reddy.K, T., Ed., Wing, D., Cook, N.,
and T. Jensen, "DHCP and Router Advertisement Options for
the Discovery of Network-designated Resolvers (DNR)",
RFC 9463, DOI 10.17487/RFC9463, September 2023,
<https://www.rfc-editor.org/info/rfc9463>.
9.2. Informative References
[DoH-HINTS]
Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference
Hints for HTTP", Work in Progress, Internet-Draft, draft- Hints for HTTP", Work in Progress, Internet-Draft, draft-
schinazi-httpbis-doh-preference-hints-02, 13 July 2020, schinazi-httpbis-doh-preference-hints-02, 13 July 2020,
<https://datatracker.ietf.org/doc/html/draft-schinazi- <https://datatracker.ietf.org/doc/html/draft-schinazi-
httpbis-doh-preference-hints-02>. httpbis-doh-preference-hints-02>.
[ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-16, 6 April 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
esni-16>.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<https://www.rfc-editor.org/rfc/rfc2132>. <https://www.rfc-editor.org/info/rfc2132>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007, DOI 10.17487/RFC4861, September 2007,
<https://www.rfc-editor.org/rfc/rfc4861>. <https://www.rfc-editor.org/info/rfc4861>.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
DOI 10.17487/RFC6105, February 2011, DOI 10.17487/RFC6105, February 2011,
<https://www.rfc-editor.org/rfc/rfc6105>. <https://www.rfc-editor.org/info/rfc6105>.
[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS Configuration", "IPv6 Router Advertisement Options for DNS Configuration",
RFC 8106, DOI 10.17487/RFC8106, March 2017, RFC 8106, DOI 10.17487/RFC8106, March 2017,
<https://www.rfc-editor.org/rfc/rfc8106>. <https://www.rfc-editor.org/info/rfc8106>.
[RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
Richardson, M., Jiang, S., Lemon, T., and T. Winters, Richardson, M., Jiang, S., Lemon, T., and T. Winters,
"Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
RFC 8415, DOI 10.17487/RFC8415, November 2018, RFC 8415, DOI 10.17487/RFC8415, November 2018,
<https://www.rfc-editor.org/rfc/rfc8415>. <https://www.rfc-editor.org/info/rfc8415>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name [RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name
'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August 'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August
2020, <https://www.rfc-editor.org/rfc/rfc8880>. 2020, <https://www.rfc-editor.org/info/rfc8880>.
Appendix A. Rationale for using a Special Use Domain Name Appendix A. Rationale for Using a Special-Use Domain Name
The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the
querying client is not interested in an answer from the authoritative querying client is not interested in an answer from the authoritative
"arpa" name servers. The intent of the SUDN is to allow clients to "arpa" name servers. The intent of the SUDN is to allow clients to
communicate with the Unencrypted DNS Resolver much like communicate with the Unencrypted DNS Resolver much like
"ipv4only.arpa" allows for client-to-middlebox communication. For "ipv4only.arpa" allows for client-to-middlebox communication. For
more context, see the rationale behind "ipv4only.arpa" in [RFC8880]. more context, see [RFC8880] for the rationale behind "ipv4only.arpa".
Appendix B. Rationale for using SVCB records Appendix B. Rationale for Using SVCB Records
This mechanism uses SVCB/HTTPS resource records This mechanism uses SVCB/HTTPS resource records [RFC9460] to
[I-D.ietf-dnsop-svcb-https] to communicate that a given domain communicate that a given domain designates a particular Designated
designates a particular Designated Resolver for clients to use in Resolver for clients to use in place of an Unencrypted DNS Resolver
place of an Unencrypted DNS Resolver (using a SUDN) or another (using a SUDN) or another Encrypted DNS Resolver (using its domain
Encrypted DNS Resolver (using its domain name). name).
There are various other proposals for how to provide similar There are various other proposals for how to provide similar
functionality. There are several reasons that this mechanism has functionality. There are several reasons that this mechanism has
chosen SVCB records: chosen SVCB records:
* Discovering encrypted DNS resolvers using DNS records keeps client * Discovering encrypted DNS resolvers using DNS records keeps client
logic for DNS self-contained and allows a DNS resolver operator to logic for DNS self-contained and allows a DNS resolver operator to
define which resolver names and IP addresses are related to one define which resolver names and IP addresses are related to one
another. another.
* Using DNS records also does not rely on bootstrapping with higher- * Using DNS records also does not rely on bootstrapping with higher-
level application operations (such as level application operations (such as those discussed in
[I-D.schinazi-httpbis-doh-preference-hints]). [DoH-HINTS]).
* SVCB records are extensible and allow definition of parameter * SVCB records are extensible and allow the definition of parameter
keys. This makes them a superior mechanism for extensibility as keys, making them a superior mechanism for extensibility as
compared to approaches such as overloading TXT records. The same compared to approaches such as overloading TXT records. The same
keys can be used for discovering Designated Resolvers of different keys can be used for discovering Designated Resolvers of different
transport types as well as those advertised by Unencrypted DNS transport types as well as those advertised by Unencrypted DNS
Resolvers or another Encrypted DNS Resolver. Resolvers or another Encrypted DNS Resolver.
* Clients and servers that are interested in privacy of names will * Clients and servers that are interested in privacy of names will
already need to support SVCB records in order to use Encrypted TLS already need to support SVCB records in order to use the TLS
Client Hello [I-D.ietf-tls-esni]. Without encrypting names in Encrypted ClientHello [ECH]. Without encrypting names in TLS, the
TLS, the value of encrypting DNS is reduced, so pairing the value of encrypting DNS is reduced, so pairing the solutions
solutions provides the largest benefit. provides the greatest benefit.
Authors' Addresses Authors' Addresses
Tommy Pauly Tommy Pauly
Apple Inc. Apple Inc.
One Apple Park Way One Apple Park Way
Cupertino, California 95014, Cupertino, California 95014
United States of America United States of America
Email: tpauly@apple.com Email: tpauly@apple.com
Eric Kinnear Eric Kinnear
Apple Inc. Apple Inc.
One Apple Park Way One Apple Park Way
Cupertino, California 95014, Cupertino, California 95014
United States of America United States of America
Email: ekinnear@apple.com Email: ekinnear@apple.com
Christopher A. Wood Christopher A. Wood
Cloudflare Cloudflare
101 Townsend St 101 Townsend St
San Francisco, San Francisco, California 94107
United States of America United States of America
Email: caw@heapingbits.net Email: caw@heapingbits.net
Patrick McManus Patrick McManus
Fastly Fastly
Email: mcmanus@ducksong.com Email: mcmanus@ducksong.com
Tommy Jensen Tommy Jensen
Microsoft Microsoft
Email: tojens@microsoft.com Email: tojens@microsoft.com
 End of changes. 101 change blocks. 
291 lines changed or deleted 268 lines changed or added

This html diff was produced by rfcdiff 1.48.