rfc9462.original | rfc9462.txt | |||
---|---|---|---|---|
ADD T. Pauly | Internet Engineering Task Force (IETF) T. Pauly | |||
Internet-Draft E. Kinnear | Request for Comments: 9462 E. Kinnear | |||
Intended status: Standards Track Apple Inc. | Category: Standards Track Apple Inc. | |||
Expires: 6 February 2023 C. A. Wood | ISSN: 2070-1721 C. A. Wood | |||
Cloudflare | Cloudflare | |||
P. McManus | P. McManus | |||
Fastly | Fastly | |||
T. Jensen | T. Jensen | |||
Microsoft | Microsoft | |||
5 August 2022 | September 2023 | |||
Discovery of Designated Resolvers | Discovery of Designated Resolvers | |||
draft-ietf-add-ddr-10 | ||||
Abstract | Abstract | |||
This document defines Discovery of Designated Resolvers (DDR), a | This document defines Discovery of Designated Resolvers (DDR), a | |||
mechanism for DNS clients to use DNS records to discover a resolver's | mechanism for DNS clients to use DNS records to discover a resolver's | |||
encrypted DNS configuration. An encrypted DNS resolver discovered in | encrypted DNS configuration. An encrypted DNS resolver discovered in | |||
this manner is referred to as a "Designated Resolver". This | this manner is referred to as a "Designated Resolver". This | |||
mechanism can be used to move from unencrypted DNS to encrypted DNS | mechanism can be used to move from unencrypted DNS to encrypted DNS | |||
when only the IP address of a resolver is known. This mechanism is | when only the IP address of a resolver is known. This mechanism is | |||
designed to be limited to cases where unencrypted DNS resolvers and | designed to be limited to cases where unencrypted DNS resolvers and | |||
their designated resolvers are operated by the same entity or | their designated resolvers are operated by the same entity or | |||
cooperating entities. It can also be used to discover support for | cooperating entities. It can also be used to discover support for | |||
encrypted DNS protocols when the name of an encrypted DNS resolver is | encrypted DNS protocols when the name of an encrypted DNS resolver is | |||
known. | known. | |||
Discussion Venues | ||||
This note is to be removed before publishing as an RFC. | ||||
Discussion of this document takes place on the Adaptive DNS Discovery | ||||
Working Group mailing list (add@ietf.org), which is archived at | ||||
https://mailarchive.ietf.org/arch/browse/add/. | ||||
Source for this draft and an issue tracker can be found at | ||||
https://github.com/ietf-wg-add/draft-ietf-add-ddr. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 6 February 2023. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9462. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
1.1. Specification of Requirements . . . . . . . . . . . . . . 4 | 1.1. Specification of Requirements | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology | |||
3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 | 3. DNS Service Binding Records | |||
4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 6 | 4. Discovery Using Resolver IP Addresses | |||
4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 7 | 4.1. Use of Designated Resolvers | |||
4.1.1. Use of Designated Resolvers across network changes . 8 | 4.1.1. Use of Designated Resolvers across Network Changes | |||
4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 8 | 4.2. Verified Discovery | |||
4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 9 | 4.3. Opportunistic Discovery | |||
5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 10 | 5. Discovery Using Resolver Names | |||
6. Deployment Considerations . . . . . . . . . . . . . . . . . . 11 | 6. Deployment Considerations | |||
6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 11 | 6.1. Caching Forwarders | |||
6.2. Certificate Management . . . . . . . . . . . . . . . . . 11 | 6.2. Certificate Management | |||
6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 11 | 6.3. Server Name Handling | |||
6.4. Handling non-DDR queries for resolver.arpa . . . . . . . 12 | 6.4. Handling Non-DDR Queries for resolver.arpa | |||
6.5. Interaction with Network-Designated Resolvers . . . . . . 12 | 6.5. Interaction with Network-Designated Resolvers | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 7. Security Considerations | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations | |||
8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 14 | 8.1. Special-Use Domain Name "resolver.arpa" | |||
8.2. Domain Name Reservation Considerations . . . . . . . . . 14 | 8.2. Domain Name Reservation Considerations | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 9. References | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 9.1. Normative References | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 17 | 9.2. Informative References | |||
Appendix A. Rationale for using a Special Use Domain Name . . . 18 | Appendix A. Rationale for Using a Special-Use Domain Name | |||
Appendix B. Rationale for using SVCB records . . . . . . . . . . 18 | Appendix B. Rationale for Using SVCB Records | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | Authors' Addresses | |||
1. Introduction | 1. Introduction | |||
When DNS clients wish to use encrypted DNS protocols such as DNS- | When DNS clients wish to use encrypted DNS protocols such as DNS over | |||
over-TLS (DoT) [RFC7858], DNS-over-QUIC (DoQ) [RFC9250], or DNS-over- | TLS (DoT) [RFC7858], DNS over QUIC (DoQ) [RFC9250], or DNS over HTTPS | |||
HTTPS (DoH) [RFC8484], they can require additional information beyond | (DoH) [RFC8484], they can require additional information beyond the | |||
the IP address of the DNS server, such as the resolver's hostname, | IP address of the DNS server, such as the resolver's hostname, | |||
alternate IP addresses, non-standard ports, or URI templates. | alternate IP addresses, non-standard ports, or URI Templates. | |||
However, common configuration mechanisms only provide the resolver's | However, common configuration mechanisms only provide the resolver's | |||
IP address during configuration. Such mechanisms include network | IP address during configuration. Such mechanisms include network | |||
provisioning protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router | provisioning protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router | |||
Advertisement (RA) options [RFC8106], as well as manual | Advertisement (RA) options [RFC8106], as well as manual | |||
configuration. | configuration. | |||
This document defines two mechanisms for clients to discover | This document defines two mechanisms for clients to discover | |||
designated resolvers that support these encrypted protocols using DNS | designated resolvers that support these encrypted protocols using DNS | |||
server Service Binding (SVCB, [I-D.ietf-dnsop-svcb-https]) records: | server Service Binding (SVCB) records [RFC9460]: | |||
1. When only an IP address of an Unencrypted DNS Resolver is known, | 1. When only an IP address of an Unencrypted DNS Resolver is known, | |||
the client queries a special use domain name (SUDN) [RFC6761] to | the client queries a Special-Use Domain Name (SUDN) [RFC6761] to | |||
discover DNS SVCB records associated with one or more Encrypted | discover DNS SVCB records associated with one or more Encrypted | |||
DNS Resolvers the Unencrypted DNS Resolver has designated for use | DNS Resolvers the Unencrypted DNS Resolver has designated for use | |||
when support for DNS encryption is requested (Section 4). | when support for DNS encryption is requested (Section 4). | |||
2. When the hostname of an Encrypted DNS Resolver is known, the | 2. When the hostname of an Encrypted DNS Resolver is known, the | |||
client requests details by sending a query for a DNS SVCB record. | client requests details by sending a query for a DNS SVCB record. | |||
This can be used to discover alternate encrypted DNS protocols | This can be used to discover alternate encrypted DNS protocols | |||
supported by a known server, or to provide details if a resolver | supported by a known server, or to provide details if a resolver | |||
name is provisioned by a network (Section 5). | name is provisioned by a network (Section 5). | |||
skipping to change at page 4, line 9 ¶ | skipping to change at line 128 ¶ | |||
resolver. "Designated" in this context means that the resolvers are | resolver. "Designated" in this context means that the resolvers are | |||
operated by the same entity or cooperating entities; for example, the | operated by the same entity or cooperating entities; for example, the | |||
resolvers are accessible on the same IP address, or there is a | resolvers are accessible on the same IP address, or there is a | |||
certificate that contains the IP address for the original designating | certificate that contains the IP address for the original designating | |||
resolver. | resolver. | |||
1.1. Specification of Requirements | 1.1. Specification of Requirements | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
2. Terminology | 2. Terminology | |||
This document defines the following terms: | This document defines the following terms: | |||
DDR: Discovery of Designated Resolvers. Refers to the mechanisms | DDR: Discovery of Designated Resolvers. "DDR" refers to the | |||
defined in this document. | mechanisms defined in this document. | |||
Designated Resolver: A resolver, presumably an Encrypted DNS | Designated Resolver: A resolver, presumably an Encrypted DNS | |||
Resolver, designated by another resolver for use in its own place. | Resolver, designated by another resolver for use in its own place. | |||
This designation can be verified with TLS certificates. | This designation can be verified with TLS certificates. | |||
Encrypted DNS Resolver: A DNS resolver using any encrypted DNS | Encrypted DNS Resolver: A DNS resolver using any encrypted DNS | |||
transport. This includes current mechanisms such as DoH, DoT, and | transport. This includes current mechanisms such as DoH, DoT, and | |||
DoQ, as well as future mechanisms. | DoQ, as well as future mechanisms. | |||
Unencrypted DNS Resolver: A DNS resolver using a transport without | Unencrypted DNS Resolver: A DNS resolver using a transport without | |||
encryption, historically TCP or UDP port 53. | encryption, historically TCP or UDP port 53. | |||
3. DNS Service Binding Records | 3. DNS Service Binding Records | |||
DNS resolvers can advertise one or more Designated Resolvers that may | DNS resolvers can advertise one or more Designated Resolvers that may | |||
offer support over encrypted channels and are controlled by the same | offer support over encrypted channels and are controlled by the same | |||
entity. | entity. | |||
When a client discovers Designated Resolvers, it learns information | When a client discovers Designated Resolvers, it learns information | |||
such as the supported protocols and ports. This information is | such as the supported protocols and ports. This information is | |||
provided in ServiceMode Service Binding (SVCB) records for DNS | provided in ServiceMode SVCB records for DNS servers, although | |||
Servers, although AliasMode SVCB records can be used to direct | AliasMode SVCB records can be used to direct clients to the needed | |||
clients to the needed ServiceMode SVCB record per | ServiceMode SVCB record per [RFC9460]. The formatting of these | |||
[I-D.ietf-dnsop-svcb-https]. The formatting of these records, | records, including the DNS-unique parameters such as "dohpath", are | |||
including the DNS-unique parameters such as "dohpath", are defined by | defined by [RFC9461]. | |||
[I-D.ietf-add-svcb-dns]. | ||||
The following is an example of an SVCB record describing a DoH server | The following is an example of an SVCB record describing a DoH server | |||
discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
_dns.example.net. 7200 IN SVCB 1 example.net. ( | _dns.example.net. 7200 IN SVCB 1 example.net. ( | |||
alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
The following is an example of an SVCB record describing a DoT server | The following is an example of an SVCB record describing a DoT server | |||
discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
skipping to change at page 5, line 19 ¶ | skipping to change at line 184 ¶ | |||
alpn=dot port=8530 ) | alpn=dot port=8530 ) | |||
The following is an example of an SVCB record describing a DoQ server | The following is an example of an SVCB record describing a DoQ server | |||
discovered by querying for _dns.example.net: | discovered by querying for _dns.example.net: | |||
_dns.example.net. 7200 IN SVCB 1 doq.example.net ( | _dns.example.net. 7200 IN SVCB 1 doq.example.net ( | |||
alpn=doq port=8530 ) | alpn=doq port=8530 ) | |||
If multiple Designated Resolvers are available, using one or more | If multiple Designated Resolvers are available, using one or more | |||
encrypted DNS protocols, the resolver deployment can indicate a | encrypted DNS protocols, the resolver deployment can indicate a | |||
preference using the priority fields in each SVCB record | preference using the priority fields in each SVCB record [RFC9460]. | |||
[I-D.ietf-dnsop-svcb-https]. | ||||
If the client encounters a mandatory parameter in an SVCB record it | If the client encounters a mandatory parameter in an SVCB record it | |||
does not understand, it MUST NOT use that record to discover a | does not understand, it MUST NOT use that record to discover a | |||
Designated Resolver, in accordance with Section 8 of | Designated Resolver, in accordance with Section 8 of [RFC9460]. The | |||
[I-D.ietf-dnsop-svcb-https]. The client can still use other records | client can still use other records in the same response if the client | |||
in the same response if the client can understand all of their | can understand all of their mandatory parameters. This allows future | |||
mandatory parameters. This allows future encrypted deployments to | encrypted deployments to simultaneously support protocols even if a | |||
simultaneously support protocols even if a given client is not aware | given client is not aware of all those protocols. For example, if | |||
of all those protocols. For example, if the Unencrypted DNS Resolver | the Unencrypted DNS Resolver returns three SVCB records -- one for | |||
returns three SVCB records, one for DoH, one for DoT, and one for a | DoH, one for DoT, and one for a yet-to-exist protocol -- a client | |||
yet-to-exist protocol, a client which only supports DoH and DoT | that only supports DoH and DoT should be able to use those records | |||
should be able to use those records while safely ignoring the third | while safely ignoring the third record. | |||
record. | ||||
To avoid name lookup deadlock, clients that use Designated Resolvers | To avoid name lookup deadlock, clients that use Designated Resolvers | |||
need to ensure that a specific Encrypted Resolver is not used for any | need to ensure that a specific Encrypted Resolver is not used for any | |||
queries that are needed to resolve the name of the resolver itself or | queries that are needed to resolve the name of the resolver itself or | |||
to perform certificate revocation checks for the resolver, as | to perform certificate revocation checks for the resolver, as | |||
described in Section 10 of [RFC8484]. Designated Resolvers need to | described in Section 10 of [RFC8484]. Designated Resolvers need to | |||
ensure this deadlock is avoidable as described in Section 10 of | ensure that this deadlock is avoidable, as also described in | |||
[RFC8484]. | Section 10 of [RFC8484]. | |||
This document focuses on discovering DoH, DoT, and DoQ Designated | This document focuses on discovering DoH, DoT, and DoQ Designated | |||
Resolvers. Other protocols can also use the format defined by | Resolvers. Other protocols can also use the format defined by | |||
[I-D.ietf-add-svcb-dns]. However, if any such protocol does not | [RFC9461]. However, if any such protocol does not involve some form | |||
involve some form of certificate validation, new validation | of certificate validation, new validation mechanisms will need to be | |||
mechanisms will need to be defined to support validating designation | defined to support validating designation as defined in Section 4.2. | |||
as defined in Section 4.2. | ||||
4. Discovery Using Resolver IP Addresses | 4. Discovery Using Resolver IP Addresses | |||
When a DNS client is configured with an Unencrypted DNS Resolver IP | When a DNS client is configured with an Unencrypted DNS Resolver IP | |||
address, it SHOULD query the resolver for SVCB records of a service | address, it SHOULD query the resolver for SVCB records of a service | |||
with a scheme of "dns" and an Authority of "resolver.arpa" before | with a scheme of "dns" and an Authority of "resolver.arpa" before | |||
making other queries. This allows the client to switch to using | making other queries. This allows the client to switch to using | |||
Encrypted DNS for all other queries, if possible. Specifically, the | Encrypted DNS for all other queries, if possible. Specifically, the | |||
client issues a query for _dns.resolver.arpa. with the SVCB resource | client issues a query for _dns.resolver.arpa. with the SVCB resource | |||
record type (64) [I-D.ietf-dnsop-svcb-https]. | record type (64) [RFC9460]. | |||
Responses to the SVCB query for the "resolver.arpa" SUDN describe | Responses to the SVCB query for the "resolver.arpa" SUDN describe | |||
Designated Resolvers. To ensure that different Designated Resolver | Designated Resolvers. To ensure that different Designated Resolver | |||
configurations can be correctly distinguished and associated with A | configurations can be correctly distinguished and associated with A | |||
and AAAA records for the resolver, ServiceMode SVCB responses to | and AAAA records for the resolver, ServiceMode SVCB responses to | |||
these queries MUST NOT use the "." or "resolver.arpa" value for the | these queries MUST NOT use the "." or "resolver.arpa" value for the | |||
TargetName. Similarly, clients MUST NOT perform A or AAAA queries | TargetName. Similarly, clients MUST NOT perform A or AAAA queries | |||
for "resolver.arpa". | for "resolver.arpa". | |||
The following is an example of an SVCB record describing a DoH server | The following is an example of an SVCB record describing a DoH server | |||
skipping to change at page 6, line 47 ¶ | skipping to change at line 254 ¶ | |||
_dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( | _dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( | |||
alpn=doq port=8530 ) | alpn=doq port=8530 ) | |||
If the recursive resolver that receives this query has one or more | If the recursive resolver that receives this query has one or more | |||
Designated Resolvers, it will return the corresponding SVCB records. | Designated Resolvers, it will return the corresponding SVCB records. | |||
When responding to these special queries for "resolver.arpa", the | When responding to these special queries for "resolver.arpa", the | |||
recursive resolver SHOULD include the A and AAAA records for the name | recursive resolver SHOULD include the A and AAAA records for the name | |||
of the Designated Resolver in the Additional Answers section. This | of the Designated Resolver in the Additional Answers section. This | |||
will save the DNS client an additional round trip to retrieve the | will save the DNS client an additional round trip to retrieve the | |||
address of the designated resolver; see Section 5 of | address of the designated resolver; see Section 5 of [RFC9460]. | |||
[I-D.ietf-dnsop-svcb-https]. | ||||
Designated Resolvers SHOULD be accessible using the IP address | Designated Resolvers SHOULD be accessible using the IP address | |||
families that are supported by their associated Unencrypted DNS | families that are supported by their associated Unencrypted DNS | |||
Resolvers. If an Unencrypted DNS Resolver is accessible using an | Resolvers. If an Unencrypted DNS Resolver is accessible using an | |||
IPv4 address, it ought to provide an A record for an IPv4 address of | IPv4 address, it ought to provide an A record for an IPv4 address of | |||
the Designated Resolver; similarly, if it is accessible using an IPv6 | the Designated Resolver; similarly, if it is accessible using an IPv6 | |||
address, it ought to provide a AAAA record for an IPv6 address of the | address, it ought to provide a AAAA record for an IPv6 address of the | |||
Designated Resolver. The Designated Resolver MAY support more | Designated Resolver. The Designated Resolver MAY support more | |||
address families than the Unencrypted DNS Resolver, but it SHOULD NOT | address families than the Unencrypted DNS Resolver, but it SHOULD NOT | |||
support fewer. If this is not done, clients that only have | support fewer. If this is not done, clients that only have | |||
skipping to change at page 7, line 22 ¶ | skipping to change at line 277 ¶ | |||
If the recursive resolver that receives this query has no Designated | If the recursive resolver that receives this query has no Designated | |||
Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" | Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" | |||
zone, to provide a consistent and accurate signal to clients that it | zone, to provide a consistent and accurate signal to clients that it | |||
does not have a Designated Resolver. | does not have a Designated Resolver. | |||
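The client-side handling described in Section 3 and in this section, written out as one added example (it is not code from RFC 9462 or from any implementation the RFC cites): build the _dns.resolver.arpa SVCB query, decode the SVCB RDATA in the answer, discard any record carrying a mandatory SvcParamKey the client does not understand, discard ServiceMode records whose TargetName is "." or resolver.arpa, and order what remains by SvcPriority. The SvcParamKey numbers are the RFC 9460 and RFC 9461 registry values; the hostnames, the private-use key 65280 standing in for a not-yet-defined protocol, and the record bytes are constructed for this example, and the set of ALPN identifiers the client accepts is an assumption about the client.

```python
"""DDR client handling of SVCB records (RFC 9462 Sections 3 and 4): an added
example with the standard library only, not code from the RFC.  Compression is
not permitted inside SVCB RDATA, so the name codec handles plain labels only.
"""
import struct
from typing import Dict, List, NamedTuple, Tuple

KEY_MANDATORY, KEY_ALPN, KEY_PORT, KEY_DOHPATH = 0, 1, 3, 7  # RFC 9460 / RFC 9461 registry values
KNOWN_KEYS = {KEY_MANDATORY, KEY_ALPN, KEY_PORT, KEY_DOHPATH}
SUPPORTED_ALPNS = {"h2", "dot", "doq"}        # assumption: protocols this client implements
FORBIDDEN_TARGETS = {".", "resolver.arpa."}    # Section 4: never a TargetName in the SUDN answer
TYPE_SVCB = 64


class SvcbRecord(NamedTuple):
    priority: int
    target: str
    params: Dict[int, bytes]


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, pos: int) -> Tuple[str, int]:
    labels = []
    while data[pos]:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return (".".join(labels) + "." if labels else "."), pos + 1


def build_ddr_query(txid: int = 0x1234) -> bytes:
    """Wire-format query: _dns.resolver.arpa. IN SVCB, RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("_dns.resolver.arpa.") + struct.pack("!HH", TYPE_SVCB, 1)


def encode_svcb(priority: int, target: str, params: Dict[int, bytes]) -> bytes:
    """RDATA = SvcPriority | TargetName | SvcParams with strictly ascending keys."""
    out = struct.pack("!H", priority) + encode_name(target)
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out


def decode_svcb(rdata: bytes) -> SvcbRecord:
    priority = struct.unpack_from("!H", rdata)[0]
    target, pos = decode_name(rdata, 2)
    params: Dict[int, bytes] = {}
    last = -1
    while pos < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, pos)
        if key <= last or pos + 4 + length > len(rdata):
            raise ValueError("malformed SvcParams")
        params[key] = rdata[pos + 4:pos + 4 + length]
        pos, last = pos + 4 + length, key
    return SvcbRecord(priority, target, params)


def alpn_ids(value: bytes) -> List[str]:
    """alpn SvcParamValue: sequence of 1-byte-length-prefixed protocol ids."""
    ids, pos = [], 0
    while pos < len(value):
        n = value[pos]
        ids.append(value[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ids


def usable_designations(rdatas: List[bytes], from_resolver_arpa: bool) -> List[dict]:
    """Apply the client rules of Sections 3 and 4; returns usable records, most preferred first."""
    chosen = []
    for rdata in rdatas:
        rec = decode_svcb(rdata)
        if rec.priority == 0:
            continue   # AliasMode: the client would chase rec.target instead (not shown here)
        if from_resolver_arpa and rec.target in FORBIDDEN_TARGETS:
            continue   # would need an A/AAAA lookup for resolver.arpa, which clients MUST NOT do
        mand = rec.params.get(KEY_MANDATORY, b"")
        mandatory = struct.unpack("!%dH" % (len(mand) // 2), mand)
        if any(k not in KNOWN_KEYS or k not in rec.params for k in mandatory):
            continue   # Section 3: a mandatory key we do not understand -> MUST NOT use the record
        alpns = [a for a in alpn_ids(rec.params.get(KEY_ALPN, b"")) if a in SUPPORTED_ALPNS]
        if not alpns:
            continue   # it only advertises protocols this client does not implement
        port = struct.unpack("!H", rec.params[KEY_PORT])[0] if KEY_PORT in rec.params else None
        dohpath = rec.params[KEY_DOHPATH].decode("utf-8") if KEY_DOHPATH in rec.params else None
        chosen.append({"priority": rec.priority, "target": rec.target,
                       "alpn": alpns, "port": port, "dohpath": dohpath})
    return sorted(chosen, key=lambda r: r["priority"])   # lower SvcPriority is preferred


# Constructed answer to the query above: four SVCB RRs at _dns.resolver.arpa. (placeholder hosts).
SAMPLE_RDATAS = [
    encode_svcb(1, "doh.example.net.", {KEY_ALPN: b"\x02h2", KEY_DOHPATH: b"/dns-query{?dns}"}),
    encode_svcb(2, "dot.example.net.", {KEY_ALPN: b"\x03dot", KEY_PORT: struct.pack("!H", 8530)}),
    # hypothetical future protocol: private-use key 65280 is mandatory and unknown to this client
    encode_svcb(3, "new.example.net.", {KEY_MANDATORY: struct.pack("!H", 65280),
                                        KEY_ALPN: b"\x03new", 65280: b"\x01"}),
    encode_svcb(1, ".", {KEY_ALPN: b"\x03dot"}),   # "." means resolver.arpa itself: rejected
]
```

With from_resolver_arpa=True the sample yields the DoH and DoT records in that order: the third record is dropped because of its unknown mandatory key, the fourth because its TargetName would force an A/AAAA lookup for the SUDN. The same four records queried at a real name (from_resolver_arpa=False) keep the "." record, since there the owner name is a resolvable host.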
4.1. Use of Designated Resolvers | 4.1. Use of Designated Resolvers | |||
When a client discovers Designated Resolvers from an Unencrypted DNS | When a client discovers Designated Resolvers from an Unencrypted DNS | |||
Resolver IP address, it can choose to use these Designated Resolvers | Resolver IP address, it can choose to use these Designated Resolvers | |||
either automatically, or based on some other policy, heuristic, or | either (1) automatically or (2) based on some other policy, | |||
user choice. | heuristic, or user choice. | |||
This document defines two preferred methods to automatically use | This document defines two preferred methods for automatically using | |||
Designated Resolvers: | Designated Resolvers: | |||
* Verified Discovery (Section 4.2), for when a TLS certificate can | * Verified Discovery (Section 4.2), for when a TLS certificate can | |||
be used to validate the resolver's identity. | be used to validate the resolver's identity. | |||
* Opportunistic Discovery (Section 4.3), for when a resolver's IP | * Opportunistic Discovery (Section 4.3), for when a resolver's IP | |||
address is a private or local address. | address is a private or local address. | |||
A client MAY additionally use a discovered Designated Resolver | A client MAY additionally use a discovered Designated Resolver | |||
without either of these methods, based on implementation-specific | without either of these methods, based on implementation-specific | |||
policy or user input. Details of such policy are out of scope of | policy or user input. Details of such policy are out of scope for | |||
this document. Clients MUST NOT automatically use a Designated | this document. Clients MUST NOT automatically use a Designated | |||
Resolver without some sort of validation, such as the two methods | Resolver without some sort of validation, such as the two methods | |||
defined in this document or a future mechanism. Use without | defined in this document or a future mechanism. Use without | |||
validation can allow an attacker to direct traffic to an Encrypted | validation can allow an attacker to direct traffic to an Encrypted | |||
Resolver that is unrelated to the original Unencrypted DNS Resolver, | Resolver that is unrelated to the original Unencrypted DNS Resolver, | |||
as described in Section 7. | as described in Section 7. | |||
A client MUST NOT re-use a designation discovered using the IP | A client MUST NOT reuse a designation discovered using the IP address | |||
address of one Unencrypted DNS Resolver in place of any other | of one Unencrypted DNS Resolver in place of any other Unencrypted DNS | |||
Unencrypted DNS Resolver. Instead, the client needs to repeat the | Resolver. Instead, the client needs to repeat the discovery process | |||
discovery process to discover the Designated Resolver of the other | to discover the Designated Resolver of the other Unencrypted DNS | |||
Unencrypted DNS Resolver. In other words, designations are per- | Resolver. In other words, designations are per-resolver and MUST NOT | |||
resolver and MUST NOT be used to configure the client's universal DNS | be used to configure the client's universal DNS behavior. This | |||
behavior. This ensures in all cases that queries are being sent to a | ensures in all cases that queries are being sent to a party | |||
party designated by the resolver originally being used. | designated by the resolver originally being used. | |||
4.1.1. Use of Designated Resolvers across network changes | 4.1.1. Use of Designated Resolvers across Network Changes | |||
If a client is configured with the same Unencrypted DNS Resolver IP | If a client is configured with the same Unencrypted DNS Resolver IP | |||
address on multiple different networks, a Designated Resolver that | address on multiple different networks, a Designated Resolver that | |||
has been discovered on one network SHOULD NOT be reused on any of the | has been discovered on one network SHOULD NOT be reused on any of the | |||
other networks without repeating the discovery process for each | other networks without repeating the discovery process for each | |||
network, since the same IP address may be used for different servers | network, since the same IP address may be used for different servers | |||
on the different networks. | on the different networks. | |||
4.2. Verified Discovery | 4.2. Verified Discovery | |||
Verified Discovery is a mechanism that allows automatic use of a | Verified Discovery is a mechanism that allows the automatic use of a | |||
Designated Resolver that supports DNS encryption that performs a TLS | Designated Resolver that supports DNS encryption that performs a TLS | |||
handshake. | handshake. | |||
In order to be considered a verified Designated Resolver, the TLS | In order to be considered a verified Designated Resolver, the TLS | |||
certificate presented by the Designated Resolver needs to pass the | certificate presented by the Designated Resolver needs to pass the | |||
following checks made by the client: | following checks made by the client: | |||
1. The client MUST verify the chain of certificates up to a trust | 1. The client MUST verify the chain of certificates up to a trust | |||
anchor as described in Section 6 of [RFC5280]. This SHOULD use | anchor as described in Section 6 of [RFC5280]. This SHOULD use | |||
the default system or application trust anchors, unless otherwise | the default system or application trust anchors, unless otherwise | |||
skipping to change at page 8, line 50 ¶ | skipping to change at line 353 ¶ | |||
discovered Designated Resolver if this designation was only | discovered Designated Resolver if this designation was only | |||
discovered via a _dns.resolver.arpa. query (if the designation was | discovered via a _dns.resolver.arpa. query (if the designation was | |||
advertised directly by the network as described in Section 6.5, the | advertised directly by the network as described in Section 6.5, the | |||
server can still be used). Additionally, the client SHOULD suppress | server can still be used). Additionally, the client SHOULD suppress | |||
any further queries for Designated Resolvers using this Unencrypted | any further queries for Designated Resolvers using this Unencrypted | |||
DNS Resolver for the length of time indicated by the SVCB record's | DNS Resolver for the length of time indicated by the SVCB record's | |||
Time to Live (TTL) in order to avoid excessive queries that will lead | Time to Live (TTL) in order to avoid excessive queries that will lead | |||
to further failed validations. The client MAY issue new queries if | to further failed validations. The client MAY issue new queries if | |||
the SVCB record's TTL is excessively long (as determined by client | the SVCB record's TTL is excessively long (as determined by client | |||
policy) to minimize the length of time an intermittent attacker can | policy) to minimize the length of time an intermittent attacker can | |||
prevent use of encrypted DNS. | prevent the use of encrypted DNS. | |||
If the Designated Resolver and the Unencrypted DNS Resolver share an | If the Designated Resolver and the Unencrypted DNS Resolver share an | |||
IP address, clients MAY choose to opportunistically use the | IP address, clients MAY choose to opportunistically use the | |||
Designated Resolver even without this certificate check | Designated Resolver even without this certificate check | |||
(Section 4.3). If the IP address is not shared, opportunistic use | (Section 4.3). If the IP address is not shared, opportunistic use | |||
allows for attackers to redirect queries to an unrelated Encrypted | allows for attackers to redirect queries to an unrelated Encrypted | |||
Resolver, as described in Section 7. | Resolver, as described in Section 7. | |||
Connections to a Designated Resolver can use a different IP address | Connections to a Designated Resolver can use a different IP address | |||
than the IP address of the Unencrypted DNS Resolver, such as if the | than the IP address of the Unencrypted DNS Resolver -- for example, | |||
process of resolving the SVCB service yields additional addresses. | if the process of resolving the SVCB service yields additional | |||
Even when a different IP address is used for the connection, the TLS | addresses. Even when a different IP address is used for the | |||
certificate checks described in this section still apply for the | connection, the TLS certificate checks described in this section | |||
original IP address of the Unencrypted DNS Resolver. | still apply for the original IP address of the Unencrypted DNS | |||
Resolver. | ||||
4.3. Opportunistic Discovery | 4.3. Opportunistic Discovery | |||
There are situations where Verified Discovery of encrypted DNS | There are situations where Verified Discovery of encrypted DNS | |||
configuration over unencrypted DNS is not possible. This includes | configuration over unencrypted DNS is not possible. This includes | |||
Unencrypted DNS Resolvers on private IP addresses [RFC1918], Unique | Unencrypted DNS Resolvers on private IP addresses [RFC1918], Unique | |||
Local Addresses (ULAs) [RFC4193], and Link Local Addresses [RFC3927] | Local Addresses (ULAs) [RFC4193], and Link-Local addresses [RFC3927] | |||
[RFC4291], whose identity cannot be safely confirmed using TLS | [RFC4291], whose identity cannot be safely confirmed using TLS | |||
certificates under most conditions. | certificates under most conditions. | |||
An Opportunistic Privacy Profile is defined for DoT in Section 4.1 of | An opportunistic privacy profile is defined for DoT in Section 4.1 of | |||
[RFC7858] as a mode in which clients do not validate the name of the | [RFC7858] as a mode in which clients do not validate the name of the | |||
resolver presented in the certificate. This Opportunistic Privacy | resolver presented in the certificate. This opportunistic privacy | |||
Profile similarly applies to DoQ [RFC9250]. For this profile, | profile similarly applies to DoQ [RFC9250]. For this profile, | |||
Section 4.1 of [RFC7858] explains that clients might or might not | Section 4.1 of [RFC7858] explains that clients might or might not | |||
validate the resolver; however, even if clients choose to perform | validate the resolver; however, even if clients choose to perform | |||
some certificate validation checks, they will not be able to validate | some certificate validation checks, they will not be able to validate | |||
the names presented in the SubjectAlternativeName field of the | the names presented in the SubjectAlternativeName field of the | |||
certificate for private and local IP addresses. | certificate for private and local IP addresses. | |||
A client MAY use information from the SVCB record for | A client MAY use information from the SVCB record for | |||
"_dns.resolver.arpa" with this Opportunistic Privacy Profile as long | "_dns.resolver.arpa" with this opportunistic privacy profile as long | |||
as the IP address of the Encrypted DNS Resolver does not differ from | as the IP address of the Encrypted DNS Resolver does not differ from | |||
the IP address of the Unencrypted DNS Resolver. Clients SHOULD use | the IP address of the Unencrypted DNS Resolver. Clients SHOULD use | |||
this mode only for resolvers using private or local IP addresses, | this mode only for resolvers using private or local IP addresses, | |||
since resolvers that use other addresses are able to provision TLS | since resolvers that use other addresses are able to provision TLS | |||
certificates for their addresses. | certificates for their addresses. | |||
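The client-side decision the two subsections above describe (Verified Discovery in Section 4.2, Opportunistic Discovery in Section 4.3, and the re-query suppression on a failed validation), as an added Python example that is not part of the RFC; the `Candidate` model, the `decide` function and the `max_suppress` policy cap are assumptions of this example, and the private/local ranges are taken from the RFCs the text cites.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges the document names as unverifiable by TLS certificates:
# RFC 1918 private space, RFC 3927 IPv4 link-local, RFC 4193 ULA and
# RFC 4291 IPv6 link-local.
_PRIVATE_OR_LOCAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


@dataclass(frozen=True)
class Candidate:
    """Constructed model (assumption of this example) of a Designated Resolver
    candidate after the _dns.resolver.arpa SVCB query and the TLS handshake."""
    connect_ip: str      # address the client actually connected to
    san_ips: tuple       # iPAddress SubjectAlternativeName entries of its certificate
    chain_valid: bool    # RFC 5280 path validation to a trust anchor succeeded
    svcb_ttl: int        # TTL in seconds of the SVCB record that advertised it


def _same_address(a, b):
    # ipaddress equality normalises textual forms such as "2001:DB8::1".
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def is_private_or_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _PRIVATE_OR_LOCAL if net.version == addr.version)


def verified_discovery_ok(unencrypted_ip, cand):
    """Section 4.2: the chain must validate and the ORIGINAL Unencrypted DNS
    Resolver address must be covered by the SubjectAlternativeName, even when
    the connection went to a different address."""
    if not cand.chain_valid:
        return False
    return any(_same_address(unencrypted_ip, san) for san in cand.san_ips)


def opportunistic_ok(unencrypted_ip, cand):
    """Section 4.3: no certificate check, but only when the Designated Resolver
    shares the Unencrypted DNS Resolver's address (MUST) and that address is
    private or local (the SHOULD, enforced here as client policy)."""
    return (_same_address(unencrypted_ip, cand.connect_ip)
            and is_private_or_local(unencrypted_ip))


def decide(unencrypted_ip, cand, max_suppress=3600):
    """Return (decision, seconds to suppress further _dns.resolver.arpa queries).

    On a failed validation the client MUST NOT use the resolver and SHOULD
    suppress re-queries for the SVCB TTL; max_suppress is this example's
    client-policy cap for an "excessively long" TTL."""
    if verified_discovery_ok(unencrypted_ip, cand):
        return "verified", 0
    if opportunistic_ok(unencrypted_ip, cand):
        return "opportunistic", 0
    return "reject", min(cand.svcb_ttl, max_suppress)
```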
5. Discovery Using Resolver Names | 5. Discovery Using Resolver Names | |||
A DNS client that already knows the name of an Encrypted DNS Resolver | A DNS client that already knows the name of an Encrypted DNS Resolver | |||
can use DDR to discover details about all supported encrypted DNS | can use DDR to discover details about all supported encrypted DNS | |||
protocols. This situation can arise if a client has been configured | protocols. This situation can arise if a client has been configured | |||
to use a given Encrypted DNS Resolver, or if a network provisioning | to use a given Encrypted DNS Resolver, or if a network provisioning | |||
protocol (such as DHCP or IPv6 Router Advertisements) provides a name | protocol (such as DHCP or IPv6 RAs) provides a name for an Encrypted | |||
for an Encrypted DNS Resolver alongside the resolver IP address, such | DNS Resolver alongside the resolver IP address, such as by using | |||
as by using Discovery of Network Resolvers (DNR) [I-D.ietf-add-dnr]. | Discovery of Network-designated Resolvers (DNR) [RFC9463]. | |||
For these cases, the client simply sends a DNS SVCB query using the | For these cases, the client simply sends a DNS SVCB query using the | |||
known name of the resolver. This query can be issued to the named | known name of the resolver. This query can be issued to the named | |||
Encrypted DNS Resolver itself or to any other resolver. Unlike the | Encrypted DNS Resolver itself or to any other resolver. Unlike the | |||
case of bootstrapping from an Unencrypted DNS Resolver (Section 4), | case of bootstrapping from an Unencrypted DNS Resolver (Section 4), | |||
these records SHOULD be available in the public DNS if the same | these records SHOULD be available in the public DNS if the same | |||
domain name's A or AAAA records are available in the public DNS to | domain name's A or AAAA records are available in the public DNS to | |||
allow using any resolver to discover another resolver's Designated | allow using any resolver to discover another resolver's Designated | |||
Resolvers. When the name can only be resolved in private namespaces, | Resolvers. When the name can only be resolved in private namespaces, | |||
these records SHOULD be available to the same audience as the A and | these records SHOULD be available to the same audience as the A and | |||
AAAA records. | AAAA records. | |||
For example, if the client already knows about a DoT server | For example, if the client already knows about a DoT server | |||
resolver.example.com, it can issue an SVCB query for | resolver.example.com, it can issue an SVCB query for | |||
_dns.resolver.example.com to discover if there are other encrypted | _dns.resolver.example.com to discover if there are other encrypted | |||
DNS protocols available. In the following example, the SVCB answers | DNS protocols available. In the following example, the SVCB answers | |||
indicate that resolver.example.com supports both DoH and DoT, and | indicate that resolver.example.com supports both DoH and DoT and that | |||
that the DoH server indicates a higher priority than the DoT server. | the DoH server indicates a higher priority than the DoT server. | |||
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( | _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( | |||
alpn=h2 dohpath=/dns-query{?dns} ) | alpn=h2 dohpath=/dns-query{?dns} ) | |||
_dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( | _dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( | |||
alpn=dot ) | alpn=dot ) | |||
Clients MUST validate that for any Encrypted DNS Resolver discovered | Clients MUST validate that for any Encrypted DNS Resolver discovered | |||
using a known resolver name, the TLS certificate of the resolver | using a known resolver name, the TLS certificate of the resolver | |||
contains the known name in a subjectAltName extension. In the | contains the known name in a subjectAltName extension. In the | |||
example above, this means that both servers need to have certificates | example above, this means that both servers need to have certificates | |||
skipping to change at page 11, line 24 ¶ | skipping to change at line 463 ¶ | |||
Resolver deployments that support DDR are advised to consider the | Resolver deployments that support DDR are advised to consider the | |||
following points. | following points. | |||
6.1. Caching Forwarders | 6.1. Caching Forwarders | |||
A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or | A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or | |||
any subdomains) upstream. This prevents a client from receiving an | any subdomains) upstream. This prevents a client from receiving an | |||
SVCB record that will fail to authenticate because the forwarder's IP | SVCB record that will fail to authenticate because the forwarder's IP | |||
address is not in the upstream resolver's Designated Resolver's TLS | address is not in the upstream resolver's Designated Resolver's TLS | |||
certificate SAN field. A DNS forwarder which already acts as a | certificate SubjectAlternativeName (SAN) field. A DNS forwarder that | |||
completely transparent forwarder MAY choose to forward these queries | already acts as a completely transparent forwarder MAY choose to | |||
when the operator expects that this does not apply, either because | forward these queries when the operator expects that this does not | |||
the operator knows that the upstream resolver does have the | apply, because the operator either knows that the upstream resolver | |||
forwarder's IP address in its TLS certificate's SAN field or that the | does have the forwarder's IP address in its TLS certificate's SAN | |||
operator expects clients to validate the connection via some future | field or expects clients to validate the connection via some future | |||
mechanism. | mechanism. | |||
Operators who choose to forward queries for "resolver.arpa" upstream | Operators who choose to forward queries for "resolver.arpa" upstream | |||
should note that client behavior is never guaranteed and use of DDR | should note that client behavior is never guaranteed and that the use | |||
by a resolver does not communicate a requirement for clients to use | of DDR by a resolver does not communicate a requirement for clients | |||
the SVCB record when it cannot be verified. | to use the SVCB record when it cannot be verified. | |||
6.2. Certificate Management | 6.2. Certificate Management | |||
Resolver owners that support Verified Discovery will need to list | Resolver owners that support Verified Discovery will need to list | |||
valid referring IP addresses in their TLS certificates. This may | valid referring IP addresses in their TLS certificates. This may | |||
pose challenges for resolvers with a large number of referring IP | pose challenges for resolvers with a large number of referring IP | |||
addresses. | addresses. | |||
6.3. Server Name Handling | 6.3. Server Name Handling | |||
Clients MUST NOT use "resolver.arpa" as the server name either in the | Clients MUST NOT use "resolver.arpa" as the server name in either | |||
TLS Server Name Indication (SNI) ([RFC8446]) for DoT, DoQ, or DoH | (1) the TLS Server Name Indication (SNI) [RFC8446] for DoT, DoQ, or | |||
connections, or in the URI host for DoH requests. | DoH connections or (2) the URI host for DoH requests. | |||
When performing discovery using resolver IP addresses, clients MUST | When performing discovery using resolver IP addresses, clients MUST | |||
use the original IP address of the Unencrypted DNS Resolver as the | use the original IP address of the Unencrypted DNS Resolver as the | |||
URI host for DoH requests. | URI host for DoH requests. | |||
Note that since IP addresses are not supported by default in the TLS | Note that since IP addresses are not supported by default in the TLS | |||
SNI, resolvers that support discovery using IP addresses will need to | SNI, resolvers that support discovery using IP addresses will need to | |||
be configured to present the appropriate TLS certificate when no SNI | be configured to present the appropriate TLS certificate when no SNI | |||
is present for DoT, DoQ, and DoH. | is present for DoT, DoQ, and DoH. | |||
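An added Python example (not code from the RFC) that parses the two SVCB answers shown in Section 5 and turns them into an ordered connection plan under the Section 6.3 server-name rules: the known name becomes the TLS server name and DoH host for name-based discovery, while IP-based discovery sends no SNI and uses the original Unencrypted DNS Resolver address as the DoH URI host. The `SvcbRecord`/`Endpoint` types and `connection_plan` function are assumptions of this example; presentation format with an explicit TTL is assumed, and only the `{?dns}` form of the `dohpath` URI template is handled.

```python
import re
from dataclasses import dataclass, field

# The two SVCB answers from the RFC's Section 5 example, in presentation format.
EXAMPLE_ZONE = """\
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. (
    alpn=h2 dohpath=/dns-query{?dns} )
_dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. (
    alpn=dot )
"""


@dataclass
class SvcbRecord:
    owner: str
    ttl: int
    priority: int          # 0 would be AliasMode; the RFC's example uses ServiceMode
    target: str
    params: dict = field(default_factory=dict)


@dataclass
class Endpoint:
    proto: str             # "DoH", "DoT" or "DoQ"
    server_name: str       # TLS server name to send and verify; None when found by IP
    port: int
    url: str = None        # DoH only


def parse_svcb_zone(text):
    """Parse IN SVCB records in presentation format (owner TTL class type
    priority target params...). Parenthesised continuations are joined first."""
    logical, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    if depth:
        raise ValueError("unbalanced parentheses in zone text")
    records = []
    for entry in logical:
        tokens = entry.replace("(", " ").replace(")", " ").split()
        owner, ttl, rclass, rtype, priority, target = tokens[:6]
        if rclass.upper() != "IN" or rtype.upper() != "SVCB":
            raise ValueError("expected an IN SVCB record: " + entry)
        params = {}
        for kv in tokens[6:]:
            key, _, value = kv.partition("=")
            params[key.lower()] = value
        if "alpn" in params:
            params["alpn"] = params["alpn"].split(",")
        records.append(SvcbRecord(owner.lower(), int(ttl), int(priority),
                                  target.lower(), params))
    return sorted(records, key=lambda r: r.priority)   # lower priority first


def connection_plan(records, known_name=None, unencrypted_ip=None):
    """Order the endpoints and apply Section 6.3: name-based discovery
    (Section 5) uses the known name as server name and DoH host; IP-based
    discovery (Section 4) sends no SNI and uses the ORIGINAL Unencrypted DNS
    Resolver address as DoH URI host. "resolver.arpa" is never a server name."""
    if (known_name is None) == (unencrypted_ip is None):
        raise ValueError("give exactly one of known_name or unencrypted_ip")
    if known_name and known_name.lower().rstrip(".").endswith("resolver.arpa"):
        raise ValueError("resolver.arpa MUST NOT be used as a server name")
    server_name = known_name.rstrip(".") if known_name else None
    host = server_name if server_name else unencrypted_ip
    if ":" in host:                       # IPv6 literal needs brackets in a URI
        host = f"[{host}]"
    plan = []
    for r in records:
        if r.priority == 0:
            continue                      # AliasMode is not followed in this example
        alpn = r.params.get("alpn", [])
        port = int(r.params["port"]) if "port" in r.params else None
        if "dohpath" in r.params and any(a in ("h2", "h3") for a in alpn):
            # Strip the "{?dns}" form-query expression to obtain the base URL;
            # a full RFC 6570 template expander is out of scope here.
            path = re.sub(r"\{\?dns\}$", "", r.params["dohpath"])
            port_part = f":{port}" if port else ""
            plan.append(Endpoint("DoH", server_name, port or 443,
                                 f"https://{host}{port_part}{path}"))
        if "dot" in alpn:
            plan.append(Endpoint("DoT", server_name, port or 853))
        if "doq" in alpn:
            plan.append(Endpoint("DoQ", server_name, port or 853))
    return plan
```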
6.4. Handling non-DDR queries for resolver.arpa | 6.4. Handling Non-DDR Queries for resolver.arpa | |||
DNS resolvers that support DDR by responding to queries for | DNS resolvers that support DDR by responding to queries for | |||
_dns.resolver.arpa MUST treat resolver.arpa as a locally served zone | _dns.resolver.arpa MUST treat resolver.arpa as a locally served zone | |||
per [RFC6303]. In practice, this means that resolvers SHOULD respond | per [RFC6303]. In practice, this means that resolvers SHOULD respond | |||
to queries of any type other than SVCB for _dns.resolver.arpa with | to queries of any type other than SVCB for _dns.resolver.arpa with | |||
NODATA and queries of any type for any domain name under | NODATA and queries of any type for any domain name under | |||
resolver.arpa with NODATA. | resolver.arpa with NODATA. | |||
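The server-side handling from Sections 6.1 and 6.4, as an added Python example rather than RFC text: a DDR-capable resolver treats `resolver.arpa` as a locally served zone, answering only SVCB queries for `_dns.resolver.arpa` from its own designations and everything else under the zone with NODATA, and a caching forwarder passes such queries upstream only in the transparent, operator-approved case. The `RRset` type, the `answer_locally` and `forwarder_may_forward` functions and the sample RRset are assumptions of this example.

```python
from dataclasses import dataclass

SVCB = 64                                  # RR type code for SVCB
NOERROR, NODATA = "NOERROR", "NODATA"      # NODATA: NOERROR with an empty answer section


@dataclass(frozen=True)
class RRset:
    owner: str
    ttl: int
    rtype: int
    rdata: tuple            # presentation-format strings, constructed for this example


# Constructed designation for a resolver whose encrypted service is
# resolver.example.com (mirrors the records in the RFC's Section 5 example).
OWN_DESIGNATION = RRset("_dns.resolver.arpa.", 7200, SVCB,
                        ("1 resolver.example.com. alpn=h2 dohpath=/dns-query{?dns}",
                         "2 resolver.example.com. alpn=dot"))


def canonical(name):
    """Lower-case and strip the trailing dot so comparisons are case-insensitive."""
    return name.lower().rstrip(".")


def under_resolver_arpa(qname):
    n = canonical(qname)
    return n == "resolver.arpa" or n.endswith(".resolver.arpa")


def answer_locally(qname, qtype, own_designation):
    """Resolver side (Section 6.4). Returns (rcode, answer_rrsets) for names
    under resolver.arpa, or None when the name is not special and ordinary
    resolution applies. own_designation is the resolver's SVCB RRset for
    _dns.resolver.arpa, or None for a resolver with no encrypted service."""
    if not under_resolver_arpa(qname):
        return None
    if canonical(qname) == "_dns.resolver.arpa" and qtype == SVCB and own_designation:
        return NOERROR, [own_designation]
    # Any other type for _dns.resolver.arpa, and any type for any other name
    # under resolver.arpa, is answered with NODATA; the zone is never looked
    # up elsewhere.
    return NODATA, []


def forwarder_may_forward(qname, forwarder_ip, upstream_san_ips, transparent=False):
    """Forwarder side (Section 6.1). resolver.arpa queries SHOULD NOT go
    upstream, since the upstream's Designated Resolver certificate will not
    normally name the forwarder's address and clients would fail validation.
    A completely transparent forwarder MAY forward when the operator knows the
    upstream certificate's SAN does cover the forwarder's address."""
    if not under_resolver_arpa(qname):
        return True
    return transparent and forwarder_ip in upstream_san_ips
```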
6.5. Interaction with Network-Designated Resolvers | 6.5. Interaction with Network-Designated Resolvers | |||
Discovery of network-designated resolvers (DNR, [I-D.ietf-add-dnr]) | DNR [RFC9463] allows a network to provide designation of resolvers | |||
allows a network to provide designation of resolvers directly through | directly through DHCP [RFC2132] [RFC8415] and through IPv6 RA options | |||
DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) [RFC4861] | [RFC4861]. When such indications are present, clients can suppress | |||
options. When such indications are present, clients can suppress | ||||
queries for "resolver.arpa" to the unencrypted DNS server indicated | queries for "resolver.arpa" to the unencrypted DNS server indicated | |||
by the network over DHCP or RAs, and the DNR indications SHOULD take | by the network over DHCP or RAs, and the DNR indications SHOULD take | |||
precedence over those discovered using "resolver.arpa" for the same | precedence over those discovered using "resolver.arpa" for the same | |||
resolver if there is a conflict, since DNR is considered a more | resolver if there is a conflict, since DNR is considered a more | |||
reliable source. | reliable source. | |||
The designated resolver information in DNR might not contain a full | The designated resolver information in DNR might not contain a full | |||
set of SvcParams needed to connect to an encrypted DNS resolver. In | set of SvcParams needed to connect to an encrypted DNS resolver. In | |||
such a case, the client can use an SVCB query using a resolver name, | such a case, the client can use an SVCB query using a resolver name, | |||
as described in Section 5, to the authentication-domain-name (ADN). | as described in Section 5, to the Authentication Domain Name (ADN). | |||
7. Security Considerations | 7. Security Considerations | |||
Since clients can receive DNS SVCB answers over unencrypted DNS, on- | Since clients can receive DNS SVCB answers over unencrypted DNS, on- | |||
path attackers can prevent successful discovery by dropping SVCB | path attackers can prevent successful discovery by dropping SVCB | |||
queries or answers, and thus prevent clients from switching to use | queries or answers and thus can prevent clients from switching to | |||
encrypted DNS. Clients should be aware that it might not be possible | using encrypted DNS. Clients should be aware that it might not be | |||
to distinguish between resolvers that do not have any Designated | possible to distinguish between resolvers that do not have any | |||
Resolver and such an active attack. To limit the impact of discovery | Designated Resolver and such an active attack. To limit the impact | |||
queries being dropped either maliciously or unintentionally, clients | of discovery queries being dropped either maliciously or | |||
can re-send their SVCB queries periodically. | unintentionally, clients can re-send their SVCB queries periodically. | |||
Section 8.2 of [I-D.ietf-add-svcb-dns] describes a second downgrade | Section 8.2 of [RFC9461] describes another type of downgrade attack | |||
attack where an attacker can block connections to the encrypted DNS | where an attacker can block connections to the encrypted DNS server. | |||
server. For DDR, clients need to validate a Designated Resolver | For DDR, clients need to validate a Designated Resolver using a | |||
using a connection to the server before trusting it, so attackers | connection to the server before trusting it, so attackers that can | |||
that can block these connections can prevent clients from switching | block these connections can prevent clients from switching to using | |||
to use encrypted DNS. | encrypted DNS. | |||
Encrypted DNS Resolvers that allow discovery using DNS SVCB answers | Encrypted DNS Resolvers that allow discovery using DNS SVCB answers | |||
over unencrypted DNS MUST NOT provide differentiated behavior based | over unencrypted DNS MUST NOT provide differentiated behavior based | |||
solely on metadata in the SVCB record, such as the HTTP path or | solely on metadata in the SVCB record, such as the HTTP path or | |||
alternate port number, which are parameters that an attacker could | alternate port number, which are parameters that an attacker could | |||
modify. For example, if a DoH resolver provides a filtering service | modify. For example, if a DoH resolver provides a filtering service | |||
for one URI path, and a non-filtered service for another URI path, an | for one URI path and a non-filtered service for another URI path, an | |||
attacker could select which of these services is used by modifying | attacker could select which of these services is used by modifying | |||
the "dohpath" parameter. These attacks can be mitigated by providing | the "dohpath" parameter. These attacks can be mitigated by providing | |||
separate resolver IP addresses or hostnames. | separate resolver IP addresses or hostnames. | |||
While the IP address of the Unencrypted DNS Resolver is often | While the IP address of the Unencrypted DNS Resolver is often | |||
provisioned over insecure mechanisms, it can also be provisioned | provisioned over insecure mechanisms, it can also be provisioned | |||
securely, such as via manual configuration, a VPN, or on a network | securely, such as via manual configuration, on a VPN, or on a network | |||
with protections like RA-Guard [RFC6105]. An attacker might try to | with protections like RA-Guard [RFC6105]. An attacker might try to | |||
direct Encrypted DNS traffic to itself by causing the client to think | direct Encrypted DNS traffic to itself by causing the client to think | |||
that a discovered Designated Resolver uses a different IP address | that a discovered Designated Resolver uses a different IP address | |||
from the Unencrypted DNS Resolver. Such a Designated Resolver might | from the Unencrypted DNS Resolver. Such a Designated Resolver might | |||
have a valid certificate, but be operated by an attacker that is | have a valid certificate but might be operated by an attacker that is | |||
trying to observe or modify user queries without the knowledge of the | trying to observe or modify user queries without the knowledge of the | |||
client or network. | client or network. | |||
If the IP address of a Designated Resolver differs from that of an | If the IP address of a Designated Resolver differs from that of an | |||
Unencrypted DNS Resolver, clients applying Verified Discovery | Unencrypted DNS Resolver, clients applying Verified Discovery | |||
(Section 4.2) MUST validate that the IP address of the Unencrypted | (Section 4.2) MUST validate that the IP address of the Unencrypted | |||
DNS Resolver is covered by the SubjectAlternativeName of the | DNS Resolver is covered by the SubjectAlternativeName of the | |||
Designated Resolver's TLS certificate. If that validation fails, the | Designated Resolver's TLS certificate. If that validation fails, the | |||
client MUST NOT automatically use the discovered Designated Resolver. | client MUST NOT automatically use the discovered Designated Resolver. | |||
Clients using Opportunistic Discovery (Section 4.3) MUST be limited | Clients using Opportunistic Discovery (Section 4.3) MUST be limited | |||
to cases where the Unencrypted DNS Resolver and Designated Resolver | to cases where the Unencrypted DNS Resolver and Designated Resolver | |||
have the same IP address, which SHOULD be a private or local IP | have the same IP address, which SHOULD be a private or local IP | |||
address. Clients which do not follow Opportunistic Discovery | address. Clients that do not follow Opportunistic Discovery | |||
(Section 4.3) and instead try to connect without first checking for a | (Section 4.3) and instead try to connect without first checking for a | |||
designation run the possible risk of being intercepted by an attacker | designation run the possible risk of being intercepted by an attacker | |||
hosting an Encrypted DNS Resolver on an IP address of an Unencrypted | hosting an Encrypted DNS Resolver on an IP address of an Unencrypted | |||
DNS Resolver where the attacker has failed to gain control of the | DNS Resolver where the attacker has failed to gain control of the | |||
Unencrypted DNS Resolver. | Unencrypted DNS Resolver. | |||
The constraints on the use of Designated Resolvers specified here | The constraints on the use of Designated Resolvers specified here | |||
apply specifically to the automatic discovery mechanisms defined in | apply specifically to the automatic discovery mechanisms defined in | |||
this document, which are referred to as Verified Discovery and | this document, which are referred to as Verified Discovery and | |||
Opportunistic Discovery. Clients MAY use some other mechanism to | Opportunistic Discovery. Clients MAY use some other mechanism to | |||
verify and use Designated Resolvers discovered using the DNS SVCB | verify and use Designated Resolvers discovered using the DNS SVCB | |||
record. However, use of such an alternate mechanism needs to take | record. However, the use of such an alternate mechanism needs to | |||
into account the attack scenarios detailed here. | take into account the attack scenarios detailed here. | |||
8. IANA Considerations | 8. IANA Considerations | |||
8.1. Special Use Domain Name "resolver.arpa" | ||||
This document calls for the addition of "resolver.arpa" to the | 8.1. Special-Use Domain Name "resolver.arpa" | |||
Special-Use Domain Names (SUDN) registry established by [RFC6761]. | ||||
IANA is requested to add an entry in "Transport-Independent Locally- | IANA has registered "resolver.arpa" in the "Special-Use Domain Names" | |||
Served DNS Zones" registry for 'resolver.arpa.' with the description | registry established by [RFC6761]. | |||
"DNS Resolver Special-Use Domain", listing this document as the | ||||
IANA has added an entry in the "Transport-Independent Locally-Served | ||||
DNS Zone Registry" for 'resolver.arpa.' with the description "DNS | ||||
Resolver Special-Use Domain" and listed this document as the | ||||
reference. | reference. | |||
8.2. Domain Name Reservation Considerations | 8.2. Domain Name Reservation Considerations | |||
In accordance with Section 5 of [RFC6761], the answers to the | In accordance with Section 5 of [RFC6761], the answers to the | |||
following questions are provided relative to this document: | following questions are provided relative to this document: | |||
1) Are human users expected to recognize these names as special and | 1. Are human users expected to recognize these names as special and | |||
use them differently? In what way? | use them differently? In what way? | |||
No. This name is used automatically by DNS stub resolvers running on | No. This name is used automatically by DNS stub resolvers | |||
client devices on behalf of users, and users will never see this name | running on client devices on behalf of users, and users will | |||
directly. | never see this name directly. | |||
2) Are writers of application software expected to make their | 2. Are writers of application software expected to make their | |||
software recognize these names as special and treat them differently? | software recognize these names as special and treat them | |||
In what way? | differently? In what way? | |||
No. There is no use case where a non-DNS application (covered by the | No. There is no use case where a non-DNS application (covered by | |||
next question) would need to use this name. | the next question) would need to use this name. | |||
3) Are writers of name resolution APIs and libraries expected to make | 3. Are writers of name resolution APIs and libraries expected to | |||
their software recognize these names as special and treat them | make their software recognize these names as special and treat | |||
differently? If so, how? | them differently? If so, how? | |||
Yes. DNS client implementors are expected to use this name when | Yes. DNS client implementors are expected to use this name when | |||
querying for a resolver's properties instead of records for the name | querying for a resolver's properties instead of records for the | |||
itself. DNS servers are expected to respond to queries for this name | name itself. DNS servers are expected to respond to queries for | |||
with their own properties instead of checking the matching zone as it | this name with their own properties instead of checking the | |||
would for normal domain names. | matching zone as it would for normal domain names. | |||
4) Are developers of caching domain name servers expected to make | 4. Are developers of caching domain name servers expected to make | |||
their implementations recognize these names as special and treat them | their implementations recognize these names as special and treat | |||
differently? If so, how? | them differently? If so, how? | |||
Yes. Caching domain name servers should not forward queries for this | Yes. Caching domain name servers should not forward queries for | |||
name to avoid causing validation failures due to IP address mismatch. | this name, to avoid causing validation failures due to IP address | |||
mismatch. | ||||
5) Are developers of authoritative domain name servers expected to | 5. Are developers of authoritative domain name servers expected to | |||
make their implementations recognize these names as special and treat | make their implementations recognize these names as special and | |||
them differently? If so, how? | treat them differently? If so, how? | |||
No. DDR is designed for use by recursive resolvers. Theoretically, | No. DDR is designed for use by recursive resolvers. | |||
an authoritative server could choose to support this name if it wants | Theoretically, an authoritative server could choose to support | |||
to advertise support for encrypted DNS protocols over plain-text DNS, | this name if it wants to advertise support for encrypted DNS | |||
but that scenario is covered by other work in the IETF DNSOP working | protocols over plaintext DNS, but that scenario is covered by | |||
group. | other work in the IETF DNSOP Working Group. | |||
6) Does this reserved Special-Use Domain Name have any potential | 6. Does this reserved Special-Use Domain Name have any potential | |||
impact on DNS server operators? If they try to configure their | impact on DNS server operators? If they try to configure their | |||
authoritative DNS server as authoritative for this reserved name, | authoritative DNS server as authoritative for this reserved name, | |||
will compliant name server software reject it as invalid? Do DNS | will compliant name server software reject it as invalid? Do DNS | |||
server operators need to know about that and understand why? Even if | server operators need to know about that and understand why? | |||
the name server software doesn't prevent them from using this | Even if the name server software doesn't prevent them from using | |||
reserved name, are there other ways that it may not work as expected, | this reserved name, are there other ways that it may not work as | |||
of which the DNS server operator should be aware? | expected, of which the DNS server operator should be aware? | |||
This name is locally served, and any resolver which supports this | This name is locally served, and any resolver that supports this | |||
name should never forward the query. DNS server operators should be | name should never forward the query. DNS server operators should | |||
aware that records for this name will be used by clients to modify | be aware that records for this name will be used by clients to | |||
the way they connect to their resolvers. | modify the way they connect to their resolvers. | |||
7) How should DNS Registries/Registrars treat requests to register | 7. How should DNS Registries/Registrars treat requests to register | |||
this reserved domain name? Should such requests be denied? Should | this reserved domain name? Should such requests be denied? | |||
such requests be allowed, but only to a specially-designated entity? | Should such requests be allowed, but only to a specially | |||
designated entity? | ||||
IANA should hold the registration for this name. Non-IANA requests | IANA holds the registration for this name. Non-IANA requests to | |||
to register this name should always be denied by DNS Registries/ | register this name should always be denied by DNS Registries/ | |||
Registrars. | Registrars. | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
[I-D.ietf-add-dnr] | ||||
Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. | ||||
Jensen, "DHCP and Router Advertisement Options for the | ||||
Discovery of Network-designated Resolvers (DNR)", Work in | ||||
Progress, Internet-Draft, draft-ietf-add-dnr-12, 24 July | ||||
2022, <https://datatracker.ietf.org/doc/html/draft-ietf- | ||||
add-dnr-12>. | ||||
[I-D.ietf-add-svcb-dns] | ||||
Schwartz, B., "Service Binding Mapping for DNS Servers", | ||||
Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns- | ||||
06, 5 July 2022, <https://datatracker.ietf.org/doc/html/ | ||||
draft-ietf-add-svcb-dns-06>. | ||||
[I-D.ietf-dnsop-svcb-https] | ||||
Schwartz, B., Bishop, M., and E. Nygren, "Service binding | ||||
and parameter specification via the DNS (DNS SVCB and | ||||
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- | ||||
dnsop-svcb-https-10, 24 May 2022, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop- | ||||
svcb-https-10>. | ||||
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. | [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. | |||
J., and E. Lear, "Address Allocation for Private | J., and E. Lear, "Address Allocation for Private | |||
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, | Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, | |||
February 1996, <https://www.rfc-editor.org/rfc/rfc1918>. | February 1996, <https://www.rfc-editor.org/info/rfc1918>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic | [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic | |||
Configuration of IPv4 Link-Local Addresses", RFC 3927, | Configuration of IPv4 Link-Local Addresses", RFC 3927, | |||
DOI 10.17487/RFC3927, May 2005, | DOI 10.17487/RFC3927, May 2005, | |||
<https://www.rfc-editor.org/rfc/rfc3927>. | <https://www.rfc-editor.org/info/rfc3927>. | |||
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast | [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast | |||
Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005, | Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005, | |||
<https://www.rfc-editor.org/rfc/rfc4193>. | <https://www.rfc-editor.org/info/rfc4193>. | |||
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | |||
Architecture", RFC 4291, DOI 10.17487/RFC4291, February | Architecture", RFC 4291, DOI 10.17487/RFC4291, February | |||
2006, <https://www.rfc-editor.org/rfc/rfc4291>. | 2006, <https://www.rfc-editor.org/info/rfc4291>. | |||
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
<https://www.rfc-editor.org/rfc/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
[RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, | [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, | |||
RFC 6303, DOI 10.17487/RFC6303, July 2011, | RFC 6303, DOI 10.17487/RFC6303, July 2011, | |||
<https://www.rfc-editor.org/rfc/rfc6303>. | <https://www.rfc-editor.org/info/rfc6303>. | |||
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", | |||
RFC 6761, DOI 10.17487/RFC6761, February 2013, | RFC 6761, DOI 10.17487/RFC6761, February 2013, | |||
<https://www.rfc-editor.org/rfc/rfc6761>. | <https://www.rfc-editor.org/info/rfc6761>. | |||
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | |||
and P. Hoffman, "Specification for DNS over Transport | and P. Hoffman, "Specification for DNS over Transport | |||
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | |||
2016, <https://www.rfc-editor.org/rfc/rfc7858>. | 2016, <https://www.rfc-editor.org/info/rfc7858>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS | [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS | |||
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, | (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, | |||
<https://www.rfc-editor.org/rfc/rfc8484>. | <https://www.rfc-editor.org/info/rfc8484>. | |||
[RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over | [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over | |||
Dedicated QUIC Connections", RFC 9250, | Dedicated QUIC Connections", RFC 9250, | |||
DOI 10.17487/RFC9250, May 2022, | DOI 10.17487/RFC9250, May 2022, | |||
<https://www.rfc-editor.org/rfc/rfc9250>. | <https://www.rfc-editor.org/info/rfc9250>. | |||
9.2. Informative References | [RFC9460] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding | |||
and Parameter Specification via the DNS (DNS SVCB and | ||||
HTTPS Resource Records (RRs))", RFC 9460, | ||||
DOI 10.17487/RFC9460, September 2023, | ||||
<https://www.rfc-editor.org/info/rfc9460>. | ||||
[I-D.ietf-tls-esni] | [RFC9461] Schwartz, B., "Service Binding Mapping for DNS Servers", | |||
Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | RFC 9461, DOI 10.17487/RFC9461, September 2023, | |||
Encrypted Client Hello", Work in Progress, Internet-Draft, | <https://www.rfc-editor.org/info/rfc9461>. | |||
draft-ietf-tls-esni-14, 13 February 2022, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-tls- | ||||
esni-14>. | ||||
[I-D.schinazi-httpbis-doh-preference-hints] | [RFC9463] Boucadair, M., Ed., Reddy.K, T., Ed., Wing, D., Cook, N., | |||
and T. Jensen, "DHCP and Router Advertisement Options for | ||||
the Discovery of Network-designated Resolvers (DNR)", | ||||
RFC 9463, DOI 10.17487/RFC9463, September 2023, | ||||
<https://www.rfc-editor.org/info/rfc9463>. | ||||
9.2. Informative References | ||||
[DoH-HINTS] | ||||
Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference | Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference | |||
Hints for HTTP", Work in Progress, Internet-Draft, draft- | Hints for HTTP", Work in Progress, Internet-Draft, draft- | |||
schinazi-httpbis-doh-preference-hints-02, 13 July 2020, | schinazi-httpbis-doh-preference-hints-02, 13 July 2020, | |||
<https://datatracker.ietf.org/doc/html/draft-schinazi- | <https://datatracker.ietf.org/doc/html/draft-schinazi- | |||
httpbis-doh-preference-hints-02>. | httpbis-doh-preference-hints-02>. | |||
[ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | ||||
Encrypted Client Hello", Work in Progress, Internet-Draft, | ||||
draft-ietf-tls-esni-16, 6 April 2023, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-tls- | ||||
esni-16>. | ||||
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor | [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor | |||
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, | Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2132>. | <https://www.rfc-editor.org/info/rfc2132>. | |||
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
DOI 10.17487/RFC4861, September 2007, | DOI 10.17487/RFC4861, September 2007, | |||
<https://www.rfc-editor.org/rfc/rfc4861>. | <https://www.rfc-editor.org/info/rfc4861>. | |||
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. | [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. | |||
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, | Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, | |||
DOI 10.17487/RFC6105, February 2011, | DOI 10.17487/RFC6105, February 2011, | |||
<https://www.rfc-editor.org/rfc/rfc6105>. | <https://www.rfc-editor.org/info/rfc6105>. | |||
[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, | [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, | |||
"IPv6 Router Advertisement Options for DNS Configuration", | "IPv6 Router Advertisement Options for DNS Configuration", | |||
RFC 8106, DOI 10.17487/RFC8106, March 2017, | RFC 8106, DOI 10.17487/RFC8106, March 2017, | |||
<https://www.rfc-editor.org/rfc/rfc8106>. | <https://www.rfc-editor.org/info/rfc8106>. | |||
[RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., | [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., | |||
Richardson, M., Jiang, S., Lemon, T., and T. Winters, | Richardson, M., Jiang, S., Lemon, T., and T. Winters, | |||
"Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", | "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", | |||
RFC 8415, DOI 10.17487/RFC8415, November 2018, | RFC 8415, DOI 10.17487/RFC8415, November 2018, | |||
<https://www.rfc-editor.org/rfc/rfc8415>. | <https://www.rfc-editor.org/info/rfc8415>. | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/rfc/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
[RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name | [RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name | |||
'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August | 'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August | |||
2020, <https://www.rfc-editor.org/rfc/rfc8880>. | 2020, <https://www.rfc-editor.org/info/rfc8880>. | |||
Appendix A. Rationale for using a Special Use Domain Name | Appendix A. Rationale for Using a Special-Use Domain Name | |||
The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the | The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the | |||
querying client is not interested in an answer from the authoritative | querying client is not interested in an answer from the authoritative | |||
"arpa" name servers. The intent of the SUDN is to allow clients to | "arpa" name servers. The intent of the SUDN is to allow clients to | |||
communicate with the Unencrypted DNS Resolver much like | communicate with the Unencrypted DNS Resolver much like | |||
"ipv4only.arpa" allows for client-to-middlebox communication. For | "ipv4only.arpa" allows for client-to-middlebox communication. For | |||
more context, see the rationale behind "ipv4only.arpa" in [RFC8880]. | more context, see [RFC8880] for the rationale behind "ipv4only.arpa". | |||
Appendix B. Rationale for using SVCB records | Appendix B. Rationale for Using SVCB Records | |||
This mechanism uses SVCB/HTTPS resource records | This mechanism uses SVCB/HTTPS resource records [RFC9460] to | |||
[I-D.ietf-dnsop-svcb-https] to communicate that a given domain | communicate that a given domain designates a particular Designated | |||
designates a particular Designated Resolver for clients to use in | Resolver for clients to use in place of an Unencrypted DNS Resolver | |||
place of an Unencrypted DNS Resolver (using a SUDN) or another | (using a SUDN) or another Encrypted DNS Resolver (using its domain | |||
Encrypted DNS Resolver (using its domain name). | name). | |||
There are various other proposals for how to provide similar | There are various other proposals for how to provide similar | |||
functionality. There are several reasons that this mechanism has | functionality. There are several reasons that this mechanism has | |||
chosen SVCB records: | chosen SVCB records: | |||
* Discovering encrypted DNS resolvers using DNS records keeps client | * Discovering encrypted DNS resolvers using DNS records keeps client | |||
logic for DNS self-contained and allows a DNS resolver operator to | logic for DNS self-contained and allows a DNS resolver operator to | |||
define which resolver names and IP addresses are related to one | define which resolver names and IP addresses are related to one | |||
another. | another. | |||
* Using DNS records also does not rely on bootstrapping with higher- | * Using DNS records also does not rely on bootstrapping with higher- | |||
level application operations (such as | level application operations (such as those discussed in | |||
[I-D.schinazi-httpbis-doh-preference-hints]). | [DoH-HINTS]). | |||
* SVCB records are extensible and allow definition of parameter | * SVCB records are extensible and allow the definition of parameter | |||
keys. This makes them a superior mechanism for extensibility as | keys, making them a superior mechanism for extensibility as | |||
compared to approaches such as overloading TXT records. The same | compared to approaches such as overloading TXT records. The same | |||
keys can be used for discovering Designated Resolvers of different | keys can be used for discovering Designated Resolvers of different | |||
transport types as well as those advertised by Unencrypted DNS | transport types as well as those advertised by Unencrypted DNS | |||
Resolvers or another Encrypted DNS Resolver. | Resolvers or another Encrypted DNS Resolver. | |||
* Clients and servers that are interested in privacy of names will | * Clients and servers that are interested in privacy of names will | |||
already need to support SVCB records in order to use Encrypted TLS | already need to support SVCB records in order to use the TLS | |||
Client Hello [I-D.ietf-tls-esni]. Without encrypting names in | Encrypted ClientHello [ECH]. Without encrypting names in TLS, the | |||
TLS, the value of encrypting DNS is reduced, so pairing the | value of encrypting DNS is reduced, so pairing the solutions | |||
solutions provides the largest benefit. | provides the greatest benefit. | |||
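The parameter-key argument in the bullets above is easiest to see in code. What follows is an added example, not text or code from RFC 9462 or from any implementation it describes: a Python decoder for SVCB RDATA as RFC 9460 defines it (SvcPriority, TargetName, then SvcParams in strictly increasing key order), using the SvcParamKey codepoints registered by RFC 9460 and the dohpath key registered by RFC 9461, applied to a constructed RRset of the kind a client receives for the "_dns.resolver.arpa" SVCB query. The names, address and path in SAMPLE_RRSET are constructed documentation values, not taken from the RFC. The same alpn, port, ipv4hint and dohpath keys describe both the DoH and the DoT designation, so a single selection routine can pick a Designated Resolver for whichever transport the client supports.

```python
"""SVCB decoding for a DDR client.  Added example, not code from RFC 9462."""
import ipaddress
import struct

# SvcParamKey codepoints from RFC 9460, plus dohpath (7) from RFC 9461.
KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
        4: "ipv4hint", 5: "ech", 6: "ipv6hint", 7: "dohpath"}

def _read_name(data, off):
    """Read an uncompressed wire-format name; return (presentation form, offset)."""
    labels = []
    while True:
        if off >= len(data):
            raise ValueError("truncated TargetName")
        n, off = data[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:  # RFC 9460: TargetName is never compressed
            raise ValueError("compressed label in TargetName")
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def _decode_value(key, value):
    """Decode one SvcParamValue; ech, no-default-alpn and unknown keys stay raw."""
    if key == 0:  # mandatory: u16 keys the client must understand
        return [KEYS.get(k, k) for (k,) in struct.iter_unpack("!H", value)]
    if key == 1:  # alpn: 1-octet length-prefixed protocol ids
        ids, i = [], 0
        while i < len(value):
            n = value[i]
            ids.append(value[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return ids
    if key == 3:  # port: u16
        return struct.unpack("!H", value)[0]
    if key in (4, 6):  # ipv4hint / ipv6hint: packed addresses
        size = 4 if key == 4 else 16
        return [str(ipaddress.ip_address(value[i:i + size]))
                for i in range(0, len(value), size)]
    if key == 7:  # dohpath: relative URI Template; accept the usual "{?dns}" form
        path = value.decode("utf-8")
        if not path.startswith("/") or "{?dns}" not in path:
            raise ValueError("invalid dohpath %r" % path)
        return path
    return value

def parse_svcb_rdata(rdata):
    """SvcPriority, TargetName, then SvcParams in strictly increasing key order."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last = {}, -1
    while off < len(rdata):
        key, vlen = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last or off + vlen > len(rdata):
            raise ValueError("malformed SvcParams")
        params[KEYS.get(key, key)] = _decode_value(key, rdata[off:off + vlen])
        off, last = off + vlen, key
    return {"priority": priority, "target": target, "params": params}

def choose_designated_resolver(rdatas, alpn):
    """Lowest-SvcPriority ServiceMode record offering `alpn`, or None.  AliasMode
    records (priority 0) and records with a mandatory key we cannot decode are
    skipped, as RFC 9460 requires."""
    usable = []
    for rdata in rdatas:
        rec = parse_svcb_rdata(rdata)
        p = rec["params"]
        if rec["priority"] == 0:
            continue
        if any(k not in KEYS.values() or k not in p for k in p.get("mandatory", [])):
            continue
        if alpn in p.get("alpn", []):
            usable.append(rec)
    return min(usable, key=lambda r: r["priority"], default=None)

def build_svcb_rdata(priority, target, params):
    """Encode RDATA from (key, raw value) pairs; used only to construct samples."""
    out = struct.pack("!H", priority)
    for label in target.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    for key, value in sorted(params):
        out += struct.pack("!HH", key, len(value)) + value
    return out

# Constructed sample RRset (one DoH and one DoT designation), the shape of
# answer an Unencrypted DNS Resolver returns for "_dns.resolver.arpa".
SAMPLE_RRSET = [
    build_svcb_rdata(1, "doh.example.net.", [
        (1, b"\x02h2"), (4, ipaddress.IPv4Address("192.0.2.1").packed),
        (7, b"/dns-query{?dns}")]),
    build_svcb_rdata(2, "dot.example.net.", [
        (1, b"\x03dot"), (3, struct.pack("!H", 853)),
        (4, ipaddress.IPv4Address("192.0.2.1").packed)]),
]
```

Calling choose_designated_resolver(SAMPLE_RRSET, "h2") returns the DoH record with its dohpath, "dot" returns the DoT record with port 853, and an ALPN nobody advertises ("doq" here) returns None. Selecting a record is only the first step: the SVCB answer arrives over unencrypted DNS and could be altered in transit, so RFC 9462 still requires the client to verify the Designated Resolver's TLS certificate before trusting the designation, and a record carrying a mandatory key the client does not understand is discarded rather than used.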
Authors' Addresses | Authors' Addresses | |||
Tommy Pauly | Tommy Pauly | |||
Apple Inc. | Apple Inc. | |||
One Apple Park Way | One Apple Park Way | |||
Cupertino, California 95014, | Cupertino, California 95014 | |||
United States of America | United States of America | |||
Email: tpauly@apple.com | Email: tpauly@apple.com | |||
Eric Kinnear | Eric Kinnear | |||
Apple Inc. | Apple Inc. | |||
One Apple Park Way | One Apple Park Way | |||
Cupertino, California 95014, | Cupertino, California 95014 | |||
United States of America | United States of America | |||
Email: ekinnear@apple.com | Email: ekinnear@apple.com | |||
Christopher A. Wood | Christopher A. Wood | |||
Cloudflare | Cloudflare | |||
101 Townsend St | 101 Townsend St | |||
San Francisco, | San Francisco, California 94107 | |||
United States of America | United States of America | |||
Email: caw@heapingbits.net | Email: caw@heapingbits.net | |||
Patrick McManus | Patrick McManus | |||
Fastly | Fastly | |||
Email: mcmanus@ducksong.com | Email: mcmanus@ducksong.com | |||
Tommy Jensen | Tommy Jensen | |||
Microsoft | Microsoft | |||
Email: tojens@microsoft.com | Email: tojens@microsoft.com | |||
End of changes. 101 change blocks. | ||||
291 lines changed or deleted | 268 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |