[Docs] [txt|pdf] [Tracker] [WG] [Email] [Nits]



ADD                                                             T. Pauly
Internet-Draft                                                E. Kinnear
Intended status: Standards Track                              Apple Inc.
Expires: 14 August 2021                                        C.A. Wood
                                                              Cloudflare
                                                              P. McManus
                                                                  Fastly
                                                               T. Jensen
                                                               Microsoft
                                                        10 February 2021


                   Discovery of Designated Resolvers
                         draft-ietf-add-ddr-00

Abstract

   This document defines Discovery of Designated Resolvers (DDR), a
   mechanism for DNS clients to use DNS records to discover a resolver's
   encrypted DNS configuration.  This mechanism can be used to move from
   unencrypted DNS to encrypted DNS when only the IP address of an
   encrypted resolver is known.  It can also be used to discover support
   for encrypted DNS protocols when the name of an encrypted resolver is
   known.  This mechanism is designed to be limited to cases where
   unencrypted resolvers and their designated resolvers are operated by
   the same entity.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 14 August 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.



Pauly, et al.            Expires 14 August 2021                 [Page 1]


Internet-Draft                     DDR                     February 2021


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Specification of Requirements . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  DNS Service Binding Records . . . . . . . . . . . . . . . . .   3
   4.  Discovery Using Resolver IP Addresses . . . . . . . . . . . .   4
     4.1.  Authenticated Discovery . . . . . . . . . . . . . . . . .   5
     4.2.  Opportunistic Discovery . . . . . . . . . . . . . . . . .   5
   5.  Discovery Using Resolver Names  . . . . . . . . . . . . . . .   6
   6.  Deployment Considerations . . . . . . . . . . . . . . . . . .   6
     6.1.  Caching Forwarders  . . . . . . . . . . . . . . . . . . .   7
     6.2.  Certificate Management  . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     8.1.  Special Use Domain Name "resolver.arpa" . . . . . . . . .   8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Appendix A.  Rationale for using SVCB records . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   When DNS clients wish to use encrypted DNS protocols such as DNS-
   over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they
   require additional information beyond the IP address of the DNS
   server, such as the resolver's hostname, non-standard ports, or URL
   paths.  However, common configuration mechanisms only provide the
   resolver's IP address during configuration.  Such mechanisms include
   network provisioning protocols like DHCP [RFC2132] and IPv6 Router
   Advertisement (RA) options [RFC8106], as well as manual
   configuration.

   This document defines two mechanisms for clients to discover
   designated resolvers using DNS server Service Binding (SVCB,
   [I-D.ietf-dnsop-svcb-https]) records:





Pauly, et al.            Expires 14 August 2021                 [Page 2]


Internet-Draft                     DDR                     February 2021


   1.  When only an IP address of an Unencrypted Resolver is known, the
       client queries a special use domain name to discover DNS SVCB
       records associated with the Unencrypted Resolver (Section 4).

   2.  When the hostname of an encrypted DNS server is known, the client
       requests details by sending a query for a DNS SVCB record.  This
       can be used to discover alternate encrypted DNS protocols
       supported by a known server, or to provide details if a resolver
       name is provisioned by a network (Section 5).

   Both of these approaches allow clients to confirm that a discovered
   Encrypted Resolver is designated by the originally provisioned
   resolver.  "Equivalence" in this context means that the resolvers are
   operated by the same entity; for example, the resolvers are
   accessible on the same IP address, or there is a certificate that
   claims ownership over both resolvers.

1.1.  Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   This document defines the following terms:

   DDR:  Discovery of Designated Resolvers.  Refers to the mechanisms
      defined in this document.

   Designated Resolver:  A resolver, presumably an Encrypted Resolver,
      designated by another resolver for use in its own place.  This
      designation can be authenticated with TLS certificates.

   Encrypted Resolver:  A DNS resolver using any encrypted DNS
      transport.  This includes current mechanisms such as DoH and DoT
      as well as future mechanisms.

   Unencrypted Resolver:  A DNS resolver using TCP or UDP port 53.

3.  DNS Service Binding Records

   DNS resolvers can advertise one or more Designated Resolvers that may
   offer support over encrypted channels and are controlled by the same
   entity.




Pauly, et al.            Expires 14 August 2021                 [Page 3]


Internet-Draft                     DDR                     February 2021


   When a client discovers Designated Resolvers, it learns information
   such as the supported protocols, ports, and server name to use in
   certificate validation.  This information is provided in Service
   Binding (SVCB) records for DNS Servers, defined by
   [I-D.schwartz-svcb-dns].

   The following is an example of an SVCB record describing a DoH
   server:

   _dns.example.net  7200  IN SVCB 1 . (
        alpn=h2 dohpath=/dns-query{?dns} ipv4hint=x.y.z.w )

   The following is an example of an SVCB record describing a DoT
   server:

   _dns.example.net  7200  IN SVCB 1 dot.example.net (
        alpn=dot port=8530 ipv4hint=x.y.z.w )

   If multiple Designated Resolvers are available, using one or more
   encrypted DNS protocols, the resolver deployment can indicate a
   preference using the priority fields in each SVCB record
   [I-D.ietf-dnsop-svcb-https].

   This document focuses on discovering DoH and DoT Designated
   Resolvers.  Other protocols can also use the format defined by
   [I-D.schwartz-svcb-dns].  However, if any protocol does not involve
   some form of certificate validation, new validation mechanisms will
   need to be defined to support validating equivalence as defined in
   Section 4.1.

4.  Discovery Using Resolver IP Addresses

   When a DNS client is configured with an Unencrypted Resolver IP
   address, it SHOULD query the resolver for SVCB records for
   "dns://resolver.arpa" before making other queries.  Specifically, the
   client issues a query for "_dns.resolver.arpa" with the SVCB resource
   record type (64) [I-D.ietf-dnsop-svcb-https].

   If the recursive resolver that receives this query has one or more
   Designated Resolvers, it will return the corresponding SVCB records.
   When responding to these special queries for "dns://resolver.arpa",
   the SVCB records SHOULD contain at least one "ipv4hint" and/or
   "ipv6hint" keys.  These address hints indicate the address on which
   the corresponding Encrypted Resolver can be reached and avoid
   additional DNS lookup for the A and AAAA records of the Encrypted
   Resolver name.





Pauly, et al.            Expires 14 August 2021                 [Page 4]


Internet-Draft                     DDR                     February 2021


4.1.  Authenticated Discovery

   In order to be considered an authenticated Designated Resolver, the
   TLS certificate presented by the Encrypted Resolver MUST contain both
   the domain name (from the SVCB answer) and the IP address of the
   designating Unencrypted Resolver within the SubjectAlternativeName
   certificate field.  The client MUST check the SubjectAlternativeName
   field for both the Unencrypted Resolver's IP address and the
   advertised name of the Designated Resolver.  If the certificate can
   be validated, the client SHOULD use the discovered Designated
   Resolver for any cases in which it would have otherwise used the
   Unencrypted Resolver.  If the Designated Resolver has a different IP
   address than the Unencrypted Resolver and the TLS certificate does
   not cover the Unencrypted Resolver address, the client MUST NOT use
   the discovered Encrypted Resolver.  Additionally, the client SHOULD
   suppress any further queries for Designated Resolvers using this
   Unencrypted Resolver for the length of time indicated by the SVCB
   record's Time to Live (TTL).

   If the Designated Resolver and the Unencrypted Resolver share an IP
   address, clients MAY choose to opportunistically use the Encrypted
   Resolver even without this certificate check (Section 4.2).

4.2.  Opportunistic Discovery

   There are situations where authenticated discovery of encrypted DNS
   configuration over unencrypted DNS is not possible.  This includes
   Unencrypted Resolvers on non-public IP addresses whose identity
   cannot be confirmed using TLS certificates.

   Opportunistic Privacy is defined for DoT in Section 4.1 of [RFC7858]
   as a mode in which clients do not validate the name of the resolver
   presented in the certificate.  A client MAY use information from the
   SVCB record for "dns://resolver.arpa" with this "opportunistic"
   approach (not validating the names presented in the
   SubjectAlternativeName field of the certificate) as long as the IP
   address of the Encrypted Resolver does not differ from the IP address
   of the Unencrypted Resolver, and that IP address is a private address
   (such as those defined in [RFC1918]).  This approach can be used for
   DoT or DoH.

   If the IP addresses of the Encrypted and Unencrypted Resolvers are
   not the same, or the shared IP address is not a private IP address,
   the client MUST NOT use the Encrypted Resolver opportunistically.







Pauly, et al.            Expires 14 August 2021                 [Page 5]


Internet-Draft                     DDR                     February 2021


5.  Discovery Using Resolver Names

   A DNS client that already knows the name of an Encrypted Resolver can
   use DEER to discover details about all supported encrypted DNS
   protocols.  This situation can arise if a client has been configured
   to use a given Encrypted Resolver, or if a network provisioning
   protocol (such as DHCP or IPv6 Router Advertisements) provides a name
   for an Encrypted Resolver alongside the resolver IP address.

   For these cases, the client simply sends a DNS SVCB query using the
   known name of the resolver.  This query can be issued to the named
   Encrypted Resolver itself or to any other resolver.  Unlike the case
   of bootstrapping from an Unencrypted Resolver (Section 4), these
   records SHOULD be available in the public DNS.

   For example, if the client already knows about a DoT server
   "resolver.example.com", it can issue an SVCB query for
   "_dns.resolver.example.com" to discover if there are other encrypted
   DNS protocols available.  In the following example, the SVCB answers
   indicate that "resolver.example.com" supports both DoH and DoT, and
   that the DoH server indicates a higher priority than the DoT server.

   _dns.resolver.example.com  7200  IN SVCB 1 . (
        alpn=h2 dohpath=/dns-query{?dns} )
   _dns.resolver.example.com  7200  IN SVCB 2 . (
        alpn=dot )

   Often, the various supported encrypted DNS protocols will be
   accessible using the same hostname.  In the example above, both DoH
   and DoT use the name "resolver.example.com" for their TLS
   certficates.  If a deployment uses a different hostname for one
   protocol, but still wants clients to treat both DNS servers as
   designated, the TLS certificates MUST include both names in the
   SubjectAlternativeName fields.  Note that this name verification is
   not related to the DNS resolver that provided the SVCB answer.

   For example, being able to discover a Designated Resolver for a known
   Encrypted Resolver is useful when a client has a DoT configuration
   for "foo.resolver.example.com" but is on a network that blocks DoT
   traffic.  The client can still send a query to any other accessible
   resolver (either the local network resolver or an accessible DoH
   server) to discover if there is a designated DoH server for
   "foo.resolver.example.com".

6.  Deployment Considerations

   Resolver deployments that support DEER are advised to consider the
   following points.



Pauly, et al.            Expires 14 August 2021                 [Page 6]


Internet-Draft                     DDR                     February 2021


6.1.  Caching Forwarders

   If a caching forwarder consults multiple resolvers, it may be
   possible for it to cache records for the "resolver.arpa" Special Use
   Domain Name (SUDN) for multiple resolvers.  This may result in
   clients sending queries intended to discover Designated Resolvers for
   resolver "foo" and receiving answers for resolvers "foo" and "bar".

   A client will successfully reject unintended connections because the
   authenticated discovery will fail or the resolver addresses do not
   match.  Clients that attempt unauthenticated connections to resolvers
   discovered through SVCB queries run the risk of connecting to the
   wrong server in this scenario.

   To prevent unnecessary traffic from clients to incorrect resolvers,
   DNS caching resolvers SHOULD NOT cache results for the
   "resolver.arpa" SUDN other than for Designated Resolvers under their
   control.

6.2.  Certificate Management

   Resolver owners that support authenticated discovery will need to
   list valid referring IP addresses in their TLS certificates.  This
   may pose challenges for resolvers with a large number of referring IP
   addresses.

7.  Security Considerations

   Since client can receive DNS SVCB answers over unencrypted DNS, on-
   path attackers can prevent successful discovery by dropping SVCB
   packets.  Clients should be aware that it might not be possible to
   distinguish between resolvers that do not have any Designated
   Resolver and such an active attack.

   While the IP address of the Unencrypted Resolver is often provisioned
   over insecure mechanisms, it can also be provisioned securely, such
   as via manual configuration, a VPN, or on a network with protections
   like RA guard [RFC6105].  An attacker might try to direct Encrypted
   DNS traffic to itself by causing the client to think that a
   discovered Designated Resolver uses a different IP address from the
   Unencrypted Resolver.  Such an Encrypted Resolver might have a valid
   certificate, but be operated by an attacker that is trying to observe
   or modify user queries without the knowledge of the client or
   network.







Pauly, et al.            Expires 14 August 2021                 [Page 7]


Internet-Draft                     DDR                     February 2021


   If the IP address of a Designated Resolver differs from that of an
   Unencrypted Resolver, clients MUST validate that the IP address of
   the Unencrypted Resolver is covered by the SubjectAlternativeName of
   the Encrypted Resolver's TLS certificate (Section 4.1).

   Opportunistic use of Encrypted Resolvers MUST be limited to cases
   where the Unencrypted Resolver and Designated Resolver have the same
   IP address (Section 4.2).

8.  IANA Considerations

8.1.  Special Use Domain Name "resolver.arpa"

   This document calls for the creation of the "resolver.arpa" SUDN.
   This will allow resolvers to respond to queries directed at
   themselves rather than a specific domain name.  While this document
   uses "resolver.arpa" to return SVCB records indicating designated
   encrypted capability, the name is generic enough to allow future
   reuse for other purposes where the resolver wishes to provide
   information about itself to the client.

9.  References

9.1.  Normative References

   [I-D.ietf-dnsop-svcb-https]
              Schwartz, B., Bishop, M., and E. Nygren, "Service binding
              and parameter specification via the DNS (DNS SVCB and
              HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
              dnsop-svcb-https-02, 2 November 2020,
              <http://www.ietf.org/internet-drafts/draft-ietf-dnsop-
              svcb-https-02.txt>.

   [I-D.ietf-tls-esni]
              Rescorla, E., Oku, K., Sullivan, N., and C. Wood, "TLS
              Encrypted Client Hello", Work in Progress, Internet-Draft,
              draft-ietf-tls-esni-09, 16 December 2020,
              <http://www.ietf.org/internet-drafts/draft-ietf-tls-esni-
              09.txt>.

   [I-D.schwartz-svcb-dns]
              Schwartz, B., "Service Binding Mapping for DNS Servers",
              Work in Progress, Internet-Draft, draft-schwartz-svcb-dns-
              01, 10 August 2020, <http://www.ietf.org/internet-drafts/
              draft-schwartz-svcb-dns-01.txt>.






Pauly, et al.            Expires 14 August 2021                 [Page 8]


Internet-Draft                     DDR                     February 2021


   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
              J., and E. Lear, "Address Allocation for Private
              Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
              February 1996, <https://www.rfc-editor.org/info/rfc1918>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

9.2.  Informative References

   [I-D.schinazi-httpbis-doh-preference-hints]
              Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference
              Hints for HTTP", Work in Progress, Internet-Draft, draft-
              schinazi-httpbis-doh-preference-hints-02, 13 July 2020,
              <http://www.ietf.org/internet-drafts/draft-schinazi-
              httpbis-doh-preference-hints-02.txt>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
              <https://www.rfc-editor.org/info/rfc2132>.

   [RFC5507]  IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch,
              Ed., "Design Choices When Expanding the DNS", RFC 5507,
              DOI 10.17487/RFC5507, April 2009,
              <https://www.rfc-editor.org/info/rfc5507>.

   [RFC6105]  Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
              Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
              DOI 10.17487/RFC6105, February 2011,
              <https://www.rfc-editor.org/info/rfc6105>.

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017,
              <https://www.rfc-editor.org/info/rfc8106>.





Pauly, et al.            Expires 14 August 2021                 [Page 9]


Internet-Draft                     DDR                     February 2021


   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

Appendix A.  Rationale for using SVCB records

   This mechanism uses SVCB/HTTPS resource records
   [I-D.ietf-dnsop-svcb-https] to communicate that a given domain
   designates a particular Designated Resolver for clients to use in
   place of an Unencrypted Resolver (using a SUDN) or another Encrypted
   Resolver (using its domain name).

   There are various other proposals for how to provide similar
   functionality.  There are several reasons that this mechanism has
   chosen SVCB records:

   *  Discovering encrypted resolver using DNS records keeps client
      logic for DNS self-contained and allows a DNS resolver operator to
      define which resolver names and IP addresses are related to one
      another.

   *  Using DNS records also does not rely on bootstrapping with higher-
      level application operations (such as
      [I-D.schinazi-httpbis-doh-preference-hints]).

   *  SVCB records are extensible and allow definition of parameter
      keys.  This makes them a superior mechanism for extensibility as
      compared to approaches such as overloading TXT records.  The same
      keys can be used for discovering Designated Resolvers of different
      transport types as well as those advertised by Unencrypted
      Resolvers or another Encrypted Resolver.

   *  Clients and servers that are interested in privacy of names will
      already need to support SVCB records in order to use Encrypted TLS
      Client Hello [I-D.ietf-tls-esni].  Without encrypting names in
      TLS, the value of encrypting DNS is reduced, so pairing the
      solutions provides the largest benefit.

   *  Clients that support SVCB will generally send out three queries
      when accessing web content on a dual-stack network: A, AAAA, and
      HTTPS queries.  Discovering a Designated Resolver as part of one
      of these queries, without having to add yet another query,
      minimizes the total number of queries clients send.  While
      [RFC5507] recommends adding new RRTypes for new functionality,
      SVCB provides an extension mechanism that simplifies client
      behavior.





Pauly, et al.            Expires 14 August 2021                [Page 10]


Internet-Draft                     DDR                     February 2021


Authors' Addresses

   Tommy Pauly
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014,
   United States of America

   Email: tpauly@apple.com


   Eric Kinnear
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014,
   United States of America

   Email: ekinnear@apple.com


   Christopher A. Wood
   Cloudflare
   101 Townsend St
   San Francisco,
   United States of America

   Email: caw@heapingbits.net


   Patrick McManus
   Fastly

   Email: mcmanus@ducksong.com


   Tommy Jensen
   Microsoft

   Email: tojens@microsoft.com












Pauly, et al.            Expires 14 August 2021                [Page 11]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/