[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04

DPRIVE WG                                                       T. Reddy
Internet-Draft                                                    McAfee
Intended status: Standards Track                                 D. Wing
Expires: December 16, 2019                                        Citrix
                                                           M. Richardson
                                                Sandelman Software Works
                                                            M. Boucadair
                                                                  Orange
                                                           June 14, 2019


 A Bootstrapping Procedure to Discover and Authenticate DNS-over-(D)TLS
                       and DNS-over-HTTPS Servers
               draft-reddy-dprive-bootstrap-dns-server-04

Abstract

   This document specifies mechanisms to automatically bootstrap
   endpoints (e.g., hosts, Customer Equipment) to discover and
   authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by a
   local network.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 16, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Reddy, et al.           Expires December 16, 2019               [Page 1]


Internet-Draft          DoT/DoH server discovery               June 2019


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Bootstrapping Endpoint Devices  . . . . . . . . . . . . . . .   5
   5.  Bootstrapping IoT Devices . . . . . . . . . . . . . . . . . .   7
   6.  DNS-over-(D)TLS and DNS-over-HTTPS Server Discovery Procedure   8
   7.  Connection Handshake and Service Invocation . . . . . . . . .  10
   8.  EST Service Discovery Procedure . . . . . . . . . . . . . . .  10
     8.1.  mDNS  . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   9.  Network Reattachment  . . . . . . . . . . . . . . . . . . . .  11
   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  12
     10.1.  Privacy Extension Format . . . . . . . . . . . . . . . .  12
     10.2.  Privacy Extension Syntax . . . . . . . . . . . . . . . .  14
   11. Security Considerations . . . . . . . . . . . . . . . . . . .  15
   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16
     12.1.  Application Service & Application Protocol Tags  . . . .  16
       12.1.1.  DNS Application Service Tag Registration . . . . . .  17
       12.1.2.  dns.tls Application Protocol Tag Registration  . . .  17
       12.1.3.  dns.dtls Application Protocol Tag Registration . . .  17
       12.1.4.  dns.https Application Protocol Tag Registration  . .  17
   13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  17
   14. References  . . . . . . . . . . . . . . . . . . . . . . . . .  18
     14.1.  Normative References . . . . . . . . . . . . . . . . . .  18
     14.2.  Informative References . . . . . . . . . . . . . . . . .  19
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  21

1.  Introduction

   Traditionally a caching DNS server has been provided by local
   networks.  This provides benefits such as low latency to reach that
   DNS server (owing to its network proximity to the endpoint).
   However, if an endpoint is configured to use Internet-hosted or
   public DNS-over-(D)TLS [RFC7858] [RFC8094] or DNS-over-HTTPS
   [RFC8484] servers, any available local DNS server cannot serve DNS
   requests from local endpoints.  If public DNS servers are used
   instead of using local DNS servers, some operational problems can
   occur such as those listed below:

   o  "Split DNS" [RFC2775] to use the special internal-only domain
      names (e.g., "internal.example.com") in enterprise networks will



Reddy, et al.           Expires December 16, 2019               [Page 2]


Internet-Draft          DoT/DoH server discovery               June 2019


      not work, and ".local" and "home.arpa" names cannot be locally
      resolved in home networks.

   o  Content Delivery Networks (CDNs) that map traffic based on DNS may
      lose the ability to direct end-user traffic to a nearby service-
      specific cluster in cases where a DNS service is being used that
      is not affiliated with the local network and which does not send
      "EDNS Client Subnet" (ECS) information [RFC7871] to the CDN's DNS
      authorities [CDN].

   If public DNS servers are used instead of using local DNS servers,
   the following discusses the impact on network-based security:

   o  Various network security services are provided by Enterprise
      networks to protect endpoints (e.g,. Hosts, IoT devices).
      [I-D.camwinget-tls-use-cases] discusses some of the network-based
      security service use cases.  These network security services act
      on DNS requests originating from endpoints.

   o  However, if an endpoint is configured to use public DNS-
      over-(D)TLS or DNS-over-HTTPS servers, network security services
      cannot act efficiently on DNS requests from these endpoints.

   o  In order to act on DNS requests from endpoints, network security
      services can block DNS-over-(D)TLS traffic by dropping outgoing
      packets to destination port 853.  Identifying DNS-over-HTTPS
      traffic is far more challenging than DNS-over-(D)TLS traffic.
      Network security services may try to identify the domains offering
      DNS-over-HTTPS servers, and DNS-over-HTTPS traffic can be blocked
      by dropping outgoing packets to these domains.  If an endpoint has
      enabled strict privacy profile (Section 5 of [RFC8310]), and the
      network security service blocks the traffic to the public DNS
      server, the DNS service won't be available to the endpoint and
      ultimately the endpoint cannot access Internet-reachable services.

   o  If an endpoint has enabled opportunistic privacy profile
      (Section 5 of [RFC8310]), and the network security service blocks
      traffic to the public DNS server, the endpoint will either
      fallback to an encrypted connection without authenticating the DNS
      server provided by the local network or fallback to clear text
      DNS, and cannot exchange encrypted DNS messages.

   If the network security service fails to block DNS-over-(D)TLS or
   DNS-over-HTTPS traffic, this can compromise the endpoint security;
   some of the potential security threats are listed below:

   o  The network security service cannot prevent an endpoint from
      accessing malicious domains.



Reddy, et al.           Expires December 16, 2019               [Page 3]


Internet-Draft          DoT/DoH server discovery               June 2019


   o  If the endpoint is an IoT device which is configured to use public
      DNS-over-(D)TLS or DNS-over-HTTPS servers, and if a policy
      enforcement point in the local network is programmed using, for
      example, a Manufacturer Usage Description (MUD) file [RFC8520] by
      a MUD manager to only allow intented communications to and from
      the IoT device, the policy enforcement point cannot enforce the
      network Access Control List (ACL) rules based on domain names
      (Section 8 of [RFC8520]).

   If the network security service successfully blocks DNS-over-(D)TLS
   and DNS-over-HTTPS traffic, this can still compromise the endpoint
   security and privacy; some of the potential security threats are
   listed below:

   o  Pervasive monitoring of DNS traffic.

   o  An internal attacker can modify the DNS responses to re-direct the
      client to malicious servers.

   To overcome the above threats, this document specifies a mechanism to
   automatically bootstrap endpoints to discover and authenticate the
   DNS-over-(D)TLS and DNS-over-HTTPS servers provided by their local
   network.  The overall procedure can be structured into the following
   steps:

   o  Bootstrapping (Section 4) is necessary only when connecting to a
      new network or when the network's DNS certificate has changed.
      Bootstrapping authenticates the Enrollment over Secure Transport
      (EST) [RFC7030] server to the endpoint.  After authenticating the
      EST server, DNS server certificate used by the local network is
      downloaded to the endpoint.  This DNS server certificate enables
      subsequent authenticated encrypted communication with the local
      DNS server (e.g., DNS-over-HTTPS) during in the connection phase.

   o  Discovery (Section 6) is performed by a previously bootstrapped
      endpoint whenever connecting to a network.  During discovery, the
      endpoint is instructed which privacy-enabling DNS protocol(s),
      port number(s), and IP addresses are supported on a local network.
      This effectively takes the place of DNS server IP address
      traditionally provided by IPv4 or IPv6 DHCP or by IPv6 Router
      Advertisement [RFC8106].

   o  Connection handshake and service invocation (Section 7): The DNS
      client initiates a (D)TLS handshake with the DNS server learned in
      the discovery phase, and validates the DNS server's identity using
      the credentials obtained in the bootstrapping phase.





Reddy, et al.           Expires December 16, 2019               [Page 4]


Internet-Draft          DoT/DoH server discovery               June 2019


   Note: The strict and opportunistic privacy profiles as defined in
   [RFC8310] only applies to DNS-over-(D)TLS protocols, there has been
   no such distinction made for DNS-over-HTTPS protocol.

2.  Scope

   The problems discussed in Section 1 will be encountered in Enterprise
   networks.  Typically Enterprise networks do not assume that all
   devices in their network are managed by the IT team or Mobile Device
   Management (MDM) devices, especially in the quite common BYOD ("Bring
   Your Own Device") scenario.  The mechanisms specified in this
   document can be used by BYOD devices to discover and authenticate
   DNS-over-(D)TLS and DNS-over-HTTPS servers provided by the Enterprise
   network.  This mechanism can also be used by IoT devices (managed by
   IT team) after onboarding to discover and authenticate DNS-
   over-(D)TLS and DNS-over-HTTPS servers provided by the Enterprise
   network.

3.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   (D)TLS is used for statements that apply to both Transport Layer
   Security [RFC8446] and Datagram Transport Layer Security [RFC6347].
   Specific terms are used for any statement that applies to either
   protocol alone.

   This document uses the terms defined in [RFC8499].

4.  Bootstrapping Endpoint Devices

   The following steps detail the mechanism to automatically bootstrap
   an endpoint with the local network's DNS server certificate:

   1.  The endpoint authenticates to the local network and discovers the
       Enrollment over Secure Transport (EST) [RFC7030] server using the
       procedure discussed in Section 8.

   2.  The endpoint establishes provisional TLS connection with that EST
       server, i.e., the endpoint provisionally accepts the unverified
       TLS server certificate.  However, the endpoint MUST authenticate
       the EST server before it accepts the DNS server certificate.  The
       endpoint either uses password-based authenticated key exchange
       (PAKE) with TLS 1.3 [I-D.barnes-tls-pake] as an authentication



Reddy, et al.           Expires December 16, 2019               [Page 5]


Internet-Draft          DoT/DoH server discovery               June 2019


       method or uses the mutual authentication protocol for HTTP
       [RFC8120] to authenticate the discovered EST server.

       As a reminder, PAKE is an authentication method that allows the
       use of usernames and passwords over unencrypted channels without
       revealing the passwords to an eavesdropper.  Similarly, the
       mutual authentication for HTTP is based on PAKE and provides
       mutual authentication between an HTTP client and an HTTP server
       using username and password as credentials.  The cryptographic
       algorithms to use with the mutual authentication protocol for
       HTTP are defined in [RFC8121].

   3.  The endpoint needs to use PAKE scheme to perform authentication
       the first time it connects to an EST server.  If the EST server
       authentication is successful, the server's identity can be used
       to authenticate subsequent TLS connections to that EST server.
       The endpoint configures the reference identifier for the EST
       server using the DNS-ID identifier type in the EST server
       certificate.  On subsequent connections to the EST server, the
       endpoint MUST validate the EST server certificate using the
       Implict Trust Anchor database (i.e, the EST server certificate
       must pass PKIX certification path validation) and match the
       reference identifier against the EST server's identity according
       to the rules specified in Section 6.4 of [RFC6125].

   4.  The endpoint learns the End-Entity certificates [RFC8295] from
       the EST server.  The certificate provisioned to the DNS server in
       the local network will be treated as a End-Entity certificate.
       As a reminder, the End-Entity certificates must be validated by
       the endpoint using an authorized trust anchor (Section 3.2 of
       [RFC8295]).  The endpoint needs to identify the certificate
       provisioned to the DNS server.  The SRV-ID identifier type
       [RFC6125] within subjectAltName entry MUST be used to identify
       the DNS server certificate.

       For example, DNS server certificate will include SRV-ID "_domain-
       s.example.net" along with DNS-ID "example.net".  The SRV service
       label "domain-s" is defined in Section 6 of [RFC7858].  As a
       reminder, the protocol component is not included in the SRV-ID
       [RFC4985].

   5.  The endpoint configures the authentication domain name (ADN)
       (defined in [RFC8310]) for the DNS server from the DNS-ID
       identifier type within subjectAltName entry in the DNS server
       certificate.  The DNS server certificate is associated with the
       ADN to be matched with the certificate given by the DNS server in
       (D)TLS.  To some extent, this approach is similar to certificate
       usage PKIX-EE(1) defined in [RFC7671].



Reddy, et al.           Expires December 16, 2019               [Page 6]


Internet-Draft          DoT/DoH server discovery               June 2019


   Figure 1 illustrates a sequence diagram for bootstrapping an endpoint
   with the local network's DNS server certificate.

 +----------+                                     +--------+  +--------+
 | Endpoint |                                     |  EST   |  |  DNS   |
 |          |                                     | Server |  | Server |
 +----------+                                     +--------+  +--------+
         | DNS-SD query to discover the EST server      |          |
         |-------------------------------------------------------->|
         |                                              |          |
         | optional: mDNS query to                      |          |
         |  discover the EST server                     |          |
         |--------------------------------------------->|          |
         |                                              |          |
         | Establish provisional TLS connection         |          |
         |<-------------------------------------------->|          |
         |                                              |          |
         | PAKE scheme to authenticate the EST server   |          |
         |<-------------------------------------------->|          |
         |                                              |          |
 [Generate reference identifier for the EST server      |          |
  to compare with the EST server certificate            |          |
  in subsequent TLS connections]                        |          |
         |                                              |          |
         |      Get EE certificates                     |          |
         |--------------------------------------------->|          |
         |                                              |          |
 [Identify the DNS server certificate in EE             |          |
  certificates to match with the certificate            |          |
  by the DNS server in (D)TLS handshake]                |          |
                                                        |          |
 [Configure ADN and associate DNS server certificate]   |          |
         |                                              |          |

                 Figure 1: Bootstrapping Endpoint Devices

5.  Bootstrapping IoT Devices

   The following steps explain the mechanism to automatically bootstrap
   IoT devices with local network's CA certificates and DNS server
   certificate:

   o  Bootstrapping Remote Secure Key Infrastructures (BRSKI) discussed
      in [I-D.ietf-anima-bootstrapping-keyinfra] provides a solution for
      secure automated bootstrap of devices.  BRSKI specifies means to
      provision credentials on devices to be used to operationally
      access networks.  In addition, BRSKI provides an automated
      mechanism for the bootstrap distribution of CA certificates from



Reddy, et al.           Expires December 16, 2019               [Page 7]


Internet-Draft          DoT/DoH server discovery               June 2019


      the EST server.  The IoT device can use BRSKI to automatically
      bootstrap the IoT device using the IoT manufacturer provisioned
      X.509 certificate, in combination with a registrar provided by the
      local network and IoT device manufacturer's authorizing service
      (MASA):

      1.  The IoT device authenticates to the local network using the
          IoT manufacturer provisioned X.509 certificate.  The IoT
          device can request and get a voucher from the MASA service via
          the registrar.  The voucher is signed by the MASA service and
          includes the local network's CA public key.

      2.  The IoT device validates the signed voucher using the
          manufacturer installed trust anchor associated with the MASA,
          stores the CA's public key and validates the provisional TLS
          connection to the registrar.

      3.  The IoT device requests the full EST distribution of current
          CA certificates (Section 5.9.1 in
          [I-D.ietf-anima-bootstrapping-keyinfra]) from the registrar
          operating as a BRSKI-EST server.  The IoT devices stores the
          CA certificates as Explicit Trust Anchor database entries.
          The IoT device uses the Explicit Trust Anchor database to
          validate the DNS server certificate.

      4.  The IoT device learns the End-Entity certificates from the
          BRSKI-EST server.  The certificate provisioned to the DNS
          server in the local network will be treated as an End-Entity
          certificate.  The IoT device needs to identify the certificate
          provisioned to the DNS server.  The SRV-ID identifier type
          within subjectAltName entry MUST be used to identify the DNS
          server certificate.

      5.  The endpoint configures the ADN for the DNS server from the
          DNS-ID identifier type within subjectAltName entry in the DNS
          server certificate.  The DNS server certificate is associated
          with the ADN to be matched with the certificate given by the
          DNS server in (D)TLS.

6.  DNS-over-(D)TLS and DNS-over-HTTPS Server Discovery Procedure

   This specification defines "DPRIVE" as the application service tag
   (Section 12.1.1) and "dns.tls" (Section 12.1.2), "dns.dtls"
   (Section 12.1.3), and "dns.https" (Section 12.1.4) as application
   protocol tags.  A DNS client discovers the DNS server in the local
   network supporting DNS-over-TLS, DNS-over-DTLS and DNS-over-HTTPS
   protocols by using the following discovery mechanism:




Reddy, et al.           Expires December 16, 2019               [Page 8]


Internet-Draft          DoT/DoH server discovery               June 2019


   o  The DNS client makes an S-NAPTR [RFC3958] lookup with the
      authentication domain name and the 'DPRIVE' application service
      tag to learn the protocols DNS-over-TLS, DNS-over-DTLS, and DNS-
      over-HTTPS supported by the DNS server and the DNS privacy
      protocol preferred by the DNS server administrators.  The S-NAPTR
      lookup is performed using an recursive DNS resolver discovered
      from an untrusted source (such as DHCP).

   o  In the example depicted in Figure 2, for authentication domain
      name 'example.net', the resolution algorithm will result in the
      privacy-enabling protocols supported by the DNS server and usable
      DNS server IP addresses and port numbers.

      example.net.
      IN NAPTR 100 10 "" DPRIVE:dns.tls  "" dns1.example.net.
      IN NAPTR 200 10 "" DPRIVE:dns.dtls "" dns2.example.net.

      dns1.example.net.
      IN NAPTR 100 10 S DPRIVE:dns.tls "" _domain-s._tcp.example.net.

      dns2.example.net.
      IN NAPTR 100 10 S DPRIVE:dns.dtls "" _domain-s._udp.example.net.

      _domain-s._tcp.example.net.
      IN SRV   0 0 853 a.example.net.

      _domain-s._udp.example.net.
      IN SRV   0 0 853 a.example.net.

      a.example.net.
      IN A        192.0.2.1
      IN AAAA     2001:db8:8:4::2

                                 Figure 2

   o  If DNS-over-HTTPS protocol is supported by the DNS server, the DNS
      client finds the URI template of the DNS-over-HTTPS server using
      one of the mechanisms discussed in
      [I-D.ietf-doh-resolver-associated-doh] to use the https URI scheme
      (Section 3 of [RFC8484]).

   o  If no DNS-specific S-NAPTR records can be retrieved, the discovery
      procedure fails for this authentication domain name.  However,
      before retrying a lookup that has failed, a DNS client MUST wait a
      time period that is appropriate for the encountered error (e.g.,
      NXDOMAIN, timeout, etc.).





Reddy, et al.           Expires December 16, 2019               [Page 9]


Internet-Draft          DoT/DoH server discovery               June 2019


7.  Connection Handshake and Service Invocation

   The DNS client initiates (D)TLS handshake with the DNS server, the
   DNS server presents its certificate in ServerHello message, and the
   DNS client MUST match the DNS server certificate downloaded in Step 4
   in Section 4 or Section 5 with the certificate provided by the DNS
   server in (D)TLS handshake.  If the match is successful, the DNS
   client MUST validate the server certificate using the Implicit Trust
   Anchor database (i.e., the DNS server certificate must pass PKIX
   certification path validation).

   If the match is successful and server certificate is successfully
   validated, the client continues with the connection as normal.
   Otherwise, the client MUST treat the server certificate validation
   failure as a non-recoverable error.  If the DNS client cannot reach
   or establish an authenticated and encrypted connection with the
   privacy-enabling DNS server provided by the local network, the DNS
   client can fallback to the privacy-enabling public DNS server.

8.  EST Service Discovery Procedure

   DNS-based Service Discovery (DNS-SD) [RFC6763] and Multicast DNS
   (mDNS) [RFC6762] provide generic solutions for discovering services
   available in a local network.  DNS-SD/mDNS define a set of naming
   rules for certain DNS record types that they use for advertising and
   discovering services.

   Section 4.1 of [RFC6763] specifies that a service instance name in
   DNS-SD has the following structure:

   <Instance> . <Service> . <Domain>

   The <Domain> portion specifies the DNS sub-domain where the service
   instance is registered.  It may be "local.", indicating the mDNS
   local domain, or it may be a conventional domain name such as
   "example.com.".  The <Service> portion of the EST service instance
   name MUST be "_est._tcp".

8.1.  mDNS

   A EST client application can proactively discover an EST server being
   advertised in the site by multicasting a PTR query to the following:

   o  "_est._tcp.local"

   A EST server can send out gratuitous multicast DNS answer packets
   whenever it starts up, wakes from sleep, or detects a change in EST




Reddy, et al.           Expires December 16, 2019              [Page 10]


Internet-Draft          DoT/DoH server discovery               June 2019


   server configuration.  EST client application can receive these
   gratuitous packets and cache information contained in them.

9.  Network Reattachment

   On subsequent attachments to the network, the endpoint discovers the
   privacy-enabling DNS server using the authentication domain name
   (configured in Step 5 of Section 4 or Section 5), initiates (D)TLS
   handshake with the DNS server and follows the mechanism discussed in
   Section 7 to validate the DNS server certificate.

   If the DNS server certificate is invalid (e.g., revoked or expired)
   or the procedure to discover the privacy-enabling DNS server fails
   (e.g.  the domain name of the privacy-enabling DNS server has changed
   because the Enterprise network has switched to a public privacy-
   enabling DNS server capable of blocking access to malicious domains),
   the endpoint discovers and initiates TLS handshake with the EST
   server, and uses the validation techniques described in [RFC6125] to
   compare the reference identifier (created in Step 2 of Section 4 in
   this document) to the EST server certificate and verifies the entire
   certification path as per [RFC5280].  The endpoint then gets the DNS
   server certificate from the EST server.  If the DNS-ID identifier
   type within subjectAltName entry in the DNS server certificate does
   not match the configured ADN, the ADN is replaced with the DNS-ID
   identifier type.  The DNS server certificate associated with the ADN
   is replaced with the one provided by the EST server.  If the ADN has
   changed, the endpoint discovers the privacy-enabling DNS server,
   initiates (D)TLS handshake with the DNS server and follows the
   mechanism discussed in Section 7 to validate the DNS server
   certificate.

   Figure 3 illustrates a sequence diagram for re-configuring an
   endpoint with ADN and local network's DNS server certificate on
   subsequent attachments to the network.

















Reddy, et al.           Expires December 16, 2019              [Page 11]


Internet-Draft          DoT/DoH server discovery               June 2019


 +----------+                                     +--------+  +--------+
 | Endpoint |                                     |  EST   |  |  DNS   |
 |          |                                     | Server |  | Server |
 +----------+                                     +--------+  +--------+
         | DNS-SD query to discover the EST server      |          |
         |-------------------------------------------------------->|
         |                                              |          |
         | optional: mDNS query to                      |          |
         | discover the EST server                      |          |
         |--------------------------------------------->|          |
         |                                              |          |
         | Establish TLS connection                     |          |
         | and validate EST server certificate          |          |
         |<-------------------------------------------->|          |
         |                                              |          |
         |      Get EE certificates                     |          |
         |<-------------------------------------------->|          |
         |                                              |          |
 [Identify the DNS server certificate in EE             |          |
  certificates to match with the certificate            |          |
  by the DNS server in (D)TLS handshake]                |          |
                                                        |          |
 [Re-configure ADN and associate DNS server certificate]|          |
         |                                              |          |


   Figure 3: Bootstrapping Endpoint Devices on subsequent attachments to
                                the network

10.  Privacy Considerations

   [RFC7626] discusses DNS privacy considerations in both "on the wire"
   (Section 2.4 of [RFC7626]) and "in the server" (Section 2.5 of
   [RFC7626] contexts.  The endpoint may not know if the DNS-over-(D)TLS
   or DNS-over-HTTPS server in the local network has a privacy
   preserving data policy.  A new privacy certificate extension is
   defined that identifies the privacy preserving data policy of the DNS
   server.

10.1.  Privacy Extension Format

   Like all X.509 certificate extensions, the privacy certificate
   extension is defined using ASN.1 [ASN1-88].  The non-critical privacy
   extension is identified by id-pe-privacy.







Reddy, et al.           Expires December 16, 2019              [Page 12]


Internet-Draft          DoT/DoH server discovery               June 2019


      PKIX Object Identifier Registry

      id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
                 dod(6) internet(1) security(5) mechanisms(5) pkix(7) }

      PKIX Arcs
      id-mod  OBJECT IDENTIFIER ::= { id-pkix 0 }    -- modules
      id-pe   OBJECT IDENTIFIER ::= { id-pkix 1 }    -- private
      certificate extensions

      PKIX modules
      id-mod-privacy-extn         OBJECT IDENTIFIER ::= { id-mod TBD2 }
      id-pe-privacy OBJECT IDENTIFIER  ::=  { id-pe TBD1 }

   A non-null privacy always includes a base privacy.  The privacy
   extension includes the following information:

   o  If the client IP address is Personally Identifiable Information
      (PII) data or non PII-data.

   o  If the user identity that sent the DNS query is logged or not, and
      if user identity address is indeed logged, the period for which
      the user identity is logged.  User identity such as username, IP
      address, MAC address or personally identifiable data.  Logging
      duration is represented in hours.  A negative one (-1) of logging
      duration indicates indefinite duration.

   o  If the transaction data (e.g., DNS messages) is logged or not, and
      if transaction data is logged, the period for which the
      transaction data is stored.

   o  If the transaction data is logged to notify the user access to
      certain domains (e.g., malicious domains) is blocked, the period
      for which the transaction data is stored.  If access to malicious
      domains is logged, the period for which the transaction data is
      stored.  If the transaction data is logged for analytics (e.g. to
      detect malicious domains), the period for which the transaction
      data is stored.

   o  If the transaction data is shared with partners or not, and if the
      transaction data is shared with partners, the names of the
      partners.  If anonymized data or client identifiable data is
      shared with partners.

   o  If the transaction data is shared or sold to third parties.

   o  If the DNS server will block DNS resolution of certain domains
      (e.g., malicious domains).



Reddy, et al.           Expires December 16, 2019              [Page 13]


Internet-Draft          DoT/DoH server discovery               June 2019


   o  A URL that points to the privacy preserving data policy, and a URL
      that points to the security assessment report of the DNS server by
      a third party auditor.

10.2.  Privacy Extension Syntax

   The syntax for the privacy extension is as follows:

   Privacy ::=  CHOICE  {
     none                 NULL,
                          -- No privacy policy provided
     pPolicy              PrivacyPolicy
                          -- Privacy preserving data policy  }


   PrivacyPolicy ::=  SEQUENCE  {
     base              PrivacyInfo,
     pURL         [0]  PrivacyURL OPTIONAL,
     aURL         [1]  AuditURL OPTIONAL  }

  PrivacyInfo  ::=  SEQUENCE  {
    ipaddresspii      BOOLEAN,
                      -- TRUE means client IP address is PII
    log          [0]  Logging,
    sdata        [2]  ShareData,
    transferdata [3]  BOOLEAN,
                      -- TRUE means share or sell data to third parties
    blockdomains [4]  BOOLEAN
                      -- TRUE means domains will be blocked  }

   LoggingTypes  ::=  BIT STRING {
     none           (0),
             -- No logging
     all            (1),
             -- Log all transaction data
     useridentity   (2),
             -- Log user identity (e.g., username, IP address)
     notifyuser     (3),
             -- Log to notify user access
             -- to certain domains is blocked
     knownmalware   (4),
             -- Log access to malicious domains
     analytics      (5)
             -- Log transaction data for analytics
             -- (e.g. to detect malicious domains) }

   LoggingDuration ::=  SEQUENCE {
        all          [0]  INTEGER OPTIONAL,



Reddy, et al.           Expires December 16, 2019              [Page 14]


Internet-Draft          DoT/DoH server discovery               June 2019


                          -- Number of Hours the
                          -- transcation data is stored
        useridentity [1]  INTEGER OPTIONAL,
        notifyuser   [2]  INTEGER OPTIONAL,
        knownmalware [3]  INTEGER OPTIONAL,
        analytics    [4]  INTEGER OPTIONAL }

   Logging ::=  SEQUENCE  {
     loggingTypes         LoggingTypes DEFAULT {none},
     loggingDuration      LoggingDuration OPTIONAL
                          -- Transaction data is cleared
                          -- after logging duration,
                          -- Negative one (-1) indicates indefinite
                          -- duration  }

   ShareData ::=  SEQUENCE  {
     sharepartners        BOOLEAN,
                          -- TRUE means data is shared with partners
     partners        [1]  SEQUENCE SIZE (1..MAX) OF UTF8String OPTIONAL,
                          -- Names of the partners
     anonymizeddata  [0]  BOOLEAN OPTIONAL
                          -- TRUE means anonymized data
                          -- is shared with partners  }

   PrivacyURL  ::=  IA5String  -- MUST use https scheme
   AuditURL    ::=  IA5String  -- MUST use https scheme

11.  Security Considerations

   The bootstrapping procedure to obtain the certificate of the local
   networks DNS server uses a client identity and password to
   authenticate the EST server using PAKE schemes.  Security
   considerations such as those discussed in [I-D.barnes-tls-pake] or
   [RFC8120] and [RFC8121] need to be taken into consideration.

   Users cannot be expected to enable or disable the bootstrapping or
   the discovery procedure as they switch networks.  Thus, it is
   RECOMMENDED that users indicate to their system in some way that they
   desire bootstrapping to be performed when connecting to a specific
   network, similar to the way users disable VPN connection in specific
   network (e.g., Enterprise network) and enable VPN connection by
   default in other networks.

   If an endpoint has enabled strict privacy profile, and the network
   security service blocks the traffic to the privacy-enabling public
   DNS server, a hard failure occurs and the user is notified.  The user
   has a choice to switch to another network or if the user trusts the
   network, the user can enable strict privacy profile with the DNS-



Reddy, et al.           Expires December 16, 2019              [Page 15]


Internet-Draft          DoT/DoH server discovery               June 2019


   over-(D)TLS or DNS-over-HTTPS server discovered in the network
   instead of downgrading to opportunistic privacy profile.

   The primary attacks against the methods described in Section 6 are
   the ones that would lead to impersonation of a DNS server and
   spoofing the DNS response to indicate that the DNS server does not
   support any privacy-enabling protocols.  To protect against DNS-
   vectored attacks, secured DNS (DNSSEC) can be used to ensure the
   validity of the DNS records received.  Impersonation of the DNS
   server is prevented by validating the certificate presented by the
   DNS server.  If the EST server conveys the DNS server certificate,
   but the S-NAPTR lookup indicates that the DNS server does not support
   any privacy-enabling protocols, the client can detect the DNS
   response is spoofed.

   Security considerations in [I-D.ietf-anima-bootstrapping-keyinfra]
   need to be taken into consideration for IoT devices.

12.  IANA Considerations

   IANA is requested to allocate the SRV service name of "est".

   IANA is requested to add the following entry in the "SMI Security for
   PKIX Certificate Extension" (1.3.6.1.5.5.7.1) registry:

      Decimal  Description                     References
      -------  ------------------------------  ---------------------

        TBD1     id-pe-privacy                   this document

   IANA is requested to add the following entry in the "SMI Security for
   PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry:

      Decimal  Description                     References
      -------  ------------------------------  ---------------------

        TBD2     id-mod-privacy-extn           this document

12.1.  Application Service & Application Protocol Tags

   This document requests IANA to make the following allocations from
   the registry available at: https://www.iana.org/assignments/s-naptr-
   parameters/s-naptr-parameters.xhtml.








Reddy, et al.           Expires December 16, 2019              [Page 16]


Internet-Draft          DoT/DoH server discovery               June 2019


12.1.1.  DNS Application Service Tag Registration

   o  Application Protocol Tag: DPRIVE

   o  Intended Usage: See Section 6

   o  Security Considerations: See Section 11

   o  Contact Information: <one of the authors>

12.1.2.  dns.tls Application Protocol Tag Registration

   o  Application Protocol Tag: dns.tls

   o  Intended Usage: See Section 6

   o  Security Considerations: See Section 11

   o  Contact Information: <one of the authors>

12.1.3.  dns.dtls Application Protocol Tag Registration

   o  Application Protocol Tag: dns.dtls

   o  Intended Usage: See Section 6

   o  Security Considerations: See Section 11

   o  Contact Information: <one of the authors>

12.1.4.  dns.https Application Protocol Tag Registration

   o  Application Protocol Tag: dnshttps

   o  Intended Usage: See Section 6

   o  Security Considerations: See Section 11

   o  Contact Information: <one of the authors>

13.  Acknowledgments

   Thanks to Joe Hildebrand, Harsha Joshi, Shashank Jain, Patrick
   McManus, Bob Harold, Livingood Jason, Winfield Alister, Eliot Lear
   and Sara Dickinson for the discussion and comments.






Reddy, et al.           Expires December 16, 2019              [Page 17]


Internet-Draft          DoT/DoH server discovery               June 2019


14.  References

14.1.  Normative References

   [I-D.ietf-doh-resolver-associated-doh]
              Hoffman, P., "Associating a DoH Server with a Resolver",
              draft-ietf-doh-resolver-associated-doh-03 (work in
              progress), March 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3958]  Daigle, L. and A. Newton, "Domain-Based Application
              Service Location Using SRV RRs and the Dynamic Delegation
              Discovery Service (DDDS)", RFC 3958, DOI 10.17487/RFC3958,
              January 2005, <https://www.rfc-editor.org/info/rfc3958>.

   [RFC4985]  Santesson, S., "Internet X.509 Public Key Infrastructure
              Subject Alternative Name for Expression of Service Name",
              RFC 4985, DOI 10.17487/RFC4985, August 2007,
              <https://www.rfc-editor.org/info/rfc4985>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
              2011, <https://www.rfc-editor.org/info/rfc6125>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
              DOI 10.17487/RFC6762, February 2013,
              <https://www.rfc-editor.org/info/rfc6762>.

   [RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service
              Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
              <https://www.rfc-editor.org/info/rfc6763>.



Reddy, et al.           Expires December 16, 2019              [Page 18]


Internet-Draft          DoT/DoH server discovery               June 2019


   [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
              "Enrollment over Secure Transport", RFC 7030,
              DOI 10.17487/RFC7030, October 2013,
              <https://www.rfc-editor.org/info/rfc7030>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC8094]  Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
              Transport Layer Security (DTLS)", RFC 8094,
              DOI 10.17487/RFC8094, February 2017,
              <https://www.rfc-editor.org/info/rfc8094>.

   [RFC8121]  Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi,
              T., and Y. Ioku, "Mutual Authentication Protocol for HTTP:
              Cryptographic Algorithms Based on the Key Agreement
              Mechanism 3 (KAM3)", RFC 8121, DOI 10.17487/RFC8121, April
              2017, <https://www.rfc-editor.org/info/rfc8121>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8295]  Turner, S., "EST (Enrollment over Secure Transport)
              Extensions", RFC 8295, DOI 10.17487/RFC8295, January 2018,
              <https://www.rfc-editor.org/info/rfc8295>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

14.2.  Informative References

   [ASN1-88]  "International Telephone and Telegraph Consultative
              Committee, "Specification of Abstract Syntax Notation One
              (ASN.1)", CCITT Recommendation X.208, 1988.".





Reddy, et al.           Expires December 16, 2019              [Page 19]


Internet-Draft          DoT/DoH server discovery               June 2019


   [CDN]      "End-User Mapping: Next Generation Request Routing for
              Content Delivery", 2015,
              <https://conferences.sigcomm.org/sigcomm/2015/pdf/papers/
              p167.pdf>.

   [I-D.barnes-tls-pake]
              Barnes, R. and O. Friel, "Usage of PAKE with TLS 1.3",
              draft-barnes-tls-pake-04 (work in progress), July 2018.

   [I-D.camwinget-tls-use-cases]
              Andreasen, F., Cam-Winget, N., and E. Wang, "TLS 1.3
              Impact on Network-Based Security", draft-camwinget-tls-
              use-cases-04 (work in progress), March 2019.

   [I-D.ietf-anima-bootstrapping-keyinfra]
              Pritikin, M., Richardson, M., Behringer, M., Bjarnason,
              S., and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
              keyinfra-21 (work in progress), June 2019.

   [RFC2775]  Carpenter, B., "Internet Transparency", RFC 2775,
              DOI 10.17487/RFC2775, February 2000,
              <https://www.rfc-editor.org/info/rfc2775>.

   [RFC7626]  Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
              DOI 10.17487/RFC7626, August 2015,
              <https://www.rfc-editor.org/info/rfc7626>.

   [RFC7671]  Dukhovni, V. and W. Hardaker, "The DNS-Based
              Authentication of Named Entities (DANE) Protocol: Updates
              and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671,
              October 2015, <https://www.rfc-editor.org/info/rfc7671>.

   [RFC7871]  Contavalli, C., van der Gaast, W., Lawrence, D., and W.
              Kumari, "Client Subnet in DNS Queries", RFC 7871,
              DOI 10.17487/RFC7871, May 2016,
              <https://www.rfc-editor.org/info/rfc7871>.

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017,
              <https://www.rfc-editor.org/info/rfc8106>.

   [RFC8120]  Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi,
              T., and Y. Ioku, "Mutual Authentication Protocol for
              HTTP", RFC 8120, DOI 10.17487/RFC8120, April 2017,
              <https://www.rfc-editor.org/info/rfc8120>.




Reddy, et al.           Expires December 16, 2019              [Page 20]


Internet-Draft          DoT/DoH server discovery               June 2019


   [RFC8310]  Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles
              for DNS over TLS and DNS over DTLS", RFC 8310,
              DOI 10.17487/RFC8310, March 2018,
              <https://www.rfc-editor.org/info/rfc8310>.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019,
              <https://www.rfc-editor.org/info/rfc8520>.

Authors' Addresses

   Tirumaleswar Reddy
   McAfee, Inc.
   Embassy Golf Link Business Park
   Bangalore, Karnataka  560071
   India

   Email: kondtir@gmail.com


   Dan Wing
   Citrix Systems, Inc.
   USA

   Email: dwing-ietf@fuggles.com


   Michael C. Richardson
   Sandelman Software Works
   USA

   Email: mcr+ietf@sandelman.ca


   Mohamed Boucadair
   Orange
   Rennes  35000
   France

   Email: mohamed.boucadair@orange.com










Reddy, et al.           Expires December 16, 2019              [Page 21]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/