rfcdiff: draft-ietf-ipsecme-split-dns-01.txt vs. draft-ietf-ipsecme-split-dns-02.txt

(Text shown once below is identical in both revisions; where the revisions differ, the variants are marked (-01) and (-02).)

Network                                                          T. Pauly
Internet-Draft                                                Apple Inc.
Intended status: Standards Track                              P. Wouters
Expires: January 20, 2018 (-01) / January 30, 2018 (-02)         Red Hat
                                  July 19, 2017 (-01) / July 29, 2017 (-02)

                    Split DNS Configuration for IKEv2
      draft-ietf-ipsecme-split-dns-01 -> draft-ietf-ipsecme-split-dns-02
Abstract

   This document defines two Configuration Payload Attribute Types for
   the IKEv2 protocol that add support for private DNS domains.  These
   domains should be resolved using DNS servers reachable through an
   IPsec connection, while leaving all other DNS resolution unchanged.
   This approach of resolving a subset of domains using non-public DNS
   servers is referred to as "Split DNS".

(skipping to change at page 1, line 36)
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 20, 2018 (-01) /
   January 30, 2018 (-02).

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

(skipping to change at page 2, line 24)
   3.2.  Configuration Reply . . . . . . . . . . . . . . . . . . .   4
   3.3.  Mapping DNS Servers to Domains  . . . . . . . . . . . . .   5
   3.4.  Example Exchanges . . . . . . . . . . . . . . . . . . . .   5
     3.4.1.  Simple Case . . . . . . . . . . . . . . . . . . . . .   5
     3.4.2.  Requesting Domains and DNSSEC trust anchors . . . . .   6
   4.  Payload Formats . . . . . . . . . . . . . . . . . . . . . . .   6
     4.1.  INTERNAL_DNS_DOMAIN Configuration Attribute Type  . . .   6
     4.2.  INTERNAL_DNSSEC_TA Configuration Attribute  . . . . . .   7
   5.  Split DNS Usage Guidelines  . . . . . . . . . . . . . . . . .   7
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   7.  IANA Considerations . . . . . . . . . . . . .   9 (-01) / 10 (-02)
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     8.1.  Normative References  . . . . . . . . . . . . . . . . .  10
     8.2.  Informative References  . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   Split DNS is a common configuration for secure tunnels, such as
   Virtual Private Networks in which host machines private to an
   organization can only be resolved using internal DNS resolvers

(skipping to change at page 5, line 12)
   Each INTERNAL_DNS_DOMAIN represents a domain that the DNS server
   addresses listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve.
   If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-
   zero lengths, the content MAY be ignored or be interpreted as a
   suggestion by the responder.

   For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute,
   one or more INTERNAL_DNSSEC_TA attributes MAY be included by the
   responder.  This attribute lists the corresponding internal DNSSEC
   trust anchor in the DNS presentation format (-01: "DNS wire format")
   of a DS record as specified in [RFC4034].  The INTERNAL_DNSSEC_TA
   attribute MUST immediately follow the INTERNAL_DNS_DOMAIN attribute
   that it applies to.
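Review bot: the change from "DNS wire format" to "DNS presentation format" for the INTERNAL_DNSSEC_TA trust anchor needs to be reconciled with Section 4.2, which still lays the attribute out as fixed-width binary fields (Key Tag 2 octets, Algorithm 1 octet, Digest Type 1 octet) rather than as the text rendering of a DS record that [RFC4034] Section 5.3 calls presentation format. State in one place which encoding is carried and have the other section refer to it: an implementer reading only Section 4.2 will send raw octets, one reading only this paragraph will send a DS text line, and the two will not interoperate.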
3.3.  Mapping DNS Servers to Domains

   All DNS servers provided in the CFG_REPLY MUST support resolving
   hostnames within all INTERNAL_DNS_DOMAIN domains.  In other words,
   the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a
   single list of Split DNS domains that applies to the entire list of
   INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.

3.4.  Example Exchanges

(skipping to change at page 6, line 45)
4.  Payload Formats

4.1.  INTERNAL_DNS_DOMAIN Configuration Attribute Type

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|         Attribute Type      |            Length             |
   +-+-----------------------------+-------------------------------+
   |                                                               |
   ~            Domain Name in DNS presentation format             ~
   |                                                               |
   +---------------------------------------------------------------+

   (-01 labels the variable-length field simply "Domain Name".)

   o  Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].

   o  Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN.

   o  Length (2 octets, unsigned integer) - Length of domain name.

   o  Domain Name (0 or more octets) - A Fully Qualified Domain Name
      used for Split DNS rules, such as example.com, in DNS presentation
      format and optionally using IDNA [RFC5890] for Internationalized
      Domain Names.  The value is NOT null-terminated.
      (-01: "A domain or subdomain used for Split DNS rules, such as
      example.com in DNS wire format.")
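Review bot: the new Domain Name definition leaves open two details that decide whether two implementations match the same names: whether a trailing dot is permitted (the example "example.com" has none, while an FQDN in presentation format conventionally ends in "."), and whether "optionally using IDNA [RFC5890]" means A-labels (the ASCII "xn--" form) or U-labels (UTF-8). Suggest requiring no trailing dot and A-labels only, so a receiver can compare names byte-for-byte after ASCII case folding and the character check in the Security Considerations stays ASCII-only. Section 3.2 assigns a meaning to a zero-length INTERNAL_DNS_DOMAIN only in a CFG_REQUEST; since the field is "0 or more octets", say what a receiver does with a zero-length attribute in a CFG_REPLY (ignore it, or treat the reply as malformed).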
4.2.  INTERNAL_DNSSEC_TA Configuration Attribute

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|         Attribute Type      |            Length             |
   +-+-----------------------------+---------------+---------------+
   |           Key Tag             |   Algorithm   |  Digest Type  |
   +-------------------------------+---------------+---------------+

(skipping to change at page 7, line 41 (-01) / line 43 (-02))
   o  Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as
      specified in [RFC4034] Section 5.1

   o  DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security
      Algorithm Numbers Registry

   o  DS algorithm (0 or 1 octet) - Value from the IANA Delegation
      Signer (DS) Resource Record (RR) Type Digest Algorithms Registry

   o  Digest (0 or more octets) - The digest as specified in [RFC4034]
      Section 5.1 in presentation format (-01: "in wire format").
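Review bot: "Digest ... in presentation format" (changed from "wire format") means the hexadecimal text of [RFC4034] Section 5.3, which is twice the length of the raw digest, while the Key Tag, Algorithm and Digest Type fields that precede it stay binary. If that mix is intended, say so explicitly, and add that a receiver MUST check the digest length against the Digest Type (for example 20 raw octets or 40 hex characters for SHA-1, 32 or 64 for SHA-256) and reject the attribute on mismatch rather than install a malformed trust anchor. The "0 or 2 octets" and "0 or 1 octet" field sizes also need a sentence on when the zero-length form is legal, presumably only in a CFG_REQUEST as for INTERNAL_DNS_DOMAIN.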
5.  Split DNS Usage Guidelines

   If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
   the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
   servers as the default DNS server(s) for all queries.

   If a client is configured by local policy to only accept a limited
   number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any
   other INTERNAL_DNS_DOMAIN values.

(skipping to change at page 9, line 41 (-01) / line 43 (-02))
   accept insecure delegations for domains that are DNSSEC signed in the
   public DNS view, for which it has not explicitly requested such
   delegation by specifying the domain specifically using an
   INTERNAL_DNS_DOMAIN(domain) request.

   The operator of a domain that is served via INTERNAL_DNS_DOMAIN
   should pay close attention to its use of indirect reference RRtypes
   such as CNAME, DNAME, MX or SRV records so that resolving works as
   intended when all, some or none of the IPsec connections are
   established.
   (paragraph added in -02)

   The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
   passed to another (DNS) program for processing.  The content MUST be
   verified and sanitized before passing it to other software.  For
   example, domain names are limited to alphanumeric characters and the
   minus ("-") and underscore ("_") symbols, and if other characters
   are present, the entire payload could be ignored and not passed to
   DNS software, or the malicious characters could be filtered out
   before passing the payload to DNS software.
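Review bot: the character set given here (alphanumerics, "-" and "_") omits the "." that separates labels in the presentation format Section 4.1 now mandates, so a literal implementation of this check would reject every multi-label domain; it also conflicts with the IDNA option in Section 4.1 unless names are restricted to A-labels. Of the two remedies offered, prefer ignoring the payload over filtering characters out: stripping octets silently turns the value into a different name than the responder configured, and the Split DNS rule is then applied to the wrong domain. It is also worth stating that the receiver checks the attribute Length against the octets actually present and rejects an embedded NUL, since Section 4.1 defines the value as not null-terminated.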
7.  IANA Considerations

   This document defines two new IKEv2 Configuration Payload Attribute
   Types, which are allocated from the "IKEv2 Configuration Payload
   Attribute Types" namespace.

                                  Multi-
   Value  Attribute Type          Valued  Length      Reference
   ------ -------------------     ------  ----------  ---------------
   25     INTERNAL_DNS_DOMAIN     YES     0 or more   [this document]
End of changes.  9 change blocks.  12 lines changed or deleted, 24 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/