idnits 2.17.1 draft-ietf-6man-dns-options-bis-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC5006, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 8, 2010) is 4977 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 3736 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 5006 (Obsoleted by RFC 6106) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Jeong 3 Internet-Draft Brocade/ETRI 4 Obsoletes: 5006 (if approved) S. Park 5 Intended status: Standards Track SAMSUNG Electronics 6 Expires: March 12, 2011 L. Beloeil 7 France Telecom R&D 8 S. Madanapalli 9 Ordyn Technologies 10 September 8, 2010 12 IPv6 Router Advertisement Options for DNS Configuration 13 draft-ietf-6man-dns-options-bis-08 15 Abstract 17 This document specifies IPv6 Router Advertisement options to allow 18 IPv6 routers to advertise a list of DNS recursive server addresses 19 and a DNS search list to IPv6 hosts. 21 Status of This Memo 23 This Internet-Draft is submitted to IETF in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF), its areas, and its working groups. Note that 28 other groups may also distribute working documents as Internet- 29 Drafts. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 The list of current Internet-Drafts can be accessed at 37 http://www.ietf.org/ietf/1id-abstracts.txt. 39 The list of Internet-Draft Shadow Directories can be accessed at 40 http://www.ietf.org/shadow.html. 42 This Internet-Draft will expire on March 12, 2011. 44 Copyright Notice 46 Copyright (c) 2010 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 1.1. Applicability Statements . . . . . . . . . . . . . . . . . 3 63 1.2. Coexistence of RA Options and DHCP Options for DNS 64 Configuration . . . . . . . . . . . . . . . . . . . . . . 4 65 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 66 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 67 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. Neighbor Discovery Extension . . . . . . . . . . . . . . . . . 5 69 5.1. Recursive DNS Server Option . . . . . . . . . . . . . . . 6 70 5.2. DNS Search List Option . . . . . . . . . . . . . . . . . . 7 71 5.3. Procedure of DNS Configuration . . . . . . . . . . . . . . 8 72 5.3.1. Procedure in IPv6 Host . . . . . . . . . . . . . . . . 8 73 5.3.2. Warnings for DNS Options Configuration . . . . . . . . 10 74 6. Implementation Considerations . . . . . . . . . . . . . . . . 10 75 6.1. DNS Repository Management . . . . . . . . . . . . . . . . 10 76 6.2. Synchronization between DNS Server List and Resolver 77 Repository . . . . . . . . . . . . . . . . . . . . . . . . 11 78 6.3. Synchronization between DNS Search List and Resolver 79 Repository . . . . . . . . . . . . . . . . . . . . . . . . 12 80 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 81 7.1. Security Threats . . . . . . . . . . . . . . . . . . . . . 13 82 7.2. Recommendations . . . . . . . . . . . . . . . . . . . . . 14 83 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 84 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 85 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 86 10.1. Normative References . . . . . . . . . . . . . . . . . . . 15 87 10.2. Informative References . . . . . . . . . . . . . . . . . . 16 88 Appendix A. Changes from RFC 5006 . . . . . . . . . . . . . . . . 17 90 1. Introduction 92 The purpose of this document is to standardize an IPv6 Router 93 Advertisement (RA) option for DNS Recursive Server Addresses used for 94 the DNS name resolution in IPv6 hosts. This RA option was specified 95 in an earlier experimental specification [RFC5006]. This document is 96 also to define a new RA option for Domain Name Search Lists for an 97 enhanced DNS configuration. Thus, this document obsoleted [RFC5006] 98 defining only the RA option for DNS Recursive Server Addresses. 100 Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address 101 Autoconfiguration provide ways to configure either fixed or mobile 102 nodes with one or more IPv6 addresses, default routers and some other 103 parameters [RFC4861][RFC4862]. Most Internet services are identified 104 by using a DNS name. The two RA options defined in this document 105 provide the DNS information needed for an IPv6 host to reach Internet 106 services. 108 It is infeasible to manually configure nomadic hosts each time they 109 connect to a different network. While a one-time static 110 configuration is possible, it is generally not desirable on general- 111 purpose hosts such as laptops. For instance, locally defined name 112 spaces would not be available to the host if it were to run its own 113 name server software directly connected to the global DNS. 115 The DNS information can also be provided through DHCP 116 [RFC3315][RFC3736][RFC3646]. However, the access to DNS is a 117 fundamental requirement for almost all hosts, so IPv6 stateless 118 autoconfiguration cannot stand on its own as an alternative 119 deployment model in any practical network without any support for DNS 120 configuration. 122 These issues are not pressing in dual stack networks as long as a DNS 123 server is available on the IPv4 side, but become more critical with 124 the deployment of IPv6-only networks. As a result, this document 125 defines a mechanism based on IPv6 RA options to allow IPv6 hosts to 126 perform the automatic DNS configuration. 128 1.1. Applicability Statements 130 RA-based DNS configuration is a useful alternative in networks where 131 an IPv6 host's address is autoconfigured through IPv6 stateless 132 address autoconfiguration, and where there is either no DHCPv6 133 infrastructure at all or some hosts do not have a DHCPv6 client. The 134 intention is to enable the full configuration of basic networking 135 information for hosts without requiring DHCPv6. However, when in 136 many networks some additional information needs to be distributed, 137 those networks are likely to employ DHCPv6. In these networks RA- 138 based DNS configuration may not be needed. 140 RA-based DNS configuration allows an IPv6 host to acquire the DNS 141 configuration (i.e., DNS recursive server addresses and DNS search 142 list) for the link(s) to which the host is connected. Furthermore, 143 the host learns this DNS configuration from the same RA message that 144 provides configuration information for the link, thereby avoiding 145 also running DHCPv6. 147 The advantages and disadvantages of the RA-based approach are 148 discussed in [RFC4339] along with other approaches, such as the DHCP 149 and well-known anycast addresses approaches. 151 1.2. Coexistence of RA Options and DHCP Options for DNS Configuration 153 Two protocols exist to configure the DNS information on a host, the 154 Router Advertisement options described in this document and the 155 DHCPv6 options described in [RFC3646]. They can be used together. 156 The rules governing the decision to use stateful configuration 157 mechanisms are specified in [RFC4861]. Hosts conforming to this 158 specification MUST extract DNS information from Router Advertisement 159 messages, unless static DNS configuration has been specified by the 160 user. If there is DNS information available from multiple Router 161 Advertisements and/or from DHCP, the host MUST maintain an ordered 162 list of this information as specified in Section 5.3.1. 164 2. Requirements Language 166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 168 document are to be interpreted as described in [RFC2119]. 170 3. Terminology 172 This document uses the terminology described in [RFC4861] and 173 [RFC4862]. In addition, four new terms are defined below: 175 o Recursive DNS Server (RDNSS): Server which provides a recursive 176 DNS resolution service for translating domain names into IP 177 addresses as defined in [RFC1034] and [RFC1035]. 179 o RDNSS Option: IPv6 RA option to deliver the RDNSS information to 180 IPv6 hosts [RFC4861]. 182 o DNS Search List (DNSSL): The list of DNS suffix domain names used 183 by IPv6 hosts when they perform DNS query searches for short, 184 unqualified domain names. 186 o DNSSL Option: IPv6 RA option to deliver the DNSSL information to 187 IPv6 hosts. 189 o DNS Repository: Two data structures for managing DNS Configuration 190 Information in the IPv6 protocol stack in addition to Neighbor 191 Cache and Destination Cache for Neighbor Discovery [RFC4861]. The 192 first data structure is the DNS Server List for RDNSS addresses 193 and the second is the DNS Search List for DNS search domain names. 195 o Resolver Repository: Configuration repository with RDNSS addresses 196 and a DNS search list that a DNS resolver on the host uses for DNS 197 name resolution; for example, the Unix resolver file (i.e., /etc/ 198 resolv.conf) and Windows registry. 200 4. Overview 202 This document standardizes the ND option called the RDNSS option 203 defined in [RFC5006] that contains the addresses of recursive DNS 204 servers. This document also defines a new ND option called the DNSSL 205 option for Domain Search List. This is to maintain parity with the 206 DHCPv6 options and to ensure that there is necessary functionality to 207 determine the search domains. 209 The existing ND message (i.e., Router Advertisement) is used to carry 210 this information. An IPv6 host can configure the IPv6 addresses of 211 one or more RDNSSes via RA messages. Through the RDNSS and DNSSL 212 options, along with the prefix information option based on the ND 213 protocol ([RFC4861] and [RFC4862]), an IPv6 host can perform the 214 network configuration of its IPv6 address and the DNS information 215 simultaneously without needing DHCPv6 for the DNS configuration. The 216 RA options for RDNSS and DNSSL can be used on any network that 217 supports the use of ND. 219 This approach requires the manual configuration or other automatic 220 mechanisms (e.g., DHCPv6 or vendor proprietary configuration 221 mechanisms) to configure the DNS information in routers sending the 222 advertisements. The automatic configuration of RDNSS addresses and a 223 DNS search list in routers is out of scope for this document. 225 5. Neighbor Discovery Extension 227 The IPv6 DNS configuration mechanism in this document needs two new 228 ND options in Neighbor Discovery: (i) the Recursive DNS Server 229 (RDNSS) option and (ii) the DNS Search List (DNSSL) option. 231 5.1. Recursive DNS Server Option 233 The RDNSS option contains one or more IPv6 addresses of recursive DNS 234 servers. All of the addresses share the same lifetime value. If it 235 is desirable to have different lifetime values, multiple RDNSS 236 options can be used. Figure 1 shows the format of the RDNSS option. 238 0 1 2 3 239 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 | Type | Length | Reserved | 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 243 | Lifetime | 244 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 245 | | 246 : Addresses of IPv6 Recursive DNS Servers : 247 | | 248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 250 Figure 1: Recursive DNS Server (RDNSS) Option Format 252 Fields: 253 Type 8-bit identifier of the RDNSS option type as assigned 254 by the IANA: 25 256 Length 8-bit unsigned integer. The length of the option 257 (including the Type and Length fields) is in units of 258 8 octets. The minimum value is 3 if one IPv6 address 259 is contained in the option. Every additional RDNSS 260 address increases the length by 2. The Length field 261 is used by the receiver to determine the number of 262 IPv6 addresses in the option. 264 Lifetime 32-bit unsigned integer. The maximum time, in 265 seconds (relative to the time the packet is sent), 266 over which this RDNSS address MAY be used for name 267 resolution. Hosts MAY send a Router Solicitation to 268 ensure the RDNSS information is fresh before the 269 interval expires. In order to provide fixed hosts 270 with stable DNS service and allow mobile hosts to 271 prefer local RDNSSes to remote RDNSSes, the value of 272 Lifetime SHOULD be bounded as MaxRtrAdvInterval <= 273 Lifetime <= 2*MaxRtrAdvInterval where 274 MaxRtrAdvInterval is the Maximum RA Interval defined 275 in [RFC4861]. A value of all one bits (0xffffffff) 276 represents infinity. A value of zero means that 277 the RDNSS address MUST no longer be used. 279 Addresses of IPv6 Recursive DNS Servers 280 One or more 128-bit IPv6 addresses of the recursive 281 DNS servers. The number of addresses is determined 282 by the Length field. That is, the number of 283 addresses is equal to (Length - 1) / 2. 285 5.2. DNS Search List Option 287 The DNSSL option contains one or more domain names of DNS suffixes. 288 All of the domain names share the same lifetime value. If it is 289 desirable to have different lifetime values, multiple DNSSL options 290 can be used. Figure 2 shows the format of the DNSSL option. 292 0 1 2 3 293 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 294 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 295 | Type | Length | Reserved | 296 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 297 | Lifetime | 298 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 299 | | 300 : Domain Names of DNS Search List : 301 | | 302 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 304 Figure 2: DNS Search List (DNSSL) Option Format 306 Fields: 307 Type 8-bit identifier of the DNSSL option type as assigned 308 by the IANA: (TBD) 310 Length 8-bit unsigned integer. The length of the option 311 (including the Type and Length fields) is in units of 312 8 octets. The minimum value is 2 if at least one 313 domain name is contained in the option. The Length 314 field is set to a multiple of 8 octets to accommodate 315 all the domain names in the field of Domain Names of 316 DNS Search List. 318 Lifetime 32-bit unsigned integer. The maximum time, in 319 seconds (relative to the time the packet is sent), 320 over which this DNSSL domain name MAY be used for 321 name resolution. The Lifetime value has the same 322 semantics as with RDNSS option. That is, Lifetime 323 SHOULD be bounded as follows: 324 MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval. 326 A value of all one bits (0xffffffff) represents 327 infinity. A value of zero means that the DNSSL 328 domain name MUST no longer be used. 330 Domain Names of DNS Search List 331 One or more domain names of DNS search list that MUST 332 be encoded using the technique described in Section 333 3.1 of [RFC1035]. By this technique, each domain 334 name is represented as a sequence of labels ending in 335 a zero octet, defined as domain name representation. 336 For more than one domain name, the corresponding 337 domain name representations are concatenated as they 338 are. Note that for the simple decoding, the domain 339 names MUST NOT be encoded in a compressed form, as 340 described in Section 4.1.4 of [RFC1035]. Because the 341 size of this field MUST be a multiple of 8 octets, 342 for the minimum multiple including the domain name 343 representations, the remaining octets other than the 344 encoding parts of the domain name representations 345 MUST be padded with zeros. 347 Note: An RDNSS address or a DNSSL domain name MUST be used only as 348 long as both the RA router lifetime (advertised by a Router 349 Advertisement message [RFC4861]) and the corresponding option 350 lifetime have not expired. The reason is that in the current 351 network to which an IPv6 host is connected, the RDNSS may not be 352 currently reachable, that the DNSSL domain name is not valid any 353 more, or that these options do not provide service to the host's 354 current address (e.g., due to network ingress filtering 355 [RFC2827][RFC5358]). 357 5.3. Procedure of DNS Configuration 359 The procedure of DNS configuration through the RDNSS and DNSSL 360 options is the same as with any other ND option [RFC4861]. 362 5.3.1. Procedure in IPv6 Host 364 When an IPv6 host receives DNS options (i.e., RDNSS option and DNSSL 365 option) through RA messages, it processes the options as follows: 367 o The validity of DNS options is checked with the Length field; that 368 is, the value of the Length field in the RDNSS option is greater 369 than or equal to the minimum value (3) and also the value of the 370 Length field in the DNSSL option is greater than or equal to the 371 minimum value (2). 373 o If the DNS options are valid, the host SHOULD copy the values of 374 the options into the DNS Repository and the Resolver Repository in 375 order. Otherwise, the host MUST discard the options. Refer to 376 Section 6 for the detailed procedure. 378 When the IPv6 host has gathered a sufficient number (e.g., three) of 379 RDNSS addresses (or DNS search domain names), it SHOULD maintain 380 RDNSS addresses (or DNS search domain names) by the sufficient number 381 such that the latest received RDNSS or DNSSL is more preferred to the 382 old ones; that is, when the number of RDNSS addresses (or DNS search 383 domain names) is already the sufficient number, the new one replaces 384 the old one that will expire first in terms of Lifetime. As an 385 exceptional case, if the received RDNSS addresses (or DNS search 386 domain names) already exist in the IPv6 host, their Lifetime fields 387 update their expiration time, that is, when the corresponding DNS 388 information expires in the IPv6 host; note that when the Lifetime 389 field has zero, the corresponding RDNSS (or DNS search domain name) 390 is deleted from the IPv6 host. Except for this update, the IPv6 host 391 SHOULD ignore other RDNSS addresses (or DNS search domain names) 392 within an RDNSS (or a DNSSL) option and/or additional RDNSS (or 393 DNSSL) options within an RA. Refer to Section 6 for the detailed 394 procedure. Note that the sufficient number is a system parameter, so 395 it can be determined by a local policy. Also, separate parameters 396 can be specified for the sufficient number of RDNSS addresses and 397 that of DNS search domain names, respectively. In this document, 398 three is RECOMMENDED as a sufficient number considering both the 399 robust DNS query and the reasonably time-bounded recognition of the 400 unreachability of DNS servers. 402 In the case where the DNS options of RDNSS and DNSSL can be obtained 403 from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep 404 some DNS options from all sources. Unless explicitly specified for 405 the discovery mechanism, the exact number of addresses and domain 406 names to keep is a matter of local policy and implementation choice. 407 However, it is RECOMMENDED that at least three RDNSS addresses (or 408 DNSSL domain names) can be stored from at least two different 409 sources. The DNS options from Router Advertisements and DHCP SHOULD 410 be stored into DNS Repository and Resolver Repository so that 411 information from DHCP appears there first and therefore takes 412 precedence. Thus, the DNS information from DHCP takes precedence 413 over that from RA for DNS queries. On the other hand, for DNS 414 options announced by RA, if some RAs use the Secure Neighbor 415 Discovery (SEND) protocol [RFC3971] for RA security, they MUST be 416 preferred over those which do not use SEND. Refer to Section 7 for 417 the detailed discussion on SEND for RA DNS options. 419 5.3.2. Warnings for DNS Options Configuration 421 There are two warnings for DNS options configuration: (i) warning for 422 multiple sources of DNS options and (ii) warning for multiple network 423 interfaces. First, in the case of multiple sources for DNS options 424 (e.g., RA and DHCP), an IPv6 host can configure its IP addresses from 425 these sources. In this case, it is not possible to control how the 426 host uses DNS information and what source addresses it uses to send 427 DNS queries. As a result, configurations where different information 428 is provided by different sources may lead to problems. Therefore, 429 the network administrator needs to configure DNS options in multiple 430 sources in order to prevent such problems from happening. 432 Second, if different DNS information is provided on different network 433 interfaces, this can lead to inconsistent behavior. The IETF is 434 working on solving this problem for both DNS and other information 435 obtained by multiple interfaces [ID-mif-problem][ID-mif-practice]. 437 6. Implementation Considerations 439 Note: This non-normative section gives some hints for implementing 440 the processing of the RDNSS and DNSSL options in an IPv6 host. 442 For the configuration and management of DNS information, the 443 advertised DNS configuration information can be stored and managed in 444 both the DNS Repository and the Resolver Repository. 446 In environments where the DNS information is stored in user space and 447 ND runs in the kernel, it is necessary to synchronize the DNS 448 information (i.e., RDNSS addresses and DNS search domain names) in 449 kernel space and the Resolver Repository in user space. For the 450 synchronization, an implementation where ND works in the kernel 451 should provide a write operation for updating DNS information from 452 the kernel to the Resolver Repository. One simple approach is to 453 have a daemon (or a program that is called at defined intervals) that 454 keeps monitoring the lifetimes of RDNSS addresses and DNS search 455 domain names all the time. Whenever there is an expired entry in the 456 DNS Repository, the daemon can delete the corresponding entry from 457 the Resolver Repository. 459 6.1. DNS Repository Management 461 For DNS repository management, the kernel or user-space process 462 (depending on where RAs are processed) should maintain two data 463 structures: (i) DNS Server List that keeps the list of RDNSS 464 addresses and (ii) DNS Search List that keeps the list of DNS search 465 domain names. Each entry in these two lists consists of a pair of an 466 RDNSS address (or DNSSL domain name) and Expiration-time as follows: 468 o RDNSS address for DNS Server List: IPv6 address of the Recursive 469 DNS Server, which is available for recursive DNS resolution 470 service in the network advertising the RDNSS option. 472 o DNSSL domain name for DNS Search List: DNS suffix domain names, 473 which is used to perform DNS query searches for short, unqualified 474 domain names in the network advertising the DNSSL option. 476 o Expiration-time for DNS Server List or DNS Search List: The time 477 when this entry becomes invalid. Expiration-time is set to the 478 value of the Lifetime field of the RDNSS option or DNSSL option 479 plus the current system time. Whenever a new RDNSS option with 480 the same address (or DNSSL option with the same domain name) is 481 received on the same interface as a previous RDNSS option (or 482 DNSSL option), this field is updated to have a new expiration 483 time. When Expiration-time becomes less than the current system 484 time, this entry is regarded as expired. 486 6.2. Synchronization between DNS Server List and Resolver Repository 488 When an IPv6 host receives the information of multiple RDNSS 489 addresses within a network (e.g., campus network and company network) 490 through an RA message with RDNSS option(s), it stores the RDNSS 491 addresses (in order) into both the DNS Server List and the Resolver 492 Repository. The processing of the RDNSS consists of (i) the 493 processing of RDNSS option(s) included in an RA message and (ii) the 494 handling of expired RDNSSes. The processing of RDNSS option(s) is as 495 follows: 497 Step (a): Receive and parse the RDNSS option(s). For the RDNSS 498 addresses in each RDNSS option, perform Step (b) through Step (d). 500 Step (b): For each RDNSS address, check the following: If the 501 RDNSS address already exists in the DNS Server List and the RDNSS 502 option's Lifetime field is set to zero, delete the corresponding 503 RDNSS entry from both the DNS Server List and the Resolver 504 Repository in order to prevent the RDNSS address from being used 505 any more for certain reasons in network management, e.g., the 506 termination of the RDNSS or a renumbering situation. That is, the 507 RDNSS can resign from its DNS service because the machine running 508 the RDNSS is out of service intentionally or unintentionally. 509 Also, under the renumbering situation, the RDNSS's IPv6 address 510 will be changed, so the previous RDNSS address should not be used 511 any more. The processing of this RDNSS address is finished here. 512 Otherwise, go to Step (c). 514 Step (c): For each RDNSS address, if it already exists in the DNS 515 Server List, then just update the value of the Expiration-time 516 field according to the procedure specified in the third bullet of 517 Section 6.1. Otherwise, go to Step (d). 519 Step (d): For each RDNSS address, if it does not exist in the DNS 520 Server List, register the RDNSS address and lifetime with the DNS 521 Server List and then insert the RDNSS address in front of the 522 Resolver Repository. In the case where the data structure for the 523 DNS Server List is full of RDNSS entries (that is, has more 524 RDNSSes than the sufficient number discussed in Section 5.3.1), 525 delete from the DNS Server List the entry with the shortest 526 expiration time (i.e., the entry that will expire first). The 527 corresponding RDNSS address is also deleted from the Resolver 528 Repository. For the ordering of RDNSS addresses in an RDNSS 529 option, position the first RDNSS address in the RDNSS option as 530 the first one in the Resolver Repository, the second RDNSS address 531 in the option as the second one in the repository, and so on. 532 This ordering allows the RDNSS addresses in the RDNSS option to be 533 preferred according to their order in the RDNSS option for the DNS 534 name resolution. The processing of these RDNSS addresses is 535 finished here. 537 The handling of expired RDNSSes is as follows: Whenever an entry 538 expires in the DNS Server List, the expired entry is deleted from the 539 DNS Server List, and also the RDNSS address corresponding to the 540 entry is deleted from the Resolver Repository. 542 6.3. Synchronization between DNS Search List and Resolver Repository 544 When an IPv6 host receives the information of multiple DNSSL domain 545 names within a network (e.g., campus network and company network) 546 through an RA message with DNSSL option(s), it stores the DNSSL 547 domain names (in order) into both the DNS Search List and the 548 Resolver Repository. The processing of the DNSSL consists of (i) the 549 processing of DNSSL option(s) included in an RA message and (ii) the 550 handling of expired DNSSLs. The processing of DNSSL option(s) is as 551 follows: 553 Step (a): Receive and parse the DNSSL option(s). For the DNSSL 554 domain names in each DNSSL option, perform Step (b) through Step 555 (d). 557 Step (b): For each DNSSL domain name, check the following: If the 558 DNSSL domain name already exists in the DNS Search List and the 559 DNSSL option's Lifetime field is set to zero, delete the 560 corresponding DNSSL entry from both the DNS Search List and the 561 Resolver Repository in order to prevent the DNSSL domain name from 562 being used any more for certain reasons in network management, 563 e.g., the termination of the RDNSS or a renaming situation. That 564 is, the RDNSS can resign from its DNS service because the machine 565 running the RDNSS is out of service intentionally or 566 unintentionally. Also, under the renaming situation, the DNSSL 567 domain names will be changed, so the previous domain names should 568 not be used any more. The processing of this DNSSL domain name is 569 finished here. Otherwise, go to Step (c). 571 Step (c): For each DNSSL domain name, if it already exists in the 572 DNS Server List, then just update the value of the Expiration-time 573 field according to the procedure specified in the third bullet of 574 Section 6.1. Otherwise, go to Step (d). 576 Step (d): For each DNSSL domain name, if it does not exist in the 577 DNS Search List, register the DNSSL domain name and lifetime with 578 the DNS Search List and then insert the DNSSL domain name in front 579 of the Resolver Repository. In the case where the data structure 580 for the DNS Search List is full of DNSSL domain name entries (that 581 is, has more DNSSL domain names than the sufficient number 582 discussed in Section 5.3.1), delete from the DNS Server List the 583 entry with the shortest expiration time (i.e., the entry that will 584 expire first). The corresponding DNSSL domain name is also 585 deleted from the Resolver Repository. For the ordering of DNSSL 586 domain names in a DNSSL option, position the first DNSSL domain 587 name in the DNSSL option as the first one in the Resolver 588 Repository, the second DNSSL domain name in the option as the 589 second one in the repository, and so on. This ordering allows the 590 DNSSL domain names in the DNSSL option to be preferred according 591 to their order in the DNSSL option for the DNS domain name used by 592 the DNS query. The processing of these DNSSL domain name is 593 finished here. 595 The handling of expired DNSSLs is as follows: Whenever an entry 596 expires in the DNS Search List, the expired entry is deleted from 597 the DNS Search List, and also the DNSSL domain name corresponding 598 to the entry is deleted from the Resolver Repository. 600 7. Security Considerations 602 In this section, we analyze security threats related to DNS options 603 and then suggest recommendations to cope with such security threats. 605 7.1. Security Threats 607 For RDNSS option, an attacker could send an RA with a fraudulent 608 RDNSS address, misleading IPv6 hosts into contacting an unintended 609 DNS server for DNS name resolution. Also, for DNSSL option, an 610 attacker can let IPv6 hosts resolve a host name without DNS suffix 611 into an unintended host's IP address with a fraudulent DNS search 612 list. 614 These attacks are similar to Neighbor Discovery attacks that use 615 Redirect or Neighbor Advertisement messages to redirect traffic to 616 individual addresses of malicious parties. That is, as a rogue 617 router, a malicious node on a LAN can promiscuously receive packets 618 for any router's MAC address and send packets with the router's MAC 619 address as the source MAC address in the L2 header. As a result, L2 620 switches send packets addressed to the router to the malicious node. 621 Also, this attack can send redirects that tell the hosts to send 622 their traffic somewhere else. The malicious node can send 623 unsolicited RA or Neighbor Advertisement (NA) replies, answer RS or 624 Neighbor Solicitation (NS) requests, etc. Thus, the attacks related 625 to RDNSS and DNSSL are similar to both Neighbor Discovery attacks and 626 attacks against unauthenticated DHCP, as both can be used for both 627 "wholesale" traffic redirection and more specific attacks. 629 However, the security of these RA options for DNS configuration does 630 not affect ND protocol security [RFC4861]. This is because learning 631 DNS information via the RA options cannot be worse than learning bad 632 router information via the RA options. Therefore, the vulnerability 633 of ND is not worse and is a subset of the attacks that any node 634 attached to a LAN can do independently of ND. 636 7.2. Recommendations 638 The Secure Neighbor Discovery (SEND) protocol [RFC3971] is used as a 639 security mechanism for ND. It is RECOMMENDED that ND use SEND to 640 allow all the ND options including the RDNSS and DNSSL options to be 641 automatically included in the signatures. Through SEND, the 642 transport for the RA options is integrity-protected; that is, SEND 643 can prevent the spoofing of these DNS options with signatures. Also, 644 SEND enables an IPv6 host to verify that the sender of an RA is 645 actually a router authorized to act as a router. However, since any 646 valid SEND router can still insert RDNSS and DNSSL options, the 647 current SEND cannot verify which one is or is not authorized to send 648 the options. Thus, this verification of the authorized routers for 649 ND options will be required. [ID-csi-send-cert] specifies the usage 650 of extended key for the certificate deployed in SEND. This document 651 defines the roles of routers (i.e., routers acting as proxy and 652 address owner) and explains the authorization of the roles. The 653 mechanism in this document can be extended to verify which routers 654 are authorized to insert RDNSS and DNSSL options. 656 It is common for network devices such as switches to include 657 mechanisms to block unauthorized ports from running a DHCPv6 server 658 to provide protection from rogue DHCP servers. That means that an 659 attacker on other ports cannot insert bogus DNS servers using DHCPv6. 661 The corresponding technique for network devices is RECOMMENDED to 662 block rogue Router Advertisement messages including the RDNSS and 663 DNSSL options from unauthorized nodes. 665 An attacker may provide a bogus DNS Search List option in order to 666 cause the victim to send DNS queries to a specific DNS server when 667 the victim queries non-fully qualified domain names. For this 668 attack, the DNS resolver in IPv6 hosts can mitigate the vulnerability 669 with the recommendations mentioned in [RFC1535], [RFC1536], and 670 [RFC3646]. 672 8. IANA Considerations 674 The RDNSS option defined in this document is using the IPv6 Neighbor 675 Discovery Option type in RFC 5006 [RFC5006] assigned by the IANA as 676 follows: 678 Option Name Type 679 RDNSS option 25 681 The IANA is requested to assign a new IPv6 Neighbor Discovery Option 682 type for the DNSSL option defined in this document: 684 Option Name Type 685 DNSSL option (TBD) 687 The IANA registry for these options is: 689 http://www.iana.org/assignments/icmpv6-parameters 691 9. Acknowledgements 693 This document has greatly benefited from inputs by Robert Hinden, 694 Pekka Savola, Iljitsch van Beijnum, Brian Haberman, Tim Chown, Erik 695 Nordmark, Dan Wing, Jari Arkko, Ben Campbell, Vincent Roca, and Tony 696 Cheneau. The authors sincerely appreciate their contributions. 698 10. References 700 10.1. Normative References 702 [RFC2119] Bradner, S., "Key words for use in RFCs to 703 Indicate Requirement Levels", BCP 14, RFC 2119, 704 March 1997. 706 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. 707 Soliman, "Neighbor Discovery for IP Version 6 708 (IPv6)", RFC 4861, September 2007. 710 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 711 Stateless Address Autoconfiguration", RFC 4862, 712 September 2007. 714 [RFC1035] Mockapetris, P., "Domain Names - Implementation 715 and Specification", RFC 1035, November 1987. 717 10.2. Informative References 719 [RFC1034] Mockapetris, P., "Domain Names - Concepts and 720 Facilities", RFC 1034, November 1987. 722 [RFC3315] Droms, R., Ed., "Dynamic Host Configuration 723 Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. 725 [RFC3736] Droms, R., "Stateless Dynamic Host Configuration 726 Protocol (DHCP) Service for IPv6", RFC 3736, 727 April 2004. 729 [RFC3646] Droms, R., Ed., "DNS Configuration options for 730 Dynamic Host Configuration Protocol for IPv6 731 (DHCPv6)", RFC 3646, December 2003. 733 [RFC5006] Jeong, J., Park, S., Beloeil, L., and S. 734 Madanapalli, "IPv6 Router Advertisement Option 735 for DNS Configuration", RFC 5006, September 2007. 737 [RFC4339] Jeong, J., Ed., "IPv6 Host Configuration of DNS 738 Server Information Approaches", RFC 4339, 739 February 2006. 741 [RFC3971] Arkko, J., Ed., "SEcure Neighbor Discovery 742 (SEND)", RFC 3971, March 2005. 744 [RFC5358] Damas, J. and F. Neves, "Preventing Use of 745 Recursive Nameservers in Reflector Attacks", 746 BCP 140, RFC 5358, October 2008. 748 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress 749 Filtering: Defeating Denial of Service Attacks 750 which employ IP Source Address Spoofing", BCP 38, 751 RFC 2827, May 2000. 753 [RFC1535] Gavron, E., "A Security Problem and Proposed 754 Correction With Widely Deployed DNS Software", 755 RFC 1535, October 1993. 757 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., 758 and S. Miller, "Common DNS Implementation Errors 759 and Suggested Fixes", RFC 1536, October 1993. 761 [ID-mif-problem] Blanchet, M. and P. Seite, "Multiple Interfaces 762 Problem Statement", Work in Progress, 763 August 2010. 765 [ID-mif-practice] Wasserman, M. and P. Seite, "Current Practices 766 for Multiple Interface Hosts", Work in Progress, 767 August 2010. 769 [ID-csi-send-cert] Gagliano, R., Krishnan, S., and A. Kukec, 770 "Certificate profile and certificate management 771 for SEND", Work in Progress, June 2010. 773 Appendix A. Changes from RFC 5006 775 The following changes were made from RFC 5006 "IPv6 Router 776 Advertisement Option for DNS Configuration": 778 o Added DNS Search List (DNSSL) Option to support the advertisement 779 of DNS suffixes used in the DNS search along with RDNSS Option in 780 RFC 5006. 782 o Clarified the coexistence of RA options and DHCP options for DNS 783 configuration. 785 o Modified the procedure in IPv6 host: 787 * Clarified the procedure for DNS options in an IPv6 host. 789 * Specified a sufficient number of RDNSS addresses or DNS search 790 domain names as three. 792 * Specified a way to deal with DNS options from multiple sources, 793 such as RA and DHCP. 795 o Modified implementation considerations for DNSSL Option handling. 797 o Modified security considerations to consider more attack scenarios 798 and the corresponding possible solutions. 800 o Modified IANA considerations to require another IPv6 Neighbor 801 Discovery Option type for DNSSL option. 803 Authors' Addresses 805 Jaehoon Paul Jeong 806 Brocade Communications Systems/ETRI 807 6000 Nathan Ln N 808 Plymouth, MN 55442 809 USA 811 Phone: +1 763 268 7173 812 Fax: +1 763 268 6800 813 EMail: pjeong@brocade.com 814 URI: http://www.cs.umn.edu/~jjeong/ 816 Soohong Daniel Park 817 Mobile Platform Laboratory 818 SAMSUNG Electronics 819 416 Maetan-3dong, Yeongtong-Gu 820 Suwon, Gyeonggi-Do 443-742 821 Korea 823 Phone: +82 31 200 4508 824 EMail: soohong.park@samsung.com 826 Luc Beloeil 827 France Telecom R&D 828 42, rue des coutures 829 BP 6243 830 14066 CAEN Cedex 4 831 France 833 Phone: +33 2 40 44 97 40 834 EMail: luc.beloeil@orange-ftgroup.com 836 Syam Madanapalli 837 Ordyn Technologies 838 1st Floor, Creator Building, ITPL 839 Bangalore - 560066 840 India 842 Phone: +91-80-40383000 843 EMail: smadanapalli@gmail.com