Discovery of Designated Resolvers
Apple Inc.
One Apple Park Way
Cupertino, California 95014
United States of America
tpauly@apple.com
Apple Inc.
One Apple Park Way
Cupertino, California 95014
United States of America
ekinnear@apple.com
Cloudflare
101 Townsend St
San Francisco
United States of America
caw@heapingbits.net
Fastly
mcmanus@ducksong.com
Microsoft
tojens@microsoft.com
Internet
ADD
This document defines Discovery of Designated Resolvers (DDR), a
mechanism for DNS clients to use DNS records to discover a resolver's encrypted
DNS configuration. This mechanism can be used to move from unencrypted DNS to
encrypted DNS when only the IP address of an encrypted resolver is known. It can
also be used to discover support for encrypted DNS protocols when the name of an
encrypted resolver is known. This mechanism is designed to be limited to cases
where unencrypted resolvers and their designated resolvers are operated by the same
entity or cooperating entities.
Discussion Venues
Discussion of this document takes place on the
Adaptive DNS Discovery Working Group mailing list (add@ietf.org),
which is archived at .
Source for this draft and an issue tracker can be found at
.
Introduction
When DNS clients wish to use encrypted DNS protocols such as DNS-over-TLS (DoT)
or DNS-over-HTTPS (DoH) , they require additional
information beyond the IP address of the DNS server, such as the resolver's
hostname, non-standard ports, or URL paths. However, common configuration
mechanisms only provide the resolver's IP address during configuration. Such
mechanisms include network provisioning protocols like DHCP and
IPv6 Router Advertisement (RA) options , as well as manual
configuration.
This document defines two mechanisms for clients to discover designated
resolvers using DNS server Service Binding (SVCB, )
records:
- When only an IP address of an Unencrypted Resolver is known, the client
queries a special use domain name to discover DNS SVCB records associated with
the Unencrypted Resolver ().
- When the hostname of an encrypted DNS server is known, the client requests
details by sending a query for a DNS SVCB record. This can be used to discover
alternate encrypted DNS protocols supported by a known server, or to provide
details if a resolver name is provisioned by a network ().
Both of these approaches allow clients to confirm that a discovered Encrypted
Resolver is designated by the originally provisioned resolver. "Designated" in
this context means that the resolvers are operated by the same entity or
cooperating entities; for example, the resolvers are accessible on the same
IP address, or there is a certificate that claims ownership over both resolvers.
Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only when,
they appear in all capitals, as shown here.
Terminology
This document defines the following terms:
-
DDR:
-
Discovery of Designated Resolvers. Refers to the mechanisms defined
in this document.
-
Designated Resolver:
-
A resolver, presumably an Encrypted Resolver, designated by another resolver
for use in its own place. This designation can be authenticated with TLS certificates.
-
Encrypted Resolver:
-
A DNS resolver using any encrypted DNS transport. This includes current
mechanisms such as DoH and DoT as well as future mechanisms.
-
Unencrypted Resolver:
-
A DNS resolver using TCP or UDP port 53.
DNS Service Binding Records
DNS resolvers can advertise one or more Designated Resolvers that
may offer support over encrypted channels and are controlled by the same
entity.
When a client discovers Designated Resolvers, it learns information
such as the supported protocols, ports, and server name to use in certificate
validation. This information is provided in Service Binding (SVCB) records for
DNS Servers, defined by .
The following is an example of an SVCB record describing a DoH server:
The following is an example of an SVCB record describing a DoT server:
If multiple Designated Resolvers are available, using one or more
encrypted DNS protocols, the resolver deployment can indicate a preference using
the priority fields in each SVCB record .
This document focuses on discovering DoH and DoT Designated Resolvers.
Other protocols can also use the format defined by .
However, if any protocol does not involve some form of certificate validation,
new validation mechanisms will need to be defined to support validating
designation as defined in .
Discovery Using Resolver IP Addresses
When a DNS client is configured with an Unencrypted Resolver IP address, it
SHOULD query the resolver for SVCB records for "dns://resolver.arpa" before
making other queries. Specifically, the client issues a query for
_dns.resolver.arpa with the SVCB resource record type (64)
.
If the recursive resolver that receives this query has one or more Designated
Resolvers, it will return the corresponding SVCB records. When responding
to these special queries for "dns://resolver.arpa", the recursive resolver
SHOULD include the A and AAAA records for the name of the Designated Resolver
in the Additional Answers section. This will allow the DNS client to make
queries over an encrypted connection without waiting to resolve the Encrypted
Resolver name per . If no A/AAAA records or SVCB
IP address hints are included, clients will be forced to delay use of the
Encrypted Resolver until an additional DNS lookup for the A and AAAA records
can be made to the Unencrypted Resolver (or some other resolver the DNS client
has been configured to use).
If the recursive resolver that receives this query has no Designated Resolvers,
it SHOULD return NODATA for queries to the "resolver.arpa" SUDN.
Authenticated Discovery
In order to be considered an authenticated Designated Resolver, the
TLS certificate presented by the Encrypted Resolver MUST contain both the domain
name (from the SVCB answer) and the IP address of the designating Unencrypted
Resolver within the SubjectAlternativeName certificate field. The client MUST
check the SubjectAlternativeName field for both the Unencrypted Resolver's IP
address and the advertised name of the Designated Resolver. If the
certificate can be validated, the client SHOULD use the discovered Designated
Resolver for any cases in which it would have otherwise used the
Unencrypted Resolver. If the Designated Resolver has a different IP
address than the Unencrypted Resolver and the TLS certificate does not cover the
Unencrypted Resolver address, the client MUST NOT use the discovered Encrypted
Resolver. Additionally, the client SHOULD suppress any further queries for
Designated Resolvers using this Unencrypted Resolver for the length of
time indicated by the SVCB record's Time to Live (TTL).
If the Designated Resolver and the Unencrypted Resolver share an IP
address, clients MAY choose to opportunistically use the Encrypted Resolver even
without this certificate check ().
If resolving the name of an Encrypted Resolver from an SVCB record yields an
IP address that was not presented in the Additional Answers section or ipv4hint
or ipv6hint fields of the original SVCB query, the connection made to that IP
address MUST pass the same TLS certificate checks before being allowed to replace
a previously known and validated IP address for the same Encrypted Resolver name.
Opportunistic Discovery
There are situations where authenticated discovery of encrypted DNS
configuration over unencrypted DNS is not possible. This includes Unencrypted
Resolvers on non-public IP addresses such as those defined in whose
identity cannot be confirmed using TLS certificates.
Opportunistic Privacy is defined for DoT in Section 4.1 of as a
mode in which clients do not validate the name of the resolver presented in the
certificate. A client MAY use information from the SVCB record for
"dns://resolver.arpa" with this "opportunistic" approach (not validating the
names presented in the SubjectAlternativeName field of the certificate) as long
as the IP address of the Encrypted Resolver does not differ from the IP address
of the Unencrypted Resolver. This approach can be used for any encrypted DNS
protocol that uses TLS.
Discovery Using Resolver Names
A DNS client that already knows the name of an Encrypted Resolver can use DDR
to discover details about all supported encrypted DNS protocols. This situation
can arise if a client has been configured to use a given Encrypted Resolver, or
if a network provisioning protocol (such as DHCP or IPv6 Router Advertisements)
provides a name for an Encrypted Resolver alongside the resolver IP address.
For these cases, the client simply sends a DNS SVCB query using the known name
of the resolver. This query can be issued to the named Encrypted Resolver itself
or to any other resolver. Unlike the case of bootstrapping from an Unencrypted
Resolver (), these records SHOULD be available in the public
DNS.
For example, if the client already knows about a DoT server
resolver.example.com, it can issue an SVCB query for
_dns.resolver.example.com to discover if there are other encrypted DNS
protocols available. In the following example, the SVCB answers indicate that
resolver.example.com supports both DoH and DoT, and that the DoH server
indicates a higher priority than the DoT server.
Often, the various supported encrypted DNS protocols will be accessible using
the same hostname. In the example above, both DoH and DoT use the name
resolver.example.com for their TLS certificates. If a deployment uses a
different hostname for one protocol, but still wants clients to treat both DNS
servers as designated, the TLS certificates MUST include both names in the
SubjectAlternativeName fields. Note that this name verification is not related
to the DNS resolver that provided the SVCB answer.
For example, being able to discover a Designated Resolver for a known
Encrypted Resolver is useful when a client has a DoT configuration for
foo.resolver.example.com but is on a network that blocks DoT traffic. The
client can still send a query to any other accessible resolver (either the local
network resolver or an accessible DoH server) to discover if there is a designated
DoH server for foo.resolver.example.com.
Deployment Considerations
Resolver deployments that support DDR are advised to consider the following
points.
Caching Forwarders
A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" upstream. This
prevents a client from receiving an SVCB record that will fail to authenticate
because the forwarder's IP address is not in the upstream resolver's Designated
Resolver's TLS certificate SAN field. A DNS forwarder which already acts as a
completely blind forwarder MAY choose to forward these queries when the operator
expects that this does not apply, either because the operator knows the upstream
resolver does have the forwarder's IP address in its TLS certificate's SAN field
or that the operator expects clients of the unencrypted resolver to use the SVCB
information opportunistically.
Operators who choose to forward queries for "resolver.arpa" upstream should note
that client behavior is never guaranteed and use of DDR by a resolver does not
communicate a requirement for clients to use the SVCB record when it cannot be
authenticated.
Certificate Management
Resolver owners that support authenticated discovery will need to list valid
referring IP addresses in their TLS certificates. This may pose challenges for
resolvers with a large number of referring IP addresses.
Security Considerations
Since client can receive DNS SVCB answers over unencrypted DNS, on-path
attackers can prevent successful discovery by dropping SVCB packets. Clients
should be aware that it might not be possible to distinguish between resolvers
that do not have any Designated Resolver and such an active attack.
While the IP address of the Unencrypted Resolver is often provisioned over
insecure mechanisms, it can also be provisioned securely, such as via manual
configuration, a VPN, or on a network with protections like RA guard
. An attacker might try to direct Encrypted DNS traffic to itself by
causing the client to think that a discovered Designated Resolver uses
a different IP address from the Unencrypted Resolver. Such an Encrypted Resolver
might have a valid certificate, but be operated by an attacker that is trying to
observe or modify user queries without the knowledge of the client or network.
If the IP address of a Designated Resolver differs from that of an
Unencrypted Resolver, clients MUST validate that the IP address of the
Unencrypted Resolver is covered by the SubjectAlternativeName of the Encrypted
Resolver's TLS certificate ().
Opportunistic use of Encrypted Resolvers MUST be limited to cases where the
Unencrypted Resolver and Designated Resolver have the same IP address
().
IANA Considerations
Special Use Domain Name "resolver.arpa"
This document calls for the creation of the "resolver.arpa" SUDN. This will
allow resolvers to respond to queries directed at themselves rather than a
specific domain name. While this document uses "resolver.arpa" to return SVCB
records indicating designated encrypted capability, the name is generic enough
to allow future reuse for other purposes where the resolver wishes to provide
information about itself to the client.
The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the querying
client is not interested in an answer from the authoritative "arpa" name
servers. The intent of the SUDN is to allow clients to communicate with the
Unencrypted Resolver much like "ipv4only.arpa" allows for client-to-middlebox
communication. For more context, see the rationale behind "ipv4only.arpa" in
.
References
Normative References
Specification for DNS over Transport Layer Security (TLS)
This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.
This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.
DNS Queries over HTTPS (DoH)
This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.
Service Binding Mapping for DNS Servers
Google LLC
The SVCB DNS record type expresses a bound collection of endpoint
metadata, for use when establishing a connection to a named service.
DNS itself can be such a service, when the server is identified by a
domain name. This document provides the SVCB mapping for named DNS
servers, allowing them to indicate support for new transport
protocols.
Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)
Google
Akamai Technologies
Akamai Technologies
This document specifies the "SVCB" and "HTTPS" DNS resource record
(RR) types to facilitate the lookup of information needed to make
connections to network services, such as for HTTPS origins. SVCB
records allow a service to be provided from multiple alternative
endpoints, each with associated parameters (such as transport
protocol configuration and keys for encrypting the TLS ClientHello).
They also enable aliasing of apex domains, which is not possible with
CNAME. The HTTPS RR is a variation of SVCB for HTTPS and HTTP
origins. By providing more information to the client before it
attempts to establish a connection, these records offer potential
benefits to both performance and privacy.
TO BE REMOVED: This document is being collaborated on in Github at:
https://github.com/MikeBishop/dns-alt-svc
(https://github.com/MikeBishop/dns-alt-svc). The most recent working
version of the document, open issues, etc. should all be available
there. The authors (gratefully) accept pull requests.
Address Allocation for Private Internets
This document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
TLS Encrypted Client Hello
RTFM, Inc.
Fastly
Cloudflare
Cloudflare
This document describes a mechanism in Transport Layer Security (TLS)
for encrypting a ClientHello message under a server public key.
Informative References
DHCP Options and BOOTP Vendor Extensions
This document specifies the current set of DHCP options. Future options will be specified in separate RFCs. The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK]
IPv6 Router Advertisement Options for DNS Configuration
This document specifies IPv6 Router Advertisement (RA) options (called "DNS RA options") to allow IPv6 routers to advertise a list of DNS Recursive Server Addresses and a DNS Search List to IPv6 hosts.
This document, which obsoletes RFC 6106, defines a higher default value of the lifetime of the DNS RA options to reduce the likelihood of expiry of the options on links with a relatively high rate of packet loss.
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
IPv6 Router Advertisement Guard
Routed protocols are often susceptible to spoof attacks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy. This document proposes a light-weight alternative and complement to SEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status. This document is not an Internet Standards Track specification; it is published for informational purposes.
Special Use Domain Name 'ipv4only.arpa'
NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) allows client devices using IPv6 to communicate with servers that have only IPv4 connectivity.
The specification for how a client discovers its local network's NAT64 prefix (RFC 7050) defines the special name 'ipv4only.arpa' for this purpose. However, in its Domain Name Reservation Considerations section (Section 8.1), that specification (RFC 7050) indicates that the name actually has no particularly special properties that would require special handling.
Consequently, despite the well-articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names registry as a name with special properties.
This document updates RFC 7050. It describes the special treatment required and formally declares the special properties of the name. It also adds similar declarations for the corresponding reverse mapping names.
DoH Preference Hints for HTTP
Google LLC
Cloudflare
Cloudflare
When using a publicly available DNS-over-HTTPS (DoH) server, some
clients may suffer poor performance when the authoritative DNS server
is located far from the DoH server. For example, a publicly
available DoH server provided by a Content Delivery Network (CDN)
should be able to resolve names hosted by that CDN with good
performance but might take longer to resolve names provided by other
CDNs, or might provide suboptimal results if that CDN is using DNS-
based load balancing and returns different address records depending
or where the DNS query originated from. This document attempts to
lessen these issues by allowing the web server to indicate to the
client which DoH server can best resolve its addresses. This
document defines an HTTP header field that enables web host operators
to inform user agents of the preferred DoH servers to use for
subsequent DNS lookups for the host's domain.
Discussion of this work is encouraged to happen on the ADD IETF
mailing list add@ietf.org or on the GitHub repository which contains
the draft: https://github.com/DavidSchinazi/draft-httpbis-doh-
preference-hints.
Design Choices When Expanding the DNS
IAB
This note discusses how to extend the DNS with new data for a new application. DNS extension discussions too often focus on reuse of the TXT Resource Record Type. This document lists different mechanisms to extend the DNS, and concludes that the use of a new DNS Resource Record Type is the best solution. This memo provides information for the Internet community.
Rationale for using SVCB records
This mechanism uses SVCB/HTTPS resource records
to communicate that a given domain designates a particular Designated
Resolver for clients to use in place of an Unencrypted Resolver (using a SUDN)
or another Encrypted Resolver (using its domain name).
There are various other proposals for how to provide similar functionality.
There are several reasons that this mechanism has chosen SVCB records:
- Discovering encrypted resolver using DNS records keeps client logic for DNS
self-contained and allows a DNS resolver operator to define which resolver names
and IP addresses are related to one another.
- Using DNS records also does not rely on bootstrapping with higher-level
application operations (such as ).
- SVCB records are extensible and allow definition of parameter keys. This makes
them a superior mechanism for extensibility as compared to approaches such as
overloading TXT records. The same keys can be used for discovering Designated
Resolvers of different transport types as well as those advertised by
Unencrypted Resolvers or another Encrypted Resolver.
- Clients and servers that are interested in privacy of names will already need
to support SVCB records in order to use Encrypted TLS Client Hello
. Without encrypting names in TLS, the value of encrypting
DNS is reduced, so pairing the solutions provides the largest benefit.
- Clients that support SVCB will generally send out three queries when accessing
web content on a dual-stack network: A, AAAA, and HTTPS queries. Discovering a
Designated Resolver as part of one of these queries, without having to
add yet another query, minimizes the total number of queries clients send. While
recommends adding new RRTypes for new functionality, SVCB provides
an extension mechanism that simplifies client behavior.