| < draft-hallambaker-privatedns-00.txt | draft-hallambaker-privatedns-01.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) Phillip Hallam-Baker | Internet Engineering Task Force (IETF) Phillip Hallam-Baker | |||
| Internet-Draft Comodo Group Inc. | Internet-Draft Comodo Group Inc. | |||
| Intended Status: Standards Track May 9, 2014 | Intended Status: Standards Track November 7, 2014 | |||
| Expires: November 10, 2014 | Expires: May 11, 2015 | |||
| Private-DNS | Private-DNS | |||
| draft-hallambaker-privatedns-00 | draft-hallambaker-privatedns-01 | |||
| Abstract | Abstract | |||
| This document describes Private DNS, a transport security mechanism | This document describes Private DNS, a transport security mechanism | |||
| for the DNS protocol. The mechanism may be employed to secure | for the DNS protocol. The mechanism may be employed to secure | |||
| communication between a client and its resolver or between a resolver | communication between a client and its resolver or between a resolver | |||
| and an authoritative server. | and an authoritative server. | |||
| Service binding including key exchange is effected using the JSON | Service binding including key exchange is effected using the JSON | |||
| Service Connect (JCX) Protocol. DNS protocol messages are wrapped in | Service Connect (JCX) Protocol. DNS protocol messages are wrapped in | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Related Work . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Related Work . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.3. Defined Terms . . . . . . . . . . . . . . . . . . . . . . 3 | 1.3. Defined Terms . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Service Connection . . . . . . . . . . . . . . . . . . . 4 | 2.1. Service Connection . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1.1. Example: Public Resolver . . . . . . . . . . . . . . 5 | 2.1.1. Example: Public Resolver . . . . . . . . . . . . . . 5 | |||
| 2.1.2. Example: Hybrid Resolver . . . . . . . . . . . . . . 6 | 2.1.2. Example: Hybrid Resolver . . . . . . . . . . . . . . 6 | |||
| 2.2. Query Protocol Binding . . . . . . . . . . . . . . . . . 10 | 2.2. Query Protocol Binding . . . . . . . . . . . . . . . . . 9 | |||
| 2.2.1. Message Binding. . . . . . . . . . . . . . . . . . . 11 | 2.2.1. Message Binding. . . . . . . . . . . . . . . . . . . 10 | |||
| 2.2.2. Query Protocol Example . . . . . . . . . . . . . . . 11 | 2.2.2. Query Protocol Example . . . . . . . . . . . . . . . 10 | |||
| 2.2.3. Authentication Conformance . . . . . . . . . . . . . 14 | 2.2.3. Authentication Conformance . . . . . . . . . . . . . 13 | |||
| 2.2.4. Handling Multiple Requests . . . . . . . . . . . . . 15 | 2.2.4. Handling Multiple Requests . . . . . . . . . . . . . 14 | |||
| 3. Service Connection and Key Exchangee . . . . . . . . . . . . . 15 | 3. Service Connection and Key Exchangee . . . . . . . . . . . . . 14 | |||
| 3.1. UDP Binding . . . . . . . . . . . . . . . . . . . . . . . 15 | 3.1. UDP Binding . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.2. HTTP Binding . . . . . . . . . . . . . . . . . . . . . . 16 | 3.2. HTTP Binding . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4. Security Considerationsns . . . . . . . . . . . . . . . . . . 16 | 4. Security Considerationsns . . . . . . . . . . . . . . . . . . 15 | |||
| 4.1. Confidentialityty . . . . . . . . . . . . . . . . . . . . 16 | 4.1. Confidentiality . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.2. Integrity . . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2. Integrity . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.3. Access . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.3. Access . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6. Acnowledgements . . . . . . . . . . . . . . . . . . . . . . . 16 | 6. Acnowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 17 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 16 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 1. Introduction. | 1. Introduction. | |||
| Recent events have required urgent consideration of privacy concerns | Recent events have required urgent consideration of privacy concerns | |||
| in Internet protocols. In particular the lack of confidentiality | in Internet protocols. In particular the lack of confidentiality | |||
| controls in the DNS [RFC1035] protocol is of considerable concern. | controls in the DNS [RFC1035] protocol is of considerable concern. | |||
| This document describes Private-DNS, a security enhancement for the | This document describes Private-DNS, a security enhancement for the | |||
| DNS protocol that meets the principal use cases and requirements set | DNS protocol that meets the principal use cases and requirements set | |||
| out in [I-D.hallambaker-dnse]. This enhancement provides for | out in [I-D.hallambaker-dnse]. This enhancement provides for | |||
| encryption and authentication of the DNS protocol messages. | encryption and authentication of the DNS protocol messages. | |||
| Private-DNS makes use of the JSON Service Connect (JCX) Protocol [I- | Private-DNS makes use of the JSON Service Connect (JCX) Protocol [I- | |||
| D.hallambaker-wsconnect] and introduces a new framing protocol. | D.hallambaker-wsconnect] and the UYFM framing protocol described in | |||
| that specification. | ||||
| 1.1. Related Work | 1.1. Related Work | |||
| The proposal approach compliments the integrity controls provided by | The proposal approach compliments the integrity controls provided by | |||
| DNSSEC [RFC4033]. While both provide integrity controls, the controls | DNSSEC [RFC4033]. While both provide integrity controls, the controls | |||
| provided by DNSSEC are based on digital signatures while this | provided by DNSSEC are based on digital signatures while this | |||
| proposal provides controls based on a Message Authentica Code | proposal provides controls based on a Message Authentica Code | |||
| technique. | technique. | |||
| Like the Omnibroker protocol [I-D.hallambaker-omnibroker], this | Like the Omnibroker protocol [I-D.hallambaker-omnibroker], this | |||
| skipping to change at page 6, line 30 ¶ | skipping to change at page 6, line 30 ¶ | |||
| "HS384", | "HS384", | |||
| "HS512", | "HS512", | |||
| "HS256T128"]}} | "HS256T128"]}} | |||
| Since the example.com service does not require authentication, the | Since the example.com service does not require authentication, the | |||
| request is granted immediately and the necessary host connection | request is granted immediately and the necessary host connection | |||
| parameters returned immediately: | parameters returned immediately: | |||
| HTTP/1.1 OK Success | HTTP/1.1 OK Success | |||
| Content-Length: 578 | Content-Length: 578 | |||
| Date: Fri, 09 May 2014 20:58:44 GMT | Date: Tue, 14 Oct 2014 19:34:07 GMT | |||
| Server: Microsoft-HTTPAPI/2.0 | Server: Microsoft-HTTPAPI/2.0 | |||
| { | { | |||
| "TicketResponse": { | "TicketResponse": { | |||
| "Status": 200, | "Status": 200, | |||
| "StatusDescription": "Success", | "StatusDescription": "Success", | |||
| "Cryptographic": [], | "Cryptographic": [], | |||
| "Service": [{ | "Service": [{ | |||
| "Service": "private-dns-resolver", | "Service": "private-dns-resolver", | |||
| "Name": "localhost", | "Name": "localhost", | |||
| "Port": 9090, | "Port": 9090, | |||
| "Priority": 100, | "Priority": 100, | |||
| "Weight": 100, | "Weight": 100, | |||
| "Transport": "UDP", | "Transport": "UDP", | |||
| "Cryptographic": { | "Cryptographic": { | |||
| "Secret": " | "Secret": " | |||
| SwVyt3p_tkMeneeYtqnw5g", | qJq11EcqrvWe2WfyDC2FLg", | |||
| "Encryption": "A128CBC", | "Encryption": "A128CBC", | |||
| "Authentication": "HS256T128", | "Authentication": "HS256T128", | |||
| "Ticket": " | "Ticket": " | |||
| bH0q4n8XQOWbjStHsVCzAzS3fbkV2mbx-HUC8Bxw7r31HXcXRvPp4xWORxSo98N4 | Tpau1M6HuDjwuzwLhw9SWPi9Qx1zfkcQmaj0YRnKV-JCRv2kld06zyobptvuA2F6 | |||
| M6uklYZEEC5OvlYBQ0kETabpBz7-dYo7nYCD6yCFlvE"}}]}} | JGXkM0JGnSVWOPtn235wnIljsg7pZg25vPiofgPuZNY"}}]}} | |||
| 2.1.2. Example: Hybrid Resolver | 2.1.2. Example: Hybrid Resolver | |||
| Following the use case [U-HYBRID], Alice decides to use her personal | Following the use case [U-HYBRID], Alice decides to use her personal | |||
| computer for work under her employer's 'Bring Your Own Device' | computer for work under her employer's 'Bring Your Own Device' | |||
| program. Alice needs access to multiple services within her | program. Alice needs access to multiple services within her | |||
| employer's intranet. | employer's intranet. | |||
| Her system administrator issues her an account name [TBS], a one time | Her system administrator issues her an account name [TBS], a one time | |||
| use PIN [TBS] and the DNS address of the service connection service | use PIN [TBS] and the DNS address of the service connection service | |||
| skipping to change at page 8, line 14 ¶ | skipping to change at page 7, line 26 ¶ | |||
| POST /.well-known/sxs-connect/ HTTP/1.1 | POST /.well-known/sxs-connect/ HTTP/1.1 | |||
| Content-Type: application/json;charset=UTF-8 | Content-Type: application/json;charset=UTF-8 | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| Host: localhost:8080 | Host: localhost:8080 | |||
| Content-Length: 352 | Content-Length: 352 | |||
| Expect: 100-continue | Expect: 100-continue | |||
| { | { | |||
| "OpenPINRequest": { | "OpenPINRequest": { | |||
| "Service": ["private-dns-resolver"], | ||||
| "Encryption": ["A128CBC", | "Encryption": ["A128CBC", | |||
| "A256CBC", | "A256CBC", | |||
| "A128GCM", | "A128GCM", | |||
| "A256GCM"], | "A256GCM"], | |||
| "Authentication": ["HS256", | "Authentication": ["HS256", | |||
| "HS384", | "HS384", | |||
| "HS512", | "HS512", | |||
| "HS256T128"], | "HS256T128"], | |||
| "Account": "alice", | "Account": "alice", | |||
| "Service": ["private-dns-resolver"], | ||||
| "Domain": "example.com", | "Domain": "example.com", | |||
| "HaveDisplay": false, | "HaveDisplay": false, | |||
| "Challenge": " | "Challenge": " | |||
| YBr17dBu_lSDm4vY66rNBQ"}} | c1CfkTu5XVVLuT2gxaVFjA"}} | |||
| The server provides a challenge for verifying the one time use PIN. | The server provides a challenge for verifying the one time use PIN. | |||
| HTTP/1.1 OK Success | HTTP/1.1 281 Pin code required | |||
| Content-Length: 501 | Content-Length: 511 | |||
| Date: Fri, 09 May 2014 20:58:44 GMT | Date: Tue, 14 Oct 2014 19:34:07 GMT | |||
| Server: Microsoft-HTTPAPI/2.0 | Server: Microsoft-HTTPAPI/2.0 | |||
| { | { | |||
| "OpenPINResponse": { | "OpenPINResponse": { | |||
| "Status": 200, | "Status": 281, | |||
| "StatusDescription": "Success", | "StatusDescription": "Pin code required", | |||
| "Challenge": " | "Challenge": " | |||
| _eIhopTZAfkQR-mW6Y1IPg", | 9W8IxZw-bEQBbnWBWSM9Vw", | |||
| "ChallengeResponse": " | "ChallengeResponse": " | |||
| qRNgrSFhP3g6j-h8vlsIXN8rB5zn8qxgrqRcSFAiT_Q", | 2FPG-xEBcYIo2137in1wxnhqUxmhygB6SsfvzhtYTXE", | |||
| "Cryptographic": { | "Cryptographic": { | |||
| "Secret": " | "Secret": " | |||
| 3RWt4aRqQUA2o82GCz8BXA", | KATjv8Nkix4ITrexxyGBsQ", | |||
| "Encryption": "A128CBC", | "Encryption": "A128CBC", | |||
| "Authentication": "HS256", | "Authentication": "HS256", | |||
| "Ticket": " | "Ticket": " | |||
| QZnH_9rlynU2SorpMeVwuJ8CDVnMhye4lmCXVGKGBedFCApDByEtvYMiOYB5Cseh | vnBXaykCug2eeRVsH-CEqhR3qJvvRQEmm4a1Ldh-G-Zqj7acqA9NtLYVCnJflaWs | |||
| ApY9xc7uFOrVPi9zyrMIrcbFFUCRU6HRPxfPxWgvcmZpVZJli_GKg9eHiyy5osEU | Sd2cMi8-mqdX-5VRVAMFfrxjdaQx4uq7mcr59OUFMRGSb11ZXcMkan9h142NUjmI | |||
| AAPKUwJEGY1TXGf0xDYdaw"}}} | t1MnYRsXWNdFndPE19zMDA"}}} | |||
| Having obtained the challenge value from the service, the client | Having obtained the challenge value from the service, the client | |||
| resends the initial request, having authenticated it this time under | resends the initial request, having authenticated it this time under | |||
| the challenge and one time PIN: | the challenge and one time PIN: | |||
| POST /.well-known/sxs-connect/ HTTP/1.1 | POST /.well-known/sxs-connect/ HTTP/1.1 | |||
| Content-Type: application/json;charset=UTF-8 | Content-Type: application/json;charset=UTF-8 | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| Session: Value=bqbwaF3dLBxEvMeGiYeatBCtZLmdIRGleGhEYmmnkaw; | Session: Value=uuPiOYOP7kpM3xrYXMWa9JttlhR-VSf604UR6iFbPpY; | |||
| Id=QZnH_9rlynU2SorpMeVwuJ8CDVnMhye4lmCXVGKGBedFCApDByEtvYMiOYB5 | Id=vnBXaykCug2eeRVsH-CEqhR3qJvvRQEmm4a1Ldh-G-Zqj7acqA9NtLYVCnJf | |||
| CsehApY9xc7uFOrVPi9zyrMIrcbFFUCRU6HRPxfPxWgvcmZpVZJli_GKg9eHiyy | laWsSd2cMi8-mqdX-5VRVAMFfrxjdaQx4uq7mcr59OUFMRGSb11ZXcMkan9h142 | |||
| 5osEUAAPKUwJEGY1TXGf0xDYdaw | NUjmIt1MnYRsXWNdFndPE19zMDA | |||
| Host: localhost:8080 | Host: localhost:8080 | |||
| Content-Length: 137 | Content-Length: 137 | |||
| Expect: 100-continue | Expect: 100-continue | |||
| { | { | |||
| "TicketRequest": { | "TicketRequest": { | |||
| "Service": ["private-dns-resolver"], | "Service": ["private-dns-resolver"], | |||
| "ChallengeResponse": " | "ChallengeResponse": " | |||
| mIr09oenHdiMji5i-sTX66KKzP_eXQAd6WXIgF3Y4uc"}} | S_t81MumUqouGaxWQIT1nOJfkUaE1YcXNwQJXkXuqbM"}} | |||
| The server returns a set of host connections for the requested | The server returns a set of host connections for the requested | |||
| services. The scope of the PRIVATE-DNS service is limited to the | services. The scope of the PRIVATE-DNS service is limited to the | |||
| domain tree *.example.net: | domain tree *.example.net: | |||
| HTTP/1.1 OK Success | HTTP/1.1 OK Success | |||
| Content-Length: 858 | Content-Length: 858 | |||
| Date: Fri, 09 May 2014 20:58:44 GMT | Date: Tue, 14 Oct 2014 19:34:07 GMT | |||
| Server: Microsoft-HTTPAPI/2.0 | Server: Microsoft-HTTPAPI/2.0 | |||
| { | { | |||
| "TicketResponse": { | "TicketResponse": { | |||
| "Status": 200, | "Status": 200, | |||
| "StatusDescription": "Success", | "StatusDescription": "Success", | |||
| "Cryptographic": [{ | "Cryptographic": [{ | |||
| "Protocol": "sxs-connect", | "Protocol": "sxs-connect", | |||
| "Secret": " | "Secret": " | |||
| fIRiC7by_MNNyuam0f8yDQ", | UDvvBM8fE42zCs4g2mVnjw", | |||
| "Encryption": "A128CBC", | "Encryption": "A128CBC", | |||
| "Authentication": "HS256", | "Authentication": "HS256", | |||
| "Ticket": " | "Ticket": " | |||
| W76CJuIWZVig0OQVT6eldIl02d4e-Zgv9YrYnTAPgNNIbdeN_2FY30KUwiRPjh2i | ||||
| r-NWiZ2FICQ4ATi2r9oktpMSEeyPRFppvHE6tnPFe9U"}], | WZDn4kOYJCrx6LnhuWwH3U00_aCJBcNRcUZyIV8L_hWVGjtvF8UEWTL1SgRXYcSE | |||
| zVBR9v_ER4HpSEwkYgKLX2crAo2fZMZlqyRW9kh5s88"}], | ||||
| "Service": [{ | "Service": [{ | |||
| "Service": "private-dns-resolver", | "Service": "private-dns-resolver", | |||
| "Name": "localhost", | "Name": "localhost", | |||
| "Port": 9090, | "Port": 9090, | |||
| "Priority": 100, | "Priority": 100, | |||
| "Weight": 100, | "Weight": 100, | |||
| "Transport": "UDP", | "Transport": "UDP", | |||
| "Cryptographic": { | "Cryptographic": { | |||
| "Secret": " | "Secret": " | |||
| Y1klIDYuNfyCIMiqWbQi2w", | IdvuBOccKHwnPFIByHaU6w", | |||
| "Encryption": "A128CBC", | "Encryption": "A128CBC", | |||
| "Authentication": "HS256T128", | "Authentication": "HS256T128", | |||
| "Ticket": " | "Ticket": " | |||
| w_aLDzTjGjHiEDeOFDypBlGfY8a9xdTOnIdAgr2SjyFA3A2T8nVOwwacB9NW4qh9 | xMVgwd-i2nHjbmZDUowVx3yAUHl_gHuh7aNzxVArYepIBMHcpaaNGw4goUsZTMby | |||
| xmLLgDYNyFvNIwTxxJH2ER0HU95VyjNMyrSAAj1zfM8"}}]}} | EOUinBXDXkmVE66ExnA4H4Mgd9GSu48ReM9lKtrff98"}}]}} | |||
| 2.2. Query Protocol Binding | 2.2. Query Protocol Binding | |||
| The Query Protocol Binding is designed to efficiently support the | The Query Protocol Binding is designed to efficiently support the | |||
| following features: | following features: | |||
| * Encryption | * Encryption | |||
| * Prevent use in an Denial of Service attack. | * Prevent use in an Denial of Service attack. | |||
| skipping to change at page 12, line 8 ¶ | skipping to change at page 10, line 41 ¶ | |||
| [TBS at the moment there is no key derrivation function specified and | [TBS at the moment there is no key derrivation function specified and | |||
| the same key is used for encryption and authentication. This is a | the same key is used for encryption and authentication. This is a | |||
| weak approach architecturally as a compromise of one algorithm puts | weak approach architecturally as a compromise of one algorithm puts | |||
| the other at risk and should be fixed. Rather than use k as the key | the other at risk and should be fixed. Rather than use k as the key | |||
| we should use MAC ("encrypt", k) and MAC ("decrypt", k) or something | we should use MAC ("encrypt", k) and MAC ("decrypt", k) or something | |||
| similar. However doing that right requires consulting past RFCs to | similar. However doing that right requires consulting past RFCs to | |||
| find the right derrivation function.] | find the right derrivation function.] | |||
| Ticket value is: | Ticket value is: | |||
| 6c 7d 2a e2 7f 17 40 e5 9b 8d 2b 47 b1 50 b3 03 | 4e 96 ae d4 ce 87 b8 38 f0 bb 3c 0b 87 0f 52 58 | |||
| 34 b7 7d b9 15 da 66 f1 f8 75 02 f0 1c 70 ee bd | f8 bd 43 1d 73 7e 47 10 99 a8 f4 61 19 ca 57 e2 | |||
| f5 1d 77 17 46 f3 e9 e3 15 8e 47 14 a8 f7 c3 78 | 42 46 fd a4 95 dd 3a cf 2a 1b a6 db ee 03 61 7a | |||
| 33 ab a4 95 86 44 10 2e 4e be 56 01 43 49 04 4d | 24 65 e4 33 42 46 9d 25 56 38 fb 67 db 7e 70 9c | |||
| a6 e9 07 3e fe 75 8a 3b 9d 80 83 eb 20 85 96 f1 | 89 63 b2 0e e9 66 0d b9 bc f8 a8 7e 03 ee 64 d6 | |||
| Master key is: | Master key is: | |||
| 4b 05 72 b7 7a 7f b6 43 1e 9d e7 98 b6 a9 f0 e6 | a8 9a b5 d4 47 2a ae f5 9e d9 67 f2 0c 2d 85 2e | |||
| Authentication key is TBS (Master) | Authentication key is TBS (Master) | |||
| 4b 05 72 b7 7a 7f b6 43 1e 9d e7 98 b6 a9 f0 e6 | a8 9a b5 d4 47 2a ae f5 9e d9 67 f2 0c 2d 85 2e | |||
| Encryption key is TBS (Master) | Encryption key is TBS (Master) | |||
| 4b 05 72 b7 7a 7f b6 43 1e 9d e7 98 b6 a9 f0 e6 | a8 9a b5 d4 47 2a ae f5 9e d9 67 f2 0c 2d 85 2e | |||
| 2.2.2.2. Request | 2.2.2.2. Request | |||
| The DNS Request is: [TBS this is a placeholder] | The DNS Request is: [TBS this is a placeholder] | |||
| ;; QUESTION SECTION: | ;; QUESTION SECTION: | |||
| example.com. IN A | example.com. IN A | |||
| In hex: | In hex: | |||
| skipping to change at page 13, line 10 ¶ | skipping to change at page 12, line 6 ¶ | |||
| Note that in a real world example, the request SHOULD be padded to a | Note that in a real world example, the request SHOULD be padded to a | |||
| fixed value (e.g. 1100 bytes) to prevent traffic analysis disclosing | fixed value (e.g. 1100 bytes) to prevent traffic analysis disclosing | |||
| the message contents. for illustrative purposes, a mimimal padding is | the message contents. for illustrative purposes, a mimimal padding is | |||
| applied: | applied: | |||
| The request has the transaction ID which doubles as the | The request has the transaction ID which doubles as the | |||
| initialization vector of the encryption algorithm and ticket | initialization vector of the encryption algorithm and ticket | |||
| identifier prepended and the MAC value appended: | identifier prepended and the MAC value appended: | |||
| Transaction ID: 10 (= 16 bytes) | Transaction ID: 10 (= 16 bytes) | |||
| 23 bd d7 5e c0 eb a7 4d 85 92 fd 94 e0 05 85 a7 | 34 bf 46 58 50 6b 20 7a bb 57 71 04 94 c5 80 06 | |||
| Ticket: 50 (= 80 bytes) | Ticket: 50 (= 80 bytes) | |||
| 6c 7d 2a e2 7f 17 40 e5 9b 8d 2b 47 b1 50 b3 03 | 4e 96 ae d4 ce 87 b8 38 f0 bb 3c 0b 87 0f 52 58 | |||
| 34 b7 7d b9 15 da 66 f1 f8 75 02 f0 1c 70 ee bd | f8 bd 43 1d 73 7e 47 10 99 a8 f4 61 19 ca 57 e2 | |||
| f5 1d 77 17 46 f3 e9 e3 15 8e 47 14 a8 f7 c3 78 | 42 46 fd a4 95 dd 3a cf 2a 1b a6 db ee 03 61 7a | |||
| 33 ab a4 95 86 44 10 2e 4e be 56 01 43 49 04 4d | 24 65 e4 33 42 46 9d 25 56 38 fb 67 db 7e 70 9c | |||
| a6 e9 07 3e fe 75 8a 3b 9d 80 83 eb 20 85 96 f1 | 89 63 b2 0e e9 66 0d b9 bc f8 a8 7e 03 ee 64 d6 | |||
| Encrypted Data: 00 30 (= 48 bytes) | Encrypted Data: 00 30 (= 48 bytes) | |||
| 4c 16 ae b8 e1 8d f7 cf ab f1 d6 e7 d0 07 52 bc | fd e5 f6 48 69 ce 6a bb b3 d4 ef 86 06 e9 79 f7 | |||
| 96 ec a0 df f1 a9 bf fd e2 5c 7c 13 88 31 62 13 | 82 3e 86 d2 ac c5 e9 f4 b6 f3 eb a5 02 5c bf 5d | |||
| fc c3 a4 12 44 25 6a a2 6a fa 97 f7 57 97 fd ce | 07 eb 31 cb 2b 29 90 a9 c7 96 cd bd a9 71 a1 7a | |||
| MAC: 10 (= 16 bytes) | MAC: 10 (= 16 bytes) | |||
| a7 25 0b df 5a 10 bf ac 39 99 b7 6c 19 d2 1d e8 | b9 1d e6 e4 63 93 04 d8 ff 26 8e 17 fa a9 84 aa | |||
| 2.2.2.3. Response | 2.2.2.3. Response | |||
| The recursive resolver locates the records and returns the response. | The recursive resolver locates the records and returns the response. | |||
| The DNS Response is [TBS this is a placeholder] | The DNS Response is [TBS this is a placeholder] | |||
| ;; ANSWER SECTION: | ;; ANSWER SECTION: | |||
| example.com. 38400 IN A 192.168.1.20 | example.com. 38400 IN A 192.168.1.20 | |||
| skipping to change at page 14, line 9 ¶ | skipping to change at page 13, line 9 ¶ | |||
| 00 01 00 01 00 00 00 e3 00 04 42 f9 59 63 c0 2c | 00 01 00 01 00 00 00 e3 00 04 42 f9 59 63 c0 2c | |||
| 00 01 00 01 00 00 00 e3 00 04 42 f9 59 68 | 00 01 00 01 00 00 00 e3 00 04 42 f9 59 68 | |||
| The plaintext payload is the DNS response plus the MAC value of the | The plaintext payload is the DNS response plus the MAC value of the | |||
| request. This response is small enough to fit into a single packet. | request. This response is small enough to fit into a single packet. | |||
| Segment(0) | Segment(0) | |||
| Type code: 04 | Type code: 04 | |||
| Segment length: 00 20 | Segment length: 00 20 | |||
| Data: | Data: | |||
| a7 25 0b df 5a 10 bf ac 39 99 b7 6c 19 d2 1d e8 | b9 1d e6 e4 63 93 04 d8 ff 26 8e 17 fa a9 84 aa | |||
| 24 93 b5 09 df 3d 91 27 98 23 10 99 25 b1 45 9e | 7d ff 40 00 16 91 70 d1 0a 1a 19 a5 1f 3a dc cf | |||
| Segment(1) | Segment(1) | |||
| Type code: 12 | Type code: 12 | |||
| Segment length: 00 5e | Segment length: 00 5e | |||
| Data: | Data: | |||
| 24 1a 81 80 00 01 00 03 00 00 00 00 03 77 77 77 | 24 1a 81 80 00 01 00 03 00 00 00 00 03 77 77 77 | |||
| 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01 | 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 01 00 01 | |||
| c0 0c 00 05 00 01 00 05 28 39 00 12 03 77 77 77 | c0 0c 00 05 00 01 00 05 28 39 00 12 03 77 77 77 | |||
| 01 6c 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 c0 2c | 01 6c 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 c0 2c | |||
| 00 01 00 01 00 00 00 e3 00 04 42 f9 59 63 c0 2c | 00 01 00 01 00 00 00 e3 00 04 42 f9 59 63 c0 2c | |||
| 00 01 00 01 00 00 00 e3 00 04 42 f9 59 68 | 00 01 00 01 00 00 00 e3 00 04 42 f9 59 68 | |||
| The plaintext is encrypted and the transaction identifier and MAC | The plaintext is encrypted and the transaction identifier and MAC | |||
| values added. Note that in a multiple packet response, each response | values added. Note that in a multiple packet response, each response | |||
| has its own MAC value: | has its own MAC value: | |||
| Transaction ID: 10 (= 16 bytes) | Transaction ID: 10 (= 16 bytes) | |||
| cd 36 4b 64 e0 c2 e7 52 90 a4 75 60 a2 af dc 13 | 8e dc 41 ba 32 9f ca 6c b4 83 43 34 88 10 7f ed | |||
| Index: 01 | Index: 01 | |||
| Max Index: 01 | Max Index: 01 | |||
| Clear Response: 00 c8 (= 200) | Clear Response: 00 c8 (= 200) | |||
| Encrypted Data: 00 90 (= 144 bytes) | Encrypted Data: 00 90 (= 144 bytes) | |||
| 59 9a a7 57 56 df 19 28 fe ea c2 e2 60 36 0c aa | ce e6 31 cd 2d 48 01 07 23 77 db 99 ac e1 57 2a | |||
| fb 43 dd d0 94 02 9a f8 d9 d8 75 d4 13 11 d5 18 | 7c f1 9b 7c cd 9e 68 8d 76 97 de 99 eb d5 bb fc | |||
| 08 05 02 e4 43 10 3f 92 63 ec b7 8c 81 9e 70 40 | 4d 17 c6 3f 9b 69 a1 e5 3a 4e 61 36 59 c6 8c 89 | |||
| b4 00 e6 26 39 45 67 d4 1e 1b 87 11 e9 70 83 ee | 5c 17 2e 8c 56 6c 49 71 0a 3a 07 3d d8 1a 18 f1 | |||
| 7e ac 43 02 8e 54 b5 b7 5a 07 44 6f 5f 31 9d 6a | 25 ad 92 fa ef 85 b2 31 78 25 35 b8 e7 c2 c0 92 | |||
| bf 8f d8 22 ba 12 06 8a 36 3a 72 71 3e a7 f2 21 | d3 ad a9 75 1e 10 a2 4d 3d 81 99 19 43 86 3b 29 | |||
| bb 0c c6 44 57 c3 4a 56 0f 1e ec e5 68 c6 08 ff | b5 49 45 49 00 59 6b 7b 80 47 e7 fb 36 99 4b 76 | |||
| 21 b1 4a 07 04 5c 12 62 2b 3b 14 34 83 56 55 72 | 45 8d aa ba e4 04 65 0b 8f 41 2e 58 df 6a ca 41 | |||
| 03 d9 af 1e 7d 0b be ad 40 4f 98 32 ae 65 3c 43 | dc 16 c7 f9 ac 2a 74 ed a4 84 80 1e e1 72 2d c9 | |||
| MAC: 10 (= 16 bytes) | MAC: 10 (= 16 bytes) | |||
| e6 52 62 72 55 4b 95 be da a5 11 5a cd 2e a8 9b | 49 c2 0c 8b 93 df 7f 33 4e 97 52 9a 66 2b 4f 88 | |||
| 2.2.3. Authentication Conformance | 2.2.3. Authentication Conformance | |||
| A Private-DNS server MUST authenticate queries. In the case that the | A Private-DNS server MUST authenticate queries. In the case that the | |||
| UDP binding is used, a server MUST NOT make any response should the | UDP binding is used, a server MUST NOT make any response should the | |||
| verification step fail. This requirement ensures that a Private-DNS | verification step fail. This requirement ensures that a Private-DNS | |||
| service cannot be used to attack other systems in a Denial of Service | service cannot be used to attack other systems in a Denial of Service | |||
| attack through use of packets with forged source addresses. | attack through use of packets with forged source addresses. | |||
| A service MAY provide an error response in the case that a request | A service MAY provide an error response in the case that a request | |||
| skipping to change at page 16, line 43 ¶ | skipping to change at page 15, line 43 ¶ | |||
| MIME content type application/private-dns-p.p. | MIME content type application/private-dns-p.p. | |||
| 4. Security Considerationsns | 4. Security Considerationsns | |||
| The broad security requirements for Private-DNS are set out in [I- | The broad security requirements for Private-DNS are set out in [I- | |||
| D.hallambaker-dnse]. | D.hallambaker-dnse]. | |||
| In due course this section will explain which of the security | In due course this section will explain which of the security | |||
| requirements is met and under which circumstances. | requirements is met and under which circumstances. | |||
| 4.1. Confidentialityty | 4.1. Confidentiality | |||
| 4.2. Integrity | 4.2. Integrity | |||
| 4.3. Access | 4.3. Access | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| 6. Acnowledgements | 6. Acnowledgements | |||
| 7. References | 7. References | |||
| End of changes. 36 change blocks. | ||||
| 83 lines changed or deleted | 84 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||