| < draft-ietf-add-dnr-06.txt | draft-ietf-add-dnr-07.txt > | |||
|---|---|---|---|---|
| ADD M. Boucadair, Ed. | ADD M. Boucadair, Ed. | |||
| Internet-Draft Orange | Internet-Draft Orange | |||
| Intended status: Standards Track T. Reddy, Ed. | Intended status: Standards Track T. Reddy, Ed. | |||
| Expires: 23 September 2022 Akamai | Expires: 15 October 2022 Akamai | |||
| D. Wing | D. Wing | |||
| Citrix | Citrix | |||
| N. Cook | N. Cook | |||
| Open-Xchange | Open-Xchange | |||
| T. Jensen | T. Jensen | |||
| Microsoft | Microsoft | |||
| 22 March 2022 | 13 April 2022 | |||
| DHCP and Router Advertisement Options for the Discovery of Network- | DHCP and Router Advertisement Options for the Discovery of Network- | |||
| designated Resolvers (DNR) | designated Resolvers (DNR) | |||
| draft-ietf-add-dnr-06 | draft-ietf-add-dnr-07 | |||
| Abstract | Abstract | |||
| The document specifies new DHCP and IPv6 Router Advertisement options | The document specifies new DHCP and IPv6 Router Advertisement options | |||
| to discover encrypted DNS servers (e.g., DNS-over-HTTPS, DNS-over- | to discover encrypted DNS servers (e.g., DNS-over-HTTPS, DNS-over- | |||
| TLS, DNS-over-QUIC). Particularly, it allows to learn an | TLS, DNS-over-QUIC). Particularly, it allows to learn an | |||
| authentication domain name together with a list of IP addresses and a | authentication domain name together with a list of IP addresses and a | |||
| set of service parameters to reach such encrypted DNS servers. | set of service parameters to reach such encrypted DNS servers. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 23 September 2022. | This Internet-Draft will expire on 15 October 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Configuration Data for Encrypted DNS . . . . . . . . . . 4 | 3.1. Configuration Data for Encrypted DNS . . . . . . . . . . 4 | |||
| 3.2. Handling Configuration Data Conflicts . . . . . . . . . . 5 | 3.2. Handling Configuration Data Conflicts . . . . . . . . . . 6 | |||
| 3.3. Connection Establishment . . . . . . . . . . . . . . . . 5 | 3.3. Connection Establishment . . . . . . . . . . . . . . . . 6 | |||
| 3.4. Multihoming Considerations . . . . . . . . . . . . . . . 6 | 3.4. Multihoming Considerations . . . . . . . . . . . . . . . 7 | |||
| 4. DHCPv6 Encrypted DNS Option . . . . . . . . . . . . . . . . . 6 | 4. DHCPv6 Encrypted DNS Option . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 6 | 4.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. DHCPv6 Client Behavior . . . . . . . . . . . . . . . . . 8 | 4.2. DHCPv6 Client Behavior . . . . . . . . . . . . . . . . . 9 | |||
| 5. DHCPv4 Encrypted DNS Option . . . . . . . . . . . . . . . . . 8 | 5. DHCPv4 Encrypted DNS Option . . . . . . . . . . . . . . . . . 9 | |||
| 5.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 8 | 5.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.2. DHCPv4 Client Behavior . . . . . . . . . . . . . . . . . 10 | 5.2. DHCPv4 Client Behavior . . . . . . . . . . . . . . . . . 11 | |||
| 6. IPv6 RA Encrypted DNS Option . . . . . . . . . . . . . . . . 10 | 6. IPv6 RA Encrypted DNS Option . . . . . . . . . . . . . . . . 12 | |||
| 6.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 10 | 6.1. Option Format . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.2. IPv6 Host Behavior . . . . . . . . . . . . . . . . . . . 12 | 6.2. IPv6 Host Behavior . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. Spoofing Attacks . . . . . . . . . . . . . . . . . . . . 13 | 7.1. Spoofing Attacks . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. Deletion Attacks . . . . . . . . . . . . . . . . . . . . 14 | 7.2. Deletion Attacks . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.3. Passive Attacks . . . . . . . . . . . . . . . . . . . . . 14 | 7.3. Passive Attacks . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.4. Wireless Security - Authentication Attacks . . . . . . . 14 | 7.4. Wireless Security - Authentication Attacks . . . . . . . 15 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.1. DHCPv6 Option . . . . . . . . . . . . . . . . . . . . . . 15 | 8.1. DHCPv6 Option . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.2. DHCPv4 Option . . . . . . . . . . . . . . . . . . . . . . 15 | 8.2. DHCPv4 Option . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.3. Neighbor Discovery Option . . . . . . . . . . . . . . . . 15 | 8.3. Neighbor Discovery Option . . . . . . . . . . . . . . . . 17 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 10. Contributing Authors . . . . . . . . . . . . . . . . . . . . 16 | 10. Contributing Authors . . . . . . . . . . . . . . . . . . . . 17 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 18 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 17 | 11.2. Informative References . . . . . . . . . . . . . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 1. Introduction | 1. Introduction | |||
| This document focuses on the support of encrypted DNS such as DNS- | This document focuses on the support of encrypted DNS such as DNS- | |||
| over-HTTPS (DoH) [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS- | over-HTTPS (DoH) [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS- | |||
| over-QUIC (DoQ) [I-D.ietf-dprive-dnsoquic] in local networks. | over-QUIC (DoQ) [I-D.ietf-dprive-dnsoquic] in local networks. | |||
| In particular, the document specifies how a local encrypted DNS | In particular, the document specifies how a local encrypted DNS | |||
| server can be discovered by connected hosts by means of DHCPv4 | server can be discovered by connected hosts by means of DHCPv4 | |||
| [RFC2132], DHCPv6 [RFC8415], and IPv6 Router Advertisement (RA) | [RFC2132], DHCPv6 [RFC8415], and IPv6 Router Advertisement (RA) | |||
| [RFC4861] options. These options are designed to convey the | [RFC4861] options. These options are designed to convey the | |||
| following information: the DNS Authentication Domain Name (ADN), a | following information: the DNS Authentication Domain Name (ADN), a | |||
| list of IP addresses, and a set of service parameters. | list of IP addresses, and a set of service parameters. This | |||
| procedure is called Discovery of Network-designated Resolvers (DNR). | ||||
| The options defined in this document can be deployed in a variety of | The options defined in this document can be deployed in a variety of | |||
| deployments (e.g., local networks with Customer Premises Equipment | deployments (e.g., local networks with Customer Premises Equipment | |||
| (CPEs) that may or may not be managed by an Internet Service Provider | (CPEs) that may or may not be managed by an Internet Service Provider | |||
| (ISP), local networks with or without DNS forwarders). It is out of | (ISP), local networks with or without DNS forwarders). It is out of | |||
| the scope of this document to provide an inventory of such | the scope of this document to provide an inventory of such | |||
| deployments. | deployments. | |||
| 2. Terminology | 2. Terminology | |||
| skipping to change at page 3, line 32 ¶ | skipping to change at page 3, line 33 ¶ | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| This document makes use of the terms defined in [RFC8499]. The | This document makes use of the terms defined in [RFC8499]. The | |||
| following additional terms are used: | following additional terms are used: | |||
| Do53: refers to unencrypted DNS. | Do53: refers to unencrypted DNS. | |||
| DNR: refers to the Discovery of Network-designated Resolvers | ||||
| procedure. | ||||
| Encrypted DNS: refers to a scheme where DNS exchanges are | Encrypted DNS: refers to a scheme where DNS exchanges are | |||
| transported over an encrypted channel. Examples of encrypted DNS | transported over an encrypted channel. Examples of encrypted DNS | |||
| are DoT, DoH, or DoQ. | are DoT, DoH, or DoQ. | |||
| Encrypted DNS options: refers to the options defined in Sections 4, | Encrypted DNS options: refers to the options defined in Sections 4, | |||
| 5, and 6. | 5, and 6. | |||
| DHCP: refers to both DHCPv4 and DHCPv6. | DHCP: refers to both DHCPv4 and DHCPv6. | |||
| 3. Overview | 3. Overview | |||
| skipping to change at page 5, line 10 ¶ | skipping to change at page 5, line 18 ¶ | |||
| Because distinct encrypted DNS protocols may be provisioned by a | Because distinct encrypted DNS protocols may be provisioned by a | |||
| network (e.g., DoT, DoH, and DoQ) and that some of these protocols | network (e.g., DoT, DoH, and DoQ) and that some of these protocols | |||
| may make use of customized port numbers instead of default ones, the | may make use of customized port numbers instead of default ones, the | |||
| Encrypted DNS options are designed to return a set of service | Encrypted DNS options are designed to return a set of service | |||
| parameters. These parameters are encoded following the same rules | parameters. These parameters are encoded following the same rules | |||
| for encoding SvcParams in Section 2.1 of [I-D.ietf-dnsop-svcb-https]. | for encoding SvcParams in Section 2.1 of [I-D.ietf-dnsop-svcb-https]. | |||
| This encoding approach may increase the size of the options but it | This encoding approach may increase the size of the options but it | |||
| has the merit to rely upon an existing IANA registry and, thus, to | has the merit to rely upon an existing IANA registry and, thus, to | |||
| accommodate new encrypted DNS protocols and service parameters that | accommodate new encrypted DNS protocols and service parameters that | |||
| may be defined in the future. For example, "dohpath" service | may be defined in the future. At least the following service | |||
| parameter (Section 5.1 of [I-D.ietf-add-svcb-dns]) supplies a | parameters are RECOMMENDED to be supported by a DNR implementation: | |||
| relative DoH URI Template. | ||||
| alpn: Used to indicate the set of supported protocols (Section 7.1 | ||||
| of [I-D.ietf-dnsop-svcb-https]). | ||||
| port: Used to indicate the target port number for the encrypted DNS | ||||
| connection (Section 7.2 of [I-D.ietf-dnsop-svcb-https]). | ||||
| ech: Used to enable Encrypted ClientHello (ECH) (Section 7.3 of | ||||
| [I-D.ietf-dnsop-svcb-https]). | ||||
| dohpath: Used to supply a relative DoH URI Template (Section 5.1 of | ||||
| [I-D.ietf-add-svcb-dns]). | ||||
| A single option is used to convey both the ADN and IP addresses | A single option is used to convey both the ADN and IP addresses | |||
| because otherwise means to correlate an IP address with an ADN will | because otherwise means to correlate an IP address with an ADN will | |||
| be required if, for example, more than one ADN is supported by the | be required if, for example, more than one ADN is supported by the | |||
| network. | network. | |||
| The DHCP options defined in Sections 4 and 5 follow the option | The DHCP options defined in Sections 4 and 5 follow the option | |||
| ordering guidelines in Section 17 of [RFC7227]. | ordering guidelines in Section 17 of [RFC7227]. Likewise, the RA | |||
| option (Section 6) adheres to the recommendations in Section 9 of | ||||
| [RFC4861]. | ||||
| AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not | ServiceMode (Section 2.4.3 of [I-D.ietf-dnsop-svcb-https]) SHOULD be | |||
| supported because such a mode will trigger additional Do53 queries | used because the Encrypted DNS options are self-contained and do not | |||
| while the data can be supplied directly by DHCP servers. The reader | require any additional DNS queries. The reader may refer to | |||
| may refer to [RFC7969] for an overview of advanced capabilities that | [RFC7969] for an overview of advanced capabilities that are supported | |||
| are supported by DHCP servers to populate configuration data (e.g., | by DHCP servers to populate configuration data (e.g., issue DNS | |||
| issue DNS queries). | queries). | |||
| In contexts where putting additional complexity on requesting hosts | ||||
| is acceptable, returning an ADN only can be considered. The supplied | ||||
| ADN will be processed by a host following the procedure in Section 5 | ||||
| of [I-D.ietf-add-ddr]. Note that this mode may be subject to active | ||||
| attacks, which can be mitigated by DNSSEC. | ||||
| Other mechanisms may be considered in other contexts (e.g., secure | ||||
| discovery) for the provisioning of encrypted DNS servers. It is | ||||
| RECOMMENDED that at least the following DNR information is made | ||||
| available to a requesting host: | ||||
| * A service priority whenever the discovery mechanism does not rely | ||||
| on implicit ordering if multiple instances of the encrypted DNS | ||||
| are used. | ||||
| * An authentication domain name. | ||||
| * A list of IP addresses to locate the encrypted DNS server. | ||||
| * A set of service parameters. | ||||
| 3.2. Handling Configuration Data Conflicts | 3.2. Handling Configuration Data Conflicts | |||
| If the encrypted DNS is discovered by a host using both RA and DHCP, | If the encrypted DNS is discovered by a host using both RA and DHCP, | |||
| the rules discussed in Section 5.3.1 of [RFC8106] MUST be followed. | the rules discussed in Section 5.3.1 of [RFC8106] MUST be followed. | |||
| DHCP/RA options to discover encrypted DNS servers (including, DoH URI | DHCP/RA options to discover encrypted DNS servers (including, DoH URI | |||
| Templates) takes precedence over DDR [I-D.ietf-add-ddr] since DDR | Templates) takes precedence over Discovery of Designated Resolvers | |||
| uses Do53 to an external DNS resolver, which is susceptible to both | (DDR) [I-D.ietf-add-ddr] since DDR uses Do53 to an external DNS | |||
| internal and external attacks whereas DHCP/RA is typically protected | resolver, which is susceptible to both internal and external attacks | |||
| using the mechanisms discussed in Section 7.1. | whereas DHCP/RA is typically protected using the mechanisms discussed | |||
| in Section 7.1. | ||||
| 3.3. Connection Establishment | 3.3. Connection Establishment | |||
| If the local DNS client supports one of the discovered Encrypted DNS | If the local DNS client supports one of the discovered Encrypted DNS | |||
| protocols identified by Application Layer Protocol Negotiation (ALPN) | protocols identified by Application Layer Protocol Negotiation (ALPN) | |||
| protocol identifiers, the DNS client establishes an encrypted DNS | protocol identifiers, the DNS client establishes an encrypted DNS | |||
| session following the order of the discovered servers. The client | session following the order of the discovered servers. The client | |||
| follows the mechanism discussed in Section 8 of [RFC8310] to | follows the mechanism discussed in Section 8 of [RFC8310] to | |||
| authenticate the DNS server certificate using the authentication | authenticate the DNS server certificate using the authentication | |||
| domain name conveyed in the Encrypted DNS options. ALPN-related | domain name conveyed in the Encrypted DNS options. ALPN-related | |||
| skipping to change at page 6, line 24 ¶ | skipping to change at page 7, line 24 ¶ | |||
| 4. DHCPv6 Encrypted DNS Option | 4. DHCPv6 Encrypted DNS Option | |||
| 4.1. Option Format | 4.1. Option Format | |||
| The format of the DHCPv6 Encrypted DNS option is shown in Figure 1. | The format of the DHCPv6 Encrypted DNS option is shown in Figure 1. | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | OPTION_V6_DNR | Option-length | | | OPTION_V6_DNR | Option-length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Service Priority | Addr Length | | | Service Priority | ADN Length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| ~ ipv6-address(es) ~ | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | ADN Length | | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ||||
| ~ authentication-domain-name ~ | ~ authentication-domain-name ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Addr Length | | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ||||
| ~ ipv6-address(es) ~ | ||||
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | | | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ||||
| ~ Service Parameters (SvcParams) ~ | ~ Service Parameters (SvcParams) ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 1: DHCPv6 Encrypted DNS Option | Figure 1: DHCPv6 Encrypted DNS Option | |||
| The fields of the option shown in Figure 1 are as follows: | The fields of the option shown in Figure 1 are as follows: | |||
| Option-code: OPTION_V6_DNR (TBA1, see Section 8.1) | Option-code: OPTION_V6_DNR (TBA1, see Section 8.1) | |||
| Option-length: Length of the enclosed data in octets. | Option-length: Length of the enclosed data in octets. The option | |||
| length is ('ADN Length' + 4) when only an ADN is included in the | ||||
| option. | ||||
| Service Priority: The priority of this OPTION_V6_DNR instance | Service Priority: The priority of this OPTION_V6_DNR instance | |||
| compared to other instances. This field is encoded following the | compared to other instances. This field is encoded following the | |||
| rules specified in Section 2.4.1 of [I-D.ietf-dnsop-svcb-https]. | rules specified in Section 2.4.1 of [I-D.ietf-dnsop-svcb-https]. | |||
| AliasMode (Section 2.4.2 of [I-D.ietf-dnsop-svcb-https]) is not | ||||
| supported. As such, this field MUST NOT be set to 0. | ||||
| Addr Length: Length of enclosed IPv6 addresses in octets. It MUST | ||||
| be a multiple of 16. | ||||
| ipv6-address(es) (variable length): Indicates one or more IPv6 | ||||
| addresses to reach the encrypted DNS server. An address can be | ||||
| link-local, ULA, or GUA. The format of this field is shown in | ||||
| Figure 2. | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | | | ||||
| | ipv6-address | | ||||
| | | | ||||
| | | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | ... | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| Figure 2: Format of the IPv6 Addresses Field | ||||
| ADN Length: Length of the authentication-domain-name field in | ADN Length: Length of the authentication-domain-name field in | |||
| octets. | octets. | |||
| authentication-domain-name (variable length): A fully qualified | authentication-domain-name (variable length): A fully qualified | |||
| domain name of the encrypted DNS server. This field is formatted | domain name of the encrypted DNS server. This field is formatted | |||
| as specified in Section 10 of [RFC8415]. | as specified in Section 10 of [RFC8415]. | |||
| An example of the authentication-domain-name encoding is shown in | An example of the authentication-domain-name encoding is shown in | |||
| Figure 3. This example conveys the FQDN "doh1.example.com.", and | Figure 2. This example conveys the FQDN "doh1.example.com.", and | |||
| the resulting Option-length field is 18. | the resulting Option-length field is 18. | |||
| +------+------+------+------+------+------+------+------+------+ | +------+------+------+------+------+------+------+------+------+ | |||
| | 0x04 | d | o | h | 1 | 0x07 | e | x | a | | | 0x04 | d | o | h | 1 | 0x07 | e | x | a | | |||
| +------+------+------+------+------+------+------+------+------+ | +------+------+------+------+------+------+------+------+------+ | |||
| | m | p | l | e | 0x03 | c | o | m | 0x00 | | | m | p | l | e | 0x03 | c | o | m | 0x00 | | |||
| +------+------+------+------+------+------+------+------+------+ | +------+------+------+------+------+------+------+------+------+ | |||
| Figure 3: An Example of the DNS authentication-domain-name | Figure 2: An Example of the DNS authentication-domain-name | |||
| Encoding | Encoding | |||
| Addr Length: Length of enclosed IPv6 addresses in octets. It MUST | ||||
| be a multiple of 16 for ServiceMode. | ||||
| ipv6-address(es) (variable length): Indicates one or more IPv6 | ||||
| addresses to reach the encrypted DNS server. An address can be | ||||
| link-local, ULA, or GUA. The format of this field is shown in | ||||
| Figure 3. | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | | | ||||
| | ipv6-address | | ||||
| | | | ||||
| | | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | ... | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| Figure 3: Format of the IPv6 Addresses Field | ||||
| Service Parameters (SvcParams) (variable length): Specifies a set of | Service Parameters (SvcParams) (variable length): Specifies a set of | |||
| service parameters that are encoded following the rules in | service parameters that are encoded following the rules in | |||
| Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | |||
| may include, for example, a list of ALPN protocol identifiers or | may include, for example, a list of ALPN protocol identifiers or | |||
| alternate port numbers. The service parameters MUST NOT include | alternate port numbers. The service parameters MUST NOT include | |||
| "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | |||
| included IP addresses. | included IP addresses. | |||
| If no port service parameter is included, this indicates that | If no port service parameter is included, this indicates that | |||
| default port numbers should be used. As a reminder, the default | default port numbers should be used. As a reminder, the default | |||
| skipping to change at page 8, line 14 ¶ | skipping to change at page 9, line 18 ¶ | |||
| The length of this field is ('Option-length' - 6 - 'ADN Length' - | The length of this field is ('Option-length' - 6 - 'ADN Length' - | |||
| 'Addr Length'). | 'Addr Length'). | |||
| 4.2. DHCPv6 Client Behavior | 4.2. DHCPv6 Client Behavior | |||
| To discover an encrypted DNS server, the DHCPv6 client MUST include | To discover an encrypted DNS server, the DHCPv6 client MUST include | |||
| OPTION_V6_DNR in an Option Request Option (ORO), as in Sections | OPTION_V6_DNR in an Option Request Option (ORO), as in Sections | |||
| 18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7 of [RFC8415]. | 18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7 of [RFC8415]. | |||
| The DHCP client MUST be prepared to receive multiple instances of the | The DHCPv6 client MUST be prepared to receive multiple instances of | |||
| OPTION_V6_DNR option; each option is to be treated as a separate | the OPTION_V6_DNR option; each option is to be treated as a separate | |||
| encrypted DNS server. These instances SHOULD be processed following | encrypted DNS server. These instances SHOULD be processed following | |||
| their service priority (i.e., smaller service priority indicates a | their service priority (i.e., smaller service priority indicates a | |||
| higher preference). | higher preference). | |||
| The DHCPv6 client MUST silently discard multicast and host loopback | The DHCPv6 client MUST silently discard multicast and host loopback | |||
| addresses conveyed in OPTION_V6_DNR. | addresses conveyed in OPTION_V6_DNR. | |||
| 5. DHCPv4 Encrypted DNS Option | 5. DHCPv4 Encrypted DNS Option | |||
| 5.1. Option Format | 5.1. Option Format | |||
| The format of the DHCPv4 Encrypted DNS option is illustrated in | The format of the DHCPv4 Encrypted DNS option is illustrated in | |||
| Figure 4. | Figure 4. | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | TBA2 | Length | | | TBA2 | Length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Service Priority | | | Service Priority | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Addr Length | | | ||||
| +-+-+-+-+-+-+-+-+ + | ||||
| ~ IPv4 Address(es) ~ | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | ADN Length | | | | ADN Length | | | |||
| +-+-+-+-+-+-+-+-+ + | +-+-+-+-+-+-+-+-+ | | |||
| ~ authentication-domain-name ~ | ~ authentication-domain-name ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Addr Length | | | ||||
| +-+-+-+-+-+-+-+-+ | | ||||
| ~ IPv4 Address(es) ~ | ||||
| | +-+-+-+-+-+-+-+-+ | ||||
| | | | | ||||
| +-+-+-+-+-+-+-+-+ | | ||||
| ~Service Parameters (SvcParams) ~ | ~Service Parameters (SvcParams) ~ | |||
| | | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 4: DHCPv4 Encrypted DNS Option | Figure 4: DHCPv4 Encrypted DNS Option | |||
| The fields of the option shown in Figure 4 are as follows: | The fields of the option shown in Figure 4 are as follows: | |||
| Code: OPTION_V4_DNR (TBA2, see Section 8.2). | Code: OPTION_V4_DNR (TBA2, see Section 8.2). | |||
| Length: Indicates the length of the enclosed data in octets. | Length: Indicates the length of the enclosed data in octets. The | |||
| option length is ('ADN Length' + 3) when only an ADN is included | ||||
| in the option. | ||||
| Service Priority: The priority of this OPTION_V4_DNR instance | Service Priority: The priority of this OPTION_V4_DNR instance | |||
| compared to other instances. This field is encoded following the | compared to other instances. This field is encoded following the | |||
| rules specified in Section 2.4.1 of [I-D.ietf-dnsop-svcb-https]. | rules specified in Section 2.4.1 of [I-D.ietf-dnsop-svcb-https]. | |||
| It MUST NOT be set to 0. | ||||
| Addr Length: Indicates the length of included IPv4 addresses in | ||||
| octets. It MUST be a multiple of 4. | ||||
| IPv4 Address(es) (variable length): Indicates one or more IPv4 | ||||
| addresses to reach the encrypted DNS server. Both private and | ||||
| public IPv4 addresses can be included in this field. The format | ||||
| of this field is shown in Figure 5. This format assumes that an | ||||
| IPv4 address is encoded as a1.a2.a3.a4. | ||||
| 0 8 16 24 32 40 48 | ||||
| +-----+-----+-----+-----+-----+-----+-- | ||||
| | a1 | a2 | a3 | a4 | a1 | a2 | ... | ||||
| +-----+-----+-----+-----+-----+-----+-- | ||||
| IPv4 Address 1 IPv4 Address 2 ... | ||||
| Figure 5: Format of the IPv4 Addresses Field | ||||
| ADN Length: Indicates the length of the authentication-domain-name | ADN Length: Indicates the length of the authentication-domain-name | |||
| in octets. | in octets. | |||
| authentication-domain-name (variable length): Includes the | authentication-domain-name (variable length): Includes the | |||
| authentication domain name of the encrypted DNS server. This | authentication domain name of the encrypted DNS server. This | |||
| field is formatted as specified in Section 10 of [RFC8415]. The | field is formatted as specified in Section 10 of [RFC8415]. The | |||
| format of this field is shown in Figure 6. The values s1, s2, s3, | format of this field is shown in Figure 5. The values s1, s2, s3, | |||
| etc. represent the domain name labels in the domain name encoding. | etc. represent the domain name labels in the domain name encoding. | |||
| +-----+-----+-----+-----+-----+-- | +-----+-----+-----+-----+-----+-- | |||
| | s1 | s2 | s3 | s4 | s5 | ... | | s1 | s2 | s3 | s4 | s5 | ... | |||
| +-----+-----+-----+-----+-----+-- | +-----+-----+-----+-----+-----+-- | |||
| authentication-domain-name | authentication-domain-name | |||
| Figure 6: Format of the Authentication Domain Name Field | Figure 5: Format of the Authentication Domain Name Field | |||
| Addr Length: Indicates the length of included IPv4 addresses in | ||||
| octets. It MUST be a multiple of 4 for ServiceMode. | ||||
| IPv4 Address(es) (variable length): Indicates one or more IPv4 | ||||
| addresses to reach the encrypted DNS server. Both private and | ||||
| public IPv4 addresses can be included in this field. The format | ||||
| of this field is shown in Figure 6. This format assumes that an | ||||
| IPv4 address is encoded as a1.a2.a3.a4. | ||||
| 0 8 16 24 32 40 48 | ||||
| +-----+-----+-----+-----+-----+-----+-- | ||||
| | a1 | a2 | a3 | a4 | a1 | a2 | ... | ||||
| +-----+-----+-----+-----+-----+-----+-- | ||||
| IPv4 Address 1 IPv4 Address 2 ... | ||||
| Figure 6: Format of the IPv4 Addresses Field | ||||
| Service Paramters (SvcParams) (variable length): Specifies a set of | Service Paramters (SvcParams) (variable length): Specifies a set of | |||
| service parameters that are encoded following the rules in | service parameters that are encoded following the rules in | |||
| Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | |||
| may include, for example, a list of ALPN protocol identifiers or | may include, for example, a list of ALPN protocol identifiers or | |||
| alternate port numbers. The service parameters MUST NOT include | alternate port numbers. The service parameters MUST NOT include | |||
| "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | |||
| included IP addresses. | included IP addresses. | |||
| If no port service parameter is included, this indicates that | If no port service parameter is included, this indicates that | |||
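Review bot: the draft-07 wording "Addr Length ... MUST be a multiple of 4 for ServiceMode" leaves the non-ServiceMode case implicit; the lines shown never say what "Addr Length" and "IPv4 Address(es)" hold when the option is not in ServiceMode, so state it explicitly (for example, that "Addr Length" is 0 and no addresses follow) rather than by omission. Related, the new "Length" note "('ADN Length' + 3) when only an ADN is included" counts Service Priority (2 octets) and ADN Length (1 octet) but not an "Addr Length" octet, so say whether "Addr Length" and "SvcParams" are absent altogether or present with value 0 in that case; a parser needs to know which. Also, "Service Paramters" in the SvcParams field name is a typo carried from draft-06 into draft-07 and should read "Service Parameters".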
| skipping to change at page 11, line 8 ¶ | skipping to change at page 12, line 22 ¶ | |||
| This section defines a new Neighbor Discovery option [RFC4861]: IPv6 | This section defines a new Neighbor Discovery option [RFC4861]: IPv6 | |||
| RA Encrypted DNS option. This option is useful in contexts similar | RA Encrypted DNS option. This option is useful in contexts similar | |||
| to those discussed in Section 1.1 of [RFC8106]. | to those discussed in Section 1.1 of [RFC8106]. | |||
| The format of the IPv6 RA Encrypted DNS option is illustrated in | The format of the IPv6 RA Encrypted DNS option is illustrated in | |||
| Figure 7. | Figure 7. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | TBA3 | Length | Addr Length | | | TBA3 | Length | Service Priority | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Lifetime | | | Lifetime | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| ~ ipv6-address(es) ~ | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | ADN Length | | | | ADN Length | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | |||
| ~ authentication-domain-name ~ | ~ authentication-domain-name ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | SvcParams Length | | | | Addr Length | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | |||
| ~ ipv6-address(es) ~ | ||||
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| | | SvcParams Length | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| ~ Service Parameters (SvcParams) ~ | ~ Service Parameters (SvcParams) ~ | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 7: RA Encrypted DNS Option | Figure 7: RA Encrypted DNS Option | |||
| The fields of the option shown in Figure 7 are as follows: | The fields of the option shown in Figure 7 are as follows: | |||
| Type: 8-bit identifier of the Encrypted DNS Option as assigned by | Type: 8-bit identifier of the Encrypted DNS option as assigned by | |||
| IANA (TBA3, see Section 8.3). | IANA (TBA3, see Section 8.3). | |||
| Length: 8-bit unsigned integer. The length of the option (including | Length: 8-bit unsigned integer. The length of the option (including | |||
| the Type and Length fields) is in units of 8 octets. | the Type and Length fields) is in units of 8 octets. | |||
| Addr Length: 16-bit unsigned integer. This field indicates the | Service Priority: The priority of this Encrypted DNS option instance | |||
| length of enclosed IPv6 addresses in octets. It MUST be a | compared to other instances. This field is encoded following the | |||
| multiple of 16. | rules specified in Section 2.4.1 of [I-D.ietf-dnsop-svcb-https]. | |||
| Lifetime: 32-bit unsigned integer. The maximum time in seconds | Lifetime: 32-bit unsigned integer. The maximum time in seconds | |||
| (relative to the time the packet is received) over which the | (relative to the time the packet is received) over which the | |||
| discovered Authentication Domain Name is valid. | discovered Authentication Domain Name is valid. | |||
| The value of Lifetime SHOULD by default be at least 3 * | The value of Lifetime SHOULD by default be at least 3 * | |||
| MaxRtrAdvInterval, where MaxRtrAdvInterval is the maximum RA | MaxRtrAdvInterval, where MaxRtrAdvInterval is the maximum RA | |||
| interval as defined in [RFC4861]. | interval as defined in [RFC4861]. | |||
| A value of all one bits (0xffffffff) represents infinity. | A value of all one bits (0xffffffff) represents infinity. | |||
| A value of zero means that this Authentication Domain Name MUST no | A value of zero means that this Authentication Domain Name MUST no | |||
| longer be used. | longer be used. | |||
| ADN Length: 16-bit unsigned integer. This field indicates the | ||||
| length of the authentication-domain-name field in octets. | ||||
| authentication-domain-name (variable length): The domain name of the | ||||
| encrypted DNS server. This field is formatted as specified in | ||||
| Section 10 of [RFC8415]. | ||||
| Addr Length: 16-bit unsigned integer. This field indicates the | ||||
| length of enclosed IPv6 addresses in octets. It MUST be a | ||||
| multiple of 16 for ServiceMode. | ||||
| ipv6-address(es) (variable length): One or more IPv6 addresses of | ipv6-address(es) (variable length): One or more IPv6 addresses of | |||
| the encrypted DNS server. An address can be link-local, ULA, or | the encrypted DNS server. An address can be link-local, ULA, or | |||
| GUA. | GUA. | |||
| All of the addresses share the same Lifetime value. Similar to | All of the addresses share the same Lifetime value. Similar to | |||
| [RFC8106], if it is desirable to have different Lifetime values | [RFC8106], if it is desirable to have different Lifetime values | |||
| per IP address, multiple Encrypted DNS options may be used. | per IP address, multiple Encrypted DNS options may be used. | |||
| The format of this field is shown in Figure 2. | The format of this field is shown in Figure 3. | |||
| ADN Length: 16-bit unsigned integer. This field indicates the | ||||
| length of the authentication-domain-name field in octets. | ||||
| authentication-domain-name (variable length): The domain name of the | ||||
| encrypted DNS server. This field is formatted as specified in | ||||
| Section 10 of [RFC8415]. | ||||
| SvcParams Length: 16-bit unsigned integer. This field indicates the | SvcParams Length: 16-bit unsigned integer. This field indicates the | |||
| length of the Service Parameters field in octets. | length of the Service Parameters field in octets. | |||
| Service Paramters (SvcParams) (variable length): Specifies a set of | Service Paramters (SvcParams) (variable length): Specifies a set of | |||
| service parameters that are encoded following the rules in | service parameters that are encoded following the rules in | |||
| Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | Section 2.1 of [I-D.ietf-dnsop-svcb-https]. Service parameters | |||
| may include, for example, a list of ALPN protocol identifiers or | may include, for example, a list of ALPN protocol identifiers or | |||
| alternate port numbers. The service parameters MUST NOT include | alternate port numbers. The service parameters MUST NOT include | |||
| "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | "ipv4hint" or "ipv6hint" SvcParams as they are superseded by the | |||
| included IP addresses. | included IP addresses. | |||
| If no port service parameter is included, this indicates that | If no port service parameter is included, this indicates that | |||
| default port numbers should be used. | default port numbers should be used. | |||
| The option MUST be padded with zeros so that the full enclosed data | The option MUST be padded with zeros so that the full enclosed data | |||
| is a multiple of 8 octets (Section 4.6 of [RFC4861]). | is a multiple of 8 octets (Section 4.6 of [RFC4861]). | |||
| Multiple Encrypted DNS options may be returned to an IPv6 host. | ||||
| Similar to [RFC8106], these options are ordered in the preference for | ||||
| use by the IPv6 host. | ||||
| 6.2. IPv6 Host Behavior | 6.2. IPv6 Host Behavior | |||
| The procedure for DNS configuration is the same as it is with any | The procedure for DNS configuration is the same as it is with any | |||
| other Neighbor Discovery option [RFC4861]. In addition, the host | other Neighbor Discovery option [RFC4861]. In addition, the host | |||
| follows the procedure described in Section 5.3.1 of [RFC8106]. | follows the procedure described in Section 5.3.1 of [RFC8106] with | |||
| the formatting requirements in Section 6.1 substituted for the length | ||||
| validation. | ||||
| The host MUST be prepared to receive multiple Encrypted DNS options | ||||
| in RAs. These instances SHOULD be processed following their service | ||||
| priority (i.e., smaller service priority indicates a higher | ||||
| preference). | ||||
| The host MUST silently discard multicast and host loopback addresses | The host MUST silently discard multicast and host loopback addresses | |||
| conveyed in the Encrypted DNS options. | conveyed in the Encrypted DNS options. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| 7.1. Spoofing Attacks | 7.1. Spoofing Attacks | |||
| DHCP/RA messages are not encrypted or protected against modification | DHCP/RA messages are not encrypted or protected against modification | |||
| within the LAN. Unless mitigated (described below), the content of | within the LAN. Unless mitigated (described below), the content of | |||
| DHCP and RA messages can be spoofed or modified by active attackers, | DHCP and RA messages can be spoofed or modified by active attackers, | |||
| such as compromised devices within the local network. An active | such as compromised devices within the local network. An active | |||
| attacker (Section 3.3 of [RFC3552]) can spoof the DHCP/RA response to | attacker (Section 3.3 of [RFC3552]) can spoof the DHCP/RA response to | |||
| provide the attacker's Encrypted DNS server. Note that such an | provide the attacker's Encrypted DNS server. Note that such an | |||
| attacker can launch other attacks as discussed in Section 22 of | attacker can launch other attacks as discussed in Section 22 of | |||
| [RFC8415]. The attacker can get a domain name with a domain- | [RFC8415]. The attacker can get a domain name with a domain- | |||
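Review bot: in the draft-07 column of Figure 7 the rows after "Addr Length" are misdrawn: the "Addr Length" box is closed with a half-width border, and the "ipv6-address(es)" and "SvcParams Length" rows carry a stray leading "|", so those 16-bit fields no longer line up with the 32-bit ruler; regenerate the figure so every row starts at the same column. Also, "Lifetime" is still defined as the validity of "the discovered Authentication Domain Name", yet the "ipv6-address(es)" text says all addresses share the same Lifetime; say that Lifetime covers the whole option content (ADN, addresses and SvcParams) so the two passages agree. "Service Paramters" under SvcParams is a typo for "Service Parameters" in both columns.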
| skipping to change at page 16, line 8 ¶ | skipping to change at page 17, line 28 ¶ | |||
| Table 2 | Table 2 | |||
| 9. Acknowledgements | 9. Acknowledgements | |||
| Many thanks to Christian Jacquenet and Michael Richardson for the | Many thanks to Christian Jacquenet and Michael Richardson for the | |||
| review. | review. | |||
| Thanks to Stephen Farrell, Martin Thomson, Vittorio Bertola, Stephane | Thanks to Stephen Farrell, Martin Thomson, Vittorio Bertola, Stephane | |||
| Bortzmeyer, Ben Schwartz, Iain Sharp, and Chris Box for the comments. | Bortzmeyer, Ben Schwartz, Iain Sharp, and Chris Box for the comments. | |||
| Thanks to Mark Nottingham for the feedback on HTTP redirection. | Thanks to Mark Nottingham for the feedback on HTTP redirection that | |||
| was discussed in previous versions of this specification. | ||||
| The use of DHCP to retrieve an authentication domain name was | The use of DHCP to retrieve an authentication domain name was | |||
| discussed in Section 7.3.1 of [RFC8310] and | discussed in Section 7.3.1 of [RFC8310] and | |||
| [I-D.pusateri-dhc-dns-driu]. | [I-D.pusateri-dhc-dns-driu]. | |||
| Thanks to Bernie Volz for the review of the DHCP part. | Thanks to Bernie Volz for the review of the DHCP part. | |||
| 10. Contributing Authors | 10. Contributing Authors | |||
| Nicolai Leymann | Nicolai Leymann | |||
| skipping to change at page 18, line 8 ¶ | skipping to change at page 19, line 30 ¶ | |||
| <https://papers.mathyvanhoef.com/dragonblood.pdf>. | <https://papers.mathyvanhoef.com/dragonblood.pdf>. | |||
| [Evil-Twin] | [Evil-Twin] | |||
| The Unicode Consortium, "Evil twin (wireless networks)", | The Unicode Consortium, "Evil twin (wireless networks)", | |||
| <https://en.wikipedia.org/wiki/ | <https://en.wikipedia.org/wiki/ | |||
| Evil_twin_(wireless_networks)>. | Evil_twin_(wireless_networks)>. | |||
| [I-D.ietf-add-ddr] | [I-D.ietf-add-ddr] | |||
| Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T. | Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T. | |||
| Jensen, "Discovery of Designated Resolvers", Work in | Jensen, "Discovery of Designated Resolvers", Work in | |||
| Progress, Internet-Draft, draft-ietf-add-ddr-05, 31 | Progress, Internet-Draft, draft-ietf-add-ddr-06, 4 April | |||
| January 2022, <https://www.ietf.org/archive/id/draft-ietf- | 2022, <https://www.ietf.org/archive/id/draft-ietf-add-ddr- | |||
| add-ddr-05.txt>. | 06.txt>. | |||
| [I-D.ietf-add-svcb-dns] | [I-D.ietf-add-svcb-dns] | |||
| Schwartz, B., "Service Binding Mapping for DNS Servers", | Schwartz, B., "Service Binding Mapping for DNS Servers", | |||
| Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns- | Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns- | |||
| 02, 1 February 2022, <https://www.ietf.org/archive/id/ | 02, 1 February 2022, <https://www.ietf.org/archive/id/ | |||
| draft-ietf-add-svcb-dns-02.txt>. | draft-ietf-add-svcb-dns-02.txt>. | |||
| [I-D.ietf-dprive-dnsoquic] | [I-D.ietf-dprive-dnsoquic] | |||
| Huitema, C., Dickinson, S., and A. Mankin, "DNS over | Huitema, C., Dickinson, S., and A. Mankin, "DNS over | |||
| Dedicated QUIC Connections", Work in Progress, Internet- | Dedicated QUIC Connections", Work in Progress, Internet- | |||
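Review bot: the [Evil-Twin] entry credits "The Unicode Consortium" as the author of the Wikipedia article "Evil twin (wireless networks)" in both columns; that author field does not match the cited en.wikipedia.org URL and should be corrected to the actual source of that page.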
| End of changes. 41 change blocks. | ||||
| 130 lines changed or deleted | 186 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||