| < draft-ietf-ipsecme-split-dns-01.txt | draft-ietf-ipsecme-split-dns-02.txt > | |||
|---|---|---|---|---|
| Network T. Pauly | Network T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
| Expires: January 20, 2018 Red Hat | Expires: January 30, 2018 Red Hat | |||
| July 19, 2017 | July 29, 2017 | |||
| Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
| draft-ietf-ipsecme-split-dns-01 | draft-ietf-ipsecme-split-dns-02 | |||
| Abstract | Abstract | |||
| This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
| the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
| domains should be resolved using DNS servers reachable through an | domains should be resolved using DNS servers reachable through an | |||
| IPsec connection, while leaving all other DNS resolution unchanged. | IPsec connection, while leaving all other DNS resolution unchanged. | |||
| This approach of resolving a subset of domains using non-public DNS | This approach of resolving a subset of domains using non-public DNS | |||
| servers is referred to as "Split DNS". | servers is referred to as "Split DNS". | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 20, 2018. | This Internet-Draft will expire on January 30, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 24 ¶ | skipping to change at page 2, line 24 ¶ | |||
| 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 | |||
| 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 | |||
| 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 | |||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 | |||
| 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 | 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 1. Introduction | 1. Introduction | |||
| Split DNS is a common configuration for secure tunnels, such as | Split DNS is a common configuration for secure tunnels, such as | |||
| Virtual Private Networks in which host machines private to an | Virtual Private Networks in which host machines private to an | |||
| organization can only be resolved using internal DNS resolvers | organization can only be resolved using internal DNS resolvers | |||
| skipping to change at page 5, line 12 ¶ | skipping to change at page 5, line 12 ¶ | |||
| Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers | Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers | |||
| address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. | address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. | |||
| If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- | If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- | |||
| zero lengths, the content MAY be ignored or be interpreted as a | zero lengths, the content MAY be ignored or be interpreted as a | |||
| suggestion by the responder. | suggestion by the responder. | |||
| For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, | For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, | |||
| one or more INTERNAL_DNSSEC_TA attributes MAY be included by the | one or more INTERNAL_DNSSEC_TA attributes MAY be included by the | |||
| responder. This attribute lists the corresponding internal DNSSEC | responder. This attribute lists the corresponding internal DNSSEC | |||
| trust anchor in the DNS wire format of a DS record as specified in | trust anchor in the DNS presentation format of a DS record as | |||
| [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST immediately follow | specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST | |||
| the INTERNAL_DNS_DOMAIN attribute that it applies to. | immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies | |||
| to. | ||||
| 3.3. Mapping DNS Servers to Domains | 3.3. Mapping DNS Servers to Domains | |||
| All DNS servers provided in the CFG_REPLY MUST support resolving | All DNS servers provided in the CFG_REPLY MUST support resolving | |||
| hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, | hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, | |||
| the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a | the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a | |||
| single list of Split DNS domains that applies to the entire list of | single list of Split DNS domains that applies to the entire list of | |||
| INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. | INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. | |||
| 3.4. Example Exchanges | 3.4. Example Exchanges | |||
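
Review bot: the reworded sentence in Section 3.2 now says the trust anchor is carried "in the DNS presentation format of a DS record", but the INTERNAL_DNSSEC_TA layout in Section 4.2 still defines Key Tag (2 octets), Algorithm (1 octet) and Digest Type (1 octet) as fixed binary fields, so at most the Digest portion can be presentation-format text; either narrow this sentence to "with the digest in presentation (hexadecimal) format" or define the whole attribute in a single encoding so the two sections cannot be read as contradicting each other. The "MUST immediately follow" rule also states only the responder's obligation; the client side is missing, so suggest adding that an INTERNAL_DNSSEC_TA not immediately preceded by an INTERNAL_DNS_DOMAIN MUST be ignored.
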
| skipping to change at page 6, line 45 ¶ | skipping to change at page 6, line 45 ¶ | |||
| 4. Payload Formats | 4. Payload Formats | |||
| 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type | 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| | | | | | | |||
| ~ Domain Name ~ | ~ Domain Name in DNS presentation format ~ | |||
| | | | | | | |||
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | |||
| o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. | o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. | |||
| o Length (2 octets, unsigned integer) - Length of domain name. | o Length (2 octets, unsigned integer) - Length of domain name. | |||
| o Domain Name (0 or more octets) - A domain or subdomain used for | o Domain Name (0 or more octets) - A Fully Qualified Domain Name | |||
| Split DNS rules, such as example.com in DNS wire format. | used for Split DNS rules, such as example.com, in DNS presentation | |||
| format and optionally using IDNA [RFC5890] for Internationalized | ||||
| Domain Names. The value is NOT null-terminated. | ||||
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | |||
| 1 2 3 | 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ | |||
| |R| Attribute Type | Length | | |R| Attribute Type | Length | | |||
| +-+-----------------------------+---------------+---------------+ | +-+-----------------------------+---------------+---------------+ | |||
| | Key Tag | Algorithm | Digest Type | | | Key Tag | Algorithm | Digest Type | | |||
| +-------------------------------+---------------+---------------+ | +-------------------------------+---------------+---------------+ | |||
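
Review bot: the new Domain Name text in Section 4.1 leaves two encoding questions open that an implementer has to guess at: whether a "Fully Qualified Domain Name" in presentation format carries the trailing dot (the example "example.com" does not), and whether "optionally using IDNA [RFC5890]" means A-labels (ASCII, "xn--" form) or U-labels (UTF-8) are placed on the wire. Suggest stating that the name is sent as A-labels without a trailing dot (or explicitly permitting both forms and requiring case-insensitive comparison that ignores a trailing dot), and that Length counts octets, since the "NOT null-terminated" sentence only becomes unambiguous once the octet encoding is fixed. Please also confirm [RFC5890] is added to the references section, which this diff does not show.
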
| skipping to change at page 7, line 41 ¶ | skipping to change at page 7, line 43 ¶ | |||
| o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as | o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as | |||
| specified in [RFC4034] Section 5.1 | specified in [RFC4034] Section 5.1 | |||
| o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security | o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security | |||
| Algorithm Numbers Registry | Algorithm Numbers Registry | |||
| o DS algorithm (0 or 1 octet) - Value from the IANA Delegation | o DS algorithm (0 or 1 octet) - Value from the IANA Delegation | |||
| Signer (DS) Resource Record (RR) Type Digest Algorithms Registry | Signer (DS) Resource Record (RR) Type Digest Algorithms Registry | |||
| o Digest (0 or more octets) - The digest as specified in [RFC4034] | o Digest (0 or more octets) - The digest as specified in [RFC4034] | |||
| Section 5.1 in wire format. | Section 5.1 in presentation format. | |||
| 5. Split DNS Usage Guidelines | 5. Split DNS Usage Guidelines | |||
| If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | |||
| the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | |||
| servers as the default DNS server(s) for all queries. | servers as the default DNS server(s) for all queries. | |||
| If a client is configured by local policy to only accept a limited | If a client is configured by local policy to only accept a limited | |||
| number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | |||
| other INTERNAL_DNS_DOMAIN values. | other INTERNAL_DNS_DOMAIN values. | |||
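
Review bot: changing the Digest in Section 4.2 to "presentation format" makes the last field hexadecimal text while Key Tag, DNSKEY algorithm and DS algorithm remain binary octets in the same attribute, and RFC 4034 presentation format allows whitespace inside the digest. The text should say whether the digest is the hex string with whitespace removed, whether case is significant, that it is not null-terminated, and that Length is 4 plus the number of digest octets. The "0 or 2 octets" / "0 or 1 octet" sizes suggest that an empty attribute is what a CFG_REQUEST carries; saying so explicitly would remove the ambiguity of, for example, a 2-octet attribute holding only a Key Tag, which a receiver otherwise has to decide how to treat.
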
| skipping to change at page 9, line 41 ¶ | skipping to change at page 9, line 43 ¶ | |||
| accept insecure delegations for domains that are DNSSEC signed in the | accept insecure delegations for domains that are DNSSEC signed in the | |||
| public DNS view, for which it has not explicitely requested such | public DNS view, for which it has not explicitely requested such | |||
| deletation by specifying the domain specifically using a | deletation by specifying the domain specifically using a | |||
| INTERNAL_DNS_DOMAIN(domain) request. | INTERNAL_DNS_DOMAIN(domain) request. | |||
| A domain that is served via INTERNAL_DNS_DOMAIN should pay close | A domain that is served via INTERNAL_DNS_DOMAIN should pay close | |||
| attention to their use of indirect reference RRtypes such as CNAME, | attention to their use of indirect reference RRtypes such as CNAME, | |||
| DNAME, MX or SRV records so that resolving works as intended when | DNAME, MX or SRV records so that resolving works as intended when | |||
| all, some or none of the IPsec connections are established. | all, some or none of the IPsec connections are established. | |||
| The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be | ||||
| passed to another (DNS) program for processing. The content MUST be | ||||
| verified and sanitized before passing it to other software. For | ||||
| example, domain names are limited to alphanumeric characters and the | ||||
| minus ("-") and underscore ("_") symbol and if other other characters | ||||
| are present, the entire payload could be ignored and not passed to | ||||
| DNS software, or the malicious characters could be filtered out | ||||
| before passing the payload to DNS software. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document defines two new IKEv2 Configuration Payload Attribute | This document defines two new IKEv2 Configuration Payload Attribute | |||
| Types, which are allocated from the "IKEv2 Configuration Payload | Types, which are allocated from the "IKEv2 Configuration Payload | |||
| Attribute Types" namespace. | Attribute Types" namespace. | |||
| Multi- | Multi- | |||
| Value Attribute Type Valued Length Reference | Value Attribute Type Valued Length Reference | |||
| ------ ------------------- ------ ---------- --------------- | ------ ------------------- ------ ---------- --------------- | |||
| 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] | 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] | |||
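
Review bot: the new sanitization paragraph in Section 6 gives an allowed-character set (alphanumeric, "-" and "_") that omits the dot, so an implementation following it would reject every multi-label name, including the example.com used in Section 4.1, and it would also reject any IDNA U-label that Section 4.1 now permits; the set should be restated as the LDH characters plus ".", with either A-labels only or the [RFC5890] rules for non-ASCII. The alternative of filtering "malicious characters" out is weaker than rejecting the attribute: stripping characters yields a different domain name than the one the responder sent, so the client can end up applying Split DNS rules to a name nobody intended; suggest making rejection of the whole attribute the only permitted behaviour. The same validation requirement should be stated for INTERNAL_DNSSEC_TA (hexadecimal digest, known algorithm and digest type values) before its content reaches DNS software. Minor: "other other" in the new text, and "explicitely" / "deletation" in the surrounding context, are typos.
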
| End of changes. 9 change blocks. | ||||
| 12 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||