| < draft-reddy-add-resolver-info-04.txt | draft-reddy-add-resolver-info-05.txt > | |||
|---|---|---|---|---|
| ADD WG T. Reddy | ADD WG T. Reddy | |||
| Internet-Draft Akamai | Internet-Draft Akamai | |||
| Intended status: Standards Track M. Boucadair | Intended status: Standards Track M. Boucadair | |||
| Expires: April 10, 2022 Orange | Expires: 15 October 2022 Orange | |||
| October 7, 2021 | 13 April 2022 | |||
| DNS Resolver Information | DNS Resolver Information | |||
| draft-reddy-add-resolver-info-04 | draft-reddy-add-resolver-info-05 | |||
| Abstract | Abstract | |||
| This document specifies a method for DNS resolvers to publish | This document specifies a method for DNS resolvers to publish | |||
| information about themselves. Clients can use the resolver | information about themselves. Clients can use the resolver | |||
| information to identify the capabilities of DNS resolvers. | information to identify the capabilities of DNS resolvers. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 33 ¶ | skipping to change at page 1, line 33 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 10, 2022. | This Internet-Draft will expire on 15 October 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | license-info) in effect on the date of publication of this document. | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. Code Components | |||
| to this document. Code Components extracted from this document must | extracted from this document must include Revised BSD License text as | |||
| include Simplified BSD License text as described in Section 4.e of | described in Section 4.e of the Trust Legal Provisions and are | |||
| the Trust Legal Provisions and are provided without warranty as | provided without warranty as described in the Revised BSD License. | |||
| described in the Simplified BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Retrieving Resolver Information . . . . . . . . . . . . . . . 3 | 3. Retrieving Resolver Information . . . . . . . . . . . . . . . 3 | |||
| 4. Format of the Resolver Information . . . . . . . . . . . . . 3 | 4. Format of the Resolver Information . . . . . . . . . . . . . 3 | |||
| 5. Resolver Information . . . . . . . . . . . . . . . . . . . . 3 | 5. Resolver Information . . . . . . . . . . . . . . . . . . . . 3 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. RESINFO RRtype . . . . . . . . . . . . . . . . . . . . . 5 | 7.1. RESINFO RRtype . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.2. DNS Resolver Information Registration . . . . . . . . . . 5 | 7.2. DNS Resolver Information Registration . . . . . . . . . . 5 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | 9.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| Historically, DNS stub resolvers communicated with recursive | Historically, DNS stub resolvers communicated with recursive | |||
| resolvers without needing to know anything about the features | resolvers without needing to know anything about the features | |||
| supported by these recursive resolvers. As more and more recursive | supported by these recursive resolvers. As more and more recursive | |||
| resolvers expose different features that may impact the delivered DNS | resolvers expose different features that may impact the delivered DNS | |||
| service, means to help stub resolvers to identify the capabilities of | service, means to help stub resolvers to identify the capabilities of | |||
| the resolver are valuable. Typically, stub resolvers can discover | the resolver are valuable. Typically, stub resolvers can discover | |||
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 26 ¶ | |||
| Section 5. If the resolver understands the RESINFO RRtype, the RRset | Section 5. If the resolver understands the RESINFO RRtype, the RRset | |||
| in the Answer section MUST have exactly one record. | in the Answer section MUST have exactly one record. | |||
| The client can retrieve the resolver information using the RESINFO | The client can retrieve the resolver information using the RESINFO | |||
| RRtype and QNAME of the domain name that is used to authenticate the | RRtype and QNAME of the domain name that is used to authenticate the | |||
| DNS server (referred to as ADN in [I-D.ietf-add-dnr]). | DNS server (referred to as ADN in [I-D.ietf-add-dnr]). | |||
| If the special use domain name "resolver.arpa" defined in | If the special use domain name "resolver.arpa" defined in | |||
| [I-D.ietf-add-ddr] is used to discover the Encrypted DNS server, the | [I-D.ietf-add-ddr] is used to discover the Encrypted DNS server, the | |||
| client can retrieve the resolver information using the RESINFO RRtype | client can retrieve the resolver information using the RESINFO RRtype | |||
| and a QNAME of "resolver.arpa". | and QNAME of the designated resolver. | |||
| 4. Format of the Resolver Information | 4. Format of the Resolver Information | |||
| The resolver information is returned as a JSON object. Precisely, | The resolver information is returned as a JSON object. Precisely, | |||
| the JSON object MUST use the I-JSON message format [RFC7493]. | the JSON object MUST use the I-JSON message format [RFC7493]. | |||
| Note that [RFC7493] was based on [RFC7159], but [RFC7159] was | Note that [RFC7493] was based on [RFC7159], but [RFC7159] was | |||
| replaced by [RFC8259]. Requiring the use of I-JSON instead of | replaced by [RFC8259]. Requiring the use of I-JSON instead of | |||
| more general JSON format greatly increases the likelihood of | more general JSON format greatly increases the likelihood of | |||
| interoperability. | interoperability. | |||
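Review bot: the replacement at the end of Section 3, "and QNAME of the designated resolver" in place of "and a QNAME of "resolver.arpa"", does not say which name that is. In the case this paragraph covers the client found the resolver through the special-use name "resolver.arpa", so the text should state whether the QNAME is the name the client uses to authenticate the designated resolver (the same rule the previous paragraph gives for the ADN case, "QNAME of the domain name that is used to authenticate the DNS server") so that the two cases are handled identically. Separately, "If the resolver understands the RESINFO RRtype, the RRset in the Answer section MUST have exactly one record" only covers the resolver that knows the type; the section should also say what a client does with an empty or NOERROR/NODATA answer from a resolver that does not, since that is the common case today.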
| skipping to change at page 4, line 6 ¶ | skipping to change at page 4, line 4 ¶ | |||
| All names in the returned object MUST either be defined in the IANA | All names in the returned object MUST either be defined in the IANA | |||
| registry Section 7.2 or begin with the substring "temp-" for names | registry Section 7.2 or begin with the substring "temp-" for names | |||
| defined for local use only. | defined for local use only. | |||
| 5. Resolver Information | 5. Resolver Information | |||
| The resolver information includes the following attributes: | The resolver information includes the following attributes: | |||
| qnameminimization: If the DNS server supports QNAME minimisation | qnameminimization: If the DNS server supports QNAME minimisation | |||
| [RFC7816] to improve DNS privacy, the parameter value is set to | [RFC7816] to improve DNS privacy, the parameter value is set to | |||
| true. This is a mandatory attribute. | true. This is a mandatory attribute. | |||
| extendeddnserror: If the DNS server supports extended DNS error | extendeddnserror: If the DNS server supports extended DNS error | |||
| (EDE) [RFC8914] to return additional information about the cause | (EDE) [RFC8914] to return additional information about the cause | |||
| of DNS errors, the parameter lists the possible extended DNS error | of DNS errors, the parameter lists the possible extended DNS error | |||
| codes that can be returned by the DNS server. This is an optional | codes that can be returned by the DNS server. This is an optional | |||
| attribute. | attribute. | |||
| Note that the extended error code "Blocked" defined in | ||||
| Section 4.16 of [RFC8914] identifies access to domains is | ||||
| blocked due to an policy by the operator of the DNS server, | ||||
| extended error code "Censored" defined in Section 4.17 of | ||||
| [RFC8914] identifies access to domains is blocked based on a | ||||
| requirement from an external entity and the extended error code | ||||
| "Filtered" defined in Section 4.18 of [RFC8914] identifies | ||||
| access to domains is blocked based on the request from the | ||||
| client to blacklist domains. | ||||
| clientauth: If the DNS server requires client authentication, the | ||||
| parameter value is set to true. For example, when not on the | ||||
| enterprise network (e.g., coffee shop) yet needing to access the | ||||
| enterprise Encrypted DNS server, roaming users can use client | ||||
| authentication to access the Enterprise-provided Encrypted DNS | ||||
| server. This is an optional attribute. | ||||
| resinfourl: An URL that points to the generic unstructured resolver | resinfourl: An URL that points to the generic unstructured resolver | |||
| information (e.g., DoH APIs supported, possible HTTP status codes | information (e.g., DoH APIs supported, possible HTTP status codes | |||
| returned by the DoH server, how to report a problem) for | returned by the DoH server, how to report a problem) for | |||
| troubleshooting purpose. The server MUST support the content-type | troubleshooting purpose. The server MUST support the content-type | |||
| 'text/html'. This is a mandatory attribute. | 'text/html'. The DNS client MUST reject the URL if the scheme is | |||
| not "https". The client MUST validate that both the encrypted DNS | ||||
| identityurl: An URL that points to a human-friendly description of | server and the resolver information server are owned and managed | |||
| the resolver identity to display to the end-user. The server MUST | by the same entity by establishing a TLS connection to the domain | |||
| support the content-type 'text/plain'. This is a mandatory | name in the URL and checking if the subjectAltName entry in the | |||
| server certificate includes the name of the encrypted DNS server. | ||||
| If this match fails, the client MUST ignore the resolver | ||||
| information. As such, the URL should be treated only as | ||||
| diagnostic information for IT staff. This is a mandatory | ||||
| attribute. | attribute. | |||
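Review bot: the new validation text for resinfourl leaves the TLS check underspecified. "establishing a TLS connection to the domain name in the URL and checking if the subjectAltName entry in the server certificate includes the name of the encrypted DNS server" should say that ordinary certificate validation for the URL's own host (chain to a trusted anchor, host name match) still applies and that the additional requirement is a dNSName subjectAltName entry matching the encrypted DNS server's authentication name; as written, a certificate that names only the DNS server would satisfy the check. "If this match fails, the client MUST ignore the resolver information" should say whether that means the whole RESINFO object or only the resinfourl value. The next sentence, "As such, the URL should be treated only as diagnostic information for IT staff", does not follow from the match failing; it is a statement about how the URL is used and belongs with the first sentence of the attribute. Finally, a MUST to open a TLS connection means every client that parses the object contacts an operator-chosen host before it can trust any of it; consider requiring the check only when the client is about to dereference the URL.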
| New attributes can be defined as per the procedure defined in | New attributes can be defined as per the procedure defined in | |||
| Section 7.2. | Section 7.2. | |||
| As specified in [RFC7493], the I-JSON object is encoded as UTF8. | As specified in [RFC7493], the I-JSON object is encoded as UTF8. | |||
| [RFC7493] explicitly allows the returned objects to be in any order. | [RFC7493] explicitly allows the returned objects to be in any order. | |||
| Figure 1 shows an example of resolver information. | Figure 1 shows an example of resolver information. | |||
| { | { | |||
| "qnameminimization": true, | "qnameminimization": true, | |||
| "extendeddnserror": [ | "extendeddnserror": [ | |||
| 15, | 15, | |||
| 16, | 16, | |||
| 17 | 17 | |||
| ], | ], | |||
| "clientauth": false, | ||||
| "resinfourl": "https://resolver.example.com/guide", | "resinfourl": "https://resolver.example.com/guide", | |||
| "identityurl": "https://resolver.example.com/user-friendly-name" | ||||
| } | } | |||
| Figure 1: An Example of Resolver Information | Figure 1: An Example of Resolver Information | |||
| 6. Security Considerations | 6. Security Considerations | |||
| Unless a DNS request to retrieve the resolver information is | Unless a DNS request to retrieve the resolver information is | |||
| encrypted (e.g., sent over DNS-over-TLS (DoT) [RFC7858] or DNS-over- | encrypted (e.g., sent over DNS-over-TLS (DoT) [RFC7858] or DNS-over- | |||
| HTTPS (DoH)) [RFC8484], the response is susceptible to forgery. The | HTTPS (DoH)) [RFC8484], the response is susceptible to forgery. The | |||
| DNS resolver information can be retrieved after the encrypted | DNS resolver information can be retrieved after the encrypted | |||
| connection is established to the DNS server or retrieved before the | connection is established to the DNS server or retrieved before the | |||
| encrypted connection is established to the DNS server by using local | encrypted connection is established to the DNS server by using local | |||
| DNSSEC validation. | DNSSEC validation. | |||
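Review bot: Section 6 is unchanged but no longer covers the behaviour added to Section 5. The resinfourl validation has clients open a TLS connection to whatever host a RESINFO answer names, so a forged answer steers the client to that host before the subjectAltName check can reject it; the section should state that the check limits what a forged URL can do once fetched but does not prevent the connection. The "local DNSSEC validation" option also does not apply to the "resolver.arpa" case in Section 3: that answer is produced by the resolver being queried rather than fetched from a signed zone, so it can only be protected by retrieving it over the encrypted connection. Minor: "HTTPS (DoH)) [RFC8484]" has an extra closing parenthesis.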
| skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 7 ¶ | |||
| Value Type: The type of data to be used in the JSON object. | Value Type: The type of data to be used in the JSON object. | |||
| Description: Provides a description of the attribute | Description: Provides a description of the attribute | |||
| Specification: The reference specification for the registered | Specification: The reference specification for the registered | |||
| element. | element. | |||
| The initial content of this registry is provided in Table 1. | The initial content of this registry is provided in Table 1. | |||
| +-------------------+---------+---------------------+---------------+ | +===================+=========+===================+===============+ | |||
| | Name | Value | Specification | Specification | | | Name | Value | Specification | Specification | | |||
| | | Type | | | | | | Type | | | | |||
| +-------------------+---------+---------------------+---------------+ | +===================+=========+===================+===============+ | |||
| | qnameminimization | boolean | Indicates whether | [RFCXXXX] | | | qnameminimization | boolean | Indicates whether | [RFCXXXX] | | |||
| | | | qnameminimization | | | | | | qnameminimization | | | |||
| | | | is enabled or not | | | | | | is enabled or not | | | |||
| | extendeddnserror | number | Lists the set of | [RFCXXXX] | | +-------------------+---------+-------------------+---------------+ | |||
| | | | extended DNS errors | | | | extendeddnserror | number | Lists the set of | [RFCXXXX] | | |||
| | clientauth | boolean | Indicates whether | [RFCXXXX] | | | | | extended DNS | | | |||
| | | | client | | | | | | errors | | | |||
| | | | authentication is | | | +-------------------+---------+-------------------+---------------+ | |||
| | | | required or not | | | | resinfourl | string | Provides an | [RFCXXXX] | | |||
| | resinfourl | string | Provides an | [RFCXXXX] | | | | | unstructured | | | |||
| | | | unstructured | | | | | | resolver | | | |||
| | | | resolver | | | | | | information that | | | |||
| | | | information that is | | | | | | is used for | | | |||
| | | | used for | | | | | | troubleshooting | | | |||
| | | | troubleshooting | | | +-------------------+---------+-------------------+---------------+ | |||
| | identityurl | string | Points to a human- | [RFCXXXX] | | ||||
| | | | friendly | | | ||||
| | | | description of the | | | ||||
| | | | resolver identity | | | ||||
| | | | to display to the | | | ||||
| | | | end-user | | | ||||
| +-------------------+---------+---------------------+---------------+ | ||||
| Table 1: Initial RESINFO Registry | Table 1: Initial RESINFO Registry | |||
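Review bot: the rebuilt Table 1 still carries two inconsistencies with the registry fields listed above it. The header row reads "Name | Value Type | Specification | Specification", but the fields defined just above are Value Type, Description and Specification, so the third column should be titled Description. And extendeddnserror is typed "number" while the attribute text says it "lists the possible extended DNS error codes" and Figure 1 encodes it as an array of numbers (15, 16, 17); the registry entry should say array of numbers, or the attribute should be changed to a single value. Since the note under extendeddnserror explaining the "Blocked", "Censored" and "Filtered" codes was removed in this revision, Figure 1 now uses codes 15, 16 and 17 without saying what they are; a pointer to the code registry in [RFC8914] next to the example would help.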
| 8. Acknowledgments | 8. Acknowledgments | |||
| This specification leverages the work that has been documented in | This specification leverages the work that has been documented in | |||
| [I-D.pp-add-resinfo]. | [I-D.pp-add-resinfo]. | |||
| Thanks to Tommy Jensen, Vittorio Bertola, Vinny Parla, Chris Box, Ben | Thanks to Tommy Jensen, Vittorio Bertola, Vinny Parla, Chris Box, Ben | |||
| Schwartz, Tony Finch, and Shashank Jain for the discussion and | Schwartz, Tony Finch, Daniel Kahn Gillmor, Eric Rescorla and Shashank | |||
| comments. | Jain for the discussion and comments. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 8, line 9 ¶ | skipping to change at page 7, line 31 ¶ | |||
| [RFC8914] Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D. | [RFC8914] Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D. | |||
| Lawrence, "Extended DNS Errors", RFC 8914, | Lawrence, "Extended DNS Errors", RFC 8914, | |||
| DOI 10.17487/RFC8914, October 2020, | DOI 10.17487/RFC8914, October 2020, | |||
| <https://www.rfc-editor.org/info/rfc8914>. | <https://www.rfc-editor.org/info/rfc8914>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [I-D.ietf-add-ddr] | [I-D.ietf-add-ddr] | |||
| Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T. | Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T. | |||
| Jensen, "Discovery of Designated Resolvers", draft-ietf- | Jensen, "Discovery of Designated Resolvers", Work in | |||
| add-ddr-03 (work in progress), October 2021. | Progress, Internet-Draft, draft-ietf-add-ddr-06, 4 April | |||
| 2022, <https://www.ietf.org/archive/id/draft-ietf-add-ddr- | ||||
| 06.txt>. | ||||
| [I-D.ietf-add-dnr] | [I-D.ietf-add-dnr] | |||
| Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. | Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. | |||
| Jensen, "DHCP and Router Advertisement Options for the | Jensen, "DHCP and Router Advertisement Options for the | |||
| Discovery of Network-designated Resolvers (DNR)", draft- | Discovery of Network-designated Resolvers (DNR)", Work in | |||
| ietf-add-dnr-02 (work in progress), May 2021. | Progress, Internet-Draft, draft-ietf-add-dnr-06, 22 March | |||
| 2022, <https://www.ietf.org/archive/id/draft-ietf-add-dnr- | ||||
| 06.txt>. | ||||
| [I-D.pp-add-resinfo] | [I-D.pp-add-resinfo] | |||
| Sood, P. and P. Hoffman, "DNS Resolver Information Self- | Sood, P. and P. Hoffman, "DNS Resolver Information Self- | |||
| publication", draft-pp-add-resinfo-02 (work in progress), | publication", Work in Progress, Internet-Draft, draft-pp- | |||
| June 2020. | add-resinfo-02, 30 June 2020, | |||
| <https://www.ietf.org/archive/id/draft-pp-add-resinfo- | ||||
| 02.txt>. | ||||
| [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | |||
| and P. Hoffman, "Specification for DNS over Transport | and P. Hoffman, "Specification for DNS over Transport | |||
| Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | |||
| 2016, <https://www.rfc-editor.org/info/rfc7858>. | 2016, <https://www.rfc-editor.org/info/rfc7858>. | |||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", STD 90, RFC 8259, | Interchange Format", STD 90, RFC 8259, | |||
| DOI 10.17487/RFC8259, December 2017, | DOI 10.17487/RFC8259, December 2017, | |||
| <https://www.rfc-editor.org/info/rfc8259>. | <https://www.rfc-editor.org/info/rfc8259>. | |||
| skipping to change at page 9, line 4 ¶ | skipping to change at page 8, line 28 ¶ | |||
| [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
| Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, | |||
| January 2019, <https://www.rfc-editor.org/info/rfc8499>. | January 2019, <https://www.rfc-editor.org/info/rfc8499>. | |||
| [RRTYPE] IANA, "Resource Record (RR) TYPEs", | [RRTYPE] IANA, "Resource Record (RR) TYPEs", | |||
| <http://www.iana.org/assignments/dns-parameters/dns- | <http://www.iana.org/assignments/dns-parameters/dns- | |||
| parameters.xhtml#dns-parameters-4>. | parameters.xhtml#dns-parameters-4>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Tirumaleswar Reddy | Tirumaleswar Reddy | |||
| Akamai | Akamai | |||
| Embassy Golf Link Business Park | Embassy Golf Link Business Park | |||
| Bangalore, Karnataka 560071 | Bangalore 560071 | |||
| Karnataka | ||||
| India | India | |||
| Email: kondtir@gmail.com | Email: kondtir@gmail.com | |||
| Mohamed Boucadair | Mohamed Boucadair | |||
| Orange | Orange | |||
| Rennes 35000 | 35000 Rennes | |||
| France | France | |||
| Email: mohamed.boucadair@orange.com | Email: mohamed.boucadair@orange.com | |||
| End of changes. 23 change blocks. | ||||
| 81 lines changed or deleted | 65 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||