Changes from draft-reddy-add-resolver-info-04.txt to draft-reddy-add-resolver-info-05.txt
(lines marked "-" are in draft-04 only, lines marked "+" are in draft-05 only)

 ADD WG                                                          T. Reddy
 Internet-Draft                                                    Akamai
 Intended status: Standards Track                            M. Boucadair
-Expires: April 10, 2022                                           Orange
-                                                         October 7, 2021
+Expires: 15 October 2022                                          Orange
+                                                           13 April 2022

                         DNS Resolver Information
-                   draft-reddy-add-resolver-info-04
+                   draft-reddy-add-resolver-info-05
 Abstract

    This document specifies a method for DNS resolvers to publish
    information about themselves. Clients can use the resolver
    information to identify the capabilities of DNS resolvers.

 Status of This Memo

    This Internet-Draft is submitted in full conformance with the

@@ skipping to change at page 1, line 33 @@

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF). Note that other groups may also distribute
    working documents as Internet-Drafts. The list of current Internet-
    Drafts is at https://datatracker.ietf.org/drafts/current/.

    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time. It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."

-   This Internet-Draft will expire on April 10, 2022.
+   This Internet-Draft will expire on 15 October 2022.

 Copyright Notice

-   Copyright (c) 2021 IETF Trust and the persons identified as the
+   Copyright (c) 2022 IETF Trust and the persons identified as the
    document authors. All rights reserved.

    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (https://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document. Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document. Code Components extracted from this document must
-   include Simplified BSD License text as described in Section 4.e of
-   the Trust Legal Provisions and are provided without warranty as
-   described in the Simplified BSD License.
+   Provisions Relating to IETF Documents (https://trustee.ietf.org/
+   license-info) in effect on the date of publication of this document.
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document. Code Components
+   extracted from this document must include Revised BSD License text as
+   described in Section 4.e of the Trust Legal Provisions and are
+   provided without warranty as described in the Revised BSD License.
 Table of Contents

    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
    2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   2
    3.  Retrieving Resolver Information  . . . . . . . . . . . . . .   3
    4.  Format of the Resolver Information . . . . . . . . . . . . .   3
    5.  Resolver Information . . . . . . . . . . . . . . . . . . . .   3
    6.  Security Considerations  . . . . . . . . . . . . . . . . . .   5
    7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .   5
      7.1.  RESINFO RRtype . . . . . . . . . . . . . . . . . . . . .   5
      7.2.  DNS Resolver Information Registration  . . . . . . . . .   5
-   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .   7
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . .   7
-     9.1.  Normative References . . . . . . . . . . . . . . . . . .   7
-     9.2.  Informative References . . . . . . . . . . . . . . . . .   8
+   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .   6
+   9.  References . . . . . . . . . . . . . . . . . . . . . . . . .   6
+     9.1.  Normative References . . . . . . . . . . . . . . . . . .   6
+     9.2.  Informative References . . . . . . . . . . . . . . . . .   7
    Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .   8
 1.  Introduction

    Historically, DNS stub resolvers communicated with recursive
    resolvers without needing to know anything about the features
    supported by these recursive resolvers. As more and more recursive
    resolvers expose different features that may impact the delivered DNS
    service, means to help stub resolvers to identify the capabilities of
    the resolver are valuable. Typically, stub resolvers can discover

@@ skipping to change at page 3, line 26 @@

    Section 5. If the resolver understands the RESINFO RRtype, the RRset
    in the Answer section MUST have exactly one record.

    The client can retrieve the resolver information using the RESINFO
    RRtype and QNAME of the domain name that is used to authenticate the
    DNS server (referred to as ADN in [I-D.ietf-add-dnr]).

    If the special use domain name "resolver.arpa" defined in
    [I-D.ietf-add-ddr] is used to discover the Encrypted DNS server, the
    client can retrieve the resolver information using the RESINFO RRtype
-   and a QNAME of "resolver.arpa".
+   and QNAME of the designated resolver.
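Review bot: "QNAME of the designated resolver" in the replacement line is not defined anywhere in this section, whereas the paragraph just above ties the RESINFO QNAME to the domain name used to authenticate the DNS server (the ADN). Say explicitly that the designated resolver's authentication domain name is meant here too, so that the DDR and DNR discovery paths query the same name and a client always looks up the RESINFO record of the server it actually authenticated.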
 4.  Format of the Resolver Information

    The resolver information is returned as a JSON object. Precisely,
    the JSON object MUST use the I-JSON message format [RFC7493].

       Note that [RFC7493] was based on [RFC7159], but [RFC7159] was
       replaced by [RFC8259]. Requiring the use of I-JSON instead of
       more general JSON format greatly increases the likelihood of
       interoperability.

@@ skipping to change at page 4, line 6 (-04) / page 4, line 4 (-05) @@

    All names in the returned object MUST either be defined in the IANA
    registry Section 7.2 or begin with the substring "temp-" for names
    defined for local use only.
 5.  Resolver Information

    The resolver information includes the following attributes:

    qnameminimization:  If the DNS server supports QNAME minimisation
       [RFC7816] to improve DNS privacy, the parameter value is set to
       true. This is a mandatory attribute.

    extendeddnserror:  If the DNS server supports extended DNS error
       (EDE) [RFC8914] to return additional information about the cause
       of DNS errors, the parameter lists the possible extended DNS error
       codes that can be returned by the DNS server. This is an optional
       attribute.

-      Note that the extended error code "Blocked" defined in
-      Section 4.16 of [RFC8914] identifies access to domains is
-      blocked due to an policy by the operator of the DNS server,
-      extended error code "Censored" defined in Section 4.17 of
-      [RFC8914] identifies access to domains is blocked based on a
-      requirement from an external entity and the extended error code
-      "Filtered" defined in Section 4.18 of [RFC8914] identifies
-      access to domains is blocked based on the request from the
-      client to blacklist domains.
-
-   clientauth:  If the DNS server requires client authentication, the
-      parameter value is set to true. For example, when not on the
-      enterprise network (e.g., coffee shop) yet needing to access the
-      enterprise Encrypted DNS server, roaming users can use client
-      authentication to access the Enterprise-provided Encrypted DNS
-      server. This is an optional attribute.
-
    resinfourl:  An URL that points to the generic unstructured resolver
       information (e.g., DoH APIs supported, possible HTTP status codes
       returned by the DoH server, how to report a problem) for
       troubleshooting purpose. The server MUST support the content-type
-      'text/html'. This is a mandatory attribute.
-
-   identityurl:  An URL that points to a human-friendly description of
-      the resolver identity to display to the end-user. The server MUST
-      support the content-type 'text/plain'. This is a mandatory
+      'text/html'. The DNS client MUST reject the URL if the scheme is
+      not "https". The client MUST validate that both the encrypted DNS
+      server and the resolver information server are owned and managed
+      by the same entity by establishing a TLS connection to the domain
+      name in the URL and checking if the subjectAltName entry in the
+      server certificate includes the name of the encrypted DNS server.
+      If this match fails, the client MUST ignore the resolver
+      information. As such, the URL should be treated only as
+      diagnostic information for IT staff. This is a mandatory
       attribute.

    New attributes can be defined as per the procedure defined in
    Section 7.2.
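Review bot: the new resinfourl check ("establishing a TLS connection to the domain name in the URL and checking if the subjectAltName entry in the server certificate includes the name of the encrypted DNS server") never says that this certificate must first pass ordinary TLS server validation for the URL host (trusted chain, validity period, name match against the URL's host); without that requirement the subjectAltName comparison establishes nothing, because an unvalidated certificate can list any name. Suggest wording along the lines of "The client MUST validate the server certificate as for any HTTPS connection and, in addition, check that its subjectAltName includes the name of the encrypted DNS server." Two smaller points in the same hunk: the sentence "As such, the URL should be treated only as diagnostic information for IT staff" does not follow from the preceding sentence about a failed match, so its rationale should be stated or the sentence moved; and since resinfourl is mandatory and a failed match makes the client ignore "the resolver information", the text should say plainly that the whole object (qnameminimization and extendeddnserror included) is discarded in that case, which appears to be the intent.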
    As specified in [RFC7493], the I-JSON object is encoded as UTF8.
    [RFC7493] explicitly allows the returned objects to be in any order.

    Figure 1 shows an example of resolver information.

       {
         "qnameminimization": true,
         "extendeddnserror": [
           15,
           16,
           17
         ],
-        "clientauth": false,
         "resinfourl": "https://resolver.example.com/guide",
-        "identityurl": "https://resolver.example.com/user-friendly-name"
       }

                Figure 1: An Example of Resolver Information
 6.  Security Considerations

    Unless a DNS request to retrieve the resolver information is
    encrypted (e.g., sent over DNS-over-TLS (DoT) [RFC7858] or DNS-over-
    HTTPS (DoH)) [RFC8484], the response is susceptible to forgery. The
    DNS resolver information can be retrieved after the encrypted
    connection is established to the DNS server or retrieved before the
    encrypted connection is established to the DNS server by using local
    DNSSEC validation.
@@ skipping to change at page 6, line 21 (-04) / page 6, line 7 (-05) @@

    Value Type:  The type of data to be used in the JSON object.

    Description:  Provides a description of the attribute

    Specification:  The reference specification for the registered
       element.

    The initial content of this registry is provided in Table 1.

-   +-------------------+---------+---------------------+---------------+
-   | Name              | Value   | Specification       | Specification |
-   |                   | Type    |                     |               |
-   +-------------------+---------+---------------------+---------------+
-   | qnameminimization | boolean | Indicates whether   | [RFCXXXX]     |
-   |                   |         | qnameminimization   |               |
-   |                   |         | is enabled or not   |               |
-   | extendeddnserror  | number  | Lists the set of    | [RFCXXXX]     |
-   |                   |         | extended DNS errors |               |
-   | clientauth        | boolean | Indicates whether   | [RFCXXXX]     |
-   |                   |         | client              |               |
-   |                   |         | authentication is   |               |
-   |                   |         | required or not     |               |
-   | resinfourl        | string  | Provides an         | [RFCXXXX]     |
-   |                   |         | unstructured        |               |
-   |                   |         | resolver            |               |
-   |                   |         | information that is |               |
-   |                   |         | used for            |               |
-   |                   |         | troubleshooting     |               |
-   | identityurl       | string  | Points to a human-  | [RFCXXXX]     |
-   |                   |         | friendly            |               |
-   |                   |         | description of the  |               |
-   |                   |         | resolver identity   |               |
-   |                   |         | to display to the   |               |
-   |                   |         | end-user            |               |
-   +-------------------+---------+---------------------+---------------+
+   +===================+=========+===================+===============+
+   | Name              | Value   | Specification     | Specification |
+   |                   | Type    |                   |               |
+   +===================+=========+===================+===============+
+   | qnameminimization | boolean | Indicates whether | [RFCXXXX]     |
+   |                   |         | qnameminimization |               |
+   |                   |         | is enabled or not |               |
+   +-------------------+---------+-------------------+---------------+
+   | extendeddnserror  | number  | Lists the set of  | [RFCXXXX]     |
+   |                   |         | extended DNS      |               |
+   |                   |         | errors            |               |
+   +-------------------+---------+-------------------+---------------+
+   | resinfourl        | string  | Provides an       | [RFCXXXX]     |
+   |                   |         | unstructured      |               |
+   |                   |         | resolver          |               |
+   |                   |         | information that  |               |
+   |                   |         | is used for       |               |
+   |                   |         | troubleshooting   |               |
+   +-------------------+---------+-------------------+---------------+

                     Table 1: Initial RESINFO Registry
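Review bot: the third column header reads "Specification" in both the old and the new table, while the registry field list just above names that field "Description"; the header should be corrected in the new table. In the same hunk, the Value Type of extendeddnserror is given as "number", but the attribute text in Section 5 says the parameter "lists the possible extended DNS error codes" and Figure 1 shows an array ([15, 16, 17]), so the registered type should be an array of numbers. The dropped clientauth and identityurl rows are consistent with their removal from Section 5 and Figure 1.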
 8.  Acknowledgments

    This specification leverages the work that has been documented in
    [I-D.pp-add-resinfo].

    Thanks to Tommy Jensen, Vittorio Bertola, Vinny Parla, Chris Box, Ben
-   Schwartz, Tony Finch, and Shashank Jain for the discussion and
-   comments.
+   Schwartz, Tony Finch, Daniel Kahn Gillmor, Eric Rescorla and Shashank
+   Jain for the discussion and comments.
 9.  References

 9.1.  Normative References

    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
               DOI 10.17487/RFC2119, March 1997,
               <https://www.rfc-editor.org/info/rfc2119>.

@@ skipping to change at page 8, line 9 (-04) / page 7, line 31 (-05) @@

    [RFC8914]  Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D.
               Lawrence, "Extended DNS Errors", RFC 8914,
               DOI 10.17487/RFC8914, October 2020,
               <https://www.rfc-editor.org/info/rfc8914>.

 9.2.  Informative References

    [I-D.ietf-add-ddr]
               Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T.
-              Jensen, "Discovery of Designated Resolvers", draft-ietf-
-              add-ddr-03 (work in progress), October 2021.
+              Jensen, "Discovery of Designated Resolvers", Work in
+              Progress, Internet-Draft, draft-ietf-add-ddr-06, 4 April
+              2022, <https://www.ietf.org/archive/id/draft-ietf-add-ddr-
+              06.txt>.

    [I-D.ietf-add-dnr]
               Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
               Jensen, "DHCP and Router Advertisement Options for the
-              Discovery of Network-designated Resolvers (DNR)", draft-
-              ietf-add-dnr-02 (work in progress), May 2021.
+              Discovery of Network-designated Resolvers (DNR)", Work in
+              Progress, Internet-Draft, draft-ietf-add-dnr-06, 22 March
+              2022, <https://www.ietf.org/archive/id/draft-ietf-add-dnr-
+              06.txt>.

    [I-D.pp-add-resinfo]
               Sood, P. and P. Hoffman, "DNS Resolver Information Self-
-              publication", draft-pp-add-resinfo-02 (work in progress),
-              June 2020.
+              publication", Work in Progress, Internet-Draft, draft-pp-
+              add-resinfo-02, 30 June 2020,
+              <https://www.ietf.org/archive/id/draft-pp-add-resinfo-
+              02.txt>.

    [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
               and P. Hoffman, "Specification for DNS over Transport
               Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
               2016, <https://www.rfc-editor.org/info/rfc7858>.

    [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
               Interchange Format", STD 90, RFC 8259,
               DOI 10.17487/RFC8259, December 2017,
               <https://www.rfc-editor.org/info/rfc8259>.

@@ skipping to change at page 9, line 4 (-04) / page 8, line 28 (-05) @@

    [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
               Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
               January 2019, <https://www.rfc-editor.org/info/rfc8499>.

    [RRTYPE]   IANA, "Resource Record (RR) TYPEs",
               <http://www.iana.org/assignments/dns-parameters/dns-
               parameters.xhtml#dns-parameters-4>.
 Authors' Addresses

    Tirumaleswar Reddy
    Akamai
    Embassy Golf Link Business Park
-   Bangalore, Karnataka 560071
+   Bangalore 560071
+   Karnataka
    India

    Email: kondtir@gmail.com

    Mohamed Boucadair
    Orange
-   Rennes 35000
+   35000 Rennes
    France

    Email: mohamed.boucadair@orange.com