| draft-schwartz-svcb-dns-02.txt | draft-schwartz-svcb-dns-03.txt |
|---|---|
| add B. Schwartz | add B. Schwartz |
| Internet-Draft Google LLC | Internet-Draft Google LLC |
| Intended status: Standards Track 17 February 2021 | Intended status: Standards Track 19 April 2021 |
| Expires: 21 August 2021 | Expires: 21 October 2021 |
| Service Binding Mapping for DNS Servers | Service Binding Mapping for DNS Servers |
| draft-schwartz-svcb-dns-02 | draft-schwartz-svcb-dns-03 |
| Abstract | Abstract |
| The SVCB DNS record type expresses a bound collection of endpoint | The SVCB DNS record type expresses a bound collection of endpoint |
| metadata, for use when establishing a connection to a named service. | metadata, for use when establishing a connection to a named service. |
| DNS itself can be such a service, when the server is identified by a | DNS itself can be such a service, when the server is identified by a |
| domain name. This document provides the SVCB mapping for named DNS | domain name. This document provides the SVCB mapping for named DNS |
| servers, allowing them to indicate support for new transport | servers, allowing them to indicate support for new transport |
| protocols. | protocols. |
| skipping to change at page 1, line 46 | skipping to change at page 1, line 46 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on 21 August 2021. | This Internet-Draft will expire on 21 October 2021. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ |
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. |
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights |
| skipping to change at page 2, line 25 | skipping to change at page 2, line 25 |
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text |
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are |
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. |
| Table of Contents | Table of Contents |
| 1. Introduction | 1. Introduction |
| 2. Conventions and Definitions | 2. Conventions and Definitions |
| 3. Name form | 3. Name form |
| 4. Applicable existing SvcParamKeys | 4. Applicable existing SvcParamKeys |
| 4.1. alpn and no-default-alpn | 4.1. alpn |
| 4.2. port | 4.2. port |
| 4.3. Other applicable SvcParamKeys | 4.3. Other applicable SvcParamKeys |
| 5. New SvcParamKeys | 5. New SvcParamKeys |
| 5.1. dohpath | 5.1. dohpath |
| 6. Limitations | 6. Limitations |
| 7. Relationship to DNS URIs | 7. Relationship to DNS URIs |
| 8. Examples | 8. Examples |
| 9. Security Considerations | 9. Security Considerations |
| 9.1. Adversary on the query path | 9.1. Adversary on the query path |
| 9.2. Adversary on the transport path | 9.2. Adversary on the transport path |
| 10. IANA Considerations | 10. IANA Considerations |
| 11. References | 11. References |
| 11.1. Normative References | 11.1. Normative References |
| 11.2. Informative References | 11.2. Informative References |
| Appendix A. Mapping Summary | Appendix A. Mapping Summary |
| Acknowledgments | Acknowledgments |
| Author's Address | Author's Address |
| 1. Introduction | 1. Introduction |
| The SVCB record type [SVCB] provides clients with information about | The SVCB record type [SVCB] provides clients with information about |
| skipping to change at page 3, line 27 | skipping to change at page 3, line 27 |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and |
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP |
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all |
| capitals, as shown here. | capitals, as shown here. |
| 3. Name form | 3. Name form |
| Names are formed using Port-Prefix Naming ([SVCB] Section 2.3). For | Names are formed using Port-Prefix Naming ([SVCB] Section 2.3). For |
| example, a DNS service identified by the name "dns1.example.com" and | example, a DNS service identified by the name "dns1.example.com" and |
| (unusually) the non-default port number 5353 would be represented as | (unusually) the non-default port number 5353 would be represented as |
| "_5353._dns.dns1.example.com.". | "_5353._dns.dns1.example.com.". A DNS service using the default port |
| | number of 53 would be represented as "_dns.dns1.example.com.". |
| 4. Applicable existing SvcParamKeys | 4. Applicable existing SvcParamKeys |
| 4.1. alpn and no-default-alpn | 4.1. alpn |
| These keys indicate the set of supported protocols ([SVCB] | This key indicates the set of supported protocols ([SVCB] |
| Section 6.1). The default protocol is "dot", indicating support for | Section 6.1). There is no default protocol, so the "no-default-alpn" |
| DNS over TLS [DOT]. | key does not apply, and the "alpn" key MUST be present. |
| If the protocol set contains any HTTP versions (e.g. "h2", "h3"), | If the protocol set contains any HTTP versions (e.g. "h2", "h3"), |
| then the record indicates support for DNS over HTTPS [DOH], and the | then the record indicates support for DNS over HTTPS [DOH], and the |
| "dohpath" key MUST be present (Section 5.1). All keys specified for | "dohpath" key MUST be present (Section 5.1). All keys specified for |
| use with the HTTPS record are also permissible, and apply to the | use with the HTTPS record are also permissible, and apply to the |
| resulting HTTP connection. | resulting HTTP connection. |
| If the protocol set contains protocols with different default ports, | If the protocol set contains protocols with different default ports, |
| and no port key is specified, then protocols are contacted separately | and no port key is specified, then protocols are contacted separately |
| on their default ports. Note that in this configuration, ALPN | on their default ports. Note that in this configuration, ALPN |
| negotiation does not defend against cross-protocol downgrade attacks. | negotiation does not defend against cross-protocol downgrade attacks. |
| These keys are automatically mandatory if present. (See Section 7 of | |
| [SVCB] for the definition of "automatically mandatory".) | |
| 4.2. port | 4.2. port |
| This key is used to indicate the target port for connection (([SVCB] | This key is used to indicate the target port for connection (([SVCB] |
| Section 6.2)). If omitted, the client SHALL use the default port for | Section 6.2)). If omitted, the client SHALL use the default port for |
| each transport protocol (853 for DNS over TLS, 443 for DNS over | each transport protocol (853 for DNS over TLS [DOT], 443 for DNS over |
| HTTPS). | HTTPS). |
| This key is automatically mandatory if present. | This key is automatically mandatory if present. (See Section 7 of |
| | [SVCB] for the definition of "automatically mandatory".) |
| 4.3. Other applicable SvcParamKeys | 4.3. Other applicable SvcParamKeys |
| These SvcParamKeys apply to the "dns" scheme without modification: | These SvcParamKeys apply to the "dns" scheme without modification: |
| * echconfig | * echconfig |
| * ipv4hint | * ipv4hint |
| * ipv6hint | * ipv6hint |
| skipping to change at page 5, line 15 | skipping to change at page 5, line 15 |
| 7. Relationship to DNS URIs | 7. Relationship to DNS URIs |
| The "dns:" URI scheme [DNSURI] describes a way to represent DNS | The "dns:" URI scheme [DNSURI] describes a way to represent DNS |
| queries as URIs. This scheme optionally includes an authority, | queries as URIs. This scheme optionally includes an authority, |
| comprised of a host and port number (with a default of 53). DNS URIs | comprised of a host and port number (with a default of 53). DNS URIs |
| normally omit the authority, or specify an IP address, but a hostname | normally omit the authority, or specify an IP address, but a hostname |
| is allowed, in which case it is suitable for use with this mapping. | is allowed, in which case it is suitable for use with this mapping. |
| 8. Examples | 8. Examples |
| | * A resolver at "simple.example" that supports DNS over TLS on port |
| | 853 (implicitly, as this is its default port): |
| | _dns.simple.example. 7200 IN SVCB 1 alpn=dot simple.example. |
| | * A resolver at "doh.example" that supports only DNS over HTTPS (DNS |
| | over TLS is disabled): _dns.doh.example. 7200 IN SVCB 1 |
| | doh.example. ( alpn=h2 dohpath=/dns-query{?dns} ) |
| * A resolver at "resolver.example" that supports | * A resolver at "resolver.example" that supports |
| - DNS over TLS on "resolver.example", port 853 and 8530, with | - DNS over TLS on "resolver.example" ports 853 (implicit in |
| | record 1) and 8530 (explicit in record 2), with |
| "resolver.example" as the Authentication Domain Name, | "resolver.example" as the Authentication Domain Name, |
| - DNS over HTTPS at "https://resolver.example/dns-query{?dns}", | - DNS over HTTPS at "https://resolver.example/dns-query{?dns}" |
| and | (record 1), and |
| - an experimental protocol on "fooexp.resolver.example:5353": | - an experimental protocol on "fooexp.resolver.example:5353" |
| | (record 3): |
| $ORIGIN example. | $ORIGIN resolver.example. |
| _dns.resolver 7200 IN SVCB 1 resolver ( | _dns 7200 IN SVCB 1 @ alpn=dot,h2,h3 dohpath=/dns-query{?dns} |
| alpn=h2,h3 echconfig=... dohpath=/dns-query{?dns} ) | SVCB 2 @ alpn=dot port=8530 |
| _dns.resolver 7200 IN SVCB 2 resolver ( | SVCB 3 fooexp port=5353 alpn=foo foo-info=... |
| port=8530 echconfig=... ) | |
| _dns.resolver 7200 IN SVCB 3 fooexp.resolver ( port=5353 | |
| echconfig=... alpn=foo no-default-alpn foo-info=... ) | |
| * A nameserver at "ns.example" whose service configuration is | * A nameserver at "ns.example" whose service configuration is |
| published on a different domain: | published on a different domain: |
| $ORIGIN example. | $ORIGIN example. |
| _dns.ns 7200 IN SVCB 0 _dns.ns.nic | _dns.ns 7200 IN SVCB 0 _dns.ns.nic |
| 9. Security Considerations | 9. Security Considerations |
| 9.1. Adversary on the query path | 9.1. Adversary on the query path |
| skipping to change at page 8, line 5 | skipping to change at page 8, line 9 |
| [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., | [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., |
| and D. Orchard, "URI Template", RFC 6570, | and D. Orchard, "URI Template", RFC 6570, |
| DOI 10.17487/RFC6570, March 2012, | DOI 10.17487/RFC6570, March 2012, |
| <https://www.rfc-editor.org/info/rfc6570>. | <https://www.rfc-editor.org/info/rfc6570>. |
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC |
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, |
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. |
| [SVCB] Schwartz, B. M., Bishop, M., and E. Nygren, "Service | [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding |
| binding and parameter specification via the DNS (DNS SVCB | and parameter specification via the DNS (DNS SVCB and |
| and HTTPS RRs)", Work in Progress, Internet-Draft, draft- | HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- |
| ietf-dnsop-svcb-https-02, 2 November 2020, | dnsop-svcb-https-02, 2 November 2020, |
| <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb- | <http://www.ietf.org/internet-drafts/draft-ietf-dnsop- |
| https-02.txt>. | svcb-https-02.txt>. |
| 11.2. Informative References | 11.2. Informative References |
| [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource | [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource |
| Records through "Underscored" Naming of Attribute Leaves", | Records through "Underscored" Naming of Attribute Leaves", |
| BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, | BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, |
| <https://www.rfc-editor.org/info/rfc8552>. | <https://www.rfc-editor.org/info/rfc8552>. |
| [DNSURI] Josefsson, S., "Domain Name System Uniform Resource | [DNSURI] Josefsson, S., "Domain Name System Uniform Resource |
| Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, | Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, |
| skipping to change at page 8, line 36 | skipping to change at page 9, line 13 |
| SVCB. | SVCB. |
| +=================+========================================+ | +=================+========================================+ |
| \| *Mapped scheme* \| "dns" \| | \| *Mapped scheme* \| "dns" \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| *RR type* \| SVCB (64) \| | \| *RR type* \| SVCB (64) \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| *Name prefix* \| "_dns" for port 53, else "_$PORT._dns" \| | \| *Name prefix* \| "_dns" for port 53, else "_$PORT._dns" \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| *Automatically \| "port", "no-default-alpn" \| | \| *Required keys* \| alpn \| |
| \| Mandatory Keys* \| \| | |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| *SvcParam \| "alpn": ["dot"] \| | \| *Automatically \| port \| |
| \| defaults* \| \| | \| Mandatory Keys* \| \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| *Special \| Supports all HTTPS RR SvcParamKeys \| | \| *Special \| Supports all HTTPS RR SvcParamKeys \| |
| \| behaviors* \| \| | \| behaviors* \| \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| \| Overrides the HTTPS RR for DoH \| | \| \| Overrides the HTTPS RR for DoH \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| \| Default port is per-transport \| | \| \| Default port is per-transport \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
| \| \| No encrypted -> cleartext fallback \| | \| \| No encrypted -> cleartext fallback \| |
| +-----------------+----------------------------------------+ | +-----------------+----------------------------------------+ |
End of changes. 19 change blocks: 37 lines changed or deleted in -02, 43 lines changed or added in -03.

This html diff was produced by rfcdiff 1.48.
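To make the -03 mapping rules concrete, here is an added Python example (not code from the draft or its author) that applies them to presentation-format SVCB records: Port-Prefix Naming (Section 3), the now-mandatory "alpn" key with "no-default-alpn" rejected (Section 4.1), the "dohpath" requirement for HTTP ALPNs (Section 5.1), per-transport default ports (Section 4.2), and the cross-protocol downgrade caveat for mixed default ports without a "port" key. Building the DoH URI template from the target and "dohpath" follows the Section 8 example; the zone-file shorthand handling ("@" and relative names) and the rejection of an ALPN with no known default port when "port" is absent are assumptions of this example, not rules stated in the draft.

```python
"""Added example, not the draft's own code: apply the "dns" scheme SVCB mapping
from draft-schwartz-svcb-dns-03 to presentation-format rdata strings."""

DEFAULT_PORT = {"dot": 853, "h2": 443, "h3": 443}  # Section 4.2 per-transport defaults
HTTP_ALPNS = {"h2", "h3"}                            # any HTTP version implies DoH


def svcb_query_name(host, port=53):
    """Section 3: "_dns.<host>." for port 53, otherwise "_<port>._dns.<host>."."""
    host = host.rstrip(".") + "."
    return f"_dns.{host}" if port == 53 else f"_{port}._dns.{host}"


def absolute(name, origin):
    """Zone-file shorthand (assumption): "@" is the origin, unqualified names are relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def dns_endpoints(rdata, origin="example."):
    """Parse "<priority> <target> [key=value ...]" and return what a client may contact.

    Returns {"alias": target} for AliasMode (priority 0), {"error": reason} for a
    record that violates the mapping, else {"endpoints": [...], "warnings": [...]}.
    """
    fields = rdata.split()
    priority, target = int(fields[0]), absolute(fields[1], origin)
    params = dict(kv.partition("=")[::2] for kv in fields[2:])  # flag keys get value ""
    if priority == 0:
        return {"alias": target}
    if "alpn" not in params:
        return {"error": "alpn key MUST be present (Section 4.1)"}
    if "no-default-alpn" in params:
        return {"error": "no-default-alpn does not apply: the dns scheme has no default ALPN"}
    alpns = params["alpn"].split(",")
    if HTTP_ALPNS & set(alpns) and "dohpath" not in params:
        return {"error": "dohpath MUST be present when alpn lists an HTTP version (Section 5.1)"}
    endpoints, warnings = [], []
    for alpn in alpns:
        port = int(params["port"]) if "port" in params else DEFAULT_PORT.get(alpn)
        if port is None:  # assumption: unknown transport with no port key is unusable
            return {"error": f"no known default port for alpn {alpn!r}; a port key is needed"}
        ep = {"alpn": alpn, "host": target, "port": port}
        if alpn in HTTP_ALPNS:  # DoH URI template: https://<target>[:port]<dohpath>
            authority = target.rstrip(".") + ("" if port == 443 else f":{port}")
            ep["doh_template"] = f"https://{authority}{params['dohpath']}"
        endpoints.append(ep)
    if "port" not in params and len({e["port"] for e in endpoints}) > 1:
        warnings.append("protocols are contacted separately on different default ports; "
                        "ALPN negotiation does not defend against cross-protocol downgrade")
    return {"endpoints": endpoints, "warnings": warnings}
```

Feeding it record 1 from the "resolver.example" example yields three endpoints (853 for dot, 443 for h2 and h3) plus the downgrade warning, while record 2 with an explicit port yields a single dot endpoint on 8530 and no warning.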