idnits 2.17.1

draft-boucadair-opsawg-add-encrypted-dns-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 6 instances of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 546 has weird spacing: '...Address ipv6...'

  == Line 547 has weird spacing: '...Address ipv4...'

  -- The document date (June 3, 2021) is 1029 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2131' is defined on line 610, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-16) exists of
     draft-ietf-add-dnr-00

  == Outdated reference: A later version (-12) exists of
     draft-ietf-dprive-dnsoquic-02

  -- Obsolete informational reference (is this intentional?): RFC 8499
     (Obsoleted by RFC 9499)

     Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    opsawg                                                      M. Boucadair
3    Internet-Draft                                                    Orange
4    Intended status: Standards Track                                T. Reddy
5    Expires: December 5, 2021                                         McAfee
6                                                                June 3, 2021

8                      RADIUS Extensions for Encrypted DNS
9                  draft-boucadair-opsawg-add-encrypted-dns-00

11   Abstract

13      This document specifies new Remote Authentication Dial-In User
14      Service (RADIUS) attributes that carry an authentication domain name,
15      a list of IP addresses, and a set of service parameters of encrypted
16      DNS resolvers.

18   Status of This Memo

20      This Internet-Draft is submitted in full conformance with the
21      provisions of BCP 78 and BCP 79.

23      Internet-Drafts are working documents of the Internet Engineering
24      Task Force (IETF).  Note that other groups may also distribute
25      working documents as Internet-Drafts.  The list of current Internet-
26      Drafts is at https://datatracker.ietf.org/drafts/current/.

28      Internet-Drafts are draft documents valid for a maximum of six months
29      and may be updated, replaced, or obsoleted by other documents at any
30      time.  It is inappropriate to use Internet-Drafts as reference
31      material or to cite them other than as "work in progress."

33      This Internet-Draft will expire on December 5, 2021.

35   Copyright Notice

37      Copyright (c) 2021 IETF Trust and the persons identified as the
38      document authors.  All rights reserved.

40      This document is subject to BCP 78 and the IETF Trust's Legal
41      Provisions Relating to IETF Documents
42      (https://trustee.ietf.org/license-info) in effect on the date of
43      publication of this document.  Please review these documents
44      carefully, as they describe your rights and restrictions with respect
45      to this document.  Code Components extracted from this document must
46      include Simplified BSD License text as described in Section 4.e of
47      the Trust Legal Provisions and are provided without warranty as
48      described in the Simplified BSD License.

50   Table of Contents

52      1.  Introduction
53      2.  Terminology
54      3.  Encrypted DNS RADIUS Attributes
55        3.1.  IPv6-Encrypted-DNS Attribute
56        3.2.  IPv4-Encrypted-DNS Attribute
57        3.3.  RADIUS TLVs for Encrypted DNS
58          3.3.1.  Encrypted-DNS-ADN TLV
59          3.3.2.  Encrypted-DNS-IPv6-Address TLV
60          3.3.3.  Encrypted-DNS-IPv4-Address TLV
61          3.3.4.  Encrypted-DNS-SvcParams TLV
62      4.  Security Considerations
63      5.  Table of Attributes
64      6.  IANA Considerations
65        6.1.  New RADIUS Attributes
66        6.2.  New RADIUS TLVs
67      7.  Acknowledgements
68      8.  References
69        8.1.  Normative References
70        8.2.  Informative References
71      Authors' Addresses

73   1.  Introduction

75      In the context of broadband services, ISPs traditionally provide DNS
76      resolvers to their customers.  To that aim, ISPs deploy dedicated
77      mechanisms to advertise a list of Recursive DNS server(s) to
78      their customers (e.g., DHCP, IPv6 Router Advertisement).  The
79      information used to populate DHCP messages and/or IPv6 Router
80      Advertisements relies upon specific Remote Authentication Dial-In
81      User Service (RADIUS) [RFC2865] attributes such as the DNS-Server-
82      IPv6-Address Attribute specified in [RFC6911].

84      With the advent of Encrypted DNS (e.g., DNS-over-HTTPS (DoH)
85      [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ)
86      [I-D.ietf-dprive-dnsoquic]), additional means are required to
87      provision hosts with network-designated Encrypted DNS.  To fill that
88      void, [I-D.ietf-add-dnr] leverages existing protocols such as DHCP
89      and IPv6 Router Advertisement to provide hosts with the required
90      information to connect to an Encrypted DNS server.  However, there
91      are no RADIUS attributes that can be used to populate the discovery
92      messages discussed in [I-D.ietf-add-dnr].

94      This document specifies two new RADIUS attributes: IPv6-Encrypted-DNS
95      (Section 3.1) and IPv4-Encrypted-DNS (Section 3.2) Attributes.  Note
96      that two attributes are specified in order to accommodate both IPv4
97      and IPv6 deployment contexts while taking into account the
98      constraints in Section 3.4 of [RFC6158].

100     Typical deployment scenarios are similar to those described, for
101     instance, in Section 2 of [RFC6911].  Some of these deployments may
102     rely upon the mechanisms defined in [RFC4014] or [RFC7037], which
103     allow a Network Access Server (NAS) to pass attributes obtained from
104     a RADIUS server to a DHCP server.  For illustration purposes,
105     Figure 1 shows an example where a Customer Premises Equipment (CPE)
106     is provided with an Encrypted DNS server.  This example assumes that
107     the NAS embeds both RADIUS client and DHCPv6 server capabilities.

109        +-------------+           +-------------+             +-------+
110        |     CPE     |           |     NAS     |             |  AAA  |
111        |DHCPv6 client|           |DHCPv6 server|             |Server |
112        +------+------+           +------+------+             +---+---+
113               |                         |                        |
114               o-----DHCPv6 Solicit----->|                        |
115               |                         o----Access-Request ---->|
116               |                         |                        |
117               |                         |<----Access-Accept------o
118               |                         |   IPv6-Encrypted-DNS   |
119               |<--DHCPv6 Advertisement--o                        |
120               |    (OPTION_V6_DNR)      |                        |
121               |                         |                        |
122               o-----DHCPv6 Request----->|                        |
123               |                         |                        |
124               |<------DHCPv6 Reply------o                        |
125               |    (OPTION_V6_DNR)      |                        |
126               |                         |                        |

128                         DHCPv6                    RADIUS

130               Figure 1: Example of RADIUS IPv6 Encrypted DNS

132     Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
133     a RADIUS Access-Request message to the AAA server.  Once the AAA
134     server receives the request, it replies with an Access-Accept message
135     (possibly after having sent a RADIUS Access-Challenge message and
136     assuming the CPE is entitled to connect to the network) that carries
137     a list of parameters to be used for this session, and which include
138     the Encrypted DNS information.  The content of the IPv6-Encrypted-DNS
139     Attribute is then used by the NAS to complete the DHCPv6 procedure
140     that the CPE initiated to retrieve information about the encrypted
141     DNS service to use.  The procedure defined in [I-D.ietf-add-dnr] is
142     thus followed between the DHCPv6 client and the DHCPv6 server.  The
143     same procedure is followed between the DHCPv6 client on endpoints
144     serviced by the CPE and the DHCPv6 server on CPE.

146     Upon change of any Encrypted DNS-related information (e.g., ADN,
147     IPv6 address), the RADIUS server sends a RADIUS CoA message [RFC5176]
148     that carries the RADIUS IPv6-Encrypted-DNS Attribute to the NAS.
149     Once that message is accepted by the NAS, it replies with a RADIUS
150     CoA ACK message.  The NAS replaces the old Encrypted DNS server
151     information with the new one and sends a DHCPv6 Reconfigure message
152     to cause the DHCPv6 client to initiate a Renew/Reply message exchange
153     with the DHCPv6 server.

155     Figure 2 shows another example where a CPE is provided with an
156     Encrypted DNS server, but the CPE uses DHCPv4 to retrieve its
157     encrypted DNS server.

159        +-------------+           +-------------+             +-------+
160        |     CPE     |           |     NAS     |             |  AAA  |
161        |DHCPv4 client|           |DHCPv4 server|             |Server |
162        +------+------+           +------+------+             +---+---+
163               |                         |                        |
164               o------DHCPDISCOVER------>|                        |
165               |                         o----Access-Request ---->|
166               |                         |                        |
167               |                         |<----Access-Accept------o
168               |                         |   IPv4-Encrypted-DNS   |
169               |<-----DHCPOFFER----------o                        |
170               |    (OPTION_V4_DNR)      |                        |
171               |                         |                        |
172               o-----DHCPREQUEST-------->|                        |
173               |    (OPTION_V4_DNR)      |                        |
174               |                         |                        |
175               |<-------DHCPACK----------o                        |
176               |    (OPTION_V4_DNR)      |                        |
177               |                         |                        |

179                         DHCPv4                    RADIUS

181               Figure 2: Example of RADIUS IPv4 Encrypted DNS

183     For the particular case of DoH [RFC8484], the attributes defined in
184     Section 3 can also be used for redirection purposes.  For example, a
185     DoH server may redirect DoH clients to other DoH servers (e.g., local
186     forwarders hosted by a CPE).  To that aim, when a DoH query is
187     received from a DoH client, the DoH server interacts with an AAA
188     server to check whether redirection should be enabled for this
189     client.  If such redirection is to be enabled, the AAA server returns
190     IPv4-Encrypted-DNS and/or IPv6-Encrypted-DNS Attributes that will be
191     used to populate the DoH redirection response that will then be sent
192     to the DoH client.  The DoH client may contact the DoH server using
193     the information supplied in the redirection response.

195      +-------+                   +-------+                    +-------+
196      |  DoH  |                   |  DoH  |                    |  AAA  |
197      |Client |                   |Server |                    |Server |
198      +---+---+                   +---+---+                    +---+---+
199          |                           |                            |
200          o---DoH Query-------------->|                            |
201          |                           o---Access-Request---------->|
202          |                           |<--Access-Accept------------o
203          |                           |   IPv4-Encrypted-DNS/      |
204          |<--------------------------o   IPv6-Encrypted-DNS       |
205          |  Redirect to (ADN,        |                            |
206          |        IP addresses,      |                            |
207          |        service parameters)|                            |
208          |                           |                            |

210                    Figure 3: Example of DoH Redirection

212     Other deployment scenarios can be envisaged; however, it is out of
213     the scope of this document to provide a comprehensive list of those
214     deployments.

216     This document adheres to [RFC8044] for defining the new attributes.

218  2.  Terminology

220     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
221     "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
222     "OPTIONAL" in this document are to be interpreted as described in BCP
223     14 [RFC2119][RFC8174] when, and only when, they appear in all
224     capitals, as shown here.

226     This document makes use of the terms defined in [RFC8499].  The
227     following additional terms are used:

229     Encrypted DNS:  refers to a scheme where DNS exchanges are
230        transported over an encrypted channel.  Examples of encrypted DNS
231        are DNS-over-TLS (DoT) [RFC7858], DNS-over-HTTPS (DoH) [RFC8484],
232        or DNS-over-QUIC (DoQ) [I-D.ietf-dprive-dnsoquic].

234  3.  Encrypted DNS RADIUS Attributes

236     Both IPv6-Encrypted-DNS and IPv4-Encrypted-DNS have the same format
237     shown in Figure 4.  The description of the fields is provided in
238     Sections 3.1 and 3.2.

240     These attributes and their embedded TLVs (Section 3.3) are defined
241     with globally unique names and follow the guidelines in Section 2.7.1
242     of [RFC6929].

244      0                   1                   2                   3
245      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
246     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
247     |     Type      |    Length     | Extended-Type |     Value ...
248     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

250         Figure 4: Format of IPv6-Encrypted-DNS and IPv4-Encrypted-DNS
251                                  Attributes

253  3.1.  IPv6-Encrypted-DNS Attribute

255     This attribute is of type "tlv" as defined in Section 2.3 of
256     [RFC6929].

258     The IPv6-Encrypted-DNS Attribute includes the authentication domain
259     name, a list of IPv6 addresses, and a set of service parameters of an
260     encrypted DNS resolver.

262     Because multiple IPv6-Encrypted-DNS Attributes may be provisioned to
263     a requesting host, multiple instances of the IPv6-Encrypted-DNS
264     attribute MAY be included; each instance of the attribute carries a
265     distinct Encrypted DNS server.

267     The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
268     packet.  It MAY also appear in a RADIUS Access-Request packet as a
269     hint to the RADIUS server to indicate a preference.  However, the
270     server is not required to honor such a preference.

272     The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
273     packet.

275     The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-
276     Request packet.

278     The IPv6-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
279     packet.

281     The IPv6-Encrypted-DNS Attribute is structured as follows:

283     Type

285        241

287     Length

289        This field indicates the total length, in octets, of all fields of
290        this attribute, including the Type, Length, Extended-Type, and the
291        entire length of the embedded TLVs.

293     Extended-Type

295        TBA1 (see Section 6.1).

297     Value

299        This field contains a set of TLVs as follows:

301        Encrypted-DNS-ADN TLV:  The IPv6-Encrypted-DNS Attribute MUST
302           include exactly one instance of Encrypted-DNS-ADN TLV
303           (Section 3.3.1).

305        Encrypted-DNS-IPv6-Address TLV:  The IPv6-Encrypted-DNS Attribute
306           MUST include one or multiple instances of Encrypted-DNS-
307           IPv6-Address TLV (Section 3.3.2).

309        Encrypted-DNS-SvcParams TLV:  The IPv6-Encrypted-DNS Attribute
310           SHOULD include one instance of Encrypted-DNS-SvcParams TLV
311           (Section 3.3.4).

313     The IPv6-Encrypted-DNS Attribute is associated with the following
314     identifier: 241.TBA1.

316  3.2.  IPv4-Encrypted-DNS Attribute

318     This attribute is of type "tlv" as defined in Section 2.3 of
319     [RFC6929].

321     The IPv4-Encrypted-DNS Attribute includes the authentication domain
322     name, a list of IPv4 addresses, and a set of service parameters of an
323     encrypted DNS resolver.

325     Because multiple IPv4-Encrypted-DNS attributes may be provisioned to
326     a requesting host, multiple instances of the IPv4-Encrypted-DNS
327     attribute MAY be included; each instance of the attribute carries a
328     distinct Encrypted DNS server.

330     The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
331     packet.  It MAY also appear in a RADIUS Access-Request packet as a
332     hint to the RADIUS server to indicate a preference.  However, the
333     server is not required to honor such a preference.

335     The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
336     packet.

338     The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-
339     Request packet.

341     The IPv4-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
342     packet.

344     The IPv4-Encrypted-DNS Attribute is structured as follows:

346     Type

348        241

350     Length

352        This field indicates the total length, in octets, of all fields of
353        this attribute, including the Type, Length, Extended-Type, and the
354        entire length of the embedded TLVs.

356     Extended-Type

358        TBA2 (see Section 6.1).

360     Value

362        This field contains a set of TLVs as follows:

364        Encrypted-DNS-ADN TLV:  The IPv4-Encrypted-DNS Attribute MUST
365           include exactly one instance of Encrypted-DNS-ADN TLV
366           (Section 3.3.1).

368        Encrypted-DNS-IPv4-Address TLV:  The IPv4-Encrypted-DNS Attribute
369           MUST include one or multiple instances of Encrypted-DNS-
370           IPv4-Address TLV (Section 3.3.3).

372        Encrypted-DNS-SvcParams TLV:  The IPv4-Encrypted-DNS Attribute
373           SHOULD include one instance of Encrypted-DNS-SvcParams TLV
374           (Section 3.3.4).

376     The IPv4-Encrypted-DNS Attribute is associated with the following
377     identifier: 241.TBA2.

379  3.3.  RADIUS TLVs for Encrypted DNS

381     The TLVs defined in the following subsections use the format defined
382     in [RFC6929].  These TLVs have the same name and number when
383     encapsulated in any of the parent attributes defined in Sections 3.1
384     and 3.2.

386     The encoding of the "Value" field of these TLVs follows the
387     recommendation of [RFC6158].

389  3.3.1.  Encrypted-DNS-ADN TLV

391     TLV-Type

393        TBA3 (see Section 6.2).

395     TLV-Length

397        Length of included ADN + 2 octets.

399     Data Type

401        The Encrypted-DNS-ADN TLV is of type text (Section 3.4 of
402        [RFC8044]).

404     TLV-Value

406        This field includes a fully qualified domain name of the Encrypted
407        DNS server.  This field is formatted as specified in Section 10 of
408        [RFC8415].

410     This TLV is identified as 241.TBA1.TBA3 when included in the IPv6-
411     Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA3 when
412     included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

414  3.3.2.  Encrypted-DNS-IPv6-Address TLV

416     TLV-Type

418        TBA4 (see Section 6.2).

420     TLV-Length

422        18

424     Data Type

426        The Encrypted-DNS-IPv6-Address TLV is of type ip6addr (Section 3.9
427        of [RFC8044]).

429     TLV-Value

431        This field includes an IPv6 address (128 bits) of the Encrypted
432        DNS server.

434        The Encrypted-DNS-IPv6-Address attribute MUST NOT include
435        multicast and host loopback addresses [RFC6890].

437     This TLV is identified as 241.TBA1.TBA4 as part of the IPv6-
438     Encrypted-DNS Attribute (Section 3.1).

440  3.3.3.  Encrypted-DNS-IPv4-Address TLV

442     TLV-Type

444        TBA5 (see Section 6.2).

446     TLV-Length

448        6

450     Data Type

452        The Encrypted-DNS-IPv4-Address TLV is of type ip4addr (Section 3.8
453        of [RFC8044]).

455     TLV-Value

457        This field includes an IPv4 address (32 bits) of the Encrypted DNS
458        server.

460        The Encrypted-DNS-IPv4-Address attribute MUST NOT include
461        multicast and host loopback addresses.

463     This TLV is identified as 241.TBA1.TBA5 as part of the IPv4-
464     Encrypted-DNS Attribute (Section 3.2).

466  3.3.4.  Encrypted-DNS-SvcParams TLV

468     TLV-Type

470        TBA6 (see Section 6.2).

472     TLV-Length

474        Length of included service parameters + 2 octets.

476     Data Type

478        The Encrypted-DNS-SvcParams TLV is of type text (Section 3.4 of
479        [RFC8044]).

481     TLV-Value

483        Specifies a set of service parameters that are encoded following
484        the rules in [I-D.ietf-add-dnr].  Service parameters may include,
485        for example, a list of ALPN protocol identifiers or alternate port
486        numbers.

488        The service parameters MUST NOT include "ipv4hint" or "ipv6hint"
489        SvcParams as they are superseded by the included IP addresses.

491     This TLV is identified as 241.TBA1.TBA6 when included in the IPv6-
492     Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA6 when
493     included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

495  4.  Security Considerations

497     RADIUS-related security considerations are discussed in [RFC2865].

499     Security considerations (including traffic theft) are discussed in
500     [I-D.ietf-add-dnr].

502  5.  Table of Attributes

504     The following table provides a guide as to what type of RADIUS
505     packets may contain these attributes, and in what quantity.

507     Access-  Access-  Access-  Challenge  Acct.    #     Attribute
508     Request  Accept   Reject              Request
509      0+       0+       0        0          0+      TBA1  IPv6-Encrypted-DNS
510      0+       0+       0        0          0+      TBA2  IPv4-Encrypted-DNS

512     CoA-Request  CoA-ACK  CoA-NACK  #     Attribute
513      0+           0        0        TBA1  IPv6-Encrypted-DNS
514      0+           0        0        TBA1  IPv4-Encrypted-DNS

516     The following table defines the meaning of the above table entries:

518     0   This attribute MUST NOT be present in packet.
519     0+  Zero or more instances of this attribute MAY be present in packet.

521  6.  IANA Considerations

523  6.1.  New RADIUS Attributes

525     IANA is requested to assign two new RADIUS attribute types from the
526     IANA registry "Radius Attribute Types" located at
527     http://www.iana.org/assignments/radius-types:

529        IPv6-Encrypted-DNS (241.TBA1)

531        IPv4-Encrypted-DNS (241.TBA2)

532        Type      Description         Data Type  Reference
533        --------  ------------------  ---------  -------------
534        241.TBA1  IPv6-Encrypted-DNS  tlv        This-Document
535        241.TBA2  IPv4-Encrypted-DNS  tlv        This-Document

537  6.2.  New RADIUS TLVs

539     IANA is requested to create a new registry called "RADIUS Encrypted
540     DNS TLVs".  The registry is initially populated as follows:

542        Value  Description                 Data Type  Reference
543        -----  --------------------------  ---------  -------------
544        0      Reserved
545        1      Encrypted-DNS-ADN           text       Section 3.3.1
546        2      Encrypted-DNS-IPv6-Address  ipv6addr   Section 3.3.2
547        3      Encrypted-DNS-IPv4-Address  ipv4addr   Section 3.3.3
548        4      Encrypted-DNS-SvcParams     text       Section 3.3.4
549        5-255  Unassigned

551  7.  Acknowledgements

553     Thanks to Christian Jacquenet for the review.

555  8.  References

557  8.1.  Normative References

559     [I-D.ietf-add-dnr]
560                Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
561                Jensen, "DHCP and Router Advertisement Options for the
562                Discovery of Network-designated Resolvers (DNR)", draft-
563                ietf-add-dnr-00 (work in progress), February 2021.

565     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
566                Requirement Levels", BCP 14, RFC 2119,
567                DOI 10.17487/RFC2119, March 1997.

570     [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
571                "Remote Authentication Dial In User Service (RADIUS)",
572                RFC 2865, DOI 10.17487/RFC2865, June 2000.

575     [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
576                BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

579     [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
580                "Special-Purpose IP Address Registries", BCP 153,
581                RFC 6890, DOI 10.17487/RFC6890, April 2013.

584     [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
585                Service (RADIUS) Protocol Extensions", RFC 6929,
586                DOI 10.17487/RFC6929, April 2013.

589     [RFC8044]  DeKok, A., "Data Types in RADIUS", RFC 8044,
590                DOI 10.17487/RFC8044, January 2017.

593     [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
594                2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
595                May 2017.

597     [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
598                Richardson, M., Jiang, S., Lemon, T., and T. Winters,
599                "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
600                RFC 8415, DOI 10.17487/RFC8415, November 2018.

603  8.2.  Informative References

605     [I-D.ietf-dprive-dnsoquic]
606                Huitema, C., Mankin, A., and S. Dickinson, "Specification
607                of DNS over Dedicated QUIC Connections", draft-ietf-
608                dprive-dnsoquic-02 (work in progress), February 2021.

610     [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
611                RFC 2131, DOI 10.17487/RFC2131, March 1997.

614     [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication Dial-
615                In User Service (RADIUS) Attributes Suboption for the
616                Dynamic Host Configuration Protocol (DHCP) Relay Agent
617                Information Option", RFC 4014, DOI 10.17487/RFC4014,
618                February 2005.

620     [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
621                Aboba, "Dynamic Authorization Extensions to Remote
622                Authentication Dial In User Service (RADIUS)", RFC 5176,
623                DOI 10.17487/RFC5176, January 2008.

626     [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
627                B. Lourdelet, "RADIUS Attributes for IPv6 Access
628                Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.

631     [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
632                Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
633                2013.

635     [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
636                and P. Hoffman, "Specification for DNS over Transport
637                Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
638                2016.

640     [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
641                (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018.

644     [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
645                Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
646                January 2019.

648  Authors' Addresses

650     Mohamed Boucadair
651     Orange
652     Rennes  35000
653     France

655     Email: mohamed.boucadair@orange.com

657     Tirumaleswar Reddy
658     McAfee, Inc.
659     Embassy Golf Link Business Park
660     Bangalore, Karnataka  560071
661     India

663     Email: kondtir@gmail.com
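
Added example, not part of the draft or its authors' code: a Python encoder and strict validator for the attribute layout of Section 3, as a NAS could run it before copying the values into DNR options. It assumes 0xF1/0xF2 as stand-ins for the unassigned Extended-Type values TBA1/TBA2, an ADN carried as DNS wire-format labels (per the reference to Section 10 of RFC 8415), and SvcParams carried as space-separated key=value text; TLV types 1 to 4 follow the initial registry contents in Section 6.2.

```python
import ipaddress

EXT_ATTR_TYPE = 241              # "Type" value given in Sections 3.1 and 3.2
EXT_V6, EXT_V4 = 0xF1, 0xF2      # ASSUMED placeholders for unassigned TBA1/TBA2
TLV_ADN, TLV_IP6, TLV_IP4, TLV_SVC = 1, 2, 3, 4   # initial values, Section 6.2
ADDR_TLV = {EXT_V6: (TLV_IP6, 16), EXT_V4: (TLV_IP4, 4)}

def encode_adn(name):            # FQDN -> length-prefixed labels + root label
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 1 <= len(l) <= 63 for l in labels):
        raise ValueError("ADN: bad label length")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_adn(raw):
    labels, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0:                       # root label must be last and not alone
            if i != len(raw) - 1 or not labels:
                raise ValueError("ADN: misplaced root label")
            return ".".join(labels) + "."
        if n > 63 or i + 1 + n > len(raw):   # also rejects compression pointers
            raise ValueError("ADN: bad label")
        labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    raise ValueError("ADN: missing root label")

def tlv(tlv_type, value):
    return bytes([tlv_type, len(value) + 2]) + value   # TLV-Length includes header

def build(ext_type, adn, addrs, svcparams=None):
    value = tlv(TLV_ADN, encode_adn(adn))
    for a in addrs:
        value += tlv(ADDR_TLV[ext_type][0], ipaddress.ip_address(a).packed)
    if svcparams:
        value += tlv(TLV_SVC, svcparams.encode("ascii"))
    if len(value) + 3 > 255:
        raise ValueError("attribute exceeds the one-octet Length field")
    return bytes([EXT_ATTR_TYPE, len(value) + 3, ext_type]) + value

def parse(attr):
    """Validate one received attribute; raise ValueError on any violation."""
    if (len(attr) < 3 or attr[0] != EXT_ATTR_TYPE or attr[1] != len(attr)
            or attr[2] not in ADDR_TLV):
        raise ValueError("bad Type, Length or Extended-Type")
    addr_type, addr_len = ADDR_TLV[attr[2]]
    adn, addrs, svc, i = [], [], [], 3
    while i < len(attr):
        if i + 2 > len(attr) or attr[i + 1] < 2 or i + attr[i + 1] > len(attr):
            raise ValueError("TLV-Length inconsistent with attribute Length")
        t, v = attr[i], attr[i + 2:i + attr[i + 1]]
        i += attr[i + 1]
        if t == TLV_ADN:
            adn.append(decode_adn(v))
        elif t == addr_type:
            if len(v) != addr_len:       # TLV-Length must be 18 (IPv6) or 6 (IPv4)
                raise ValueError("address TLV has wrong length")
            ip = ipaddress.ip_address(v)
            if ip.is_multicast or ip.is_loopback:
                raise ValueError("multicast or loopback resolver address")
            addrs.append(str(ip))
        elif t == TLV_SVC:
            svc.append(v.decode("ascii"))
        else:                            # strict choice made by this example
            raise ValueError(f"unexpected TLV type {t}")
    if len(adn) != 1 or not addrs or len(svc) > 1:
        raise ValueError("TLV cardinality violates Section 3.1/3.2")
    keys = {p.split("=", 1)[0] for p in svc[0].split()} if svc else set()
    if keys & {"ipv4hint", "ipv6hint"}:  # ASSUMED space-separated key=value text
        raise ValueError("SvcParams carries an address hint")
    return {"adn": adn[0], "addresses": addrs, "svcparams": (svc or [None])[0]}

# Constructed sample: example domain and documentation address space.
SAMPLE = build(EXT_V6, "doh.example.net", ["2001:db8::53"], "alpn=h2 port=443")
```

Rejecting the whole attribute on any violation keeps a malformed or tampered Access-Accept from steering clients to an unintended resolver address.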