idnits 2.17.1

draft-boucadair-opsawg-add-encrypted-dns-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 6 instances of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 528 has weird spacing: '...Address ipv6...'

  == Line 529 has weird spacing: '...Address ipv4...'

  -- The document date (June 8, 2021) is 1053 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2131' is defined on line 593, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-16) exists of draft-ietf-add-dnr-00

  == Outdated reference: A later version (-12) exists of
     draft-ietf-dprive-dnsoquic-02

  -- Obsolete informational reference (is this intentional?): RFC 8499
     (Obsoleted by RFC 9499)

     Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

opsawg                                                      M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                                T. Reddy
Expires: December 10, 2021                                        McAfee
                                                            June 8, 2021

                  RADIUS Extensions for Encrypted DNS
              draft-boucadair-opsawg-add-encrypted-dns-01

Abstract

This document specifies new Remote Authentication Dial-In User Service
(RADIUS) attributes that carry an authentication domain name, a list of
IP addresses, and a set of service parameters of encrypted DNS
resolvers.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions
of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF).  Note that other groups may also distribute working
documents as Internet-Drafts.  The list of current Internet-Drafts is at
https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

This Internet-Draft will expire on December 10, 2021.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document
authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions
Relating to IETF Documents (https://trustee.ietf.org/license-info) in
effect on the date of publication of this document.  Please review these
documents carefully, as they describe your rights and restrictions with
respect to this document.  Code Components extracted from this document
must include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Encrypted DNS RADIUS Attributes
     3.1.  IPv6-Encrypted-DNS Attribute
     3.2.  IPv4-Encrypted-DNS Attribute
     3.3.  RADIUS TLVs for Encrypted DNS
       3.3.1.  Encrypted-DNS-ADN TLV
       3.3.2.  Encrypted-DNS-IPv6-Address TLV
       3.3.3.  Encrypted-DNS-IPv4-Address TLV
       3.3.4.  Encrypted-DNS-SvcParams TLV
   4.  Security Considerations
   5.  Table of Attributes
   6.  IANA Considerations
     6.1.  New RADIUS Attributes
     6.2.  New RADIUS TLVs
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Other Usages of the Attributes
   Authors' Addresses

1.  Introduction

In the context of broadband services, ISPs traditionally provide DNS
resolvers to their customers.  To that aim, ISPs deploy dedicated
mechanisms to advertise a list of recursive DNS server(s) to their
customers (e.g., DHCP, IPv6 Router Advertisement).  The information used
to populate DHCP messages and/or IPv6 Router Advertisements relies upon
specific Remote Authentication Dial-In User Service (RADIUS) [RFC2865]
attributes such as the DNS-Server-IPv6-Address Attribute specified in
[RFC6911].
With the advent of Encrypted DNS (e.g., DNS-over-HTTPS (DoH) [RFC8484],
DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ)
[I-D.ietf-dprive-dnsoquic]), additional means are required to provision
hosts with network-designated Encrypted DNS.  To fill that void,
[I-D.ietf-add-dnr] leverages existing protocols such as DHCP and IPv6
Router Advertisement to provide hosts with the required information to
connect to an Encrypted DNS server.  However, there are no RADIUS
attributes that can be used to populate the discovery messages discussed
in [I-D.ietf-add-dnr].

This document specifies two new RADIUS attributes: the IPv6-Encrypted-DNS
(Section 3.1) and IPv4-Encrypted-DNS (Section 3.2) Attributes.  Note
that two attributes are specified in order to accommodate both IPv4 and
IPv6 deployment contexts while taking into account the constraints in
Section 3.4 of [RFC6158].

Typical deployment scenarios are similar to those described, for
instance, in Section 2 of [RFC6911].  Some of these deployments may rely
upon the mechanisms defined in [RFC4014] or [RFC7037], which allow a
Network Access Server (NAS) to pass attributes obtained from a RADIUS
server to a DHCP server.  For illustration purposes, Figure 1 shows an
example where a Customer Premises Equipment (CPE) is provided with an
Encrypted DNS server.  This example assumes that the NAS embeds both
RADIUS client and DHCPv6 server capabilities.
  +-------------+           +-------------+             +-------+
  |     CPE     |           |     NAS     |             |  AAA  |
  |DHCPv6 client|           |DHCPv6 server|             |Server |
  +------+------+           +------+------+             +---+---+
         |                         |                        |
         o-----DHCPv6 Solicit----->|                        |
         |                         o----Access-Request ---->|
         |                         |                        |
         |                         |<----Access-Accept------o
         |                         |   IPv6-Encrypted-DNS   |
         |<--DHCPv6 Advertisement--o                        |
         |     (OPTION_V6_DNR)     |                        |
         |                         |                        |
         o-----DHCPv6 Request----->|                        |
         |                         |                        |
         |<------DHCPv6 Reply------o                        |
         |     (OPTION_V6_DNR)     |                        |
         |                         |                        |

                   DHCPv6                    RADIUS

             Figure 1: Example of RADIUS IPv6 Encrypted DNS

Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends a
RADIUS Access-Request message to the AAA server.  Once the AAA server
receives the request, it replies with an Access-Accept message (possibly
after having sent a RADIUS Access-Challenge message and assuming the CPE
is entitled to connect to the network) that carries a list of parameters
to be used for this session, including the Encrypted DNS information.
The content of the IPv6-Encrypted-DNS Attribute is then used by the NAS
to complete the DHCPv6 procedure that the CPE initiated to retrieve
information about the encrypted DNS service to use.  The procedure
defined in [I-D.ietf-add-dnr] is thus followed between the DHCPv6 client
and the DHCPv6 server.  The same procedure is followed between the
DHCPv6 client on endpoints serviced by the CPE and the DHCPv6 server on
the CPE.

Upon change of any Encrypted DNS-related information (e.g., ADN, IPv6
address), the RADIUS server sends a RADIUS CoA message [RFC5176] that
carries the RADIUS IPv6-Encrypted-DNS Attribute to the NAS.  Once that
message is accepted by the NAS, it replies with a RADIUS CoA ACK
message.
The NAS replaces the old Encrypted DNS server information with the new
one and sends a DHCPv6 Reconfigure message to cause the DHCPv6 client to
initiate a Renew/Reply message exchange with the DHCPv6 server.

Figure 2 shows another example where a CPE is provided with an Encrypted
DNS server, but the CPE uses DHCPv4 to retrieve its encrypted DNS
server.

  +-------------+           +-------------+             +-------+
  |     CPE     |           |     NAS     |             |  AAA  |
  |DHCPv4 client|           |DHCPv4 server|             |Server |
  +------+------+           +------+------+             +---+---+
         |                         |                        |
         o------DHCPDISCOVER------>|                        |
         |                         o----Access-Request ---->|
         |                         |                        |
         |                         |<----Access-Accept------o
         |                         |   IPv4-Encrypted-DNS   |
         |<-----DHCPOFFER----------o                        |
         |     (OPTION_V4_DNR)     |                        |
         |                         |                        |
         o-----DHCPREQUEST-------->|                        |
         |     (OPTION_V4_DNR)     |                        |
         |                         |                        |
         |<-------DHCPACK----------o                        |
         |     (OPTION_V4_DNR)     |                        |
         |                         |                        |

                   DHCPv4                    RADIUS

             Figure 2: Example of RADIUS IPv4 Encrypted DNS

Other deployment scenarios can be envisaged (e.g., Appendix A); however,
it is out of the scope of this document to provide a comprehensive list
of those deployments.

This document adheres to [RFC8044] for defining the new attributes.

2.  Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
[RFC2119][RFC8174] when, and only when, they appear in all capitals, as
shown here.

This document makes use of the terms defined in [RFC8499].  The
following additional terms are used:

Encrypted DNS:  refers to a scheme where DNS exchanges are transported
   over an encrypted channel.  Examples of encrypted DNS are
   DNS-over-TLS (DoT) [RFC7858], DNS-over-HTTPS (DoH) [RFC8484], or
   DNS-over-QUIC (DoQ) [I-D.ietf-dprive-dnsoquic].
*-Encrypted-DNS:  refers to the IPv6-Encrypted-DNS and IPv4-Encrypted-DNS
   Attributes.

Encrypted-DNS-*:  refers to any of these attributes: Encrypted-DNS-ADN,
   Encrypted-DNS-IPv6-Address, Encrypted-DNS-IPv4-Address, and
   Encrypted-DNS-SvcParams.

3.  Encrypted DNS RADIUS Attributes

Both IPv6-Encrypted-DNS and IPv4-Encrypted-DNS have the same format,
shown in Figure 3.  The description of the fields is provided in
Sections 3.1 and 3.2.

These attributes and their embedded TLVs (Section 3.3) are defined with
globally unique names and follow the guidelines in Section 2.7.1 of
[RFC6929].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Figure 3: Format of IPv6-Encrypted-DNS and IPv4-Encrypted-DNS
                               Attributes

The Value field of the *-Encrypted-DNS and Encrypted-DNS-* Attributes is
encoded in the clear; it is not encrypted as is, for example, the
Tunnel-Password Attribute [RFC2868].

3.1.  IPv6-Encrypted-DNS Attribute

This attribute is of type "tlv" as defined in Section 2.3 of [RFC6929].

The IPv6-Encrypted-DNS Attribute includes the authentication domain
name, a list of IPv6 addresses, and a set of service parameters of an
encrypted DNS resolver [I-D.ietf-add-dnr].

Because multiple IPv6-Encrypted-DNS Attributes may be provisioned to a
requesting host, multiple instances of the IPv6-Encrypted-DNS Attribute
MAY be included; each instance of the attribute carries a distinct
Encrypted DNS server.

The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
packet.  It MAY also appear in a RADIUS Access-Request packet as a hint
to the RADIUS server to indicate a preference.  However, the server is
not required to honor such a preference.
The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
packet.

The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS
Accounting-Request packet.

The IPv6-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
packet.

The IPv6-Encrypted-DNS Attribute is structured as follows:

Type

   241

Length

   This field indicates the total length, in octets, of all fields of
   this attribute, including the Type, Length, Extended-Type, and the
   entire length of the embedded TLVs.

Extended-Type

   TBA1 (see Section 6.1).

Value

   This field contains a set of TLVs as follows:

   Encrypted-DNS-ADN TLV:  The IPv6-Encrypted-DNS Attribute MUST include
      exactly one instance of the Encrypted-DNS-ADN TLV (Section 3.3.1).

   Encrypted-DNS-IPv6-Address TLV:  The IPv6-Encrypted-DNS Attribute
      MUST include one or multiple instances of the
      Encrypted-DNS-IPv6-Address TLV (Section 3.3.2).

   Encrypted-DNS-SvcParams TLV:  The IPv6-Encrypted-DNS Attribute SHOULD
      include one instance of the Encrypted-DNS-SvcParams TLV
      (Section 3.3.4).

The IPv6-Encrypted-DNS Attribute is associated with the following
identifier: 241.TBA1.

3.2.  IPv4-Encrypted-DNS Attribute

This attribute is of type "tlv" as defined in Section 2.3 of [RFC6929].

The IPv4-Encrypted-DNS Attribute includes the authentication domain
name, a list of IPv4 addresses, and a set of service parameters of an
encrypted DNS resolver [I-D.ietf-add-dnr].

Because multiple IPv4-Encrypted-DNS Attributes may be provisioned to a
requesting host, multiple instances of the IPv4-Encrypted-DNS Attribute
MAY be included; each instance of the attribute carries a distinct
Encrypted DNS server.

The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
packet.  It MAY also appear in a RADIUS Access-Request packet as a hint
to the RADIUS server to indicate a preference.
However, the server is not required to honor such a preference.

The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
packet.

The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS
Accounting-Request packet.

The IPv4-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
packet.

The IPv4-Encrypted-DNS Attribute is structured as follows:

Type

   241

Length

   This field indicates the total length, in octets, of all fields of
   this attribute, including the Type, Length, Extended-Type, and the
   entire length of the embedded TLVs.

Extended-Type

   TBA2 (see Section 6.1).

Value

   This field contains a set of TLVs as follows:

   Encrypted-DNS-ADN TLV:  The IPv4-Encrypted-DNS Attribute MUST include
      exactly one instance of the Encrypted-DNS-ADN TLV (Section 3.3.1).

   Encrypted-DNS-IPv4-Address TLV:  The IPv4-Encrypted-DNS Attribute
      MUST include one or multiple instances of the
      Encrypted-DNS-IPv4-Address TLV (Section 3.3.3).

   Encrypted-DNS-SvcParams TLV:  The IPv4-Encrypted-DNS Attribute SHOULD
      include one instance of the Encrypted-DNS-SvcParams TLV
      (Section 3.3.4).

The IPv4-Encrypted-DNS Attribute is associated with the following
identifier: 241.TBA2.

3.3.  RADIUS TLVs for Encrypted DNS

The TLVs defined in the following subsections use the format defined in
[RFC6929].  These TLVs have the same name and number when encapsulated
in any of the parent attributes defined in Sections 3.1 and 3.2.

The encoding of the "Value" field of these TLVs follows the
recommendation of [RFC6158].

3.3.1.  Encrypted-DNS-ADN TLV

TLV-Type

   TBA3 (see Section 6.2).

TLV-Length

   Length of included ADN + 2 octets.

Data Type

   The Encrypted-DNS-ADN TLV is of type text (Section 3.4 of [RFC8044]).

TLV-Value

   This field includes a fully qualified domain name of the Encrypted
   DNS server.
   This field is formatted as specified in Section 10 of [RFC8415].

This TLV is identified as 241.TBA1.TBA3 when included in the
IPv6-Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA3 when
included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

3.3.2.  Encrypted-DNS-IPv6-Address TLV

TLV-Type

   TBA4 (see Section 6.2).

TLV-Length

   18

Data Type

   The Encrypted-DNS-IPv6-Address TLV is of type ip6addr (Section 3.9 of
   [RFC8044]).

TLV-Value

   This field includes an IPv6 address (128 bits) of the Encrypted DNS
   server.

   The Encrypted-DNS-IPv6-Address attribute MUST NOT include multicast
   and host loopback addresses [RFC6890].

This TLV is identified as 241.TBA1.TBA4 as part of the
IPv6-Encrypted-DNS Attribute (Section 3.1).

3.3.3.  Encrypted-DNS-IPv4-Address TLV

TLV-Type

   TBA5 (see Section 6.2).

TLV-Length

   6

Data Type

   The Encrypted-DNS-IPv4-Address TLV is of type ip4addr (Section 3.8 of
   [RFC8044]).

TLV-Value

   This field includes an IPv4 address (32 bits) of the Encrypted DNS
   server.

   The Encrypted-DNS-IPv4-Address attribute MUST NOT include multicast
   and host loopback addresses.

This TLV is identified as 241.TBA1.TBA5 as part of the
IPv4-Encrypted-DNS Attribute (Section 3.2).

3.3.4.  Encrypted-DNS-SvcParams TLV

TLV-Type

   TBA6 (see Section 6.2).

TLV-Length

   Length of included service parameters + 2 octets.

Data Type

   The Encrypted-DNS-SvcParams TLV is of type text (Section 3.4 of
   [RFC8044]).

TLV-Value

   Specifies a set of service parameters that are encoded following the
   rules in [I-D.ietf-add-dnr].  Service parameters may include, for
   example, a list of ALPN protocol identifiers or alternate port
   numbers.

   The service parameters MUST NOT include "ipv4hint" or "ipv6hint"
   SvcParams as they are superseded by the included IP addresses.
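The following is an added example, not code from the draft or its authors: it builds and parses a *-Encrypted-DNS attribute with the Figure 3 layout and the Section 3.3 TLVs, and applies the constraints a NAS or RADIUS server would check (exactly one ADN, one or more addresses of the matching family, no multicast or loopback addresses, no ipv4hint/ipv6hint, at most one SvcParams TLV, 255-octet attribute limit). It assumes placeholder values for the unassigned TBA1/TBA2 Extended-Types and treats the SvcParams text as an opaque ASCII string such as "alpn=dot,doq port=853"; the TLV-Type numbers are those of the initial registry in Section 6.2.

```python
import ipaddress
import struct

EXTENDED_TYPE = 241
EXT_IPV6_ENCRYPTED_DNS = 0xA1  # placeholder: TBA1 is not yet assigned
EXT_IPV4_ENCRYPTED_DNS = 0xA2  # placeholder: TBA2 is not yet assigned
# TLV-Type values from the initial "RADIUS Encrypted DNS TLVs" registry (Section 6.2)
TLV_ADN, TLV_IPV6_ADDRESS, TLV_IPV4_ADDRESS, TLV_SVCPARAMS = 1, 2, 3, 4
# address family -> (Extended-Type, address TLV-Type, fixed address TLV-Length)
FAMILY = {6: (EXT_IPV6_ENCRYPTED_DNS, TLV_IPV6_ADDRESS, 18),
          4: (EXT_IPV4_ENCRYPTED_DNS, TLV_IPV4_ADDRESS, 6)}


def encode_adn(name):
    """RFC 8415 Section 10 format: length-prefixed labels followed by a 0 root octet."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def decode_adn(data):
    labels, pos = [], 0
    while pos < len(data) and data[pos] != 0:
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
        pos += 1 + data[pos]
    if pos != len(data) - 1:  # loop must stop exactly on the single root octet
        raise ValueError("ADN must end with exactly one root label")
    return ".".join(labels)


def tlv(tlv_type, value):
    # RFC 6929 TLV: TLV-Type, TLV-Length (= len(value) + 2), TLV-Value
    return struct.pack("!BB", tlv_type, len(value) + 2) + value


def build_encrypted_dns(adn, addresses, svcparams=None):
    """Return the wire form of one *-Encrypted-DNS attribute (Figure 3 layout)."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if len({a.version for a in addrs}) != 1:
        raise ValueError("need one or more addresses of a single family")
    ext_type, addr_tlv, _ = FAMILY[addrs[0].version]
    body = tlv(TLV_ADN, encode_adn(adn))              # exactly one ADN TLV
    for a in addrs:                                    # one or more address TLVs
        if a.is_multicast or a.is_loopback:            # Sections 3.3.2 and 3.3.3
            raise ValueError(f"{a} is not a usable resolver address")
        body += tlv(addr_tlv, a.packed)
    if svcparams is not None:                          # at most one SvcParams TLV
        if "ipv4hint" in svcparams or "ipv6hint" in svcparams:   # Section 3.3.4
            raise ValueError("ipv4hint/ipv6hint are superseded by the address TLVs")
        body += tlv(TLV_SVCPARAMS, svcparams.encode("ascii"))
    if 3 + len(body) > 255:                            # Type + Length + Ext-Type + TLVs
        raise ValueError("attribute exceeds the 255-octet RADIUS limit")
    return struct.pack("!BBB", EXTENDED_TYPE, 3 + len(body), ext_type) + body


def parse_encrypted_dns(data):
    """Parse one attribute, enforcing the TLV cardinality rules of Sections 3.1/3.2."""
    if len(data) < 3 or data[0] != EXTENDED_TYPE or data[1] != len(data):
        raise ValueError("not a well-formed Extended-Type 241 attribute")
    family = {ext: fam for fam, (ext, _, _) in FAMILY.items()}.get(data[2])
    if family is None:
        raise ValueError("unknown Extended-Type")
    _, addr_tlv, addr_len = FAMILY[family]
    adns, addrs, svc, pos = [], [], [], 3
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("TLV overruns the attribute")
        t, ln = data[pos], data[pos + 1]
        value = data[pos + 2:pos + ln]
        if t == TLV_ADN:
            adns.append(decode_adn(value))
        elif t == addr_tlv and ln == addr_len:
            addrs.append(ipaddress.ip_address(value))
        elif t == TLV_SVCPARAMS:
            svc.append(value.decode("ascii"))
        else:
            raise ValueError(f"TLV-Type {t} (length {ln}) not allowed here")
        pos += ln
    if len(adns) != 1 or not addrs or len(svc) > 1:
        raise ValueError("TLV cardinality violated")
    return {"family": family, "adn": adns[0],
            "addresses": [str(a) for a in addrs], "svcparams": svc[0] if svc else None}
```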
This TLV is identified as 241.TBA1.TBA6 when included in the
IPv6-Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA6 when
included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

4.  Security Considerations

RADIUS-related security considerations are discussed in [RFC2865].

Security considerations (including traffic theft) are discussed in
[I-D.ietf-add-dnr].

5.  Table of Attributes

The following table provides a guide to which types of RADIUS packets
may contain these attributes, and in what quantity.

   Access-  Access-  Access-  Challenge  Acct.    #     Attribute
   Request  Accept   Reject              Request
   0+       0+       0        0          0+       TBA1  IPv6-Encrypted-DNS
   0+       0+       0        0          0+       TBA2  IPv4-Encrypted-DNS

   CoA-Request  CoA-ACK  CoA-NACK  #     Attribute
   0+           0        0         TBA1  IPv6-Encrypted-DNS
   0+           0        0         TBA1  IPv4-Encrypted-DNS

The following table defines the meaning of the above table entries:

   0   This attribute MUST NOT be present in packet.
   0+  Zero or more instances of this attribute MAY be present in packet.

6.  IANA Considerations

6.1.  New RADIUS Attributes

IANA is requested to assign two new RADIUS attribute types from the IANA
registry "Radius Attribute Types" located at
http://www.iana.org/assignments/radius-types:

   IPv6-Encrypted-DNS (241.TBA1)

   IPv4-Encrypted-DNS (241.TBA2)

   Type      Description         Data Type  Reference
   --------  ------------------  ---------  -------------
   241.TBA1  IPv6-Encrypted-DNS  tlv        This-Document
   241.TBA2  IPv4-Encrypted-DNS  tlv        This-Document

6.2.  New RADIUS TLVs

IANA is requested to create a new registry called "RADIUS Encrypted DNS
TLVs".
The registry is initially populated as follows:

   Value  Description                 Data Type  Reference
   -----  --------------------------  ---------  -------------
   0      Reserved
   1      Encrypted-DNS-ADN           text       Section 3.3.1
   2      Encrypted-DNS-IPv6-Address  ipv6addr   Section 3.3.2
   3      Encrypted-DNS-IPv4-Address  ipv4addr   Section 3.3.3
   4      Encrypted-DNS-SvcParams     text       Section 3.3.4
   5-255  Unassigned

7.  Acknowledgements

Thanks to Christian Jacquenet, Neil Cook, and Alan DeKok for the review
and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-add-dnr]
              Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
              Jensen, "DHCP and Router Advertisement Options for the
              Discovery of Network-designated Resolvers (DNR)",
              draft-ietf-add-dnr-00 (work in progress), February 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC8044]  DeKok, A., "Data Types in RADIUS", RFC 8044,
              DOI 10.17487/RFC8044, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.
   [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
              Richardson, M., Jiang, S., Lemon, T., and T. Winters,
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 8415, DOI 10.17487/RFC8415, November 2018.

8.2.  Informative References

   [I-D.ietf-dprive-dnsoquic]
              Huitema, C., Mankin, A., and S. Dickinson, "Specification
              of DNS over Dedicated QUIC Connections",
              draft-ietf-dprive-dnsoquic-02 (work in progress),
              February 2021.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, DOI 10.17487/RFC2868, June 2000.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication
              Dial-In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, DOI 10.17487/RFC4014,
              February 2005.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
              B. Lourdelet, "RADIUS Attributes for IPv6 Access
              Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.

   [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
              Relay Agent", RFC 7037, DOI 10.17487/RFC7037,
              October 2013.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858,
              May 2016.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018.
   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019.

Appendix A.  Other Usages of the Attributes

For the particular case of DoH [RFC8484], the attributes defined in
Section 3 can also be used for redirection purposes.  For example, a DoH
server may redirect DoH clients to other DoH servers (e.g., local
forwarders hosted by a CPE).  To that aim, when a DoH query is received
from a DoH client, the DoH server interacts with an AAA server to check
whether redirection should be enabled for this client.  If such
redirection is to be enabled, the AAA server returns IPv4-Encrypted-DNS
and/or IPv6-Encrypted-DNS Attributes that are used to populate the DoH
redirection response, which is then sent to the DoH client.  The DoH
client may contact the DoH server using the information supplied in the
redirection response.

  +-------+                  +-------+                   +-------+
  |  DoH  |                  |  DoH  |                   |  AAA  |
  |Client |                  |Server |                   |Server |
  +---+---+                  +---+---+                   +---+---+
      |                          |                           |
      o---DoH Query-------------->|                           |
      |                          o---Access-Request---------->|
      |                          |<--Access-Accept-----------o
      |                          |    IPv4-Encrypted-DNS/    |
      |<-------------------------o    IPv6-Encrypted-DNS     |
      |   Redirect to (ADN,      |                           |
      |   IP addresses,          |                           |
      |   service parameters)    |                           |
      |                          |                           |

                  Figure 4: Example of DoH Redirection

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Tirumaleswar Reddy
   McAfee, Inc.
   Embassy Golf Link Business Park
   Bangalore, Karnataka 560071
   India

   Email: kondtir@gmail.com