idnits 2.17.1 draft-ietf-6man-dns-options-bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC5006, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 5, 2010) is 5132 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 3736 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 5006 (Obsoleted by RFC 6106) -- Obsolete informational reference (is this intentional?): RFC 3775 (Obsoleted by RFC 6275) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Jeong, Ed. 3 Internet-Draft Brocade/ETRI 4 Obsoletes: 5006 (if approved) S. Park 5 Intended status: Standards Track SAMSUNG Electronics 6 Expires: October 7, 2010 L. Beloeil 7 France Telecom R&D 8 S. Madanapalli 9 Ordyn Technologies 10 April 5, 2010 12 IPv6 Router Advertisement Options for DNS Configuration RFC 5006-bis 13 draft-ietf-6man-dns-options-bis-00 15 Abstract 17 This document specifies IPv6 Router Advertisement options to allow 18 IPv6 routers to advertise a list of DNS recursive server addresses 19 and a DNS search list to IPv6 hosts. 21 Status of This Memo 23 This Internet-Draft is submitted to IETF in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF), its areas, and its working groups. Note that 28 other groups may also distribute working documents as Internet- 29 Drafts. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 The list of current Internet-Drafts can be accessed at 37 http://www.ietf.org/ietf/1id-abstracts.txt. 39 The list of Internet-Draft Shadow Directories can be accessed at 40 http://www.ietf.org/shadow.html. 42 This Internet-Draft will expire on October 7, 2010. 44 Copyright Notice 46 Copyright (c) 2010 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 1.1. Applicability Statements . . . . . . . . . . . . . . . . . 3 63 1.2. Coexistence of RA Options and DHCP Options for DNS 64 Configuration . . . . . . . . . . . . . . . . . . . . . . 4 65 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 66 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 67 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. Neighbor Discovery Extension . . . . . . . . . . . . . . . . . 6 69 5.1. Recursive DNS Server Option . . . . . . . . . . . . . . . 6 70 5.2. DNS Search List Option . . . . . . . . . . . . . . . . . . 7 71 5.3. Procedure of DNS Configuration . . . . . . . . . . . . . . 8 72 5.3.1. Procedure in IPv6 Host . . . . . . . . . . . . . . . . 8 73 6. Implementation Considerations . . . . . . . . . . . . . . . . 9 74 6.1. DNS Repository Management . . . . . . . . . . . . . . . . 9 75 6.2. Synchronization between DNS Server List and Resolver 76 Repository . . . . . . . . . . . . . . . . . . . . . . . . 10 77 6.3. Synchronization between DNS Search List and Resolver 78 Repository . . . . . . . . . . . . . . . . . . . . . . . . 11 79 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 80 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 81 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 82 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 83 10.1. Normative References . . . . . . . . . . . . . . . . . . . 14 84 10.2. Informative References . . . . . . . . . . . . . . . . . . 14 86 1. Introduction 88 The purpose of this document is to standardize IPv6 Router 89 Advertisement (RA) option for DNS configuration in IPv6 hosts 90 specified in [RFC5006] and also to define a new RA option for Domain 91 Name Search lists. 93 Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address 94 Autoconfiguration provide ways to configure either fixed or mobile 95 nodes with one or more IPv6 addresses, default routers and some other 96 parameters [RFC4861][RFC4862]. Most Internet services are identified 97 by using a DNS name. The two RA options defined in this document 98 provide the DNS information needed for an IPv6 host to reach Internet 99 services. 101 It is infeasible for nomadic hosts, such as laptops, to be configured 102 manually with a DNS resolver each time they connect to a different 103 wireless LAN (WLAN) such as IEEE 802.11 a/b/g [IEEE-802.11] 104 [IEEE-802.11a][IEEE-802.11b][IEEE-802.11g]. This document defines a 105 mechanism based on IPv6 RA options to allow IPv6 hosts to perform the 106 automatic DNS configuration. As an alternative to the DNS 107 configuration provided by DHCP [RFC3315][RFC3736][RFC3646], the RA- 108 based DNS configuration can allow network operators or users to 109 select an appropriate automatic DNS configuration for IPv6 hosts, 110 depending on the types of their networks [RFC4339]. 112 1.1. Applicability Statements 114 RA-based DNS configuration is a useful alternative in networks where 115 an IPv6 host's address is autoconfigured through IPv6 stateless 116 address autoconfiguration, where the delays in acquiring server 117 addresses and communicating with the servers are critical, or where 118 the network operator or host operator does not want the additional 119 operational complexity of running DHCPv6 to provide the same 120 information to all hosts on the network. RA-based DNS configuration 121 allows the host to acquire the DNS configuration (i.e., DNS recursive 122 server addresses and DNS search list) for the link(s) to which the 123 host is connected. Furthermore, it learns this DNS configuration 124 from the same RA message that provides configuration information for 125 the link, thereby avoiding also running DHCPv6. This can be 126 beneficial in some mobile environments, such as with Mobile IPv6 127 [RFC3775]. 129 The advantages and disadvantages of the RA-based approach are 130 discussed in [RFC4339] along with other approaches, such as the DHCP 131 and well-known anycast addresses approaches. 133 1.2. Coexistence of RA Options and DHCP Options for DNS Configuration 135 Two protocols exist to configure the DNS information on a host, the 136 Router Advertisement options described in this document and the 137 DHCPv6 options described in [RFC3646]. They can be used together 138 [RFC4339]. To order the RA and DHCP approaches, the O (Other 139 stateful configuration) flag can be used in the RA message [RFC4861]. 140 The O flag is defined along with the M (Managed address 141 configuration) flag in the Router Advertisement Message Format of 142 [RFC4861] as follows: 144 Fields: 146 M 1-bit "Managed address configuration" flag. When 147 set, it indicates that addresses are available via 148 Dynamic Host Configuration Protocol (DHCPv6) in 149 [RFC3315]. 151 If the M flag is set, the O flag is redundant and 152 can be ignored because DHCPv6 will return all 153 available configuration information. 155 O 1-bit "Other configuration" flag. When set, it 156 indicates that other configuration information is 157 available via DHCPv6. Examples of such information 158 are DNS-related information or information on other 159 servers within the network. 161 Note: If neither M nor O flags are set, this indicates that no 162 information is available via DHCPv6. 164 Based on the definition of the O flag above, if RA options for DNS 165 configuration are included in the RA messages, an IPv6 host may 166 perform another DNS configuration through DHCPv6 only when the O flag 167 is set. On the other hand, if no RA options for DNS configuration 168 are included in the RA messages, an IPv6 host may perform DNS 169 configuration through DHCPv6 regardless of whether the O flag is set 170 or not. 172 2. Requirements Language 174 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 175 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 176 document are to be interpreted as described in [RFC2119]. 178 3. Terminology 180 This document uses the terminology described in [RFC4861] and 181 [RFC4862]. In addition, four new terms are defined below: 183 o Recursive DNS Server (RDNSS): Server which provides a recursive 184 DNS resolution service for translating domain names into IP 185 addresses as defined in [RFC1034] and [RFC1035]. 187 o RDNSS Option: IPv6 RA option to deliver the RDNSS information to 188 IPv6 hosts [RFC4861]. 190 o DNS Search List (DNSSL): The list of DNS suffix domain names used 191 by IPv6 hosts when they perform DNS query searches for short, 192 unqualified domain names. 194 o DNSSL Option: IPv6 RA option to deliver the DNSSL information to 195 IPv6 hosts. 197 o DNS Repository: Two data structures for managing DNS Configuration 198 Information in the IPv6 protocol stack in addition to Neighbor 199 Cache and Destination Cache for Neighbor Discovery [RFC4861]. The 200 first data structure is the DNS Server List for RDNSS addresses 201 and the second is the DNS Search List for DNS search domain names. 203 o Resolver Repository: Configuration repository with RDNSS addresses 204 and a DNS search list that a DNS resolver on the host uses for DNS 205 name resolution; for example, the Unix resolver file (i.e., /etc/ 206 resolv.conf) and Windows registry. 208 4. Overview 210 This document standardizes the ND option called RDNSS option defined 211 in [RFC5006] that contains the addresses of recursive DNS servers. 212 This document also defines a new ND option called DNSSL option for 213 Domain Search List. This is for two reasons for the new option, the 214 first is to maintain parity with the DHCPv6 options for DNS 215 configuration [RFC3646], so that RA and DHCPv6 do not unnecessarily 216 diverge and so that RA can provide the same DNS configuration as 217 DHCPv6. The second reason is that a Domain Search List is useful to 218 support multi-homed hosts querying DNS servers which provide 219 different answers [ID-savolainen]. 221 Existing ND transport mechanisms (i.e., advertisements and 222 solicitations) are used. This works in the same way that hosts learn 223 about routers and prefixes. An IPv6 host can configure the IPv6 224 addresses of one or more RDNSSes via RA messages periodically sent by 225 a router or solicited by a Router Solicitation (RS). 227 Through the RDNSS and DNSSL options, along with the prefix 228 information option based on the ND protocol ([RFC4861] and 229 [RFC4862]), an IPv6 host can perform the network configuration of its 230 IPv6 address and the DNS information simultaneously without needing 231 DHCPv6 for the DNS configuration. The RA options for RDNSS and DNSSL 232 can be used on any network that supports the use of ND. 234 This approach requires the manual configuration or other automatic 235 mechanisms (e.g., DHCPv6 or vendor proprietary configuration 236 mechanisms) to configure the DNS information in routers sending the 237 advertisements. The automatic configuration of RDNSS addresses and a 238 DNS search list in routers is out of scope for this document. 240 5. Neighbor Discovery Extension 242 The IPv6 DNS configuration mechanism in this document needs two new 243 ND options in Neighbor Discovery: (i) the Recursive DNS Server 244 (RDNSS) option and (ii) the DNS Search List (DNSSL) option. 246 5.1. Recursive DNS Server Option 248 The RDNSS option contains one or more IPv6 addresses of recursive DNS 249 servers. All of the addresses share the same lifetime value. If it 250 is desirable to have different lifetime values, multiple RDNSS 251 options can be used. Figure 1 shows the format of the RDNSS option. 253 0 1 2 3 254 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 | Type | Length | Reserved | 257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 258 | Lifetime | 259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 | | 261 : Addresses of IPv6 Recursive DNS Servers : 262 | | 263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 265 Figure 1: Recursive DNS Server (RDNSS) Option Format 267 Fields: 269 Type 8-bit identifier of the RDNSS option type as assigned 270 by the IANA: 25 272 Length 8-bit unsigned integer. The length of the option 273 (including the Type and Length fields) is in units of 274 8 octets. The minimum value is 3 if one IPv6 address 275 is contained in the option. Every additional RDNSS 276 address increases the length by 2. The Length field 277 is used by the receiver to determine the number of 278 IPv6 addresses in the option. 280 Lifetime 32-bit unsigned integer. The maximum time, in 281 seconds (relative to the time the packet is sent), 282 over which this RDNSS address MAY be used for name 283 resolution. Hosts MAY send a Router Solicitation to 284 ensure the RDNSS information is fresh before the 285 interval expires. In order to provide fixed hosts 286 with stable DNS service and allow mobile hosts to 287 prefer local RDNSSes to remote RDNSSes, the value of 288 Lifetime should be at least as long as the Maximum RA 289 Interval (MaxRtrAdvInterval) in [RFC4861], and be at 290 most as long as two times MaxRtrAdvInterval; Lifetime 291 SHOULD be bounded as follows: MaxRtrAdvInterval <= 292 Lifetime <= 2*MaxRtrAdvInterval. A value of all one 293 bits (0xffffffff) represents infinity. A value of 294 zero means that the RDNSS address MUST no longer be 295 used. 297 Addresses of IPv6 Recursive DNS Servers 298 One or more 128-bit IPv6 addresses of the recursive 299 DNS servers. The number of addresses is determined 300 by the Length field. That is, the number of 301 addresses is equal to (Length - 1) / 2. 303 5.2. DNS Search List Option 305 The DNSSL option contains one or more domain names of DNS suffixes. 306 All of the domain names share the same lifetime value. If it is 307 desirable to have different lifetime values, multiple DNSSL options 308 can be used. Figure 2 shows the format of the DNSSL option. 310 0 1 2 3 311 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 312 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 313 | Type | Length | Reserved | 314 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 315 | Lifetime | 316 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 317 | | 318 : Domain Names of DNS Search List : 319 | | 320 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 322 Figure 2: DNS Search List (DNSSL) Option Format 324 Fields: 326 Type 8-bit identifier of the RDNSS option type as assigned 327 by the IANA: (TBD) 329 Length 8-bit unsigned integer. The length of the option 330 (including the Type and Length fields) is in units of 331 8 octets. The minimum value is 2 if at least one 332 domain name is contained in the option. The Length 333 field is set to a multiple of 8 octets to accommodate 334 all the domain names in the field of Domain Names of 335 DNS Search List. 337 Lifetime 32-bit unsigned integer. The maximum time, in 338 seconds (relative to the time the packet is sent), 339 over which this DNSSL domain name MAY be used for 340 name resolution. The Lifetime value has the same 341 semantics as with RDNSS option. That is, Lifetime 342 SHOULD be bounded as follows: MaxRtrAdvInterval <= 343 Lifetime <= 2*MaxRtrAdvInterval. A value of all one 344 bits (0xffffffff) represents infinity. A value of 345 zero means that the DNSSL domain name MUST no longer 346 be used. 348 Domain Names of DNS Search List 349 One or more domain names of DNS search list that MUST 350 be encoded in the non-compressed form, using the 351 technique described in Section 3.1 of [RFC1035]. The 352 size of this field is a multiple of 8 octets. The 353 remaining octets other than the encoding parts for 354 the domain names are padded with zeros. 356 5.3. Procedure of DNS Configuration 358 The procedure of DNS configuration through the RDNSS and DNSSL 359 options is the same as with any other ND option [RFC4861]. 361 5.3.1. Procedure in IPv6 Host 363 When an IPv6 host receives DNS options (i.e., RDNSS option and DNSSL 364 option) through RA messages, it checks whether the options are valid 365 or not as follow: 367 o If the DNS options are valid, the host SHOULD copy the values of 368 the options into the DNS Repository and the Resolver Repository in 369 order; the value of the Length field in the RDNSS option is 370 greater than or equal to the minimum value (3) and also the value 371 of the Length field in the DNSSL option is greater than or equal 372 to the minimum value (2). 374 o If the DNS options are invalid, the host MUST discard the options; 375 for example, the Length field in the RDNSS option has a value less 376 than 3 or the Length field in the DNSSL option has a value less 377 than 2. 379 When the IPv6 host has gathered a sufficient number of RDNSS 380 addresses (or DNS search domain names), it MAY ignore additional 381 RDNSS addresses (or DNS search domain names) within an RDNSS (or 382 DNSSL) option and/or additional RDNSS (or DNSSL) options within an 383 RA. 385 6. Implementation Considerations 387 Note: This non-normative section gives some hints for implementing 388 the processing of the RDNSS and DNSSL options in an IPv6 host. 390 For the configuration and management of DNS information, the 391 advertised DNS configuration information can be stored and managed in 392 both the DNS Repository and the Resolver Repository. 394 In environments where the DNS information is stored in user space and 395 ND runs in the kernel, it is necessary to synchronize the DNS 396 information (i.e., RDNSS addresses and DNS search domain names) in 397 kernel space and the Resolver Repository in user space. For the 398 synchronization, an implementation where ND works in the kernel 399 should provide a write operation for updating DNS information from 400 the kernel to the Resolver Repository. One simple approach is to 401 have a daemon (or a program that is called at defined intervals) that 402 keeps monitoring the lifetimes of RDNSS addresses and DNS search 403 domain names all the time. Whenever there is an expired entry in the 404 DNS Repository, the daemon can delete the corresponding entry from 405 the Resolver Repository. 407 6.1. DNS Repository Management 409 For DNS repository management, the kernel or user-space process 410 (depending on where RAs are processed) should maintain two data 411 structures: (i) DNS Server List that keeps the list of RDNSS 412 addresses and (ii) DNS Search List that keeps the list of DNS search 413 domain names. Each entry in these two lists consists of a pair of an 414 RDNSS address (or DNSSL domain name) and Expiration-time as follows: 416 o RDNSS address for DNS Server List: IPv6 address of the Recursive 417 DNS Server, which is available for recursive DNS resolution 418 service in the network advertising the RDNSS option; such a 419 network is called "site" in this document. 421 o DNSSL domain name for DNS Search List: DNS suffix domain names, 422 which is used to perform DNS query searches for short, unqualified 423 domain names in the network advertising the DNSSL option; such a 424 network is called "site" in this document. 426 o Expiration-time for DNS Server List or DNS Search List: The time 427 when this entry becomes invalid. Expiration-time is set to the 428 value of the Lifetime field of the RDNSS option or DNSSL option 429 plus the current system time. Whenever a new RDNSS option with 430 the same address (or DNSSL option with the same domain name) is 431 received on the same interface as a previous RDNSS option (or 432 DNSSL option), this field is updated to have a new expiration 433 time. When Expiration-time becomes less than the current system 434 time, this entry is regarded as expired. 436 Note: An RDNSS address or a DNSSL domain name MUST be used only as 437 long as both the RA router lifetime and the option lifetime have 438 not expired. The reason is that the RDNSS may not be currently 439 reachable, that the DNSSL domain name is not valid any more, or 440 that these options do not provide service to the host's current 441 address (e.g., due to network ingress filtering 442 [RFC2827][RFC5358]). 444 6.2. Synchronization between DNS Server List and Resolver Repository 446 When an IPv6 host receives the information of multiple RDNSS 447 addresses within a site through an RA message with RDNSS option(s), 448 it stores the RDNSS addresses (in order) into both the DNS Server 449 List and the Resolver Repository. The processing of the RDNSS 450 option(s) included in an RA message is as follows: 452 Step (a): Receive and parse the RDNSS option(s). For the RDNSS 453 addresses in each RDNSS option, perform Step (b) through Step (d). 454 Note that Step (e) is performed whenever an entry expires in the 455 DNS Server List. 457 Step (b): For each RDNSS address, check the following: If the 458 RDNSS address already exists in the DNS Server List and the RDNSS 459 option's Lifetime field is set to zero, delete the corresponding 460 RDNSS entry from both the DNS Server List and the Resolver 461 Repository in order to prevent the RDNSS address from being used 462 any more for certain reasons in network management, e.g., the 463 termination of the RDNSS or a renumbering situation. The 464 processing of this RDNSS address is finished here. Otherwise, go 465 to Step (c). 467 Step (c): For each RDNSS address, if it already exists in the DNS 468 Server List, then just update the value of the Expiration-time 469 field according to the procedure specified in the second bullet of 470 Section 6.1. Otherwise, go to Step (d). 472 Step (d): For each RDNSS address, if it does not exist in the DNS 473 Server List, register the RDNSS address and lifetime with the DNS 474 Server List and then insert the RDNSS address in front of the 475 Resolver Repository. In the case where the data structure for the 476 DNS Server List is full of RDNSS entries, delete from the DNS 477 Server List the entry with the shortest expiration time (i.e., the 478 entry that will expire first). The corresponding RDNSS address is 479 also deleted from the Resolver Repository. In the order in the 480 RDNSS option, position the newly added RDNSS addresses in front of 481 the Resolver Repository so that the new RDNSS addresses may be 482 preferred according to their order in the RDNSS option for the DNS 483 name resolution. The processing of these RDNSS addresses is 484 finished here. Note that, in the case where there are several 485 routers advertising RDNSS option(s) in a subnet, the RDNSSes that 486 have been announced recently are preferred. 488 Step (e): Delete each expired entry from the DNS Server List, and 489 delete the RDNSS address corresponding to the entry from the 490 Resolver Repository. 492 6.3. Synchronization between DNS Search List and Resolver Repository 494 When an IPv6 host receives the information of multiple DNSSL domain 495 names within a site through an RA message with DNSSL option(s), it 496 stores the DNSSL domain names (in order) into both the DNS Search 497 List and the Resolver Repository. The processing of the DNSSL 498 option(s) included in an RA message is as follows: 500 Step (a): Receive and parse the DNSSL option(s). For the DNSSL 501 domain names in each DNSSL option, perform Step (b) through Step 502 (d). Note that Step (e) is performed whenever an entry expires in 503 the DNS Search List. 505 Step (b): For each DNSSL domain name, check the following: If the 506 DNSSL domain name already exists in the DNS Search List and the 507 DNSSL option's Lifetime field is set to zero, delete the 508 corresponding DNSSL entry from both the DNS Search List and the 509 Resolver Repository in order to prevent the DNSSL domain name from 510 being used any more for certain reasons in network management, 511 e.g., the termination of the RDNSS or a renaming situation. The 512 processing of this DNSSL domain name is finished here. Otherwise, 513 go to Step (c). 515 Step (c): For each DNSSL domain name, if it already exists in the 516 DNS Server List, then just update the value of the Expiration-time 517 field according to the procedure specified in the second bullet of 518 Section 6.1. Otherwise, go to Step (d). 520 Step (d): For each DNSSL domain name, if it does not exist in the 521 DNS Search List, register the DNSSL domain name and lifetime with 522 the DNS Search List and then insert the DNSSL domain name in front 523 of the Resolver Repository. In the case where the data structure 524 for the DNS Search List is full of DNSSL domain name entries, 525 delete from the DNS Server List the entry with the shortest 526 expiration time (i.e., the entry that will expire first). The 527 corresponding DNSSL domain name is also deleted from the Resolver 528 Repository. In the order in the DNSSL option, position the newly 529 added DNSSL domain names in front of the Resolver Repository so 530 that the new DNSSL domain names may be preferred according to 531 their order in the DNSSL option for the DNS domain name used by 532 the DNS query. The processing of these DNSSL domain name is 533 finished here. Note that, in the case where there are several 534 routers advertising DNSSL option(s) in a subnet, the DNSSL domain 535 names that have been announced recently are preferred. 537 Step (e): Delete each expired entry from the DNS Search List, and 538 delete the DNSSL domain name corresponding to the entry from the 539 Resolver Repository. 541 7. Security Considerations 543 The security of the RA options for DNS configuration does not affect 544 ND protocol security [RFC4861]. This is because learning DNS 545 information via the RA options cannot be worse than learning bad 546 router information via the RA options. It can be claimed that the 547 vulnerability of ND is not worse and is a subset of the attacks that 548 any node attached to a LAN can do independently of ND. A malicious 549 node on a LAN can promiscuously receive packets for any router's MAC 550 address and send packets with the router's MAC address as the source 551 MAC address in the L2 header. As a result, L2 switches send packets 552 addressed to the router to the malicious node. Also, this attack can 553 send redirects that tell the hosts to send their traffic somewhere 554 else. The malicious node can send unsolicited RA or Neighbor 555 Advertisement (NA) replies, answer RS or Neighbor Solicitation (NS) 556 requests, etc. Also, an attacker could configure a host to send out 557 an RA with a fraudulent RDNSS address, which is presumably an easier 558 avenue of attack than becoming a rogue router and having to process 559 all traffic for the subnet. It is necessary to disable the RA RDNSS 560 option or DNSSL option in both routers and clients administratively 561 to avoid this problem. All of this can be done independently of 562 implementing ND. Therefore, it can be claimed that the RA options 563 for RDNSS and DNSSL has vulnerabilities similar to those existing in 564 unauthenticated DHCPv6. 566 It is common for network devices such as switches to include 567 mechanisms to block unauthorized ports from running a DHCPv6 server 568 to provide protection from rogue DHCP servers. That means that an 569 attacker on other ports cannot insert bogus DNS servers using DHCPv6. 570 The corresponding technique for network devices is recommended to 571 block rogue Router Advertisement messages including the RDNSS and 572 DNSSL options from unauthorized nodes. 574 An attacker may provide a bogus DNS Search List option in order to 575 cause the victim to send DNS queries to a specific DNS server when 576 the victim queries non-fully qualified domain names. For this 577 attack, the DNS resolver in IPv6 hosts can mitigate the vulnerability 578 with the recommendations in [RFC1535], [RFC1536], and [RFC3646]. 580 If the Secure Neighbor Discovery (SEND) protocol is used as a 581 security mechanism for ND, all the ND options including the RDNSS and 582 DNSSL options are automatically included in the signatures [RFC3971], 583 so the transport for the RA options is integrity-protected. However, 584 since any valid SEND node can still insert RDNSS and DNSSL options, 585 SEND cannot verify who is or is not authorized to send the options. 587 8. IANA Considerations 589 The RDNSS option defined in this document is using the IPv6 Neighbor 590 Discovery Option type in RFC 5006 [RFC5006] assigned by the IANA as 591 follows: 593 Option Name Type 594 RDNSS option 25 596 The IANA is requested to assign a new IPv6 Neighbor Discovery Option 597 type for the DNSSL option defined in this document: 599 Option Name Type 600 DNSSL option (TBD) 602 The IANA registry for these options is: 604 http://www.iana.org/assignments/icmpv6-parameters 606 9. Acknowledgements 608 This document has greatly benefited from inputs by Robert Hinden, 609 Pekka Savola, Iljitsch van Beijnum, Brian Haberman, Tim Chown, Erik 610 Nordmark, and Dan Wing. The authors sincerely appreciate their 611 contributions. 613 10. References 614 10.1. Normative References 616 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 617 Requirement Levels", BCP 14, RFC 2119, March 1997. 619 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. 620 Soliman, "Neighbor Discovery for IP Version 6 621 (IPv6)", RFC 4861, September 2007. 623 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 624 Stateless Address Autoconfiguration", RFC 4862, 625 September 2007. 627 10.2. Informative References 629 [RFC1034] Mockapetris, P., "Domain Names - Concepts and 630 Facilities", RFC 1034, November 1987. 632 [RFC1035] Mockapetris, P., "Domain Names - Implementation and 633 Specification", RFC 1035, November 1987. 635 [RFC3315] Droms, R., Ed., "Dynamic Host Configuration Protocol 636 for IPv6 (DHCPv6)", RFC 3315, July 2003. 638 [RFC3736] Droms, R., "Stateless Dynamic Host Configuration 639 Protocol (DHCP) Service for IPv6", RFC 3736, 640 April 2004. 642 [RFC3646] Droms, R., Ed., "DNS Configuration options for 643 Dynamic Host Configuration Protocol for IPv6 644 (DHCPv6)", RFC 3646, December 2003. 646 [RFC5006] Jeong, J., Park, S., Beloeil, L., and S. 647 Madanapalli, "IPv6 Router Advertisement Option for 648 DNS Configuration", RFC 5006, September 2007. 650 [RFC4339] Jeong, J., Ed., "IPv6 Host Configuration of DNS 651 Server Information Approaches", RFC 4339, 652 February 2006. 654 [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility 655 Support in IPv6", RFC 3775, June 2004. 657 [RFC3971] Arkko, J., Ed., "SEcure Neighbor Discovery (SEND)", 658 RFC 3971, March 2005. 660 [IEEE-802.11] ANSI/IEEE Std 802.11, "Part 11: Wireless LAN Medium 661 Access Control (MAC) and Physical Layer (PHY) 662 Specifications", March 1999. 664 [IEEE-802.11a] IEEE Std 802.11a, "Part 11: Wireless LAN Medium 665 Access Control (MAC) and Physical Layer (PHY) 666 specifications: High-speed Physical Layer in the 5 667 GHZ Band", September 1999. 669 [IEEE-802.11b] IEEE Std 802.11b, "Part 11: Wireless LAN Medium 670 Access Control (MAC) and Physical Layer (PHY) 671 specifications: Higher-Speed Physical Layer 672 Extension in the 2.4 GHz Band", September 1999. 674 [IEEE-802.11g] IEEE P802.11g/D8.2, "Part 11: Wireless LAN Medium 675 Access Control (MAC) and Physical Layer (PHY) 676 specifications: Further Higher Data Rate Extension 677 in the 2.4 GHz Band", April 2003. 679 [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive 680 Nameservers in Reflector Attacks", BCP 140, 681 RFC 5358, October 2008. 683 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress 684 Filtering: Defeating Denial of Service Attacks which 685 employ IP Source Address Spoofing", BCP 38, 686 RFC 2827, May 2000. 688 [ID-savolainen] Savolainen, T., "Preventing Use of Recursive 689 Nameservers in Reflector Attacks", Work in Progress, 690 February 2010. 692 [RFC1535] Gavron, E., "A Security Problem and Proposed 693 Correction With Widely Deployed DNS Software", 694 RFC 1535, October 1993. 696 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and 697 S. Miller, "Common DNS Implementation Errors and 698 Suggested Fixes", RFC 1536, October 1993. 700 Authors' Addresses 702 Jaehoon Paul Jeong (editor) 703 Brocade Communications Systems/ETRI 704 6000 Nathan Ln N 705 Plymouth, MN 55442 706 USA 708 Phone: +1 763 268 7173 709 Fax: +1 763 268 6800 710 EMail: pjeong@brocade.com 711 URI: http://www.cs.umn.edu/~jjeong/ 713 Soohong Daniel Park 714 Mobile Platform Laboratory 715 SAMSUNG Electronics 716 416 Maetan-3dong, Yeongtong-Gu 717 Suwon, Gyeonggi-Do 443-742 718 Korea 720 Phone: +82 31 200 4508 721 EMail: soohong.park@samsung.com 723 Luc Beloeil 724 France Telecom R&D 725 42, rue des coutures 726 BP 6243 727 14066 CAEN Cedex 4 728 France 730 Phone: +33 02 3175 9391 731 EMail: luc.beloeil@orange-ftgroup.com 733 Syam Madanapalli 734 Ordyn Technologies 735 1st Floor, Creator Building, ITPL 736 Bangalore - 560066 737 India 739 Phone: +91-80-40383000 740 EMail: smadanapalli@gmail.com