idnits 2.17.1 draft-ietf-6man-dns-options-bis-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC5006, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 24, 2010) is 5086 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 3736 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 5006 (Obsoleted by RFC 6106) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Jeong, Ed. 3 Internet-Draft Brocade/ETRI 4 Obsoletes: 5006 (if approved) S. Park 5 Intended status: Standards Track SAMSUNG Electronics 6 Expires: November 25, 2010 L. Beloeil 7 France Telecom R&D 8 S. Madanapalli 9 Ordyn Technologies 10 May 24, 2010 12 IPv6 Router Advertisement Options for DNS Configuration RFC 5006-bis 13 draft-ietf-6man-dns-options-bis-02 15 Abstract 17 This document specifies IPv6 Router Advertisement options to allow 18 IPv6 routers to advertise a list of DNS recursive server addresses 19 and a DNS search list to IPv6 hosts. 21 Status of This Memo 23 This Internet-Draft is submitted to IETF in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF), its areas, and its working groups. Note that 28 other groups may also distribute working documents as Internet- 29 Drafts. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 The list of current Internet-Drafts can be accessed at 37 http://www.ietf.org/ietf/1id-abstracts.txt. 39 The list of Internet-Draft Shadow Directories can be accessed at 40 http://www.ietf.org/shadow.html. 42 This Internet-Draft will expire on November 25, 2010. 44 Copyright Notice 46 Copyright (c) 2010 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 1.1. Applicability Statements . . . . . . . . . . . . . . . . . 3 63 1.2. Coexistence of RA Options and DHCP Options for DNS 64 Configuration . . . . . . . . . . . . . . . . . . . . . . 4 65 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 66 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 67 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. Neighbor Discovery Extension . . . . . . . . . . . . . . . . . 5 69 5.1. Recursive DNS Server Option . . . . . . . . . . . . . . . 5 70 5.2. DNS Search List Option . . . . . . . . . . . . . . . . . . 7 71 5.3. Procedure of DNS Configuration . . . . . . . . . . . . . . 8 72 5.3.1. Procedure in IPv6 Host . . . . . . . . . . . . . . . . 8 73 6. Implementation Considerations . . . . . . . . . . . . . . . . 9 74 6.1. DNS Repository Management . . . . . . . . . . . . . . . . 9 75 6.2. Synchronization between DNS Server List and Resolver 76 Repository . . . . . . . . . . . . . . . . . . . . . . . . 10 77 6.3. Synchronization between DNS Search List and Resolver 78 Repository . . . . . . . . . . . . . . . . . . . . . . . . 11 79 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 80 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 81 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 82 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 83 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 84 10.2. Informative References . . . . . . . . . . . . . . . . . . 14 85 Appendix A. Changes from RFC 5006 . . . . . . . . . . . . . . . . 14 87 1. Introduction 89 The purpose of this document is to standardize IPv6 Router 90 Advertisement (RA) option for DNS configuration in IPv6 hosts 91 specified in an earlier experimental specification [RFC5006] and also 92 to define a new RA option for Domain Name Search lists. 94 Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address 95 Autoconfiguration provide ways to configure either fixed or mobile 96 nodes with one or more IPv6 addresses, default routers and some other 97 parameters [RFC4861][RFC4862]. Most Internet services are identified 98 by using a DNS name. The two RA options defined in this document 99 provide the DNS information needed for an IPv6 host to reach Internet 100 services. 102 It is infeasible to manually configure nomadic hosts each time they 103 connect to a different network. While a one-time static 104 configuration is possible, it is generally not desirable on general- 105 purpose hosts such as laptops. For instance, locally defined name 106 spaces would not be available to the host if it were to run its own 107 name server software directly connected to the global DNS. 109 The DNS information can also be provided through DHCP 110 [RFC3315][RFC3736][RFC3646]. However, the access to DNS is a 111 fundamental requirement for almost all hosts, so IPv6 stateless 112 autoconfiguration cannot stand on its own as an alternative 113 deployment model in any practical network without any support for DNS 114 configuration. 116 These issues are not pressing in dual stack networks as long as a DNS 117 server is available on the IPv4 side, but become more critical with 118 the deployment of IPv6-only networks. As a result, this document 119 defines a mechanism based on IPv6 RA options to allow IPv6 hosts to 120 perform the automatic DNS configuration. 122 1.1. Applicability Statements 124 RA-based DNS configuration is a useful alternative in networks where 125 an IPv6 host's address is autoconfigured through IPv6 stateless 126 address autoconfiguration, and where there is either no DHCPv6 127 infrastructure at all or some hosts do not have a DHCPv6 client. The 128 intention is to enable the full configuration of basic networking 129 information for hosts without requiring DHCPv6. However, when in 130 many networks some additional information needs to be distributed, 131 those networks are likely to employ DHCPv6. In these networks RA- 132 based DNS configuration may not be needed. 134 RA-based DNS configuration allows an IPv6 host to acquire the DNS 135 configuration (i.e., DNS recursive server addresses and DNS search 136 list) for the link(s) to which the host is connected. Furthermore, 137 the host learns this DNS configuration from the same RA message that 138 provides configuration information for the link, thereby avoiding 139 also running DHCPv6. 141 The advantages and disadvantages of the RA-based approach are 142 discussed in [RFC4339] along with other approaches, such as the DHCP 143 and well-known anycast addresses approaches. 145 1.2. Coexistence of RA Options and DHCP Options for DNS Configuration 147 Two protocols exist to configure the DNS information on a host, the 148 Router Advertisement options described in this document and the 149 DHCPv6 options described in [RFC3646]. They can be used together. 150 The rules governing the decision to use stateful configuration 151 mechanisms are specified in [RFC4861]. Hosts conforming to this 152 specification MUST extract DNS information from Router Advertisement 153 messages, unless static DNS configuration has been specified by the 154 user. If there is DNS information available from multiple Router 155 Advertisements and/or from DHCP, the host MUST maintain an ordered 156 list of this information as specified in Section 5.3.1. 158 2. Requirements Language 160 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 161 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 162 document are to be interpreted as described in [RFC2119]. 164 3. Terminology 166 This document uses the terminology described in [RFC4861] and 167 [RFC4862]. In addition, four new terms are defined below: 169 o Recursive DNS Server (RDNSS): Server which provides a recursive 170 DNS resolution service for translating domain names into IP 171 addresses as defined in [RFC1034] and [RFC1035]. 173 o RDNSS Option: IPv6 RA option to deliver the RDNSS information to 174 IPv6 hosts [RFC4861]. 176 o DNS Search List (DNSSL): The list of DNS suffix domain names used 177 by IPv6 hosts when they perform DNS query searches for short, 178 unqualified domain names. 180 o DNSSL Option: IPv6 RA option to deliver the DNSSL information to 181 IPv6 hosts. 183 o DNS Repository: Two data structures for managing DNS Configuration 184 Information in the IPv6 protocol stack in addition to Neighbor 185 Cache and Destination Cache for Neighbor Discovery [RFC4861]. The 186 first data structure is the DNS Server List for RDNSS addresses 187 and the second is the DNS Search List for DNS search domain names. 189 o Resolver Repository: Configuration repository with RDNSS addresses 190 and a DNS search list that a DNS resolver on the host uses for DNS 191 name resolution; for example, the Unix resolver file (i.e., /etc/ 192 resolv.conf) and Windows registry. 194 4. Overview 196 This document standardizes the ND option called RDNSS option defined 197 in [RFC5006] that contains the addresses of recursive DNS servers. 198 This document also defines a new ND option called DNSSL option for 199 Domain Search List. This is to maintain parity with the DHCPv6 200 options and to ensure that there is necessary functionality to 201 determine the search domains. 203 Existing ND message (i.e., Router Advertisement) is used to carry 204 this information. An IPv6 host can configure the IPv6 addresses of 205 one or more RDNSSes via RA messages. Through the RDNSS and DNSSL 206 options, along with the prefix information option based on the ND 207 protocol ([RFC4861] and [RFC4862]), an IPv6 host can perform the 208 network configuration of its IPv6 address and the DNS information 209 simultaneously without needing DHCPv6 for the DNS configuration. The 210 RA options for RDNSS and DNSSL can be used on any network that 211 supports the use of ND. 213 This approach requires the manual configuration or other automatic 214 mechanisms (e.g., DHCPv6 or vendor proprietary configuration 215 mechanisms) to configure the DNS information in routers sending the 216 advertisements. The automatic configuration of RDNSS addresses and a 217 DNS search list in routers is out of scope for this document. 219 5. Neighbor Discovery Extension 221 The IPv6 DNS configuration mechanism in this document needs two new 222 ND options in Neighbor Discovery: (i) the Recursive DNS Server 223 (RDNSS) option and (ii) the DNS Search List (DNSSL) option. 225 5.1. Recursive DNS Server Option 227 The RDNSS option contains one or more IPv6 addresses of recursive DNS 228 servers. All of the addresses share the same lifetime value. If it 229 is desirable to have different lifetime values, multiple RDNSS 230 options can be used. Figure 1 shows the format of the RDNSS option. 232 0 1 2 3 233 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 234 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 235 | Type | Length | Reserved | 236 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 237 | Lifetime | 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 239 | | 240 : Addresses of IPv6 Recursive DNS Servers : 241 | | 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 244 Figure 1: Recursive DNS Server (RDNSS) Option Format 246 Fields: 247 Type 8-bit identifier of the RDNSS option type as assigned 248 by the IANA: 25 250 Length 8-bit unsigned integer. The length of the option 251 (including the Type and Length fields) is in units of 252 8 octets. The minimum value is 3 if one IPv6 address 253 is contained in the option. Every additional RDNSS 254 address increases the length by 2. The Length field 255 is used by the receiver to determine the number of 256 IPv6 addresses in the option. 258 Lifetime 32-bit unsigned integer. The maximum time, in 259 seconds (relative to the time the packet is sent), 260 over which this RDNSS address MAY be used for name 261 resolution. Hosts MAY send a Router Solicitation to 262 ensure the RDNSS information is fresh before the 263 interval expires. In order to provide fixed hosts 264 with stable DNS service and allow mobile hosts to 265 prefer local RDNSSes to remote RDNSSes, the value of 266 Lifetime should be at least as long as the Maximum RA 267 Interval (MaxRtrAdvInterval) in [RFC4861], and be at 268 most as long as two times MaxRtrAdvInterval; Lifetime 269 SHOULD be bounded as follows: MaxRtrAdvInterval <= 270 Lifetime <= 2*MaxRtrAdvInterval. A value of all one 271 bits (0xffffffff) represents infinity. A value of 272 zero means that the RDNSS address MUST no longer be 273 used. 275 Addresses of IPv6 Recursive DNS Servers 276 One or more 128-bit IPv6 addresses of the recursive 277 DNS servers. The number of addresses is determined 278 by the Length field. That is, the number of 279 addresses is equal to (Length - 1) / 2. 281 5.2. DNS Search List Option 283 The DNSSL option contains one or more domain names of DNS suffixes. 284 All of the domain names share the same lifetime value. If it is 285 desirable to have different lifetime values, multiple DNSSL options 286 can be used. Figure 2 shows the format of the DNSSL option. 288 0 1 2 3 289 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 290 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 291 | Type | Length | Reserved | 292 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 293 | Lifetime | 294 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 295 | | 296 : Domain Names of DNS Search List : 297 | | 298 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 300 Figure 2: DNS Search List (DNSSL) Option Format 302 Fields: 303 Type 8-bit identifier of the RDNSS option type as assigned 304 by the IANA: (TBD) 306 Length 8-bit unsigned integer. The length of the option 307 (including the Type and Length fields) is in units of 308 8 octets. The minimum value is 2 if at least one 309 domain name is contained in the option. The Length 310 field is set to a multiple of 8 octets to accommodate 311 all the domain names in the field of Domain Names of 312 DNS Search List. 314 Lifetime 32-bit unsigned integer. The maximum time, in 315 seconds (relative to the time the packet is sent), 316 over which this DNSSL domain name MAY be used for 317 name resolution. The Lifetime value has the same 318 semantics as with RDNSS option. That is, Lifetime 319 SHOULD be bounded as follows: MaxRtrAdvInterval <= 320 Lifetime <= 2*MaxRtrAdvInterval. A value of all one 321 bits (0xffffffff) represents infinity. A value of 322 zero means that the DNSSL domain name MUST no longer 323 be used. 325 Domain Names of DNS Search List 326 One or more domain names of DNS search list that MUST 327 be encoded in the non-compressed form, using the 328 technique described in Section 3.1 of [RFC1035]. The 329 size of this field is a multiple of 8 octets. The 330 remaining octets other than the encoding parts for 331 the domain names are padded with zeros. 333 Note: An RDNSS address or a DNSSL domain name MUST be used only as 334 long as both the RA router lifetime and the option lifetime have 335 not expired. The reason is that in the current network to which 336 an IPv6 host is connected, the RDNSS may not be currently 337 reachable, that the DNSSL domain name is not valid any more, or 338 that these options do not provide service to the host's current 339 address (e.g., due to network ingress filtering 340 [RFC2827][RFC5358]). 342 5.3. Procedure of DNS Configuration 344 The procedure of DNS configuration through the RDNSS and DNSSL 345 options is the same as with any other ND option [RFC4861]. 347 5.3.1. Procedure in IPv6 Host 349 When an IPv6 host receives DNS options (i.e., RDNSS option and DNSSL 350 option) through RA messages, it checks whether the options are valid 351 or not as follow: 353 o If the DNS options are valid, the host SHOULD copy the values of 354 the options into the DNS Repository and the Resolver Repository in 355 order; the value of the Length field in the RDNSS option is 356 greater than or equal to the minimum value (3) and also the value 357 of the Length field in the DNSSL option is greater than or equal 358 to the minimum value (2). 360 o If the DNS options are invalid, the host MUST discard the options; 361 for example, the Length field in the RDNSS option has a value less 362 than 3 or the Length field in the DNSSL option has a value less 363 than 2. 365 When the IPv6 host has gathered a sufficient number (e.g., three) of 366 RDNSS addresses (or DNS search domain names), it MAY ignore 367 additional RDNSS addresses (or DNS search domain names) within an 368 RDNSS (or DNSSL) option and/or additional RDNSS (or DNSSL) options 369 within an RA. 371 In the case where the DNS options of RDNSS and DNSSL can be obtained 372 from multiple sources, such as RA and DHCP, the IPv6 host can keep 373 some DNS options from RA and some from DHCP; for example, two RDNSS 374 addresses (or DNS search domain names) from RA and one RDNSS address 375 (or DNS search domain name) from DHCP. 377 6. Implementation Considerations 379 Note: This non-normative section gives some hints for implementing 380 the processing of the RDNSS and DNSSL options in an IPv6 host. 382 For the configuration and management of DNS information, the 383 advertised DNS configuration information can be stored and managed in 384 both the DNS Repository and the Resolver Repository. 386 In environments where the DNS information is stored in user space and 387 ND runs in the kernel, it is necessary to synchronize the DNS 388 information (i.e., RDNSS addresses and DNS search domain names) in 389 kernel space and the Resolver Repository in user space. For the 390 synchronization, an implementation where ND works in the kernel 391 should provide a write operation for updating DNS information from 392 the kernel to the Resolver Repository. One simple approach is to 393 have a daemon (or a program that is called at defined intervals) that 394 keeps monitoring the lifetimes of RDNSS addresses and DNS search 395 domain names all the time. Whenever there is an expired entry in the 396 DNS Repository, the daemon can delete the corresponding entry from 397 the Resolver Repository. 399 6.1. DNS Repository Management 401 For DNS repository management, the kernel or user-space process 402 (depending on where RAs are processed) should maintain two data 403 structures: (i) DNS Server List that keeps the list of RDNSS 404 addresses and (ii) DNS Search List that keeps the list of DNS search 405 domain names. Each entry in these two lists consists of a pair of an 406 RDNSS address (or DNSSL domain name) and Expiration-time as follows: 408 o RDNSS address for DNS Server List: IPv6 address of the Recursive 409 DNS Server, which is available for recursive DNS resolution 410 service in the network advertising the RDNSS option. 412 o DNSSL domain name for DNS Search List: DNS suffix domain names, 413 which is used to perform DNS query searches for short, unqualified 414 domain names in the network advertising the DNSSL option. 416 o Expiration-time for DNS Server List or DNS Search List: The time 417 when this entry becomes invalid. Expiration-time is set to the 418 value of the Lifetime field of the RDNSS option or DNSSL option 419 plus the current system time. Whenever a new RDNSS option with 420 the same address (or DNSSL option with the same domain name) is 421 received on the same interface as a previous RDNSS option (or 422 DNSSL option), this field is updated to have a new expiration 423 time. When Expiration-time becomes less than the current system 424 time, this entry is regarded as expired. 426 6.2. Synchronization between DNS Server List and Resolver Repository 428 When an IPv6 host receives the information of multiple RDNSS 429 addresses within a network (e.g., campus network and company network) 430 through an RA message with RDNSS option(s), it stores the RDNSS 431 addresses (in order) into both the DNS Server List and the Resolver 432 Repository. The processing of the RDNSS option(s) included in an RA 433 message is as follows: 435 Step (a): Receive and parse the RDNSS option(s). For the RDNSS 436 addresses in each RDNSS option, perform Step (b) through Step (d). 437 Note that Step (e) is performed whenever an entry expires in the 438 DNS Server List. 440 Step (b): For each RDNSS address, check the following: If the 441 RDNSS address already exists in the DNS Server List and the RDNSS 442 option's Lifetime field is set to zero, delete the corresponding 443 RDNSS entry from both the DNS Server List and the Resolver 444 Repository in order to prevent the RDNSS address from being used 445 any more for certain reasons in network management, e.g., the 446 termination of the RDNSS or a renumbering situation. The 447 processing of this RDNSS address is finished here. Otherwise, go 448 to Step (c). 450 Step (c): For each RDNSS address, if it already exists in the DNS 451 Server List, then just update the value of the Expiration-time 452 field according to the procedure specified in the second bullet of 453 Section 6.1. Otherwise, go to Step (d). 455 Step (d): For each RDNSS address, if it does not exist in the DNS 456 Server List, register the RDNSS address and lifetime with the DNS 457 Server List and then insert the RDNSS address in front of the 458 Resolver Repository. In the case where the data structure for the 459 DNS Server List is full of RDNSS entries, delete from the DNS 460 Server List the entry with the shortest expiration time (i.e., the 461 entry that will expire first). The corresponding RDNSS address is 462 also deleted from the Resolver Repository. In the order in the 463 RDNSS option, position the newly added RDNSS addresses in front of 464 the Resolver Repository so that the new RDNSS addresses may be 465 preferred according to their order in the RDNSS option for the DNS 466 name resolution. The processing of these RDNSS addresses is 467 finished here. Note that, in the case where there are several 468 routers advertising RDNSS option(s) in a subnet, the RDNSSes that 469 have been announced recently are preferred. 471 Step (e): Delete each expired entry from the DNS Server List, and 472 delete the RDNSS address corresponding to the entry from the 473 Resolver Repository. 475 6.3. Synchronization between DNS Search List and Resolver Repository 477 When an IPv6 host receives the information of multiple DNSSL domain 478 names within a network (e.g., campus network and company network) 479 through an RA message with DNSSL option(s), it stores the DNSSL 480 domain names (in order) into both the DNS Search List and the 481 Resolver Repository. The processing of the DNSSL option(s) included 482 in an RA message is as follows: 484 Step (a): Receive and parse the DNSSL option(s). For the DNSSL 485 domain names in each DNSSL option, perform Step (b) through Step 486 (d). Note that Step (e) is performed whenever an entry expires in 487 the DNS Search List. 489 Step (b): For each DNSSL domain name, check the following: If the 490 DNSSL domain name already exists in the DNS Search List and the 491 DNSSL option's Lifetime field is set to zero, delete the 492 corresponding DNSSL entry from both the DNS Search List and the 493 Resolver Repository in order to prevent the DNSSL domain name from 494 being used any more for certain reasons in network management, 495 e.g., the termination of the RDNSS or a renaming situation. The 496 processing of this DNSSL domain name is finished here. Otherwise, 497 go to Step (c). 499 Step (c): For each DNSSL domain name, if it already exists in the 500 DNS Server List, then just update the value of the Expiration-time 501 field according to the procedure specified in the second bullet of 502 Section 6.1. Otherwise, go to Step (d). 504 Step (d): For each DNSSL domain name, if it does not exist in the 505 DNS Search List, register the DNSSL domain name and lifetime with 506 the DNS Search List and then insert the DNSSL domain name in front 507 of the Resolver Repository. In the case where the data structure 508 for the DNS Search List is full of DNSSL domain name entries, 509 delete from the DNS Server List the entry with the shortest 510 expiration time (i.e., the entry that will expire first). The 511 corresponding DNSSL domain name is also deleted from the Resolver 512 Repository. In the order in the DNSSL option, position the newly 513 added DNSSL domain names in front of the Resolver Repository so 514 that the new DNSSL domain names may be preferred according to 515 their order in the DNSSL option for the DNS domain name used by 516 the DNS query. The processing of these DNSSL domain name is 517 finished here. Note that, in the case where there are several 518 routers advertising DNSSL option(s) in a subnet, the DNSSL domain 519 names that have been announced recently are preferred. 521 Step (e): Delete each expired entry from the DNS Search List, and 522 delete the DNSSL domain name corresponding to the entry from the 523 Resolver Repository. 525 7. Security Considerations 527 The security of the RA options for DNS configuration does not affect 528 ND protocol security [RFC4861]. This is because learning DNS 529 information via the RA options cannot be worse than learning bad 530 router information via the RA options. It can be claimed that the 531 vulnerability of ND is not worse and is a subset of the attacks that 532 any node attached to a LAN can do independently of ND. A malicious 533 node on a LAN can promiscuously receive packets for any router's MAC 534 address and send packets with the router's MAC address as the source 535 MAC address in the L2 header. As a result, L2 switches send packets 536 addressed to the router to the malicious node. Also, this attack can 537 send redirects that tell the hosts to send their traffic somewhere 538 else. The malicious node can send unsolicited RA or Neighbor 539 Advertisement (NA) replies, answer RS or Neighbor Solicitation (NS) 540 requests, etc. Also, an attacker could configure a host to send out 541 an RA with a fraudulent RDNSS address, which is presumably an easier 542 avenue of attack than becoming a rogue router and having to process 543 all traffic for the subnet. It is necessary to disable the RA RDNSS 544 option or DNSSL option in both routers and clients administratively 545 to avoid this problem. All of this can be done independently of 546 implementing ND. Therefore, it can be claimed that the RA options 547 for RDNSS and DNSSL has vulnerabilities similar to those existing in 548 unauthenticated DHCPv6. 550 It is common for network devices such as switches to include 551 mechanisms to block unauthorized ports from running a DHCPv6 server 552 to provide protection from rogue DHCP servers. That means that an 553 attacker on other ports cannot insert bogus DNS servers using DHCPv6. 554 The corresponding technique for network devices is recommended to 555 block rogue Router Advertisement messages including the RDNSS and 556 DNSSL options from unauthorized nodes. 558 An attacker may provide a bogus DNS Search List option in order to 559 cause the victim to send DNS queries to a specific DNS server when 560 the victim queries non-fully qualified domain names. For this 561 attack, the DNS resolver in IPv6 hosts can mitigate the vulnerability 562 with the recommendations in [RFC1535], [RFC1536], and [RFC3646]. 564 If the Secure Neighbor Discovery (SEND) protocol is used as a 565 security mechanism for ND, all the ND options including the RDNSS and 566 DNSSL options are automatically included in the signatures [RFC3971], 567 so the transport for the RA options is integrity-protected. However, 568 since any valid SEND node can still insert RDNSS and DNSSL options, 569 SEND cannot verify who is or is not authorized to send the options. 571 8. IANA Considerations 573 The RDNSS option defined in this document is using the IPv6 Neighbor 574 Discovery Option type in RFC 5006 [RFC5006] assigned by the IANA as 575 follows: 577 Option Name Type 578 RDNSS option 25 580 The IANA is requested to assign a new IPv6 Neighbor Discovery Option 581 type for the DNSSL option defined in this document: 583 Option Name Type 584 DNSSL option (TBD) 586 The IANA registry for these options is: 588 http://www.iana.org/assignments/icmpv6-parameters 590 9. Acknowledgements 592 This document has greatly benefited from inputs by Robert Hinden, 593 Pekka Savola, Iljitsch van Beijnum, Brian Haberman, Tim Chown, Erik 594 Nordmark, Dan Wing, and Jari Arkko. The authors sincerely appreciate 595 their contributions. 597 10. References 599 10.1. Normative References 601 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 602 Requirement Levels", BCP 14, RFC 2119, March 1997. 604 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 605 "Neighbor Discovery for IP Version 6 (IPv6)", RFC 4861, 606 September 2007. 608 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 609 Address Autoconfiguration", RFC 4862, September 2007. 611 10.2. Informative References 613 [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", 614 RFC 1034, November 1987. 616 [RFC1035] Mockapetris, P., "Domain Names - Implementation and 617 Specification", RFC 1035, November 1987. 619 [RFC3315] Droms, R., Ed., "Dynamic Host Configuration Protocol for 620 IPv6 (DHCPv6)", RFC 3315, July 2003. 622 [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol 623 (DHCP) Service for IPv6", RFC 3736, April 2004. 625 [RFC3646] Droms, R., Ed., "DNS Configuration options for Dynamic 626 Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, 627 December 2003. 629 [RFC5006] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 630 "IPv6 Router Advertisement Option for DNS Configuration", 631 RFC 5006, September 2007. 633 [RFC4339] Jeong, J., Ed., "IPv6 Host Configuration of DNS Server 634 Information Approaches", RFC 4339, February 2006. 636 [RFC3971] Arkko, J., Ed., "SEcure Neighbor Discovery (SEND)", 637 RFC 3971, March 2005. 639 [RFC5358] Damas, J. and F. Neves, "Preventing Use of Recursive 640 Nameservers in Reflector Attacks", BCP 140, RFC 5358, 641 October 2008. 643 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 644 Defeating Denial of Service Attacks which employ IP Source 645 Address Spoofing", BCP 38, RFC 2827, May 2000. 647 [RFC1535] Gavron, E., "A Security Problem and Proposed Correction 648 With Widely Deployed DNS Software", RFC 1535, 649 October 1993. 651 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. 652 Miller, "Common DNS Implementation Errors and Suggested 653 Fixes", RFC 1536, October 1993. 655 Appendix A. Changes from RFC 5006 657 The following changes were made from RFC 5006 "IPv6 Router 658 Advertisement Option for DNS Configuration": 660 o Added DNS Search List (DNSSL) Option to support the advertisement 661 of DNS suffixes used in the DNS search along with RDNSS Option in 662 RFC 5006. 664 o Clarified the coexistence of RA options and DHCP options for DNS 665 configuration. 667 o Modified the procedure in IPv6 host: 669 * Clarified the procedure for DNS options in an IPv6 host. 671 * Specified a sufficient number of RDNSS addresses or DNS search 672 domain names as three. 674 * Specified a way to deal with DNS options from multiple sources, 675 such as RA and DHCP. 677 o Modified implementation considerations for DNSSL Option handling. 679 o Modified security considerations to consider more attack scenarios 680 and the corresponding possible solutions. 682 o Modified IANA considerations to require another IPv6 Neighbor 683 Discovery Option type for DNSSL option. 685 Authors' Addresses 687 Jaehoon Paul Jeong (editor) 688 Brocade Communications Systems/ETRI 689 6000 Nathan Ln N 690 Plymouth, MN 55442 691 USA 693 Phone: +1 763 268 7173 694 Fax: +1 763 268 6800 695 EMail: pjeong@brocade.com 696 URI: http://www.cs.umn.edu/~jjeong/ 697 Soohong Daniel Park 698 Mobile Platform Laboratory 699 SAMSUNG Electronics 700 416 Maetan-3dong, Yeongtong-Gu 701 Suwon, Gyeonggi-Do 443-742 702 Korea 704 Phone: +82 31 200 4508 705 EMail: soohong.park@samsung.com 707 Luc Beloeil 708 France Telecom R&D 709 42, rue des coutures 710 BP 6243 711 14066 CAEN Cedex 4 712 France 714 Phone: +33 02 3175 9391 715 EMail: luc.beloeil@orange-ftgroup.com 717 Syam Madanapalli 718 Ordyn Technologies 719 1st Floor, Creator Building, ITPL 720 Bangalore - 560066 721 India 723 Phone: +91-80-40383000 724 EMail: smadanapalli@gmail.com