idnits 2.17.1 draft-ietf-add-ddr-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 7 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (4 April 2022) is 753 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-add-svcb-dns-02 == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-08 == Outdated reference: A later version (-16) exists of draft-ietf-add-dnr-06 == Outdated reference: A later version (-18) exists of draft-ietf-tls-esni-14 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ADD T. Pauly 3 Internet-Draft E. Kinnear 4 Intended status: Standards Track Apple Inc. 5 Expires: 6 October 2022 C. A. Wood 6 Cloudflare 7 P. McManus 8 Fastly 9 T. Jensen 10 Microsoft 11 4 April 2022 13 Discovery of Designated Resolvers 14 draft-ietf-add-ddr-06 16 Abstract 18 This document defines Discovery of Designated Resolvers (DDR), a 19 mechanism for DNS clients to use DNS records to discover a resolver's 20 encrypted DNS configuration. This mechanism can be used to move from 21 unencrypted DNS to encrypted DNS when only the IP address of a 22 resolver is known. This mechanism is designed to be limited to cases 23 where unencrypted resolvers and their designated resolvers are 24 operated by the same entity or cooperating entities. It can also be 25 used to discover support for encrypted DNS protocols when the name of 26 an encrypted resolver is known. 28 Discussion Venues 30 This note is to be removed before publishing as an RFC. 32 Discussion of this document takes place on the Adaptive DNS Discovery 33 Working Group mailing list (add@ietf.org), which is archived at 34 https://mailarchive.ietf.org/arch/browse/add/. 36 Source for this draft and an issue tracker can be found at 37 https://github.com/ietf-wg-add/draft-ietf-add-ddr. 39 Status of This Memo 41 This Internet-Draft is submitted in full conformance with the 42 provisions of BCP 78 and BCP 79. 44 Internet-Drafts are working documents of the Internet Engineering 45 Task Force (IETF). Note that other groups may also distribute 46 working documents as Internet-Drafts. The list of current Internet- 47 Drafts is at https://datatracker.ietf.org/drafts/current/. 49 Internet-Drafts are draft documents valid for a maximum of six months 50 and may be updated, replaced, or obsoleted by other documents at any 51 time. It is inappropriate to use Internet-Drafts as reference 52 material or to cite them other than as "work in progress." 54 This Internet-Draft will expire on 6 October 2022. 56 Copyright Notice 58 Copyright (c) 2022 IETF Trust and the persons identified as the 59 document authors. All rights reserved. 61 This document is subject to BCP 78 and the IETF Trust's Legal 62 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 63 license-info) in effect on the date of publication of this document. 64 Please review these documents carefully, as they describe your rights 65 and restrictions with respect to this document. Code Components 66 extracted from this document must include Revised BSD License text as 67 described in Section 4.e of the Trust Legal Provisions and are 68 provided without warranty as described in the Revised BSD License. 70 Table of Contents 72 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 73 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 74 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 75 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 76 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 77 4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6 78 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 7 79 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 8 80 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 8 81 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 9 82 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 9 83 6.2. Certificate Management . . . . . . . . . . . . . . . . . 10 84 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 10 85 6.4. Handling non-DDR queries for resolver.arpa . . . . . . . 10 86 6.5. Interaction with Network-Designated Resolvers . . . . . . 10 87 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 88 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 89 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 12 90 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 91 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 92 9.2. Informative References . . . . . . . . . . . . . . . . . 13 93 Appendix A. Rationale for using SVCB records . . . . . . . . . . 15 94 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 96 1. Introduction 98 When DNS clients wish to use encrypted DNS protocols such as DNS- 99 over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they 100 require additional information beyond the IP address of the DNS 101 server, such as the resolver's hostname, non-standard ports, or URL 102 paths. However, common configuration mechanisms only provide the 103 resolver's IP address during configuration. Such mechanisms include 104 network provisioning protocols like DHCP [RFC2132] and IPv6 Router 105 Advertisement (RA) options [RFC8106], as well as manual 106 configuration. 108 This document defines two mechanisms for clients to discover 109 designated resolvers using DNS server Service Binding (SVCB, 110 [I-D.ietf-dnsop-svcb-https]) records: 112 1. When only an IP address of an Unencrypted Resolver is known, the 113 client queries a special use domain name (SUDN) [RFC6761] to 114 discover DNS SVCB records associated with one or more Encrypted 115 Resolvers the Unencrypted Resolver has designated for use when 116 support for DNS encryption is requested (Section 4). 118 2. When the hostname of an Encrypted Resolver is known, the client 119 requests details by sending a query for a DNS SVCB record. This 120 can be used to discover alternate encrypted DNS protocols 121 supported by a known server, or to provide details if a resolver 122 name is provisioned by a network (Section 5). 124 Both of these approaches allow clients to confirm that a discovered 125 Encrypted Resolver is designated by the originally provisioned 126 resolver. "Designated" in this context means that the resolvers are 127 operated by the same entity or cooperating entities; for example, the 128 resolvers are accessible on the same IP address, or there is a 129 certificate that claims ownership over the IP address for the 130 original designating resolver. 132 1.1. Specification of Requirements 134 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 135 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 136 "OPTIONAL" in this document are to be interpreted as described in BCP 137 14 [RFC2119] [RFC8174] when, and only when, they appear in all 138 capitals, as shown here. 140 2. Terminology 142 This document defines the following terms: 144 DDR: Discovery of Designated Resolvers. Refers to the mechanisms 145 defined in this document. 147 Designated Resolver: A resolver, presumably an Encrypted Resolver, 148 designated by another resolver for use in its own place. This 149 designation can be verified with TLS certificates. 151 Encrypted Resolver: A DNS resolver using any encrypted DNS 152 transport. This includes current mechanisms such as DoH and DoT 153 as well as future mechanisms. 155 Unencrypted Resolver: A DNS resolver using TCP or UDP port 53. 157 3. DNS Service Binding Records 159 DNS resolvers can advertise one or more Designated Resolvers that may 160 offer support over encrypted channels and are controlled by the same 161 entity. 163 When a client discovers Designated Resolvers, it learns information 164 such as the supported protocols and ports. This information is 165 provided in ServiceMode Service Binding (SVCB) records for DNS 166 Servers, although AliasMode SVCB records can be used to direct 167 clients to the needed ServiceMode SVCB record per 168 [I-D.ietf-dnsop-svcb-https]. The formatting of these records, 169 including the DNS-unique parameters such as "dohpath", are defined by 170 [I-D.ietf-add-svcb-dns]. 172 The following is an example of an SVCB record describing a DoH server 173 discovered by querying for _dns.example.net: 175 _dns.example.net. 7200 IN SVCB 1 example.net. ( 176 alpn=h2 dohpath=/dns-query{?dns} ) 178 The following is an example of an SVCB record describing a DoT server 179 discovered by querying for _dns.example.net: 181 _dns.example.net 7200 IN SVCB 1 dot.example.net ( 182 alpn=dot port=8530 ) 184 If multiple Designated Resolvers are available, using one or more 185 encrypted DNS protocols, the resolver deployment can indicate a 186 preference using the priority fields in each SVCB record 187 [I-D.ietf-dnsop-svcb-https]. 189 If the client encounters a mandatory parameter in an SVCB record it 190 does not understand, it MUST NOT use that record to discover a 191 Designated Resolver. The client can still use others records in the 192 same response if the client can understand all of their mandatory 193 parameters. This allows future encrypted deployments to 194 simultaneously support protocols even if a given client is not aware 195 of all those protocols. For example, if the Unencrypted Resolver 196 returns three SVCB records, one for DoH, one for DoT, and one for a 197 yet-to-exist protocol, a client which only supports DoH and DoT 198 should be able to use those records while safely ignoring the third 199 record. 201 To avoid name lookup deadlock, Designated Resolvers SHOULD follow the 202 guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- 203 based references that block the completion of the TLS handshake. 205 This document focuses on discovering DoH and DoT Designated 206 Resolvers. Other protocols can also use the format defined by 207 [I-D.ietf-add-svcb-dns]. However, if any protocol does not involve 208 some form of certificate validation, new validation mechanisms will 209 need to be defined to support validating designation as defined in 210 Section 4.2. 212 4. Discovery Using Resolver IP Addresses 214 When a DNS client is configured with an Unencrypted Resolver IP 215 address, it SHOULD query the resolver for SVCB records for 216 "dns://resolver.arpa" before making other queries. Specifically, the 217 client issues a query for _dns.resolver.arpa with the SVCB resource 218 record type (64) [I-D.ietf-dnsop-svcb-https]. 220 Because this query is for an SUDN, which no entity can claim 221 ownership over, the ServiceMode SVCB response MUST NOT use the "." 222 value for the TargetName. Instead, the domain name used for DoT or 223 used to construct the DoH template MUST be provided. 225 The following is an example of an SVCB record describing a DoH server 226 discovered by querying for _dns.resolver.arpa: 228 _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( 229 alpn=h2 dohpath=/dns-query{?dns} ) 231 The following is an example of an SVCB record describing a DoT server 232 discovered by querying for _dns.resolver.arpa: 234 _dns.resolver.arpa 7200 IN SVCB 1 dot.example.net ( 235 alpn=dot port=8530 ) 237 If the recursive resolver that receives this query has one or more 238 Designated Resolvers, it will return the corresponding SVCB records. 239 When responding to these special queries for "dns://resolver.arpa", 240 the recursive resolver SHOULD include the A and AAAA records for the 241 name of the Designated Resolver in the Additional Answers section. 242 This will allow the DNS client to make queries over an encrypted 243 connection without waiting to resolve the Encrypted Resolver name per 244 [I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address 245 hints are included, clients will be forced to delay use of the 246 Encrypted Resolver until an additional DNS lookup for the A and AAAA 247 records can be made to the Unencrypted Resolver (or some other 248 resolver the DNS client has been configured to use). 250 If the recursive resolver that receives this query has no Designated 251 Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" 252 SUDN. 254 4.1. Use of Designated Resolvers 256 When a client discovers Designated Resolvers from an Unencrypted 257 Resolver IP address, it can choose to use these Designated Resolvers 258 either automatically, or based on some other policy, heuristic, or 259 user choice. 261 This document defines two preferred methods to automatically use 262 Designated Resolvers: 264 * Verified Discovery Section 4.2, for when a TLS certificate can be 265 used to validate the resolver's identity. 267 * Opportunistic Discovery Section 4.3, for when a resolver is 268 accessed using a non-public IP address. 270 A client MAY additionally use a discovered Designated Resolver 271 without either of these methods, based on implementation-specific 272 policy or user input. Details of such policy are out of scope of 273 this document. Clients SHOULD NOT automatically use a Designated 274 Resolver without some sort of validation, such as the two methods 275 defined in this document or a future mechanism. 277 A client MUST NOT use a Designated Resolver designated by one 278 Unencrypted Resolver in place of another Unencrypted Resolver. As 279 these are known only by IP address, this means each unique IP address 280 used for unencrypted DNS requires its own designation discovery. 281 This ensures queries are being sent to a party designated by the 282 resolver originally being used. 284 Generally, clients also SHOULD NOT reuse the Designated Resolver 285 discovered from an Unencrypted Resolver over one network connection 286 in place of the same Unencrypted Resolver on another network 287 connection. Instead, clients SHOULD repeat the discovery process on 288 the other network connection. 290 However, if a given Unencrypted Resolver designates a Designated 291 Resolver that uses a public IP address and can be verified using the 292 mechanism described in Section 4.2, it MAY be used on different 293 network connections so long as the subsequent connections over other 294 networks can also be successfully verified using the mechanism 295 described in Section 4.2. This is a tradeoff between performance (by 296 having no delay in establishing an encrypted DNS connection on the 297 new network) and functionality (if the Unencrypted Resolver intends 298 to designate different Designated Resolvers based on the network from 299 which clients connect). 301 4.2. Verified Discovery 303 Verified Discovery is a mechanism that allows automatic use of a 304 Designated Resolver that supports DNS encryption that performs a TLS 305 handshake. 307 In order to be considered a verified Designated Resolver, the TLS 308 certificate presented by the Designated Resolver MUST contain the IP 309 address of the designating Unencrypted Resolver in a subjectAltName 310 extension. If the certificate can be validated, the client SHOULD 311 use the discovered Designated Resolver for any cases in which it 312 would have otherwise used the Unencrypted Resolver. If the 313 Designated Resolver has a different IP address than the Unencrypted 314 Resolver and the TLS certificate does not cover the Unencrypted 315 Resolver address, the client MUST NOT automatically use the 316 discovered Designated Resolver. Additionally, the client SHOULD 317 suppress any further queries for Designated Resolvers using this 318 Unencrypted Resolver for the length of time indicated by the SVCB 319 record's Time to Live (TTL). 321 If the Designated Resolver and the Unencrypted Resolver share an IP 322 address, clients MAY choose to opportunistically use the Designated 323 Resolver even without this certificate check (Section 4.3). 325 If resolving the name of a Designated Resolver from an SVCB record 326 yields an IP address that was not presented in the Additional Answers 327 section or ipv4hint or ipv6hint fields of the original SVCB query, 328 the connection made to that IP address MUST pass the same TLS 329 certificate checks before being allowed to replace a previously known 330 and validated IP address for the same Designated Resolver name. 332 4.3. Opportunistic Discovery 334 There are situations where Verified Discovery of encrypted DNS 335 configuration over unencrypted DNS is not possible. This includes 336 Unencrypted Resolvers on non-public IP addresses such as those 337 defined in [RFC1918] whose identity cannot be confirmed using TLS 338 certificates. 340 Opportunistic Privacy is defined for DoT in Section 4.1 of [RFC7858] 341 as a mode in which clients do not validate the name of the resolver 342 presented in the certificate. A client MAY use information from the 343 SVCB record for "dns://resolver.arpa" with this "opportunistic" 344 approach (not validating the names presented in the 345 SubjectAlternativeName field of the certificate) as long as the IP 346 address of the Encrypted Resolver does not differ from the IP address 347 of the Unencrypted Resolver. Clients SHOULD use this mode only for 348 resolvers using non-public IP addresses. This approach can be used 349 for any encrypted DNS protocol that uses TLS. 351 5. Discovery Using Resolver Names 353 A DNS client that already knows the name of an Encrypted Resolver can 354 use DDR to discover details about all supported encrypted DNS 355 protocols. This situation can arise if a client has been configured 356 to use a given Encrypted Resolver, or if a network provisioning 357 protocol (such as DHCP or IPv6 Router Advertisements) provides a name 358 for an Encrypted Resolver alongside the resolver IP address. 360 For these cases, the client simply sends a DNS SVCB query using the 361 known name of the resolver. This query can be issued to the named 362 Encrypted Resolver itself or to any other resolver. Unlike the case 363 of bootstrapping from an Unencrypted Resolver (Section 4), these 364 records SHOULD be available in the public DNS. 366 For example, if the client already knows about a DoT server 367 resolver.example.com, it can issue an SVCB query for 368 _dns.resolver.example.com to discover if there are other encrypted 369 DNS protocols available. In the following example, the SVCB answers 370 indicate that resolver.example.com supports both DoH and DoT, and 371 that the DoH server indicates a higher priority than the DoT server. 373 _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( 374 alpn=h2 dohpath=/dns-query{?dns} ) 375 _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( 376 alpn=dot ) 378 Clients MUST validate that for any Encrypted Resolver discovered 379 using a known resolver name, the TLS certificate of the resolver 380 contains the known name in a subjectAltName extension. In the 381 example above, this means that both servers need to have certificates 382 that cover the name resolver.example.com. Often, the various 383 supported encrypted DNS protocols will be specified such that the 384 SVCB TargetName matches the known name, as is true in the example 385 above. However, even when the TargetName is different (for example, 386 if the DoH server had a TargetName of doh.example.com), the clients 387 still check for the original known resolver name in the certificate. 389 Note that this resolver validation is not related to the DNS resolver 390 that provided the SVCB answer. 392 As another example, being able to discover a Designated Resolver for 393 a known Encrypted Resolver is useful when a client has a DoT 394 configuration for foo.resolver.example.com but is on a network that 395 blocks DoT traffic. The client can still send a query to any other 396 accessible resolver (either the local network resolver or an 397 accessible DoH server) to discover if there is a designated DoH 398 server for foo.resolver.example.com. 400 6. Deployment Considerations 402 Resolver deployments that support DDR are advised to consider the 403 following points. 405 6.1. Caching Forwarders 407 A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" 408 upstream. This prevents a client from receiving an SVCB record that 409 will fail to authenticate because the forwarder's IP address is not 410 in the upstream resolver's Designated Resolver's TLS certificate SAN 411 field. A DNS forwarder which already acts as a completely blind 412 forwarder MAY choose to forward these queries when the operator 413 expects that this does not apply, either because the operator knows 414 the upstream resolver does have the forwarder's IP address in its TLS 415 certificate's SAN field or that the operator expects clients of the 416 unencrypted resolver to use the SVCB information opportunistically. 418 Operators who choose to forward queries for "resolver.arpa" upstream 419 should note that client behavior is never guaranteed and use of DDR 420 by a resolver does not communicate a requirement for clients to use 421 the SVCB record when it cannot be verified. 423 6.2. Certificate Management 425 Resolver owners that support Verified Discovery will need to list 426 valid referring IP addresses in their TLS certificates. This may 427 pose challenges for resolvers with a large number of referring IP 428 addresses. 430 6.3. Server Name Handling 432 Clients MUST NOT use "resolver.arpa" as the server name either in the 433 TLS Server Name Indication (SNI) ([RFC8446]) for DoT or DoH 434 connections, or in the URI host for DoH requests. 436 When performing discovery using resolver IP addresses, clients MUST 437 use the IP address as the URI host for DoH requests. 439 Note that since IP addresses are not supported by default in the TLS 440 SNI, resolvers that support discovery using IP addresses will need to 441 be configured to present the appropriate TLS certificate when no SNI 442 is present for both DoT and DoH. 444 6.4. Handling non-DDR queries for resolver.arpa 446 DNS resolvers that support DDR by responding to queries for 447 _dns.resolver.arpa SHOULD treat resolver.arpa as a locally served 448 zone per [RFC6303]. In practice, this means that resolvers SHOULD 449 respond to queries of any type other than SVCB for _dns.resolver.arpa 450 with NODATA and queries of any type for any domain name under 451 resolver.arpa with NODATA. 453 6.5. Interaction with Network-Designated Resolvers 455 Discovery of network-designated resolvers (DNR, [I-D.ietf-add-dnr]) 456 allows a network to provide designation of resolvers directly through 457 DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) [RFC4861] 458 options. When such indications are present, clients can suppress 459 queries for "resolver.arpa" to the unencrypted DNS server indicated 460 by the network over DHCP or RAs, and the DNR indications SHOULD take 461 precedence over those discovered using "resolver.arpa" for the same 462 resolver if there is a conflict. 464 The designated resolver information in DNR might not contain a full 465 set of SvcParams needed to connect to an encrypted resolver. In such 466 a case, the client can use an SVCB query using a resolver name, as 467 described in Section 5, to the authentication-domain-name (ADN). 469 7. Security Considerations 471 Since clients can receive DNS SVCB answers over unencrypted DNS, on- 472 path attackers can prevent successful discovery by dropping SVCB 473 packets. Clients should be aware that it might not be possible to 474 distinguish between resolvers that do not have any Designated 475 Resolver and such an active attack. To limit the impact of discovery 476 queries being dropped either maliciously or unintentionally, clients 477 can re-send their SVCB queries periodically. 479 DoH resolvers that allow discovery using DNS SVCB answers over 480 unencrypted DNS MUST NOT provide differentiated behavior based on the 481 HTTP path alone, since an attacker could modify the "dohpath" 482 parameter. 484 While the IP address of the Unencrypted Resolver is often provisioned 485 over insecure mechanisms, it can also be provisioned securely, such 486 as via manual configuration, a VPN, or on a network with protections 487 like RA guard [RFC6105]. An attacker might try to direct Encrypted 488 DNS traffic to itself by causing the client to think that a 489 discovered Designated Resolver uses a different IP address from the 490 Unencrypted Resolver. Such a Designated Resolver might have a valid 491 certificate, but be operated by an attacker that is trying to observe 492 or modify user queries without the knowledge of the client or 493 network. 495 If the IP address of a Designated Resolver differs from that of an 496 Unencrypted Resolver, clients applying Verified Discovery 497 (Section 4.2) MUST validate that the IP address of the Unencrypted 498 Resolver is covered by the SubjectAlternativeName of the Designated 499 Resolver's TLS certificate. 501 Clients using Opportunistic Discovery (Section 4.3) MUST be limited 502 to cases where the Unencrypted Resolver and Designated Resolver have 503 the same IP address. 505 The constraints on the use of Designated Resolvers specified here 506 apply specifically to the automatic discovery mechanisms defined in 507 this document, which are referred to as Verified Discovery and 508 Opportunistic Discovery. Clients MAY use some other mechanism to 509 verify and use Designated Resolvers discovered using the DNS SVCB 510 record. However, use of such an alternate mechanism needs to take 511 into account the attack scenarios detailed here. 513 8. IANA Considerations 514 8.1. Special Use Domain Name "resolver.arpa" 516 This document calls for the addition of "resolver.arpa" to the 517 Special-Use Domain Names (SUDN) registry established by [RFC6761]. 518 This will allow resolvers to respond to queries directed at 519 themselves rather than a specific domain name. While this document 520 uses "resolver.arpa" to return SVCB records indicating designated 521 encrypted capability, the name is generic enough to allow future 522 reuse for other purposes where the resolver wishes to provide 523 information about itself to the client. 525 The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the 526 querying client is not interested in an answer from the authoritative 527 "arpa" name servers. The intent of the SUDN is to allow clients to 528 communicate with the Unencrypted Resolver much like "ipv4only.arpa" 529 allows for client-to-middlebox communication. For more context, see 530 the rationale behind "ipv4only.arpa" in [RFC8880]. 532 IANA is requested to add an entry in "Transport-Independent Locally- 533 Served DNS Zones" registry for 'resolver.arpa.' with the description 534 "DNS Resolver Special-Use Domain", listing this document as the 535 reference. 537 9. References 539 9.1. Normative References 541 [I-D.ietf-add-svcb-dns] 542 Schwartz, B., "Service Binding Mapping for DNS Servers", 543 Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns- 544 02, 1 February 2022, 545 . 548 [I-D.ietf-dnsop-svcb-https] 549 Schwartz, B., Bishop, M., and E. Nygren, "Service binding 550 and parameter specification via the DNS (DNS SVCB and 551 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 552 dnsop-svcb-https-08, 12 October 2021, 553 . 556 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. 557 J., and E. Lear, "Address Allocation for Private 558 Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, 559 February 1996, . 561 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 562 RFC 6303, DOI 10.17487/RFC6303, July 2011, 563 . 565 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 566 RFC 6761, DOI 10.17487/RFC6761, February 2013, 567 . 569 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 570 and P. Hoffman, "Specification for DNS over Transport 571 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 572 2016, . 574 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 575 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 576 . 578 9.2. Informative References 580 [I-D.ietf-add-dnr] 581 Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. 582 Jensen, "DHCP and Router Advertisement Options for the 583 Discovery of Network-designated Resolvers (DNR)", Work in 584 Progress, Internet-Draft, draft-ietf-add-dnr-06, 22 March 585 2022, . 588 [I-D.ietf-tls-esni] 589 Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS 590 Encrypted Client Hello", Work in Progress, Internet-Draft, 591 draft-ietf-tls-esni-14, 13 February 2022, 592 . 595 [I-D.schinazi-httpbis-doh-preference-hints] 596 Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference 597 Hints for HTTP", Work in Progress, Internet-Draft, draft- 598 schinazi-httpbis-doh-preference-hints-02, 13 July 2020, 599 . 602 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 603 Requirement Levels", BCP 14, RFC 2119, 604 DOI 10.17487/RFC2119, March 1997, 605 . 607 [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 608 Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, 609 . 611 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 612 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 613 DOI 10.17487/RFC4861, September 2007, 614 . 616 [RFC5507] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch, 617 Ed., "Design Choices When Expanding the DNS", RFC 5507, 618 DOI 10.17487/RFC5507, April 2009, 619 . 621 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. 622 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, 623 DOI 10.17487/RFC6105, February 2011, 624 . 626 [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 627 "IPv6 Router Advertisement Options for DNS Configuration", 628 RFC 8106, DOI 10.17487/RFC8106, March 2017, 629 . 631 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 632 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 633 May 2017, . 635 [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., 636 Richardson, M., Jiang, S., Lemon, T., and T. Winters, 637 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", 638 RFC 8415, DOI 10.17487/RFC8415, November 2018, 639 . 641 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 642 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 643 . 645 [RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name 646 'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August 647 2020, . 649 Appendix A. Rationale for using SVCB records 651 This mechanism uses SVCB/HTTPS resource records 652 [I-D.ietf-dnsop-svcb-https] to communicate that a given domain 653 designates a particular Designated Resolver for clients to use in 654 place of an Unencrypted Resolver (using a SUDN) or another Encrypted 655 Resolver (using its domain name). 657 There are various other proposals for how to provide similar 658 functionality. There are several reasons that this mechanism has 659 chosen SVCB records: 661 * Discovering encrypted resolver using DNS records keeps client 662 logic for DNS self-contained and allows a DNS resolver operator to 663 define which resolver names and IP addresses are related to one 664 another. 666 * Using DNS records also does not rely on bootstrapping with higher- 667 level application operations (such as 668 [I-D.schinazi-httpbis-doh-preference-hints]). 670 * SVCB records are extensible and allow definition of parameter 671 keys. This makes them a superior mechanism for extensibility as 672 compared to approaches such as overloading TXT records. The same 673 keys can be used for discovering Designated Resolvers of different 674 transport types as well as those advertised by Unencrypted 675 Resolvers or another Encrypted Resolver. 677 * Clients and servers that are interested in privacy of names will 678 already need to support SVCB records in order to use Encrypted TLS 679 Client Hello [I-D.ietf-tls-esni]. Without encrypting names in 680 TLS, the value of encrypting DNS is reduced, so pairing the 681 solutions provides the largest benefit. 683 * Clients that support SVCB will generally send out three queries 684 when accessing web content on a dual-stack network: A, AAAA, and 685 HTTPS queries. Discovering a Designated Resolver as part of one 686 of these queries, without having to add yet another query, 687 minimizes the total number of queries clients send. While 688 [RFC5507] recommends adding new RRTypes for new functionality, 689 SVCB provides an extension mechanism that simplifies client 690 behavior. 692 Authors' Addresses 693 Tommy Pauly 694 Apple Inc. 695 One Apple Park Way 696 Cupertino, California 95014, 697 United States of America 698 Email: tpauly@apple.com 700 Eric Kinnear 701 Apple Inc. 702 One Apple Park Way 703 Cupertino, California 95014, 704 United States of America 705 Email: ekinnear@apple.com 707 Christopher A. Wood 708 Cloudflare 709 101 Townsend St 710 San Francisco, 711 United States of America 712 Email: caw@heapingbits.net 714 Patrick McManus 715 Fastly 716 Email: mcmanus@ducksong.com 718 Tommy Jensen 719 Microsoft 720 Email: tojens@microsoft.com