idnits 2.17.1 draft-ietf-add-ddr-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 9 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (24 June 2022) is 670 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-add-svcb-dns-03 == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-10 == Outdated reference: A later version (-16) exists of draft-ietf-add-dnr-08 == Outdated reference: A later version (-18) exists of draft-ietf-tls-esni-14 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ADD T. Pauly 3 Internet-Draft E. Kinnear 4 Intended status: Standards Track Apple Inc. 5 Expires: 26 December 2022 C. A. Wood 6 Cloudflare 7 P. McManus 8 Fastly 9 T. Jensen 10 Microsoft 11 24 June 2022 13 Discovery of Designated Resolvers 14 draft-ietf-add-ddr-07 16 Abstract 18 This document defines Discovery of Designated Resolvers (DDR), a 19 mechanism for DNS clients to use DNS records to discover a resolver's 20 encrypted DNS configuration. This mechanism can be used to move from 21 unencrypted DNS to encrypted DNS when only the IP address of a 22 resolver is known. This mechanism is designed to be limited to cases 23 where unencrypted resolvers and their designated resolvers are 24 operated by the same entity or cooperating entities. It can also be 25 used to discover support for encrypted DNS protocols when the name of 26 an encrypted resolver is known. 28 Discussion Venues 30 This note is to be removed before publishing as an RFC. 32 Discussion of this document takes place on the Adaptive DNS Discovery 33 Working Group mailing list (add@ietf.org), which is archived at 34 https://mailarchive.ietf.org/arch/browse/add/. 36 Source for this draft and an issue tracker can be found at 37 https://github.com/ietf-wg-add/draft-ietf-add-ddr. 39 Status of This Memo 41 This Internet-Draft is submitted in full conformance with the 42 provisions of BCP 78 and BCP 79. 44 Internet-Drafts are working documents of the Internet Engineering 45 Task Force (IETF). Note that other groups may also distribute 46 working documents as Internet-Drafts. The list of current Internet- 47 Drafts is at https://datatracker.ietf.org/drafts/current/. 49 Internet-Drafts are draft documents valid for a maximum of six months 50 and may be updated, replaced, or obsoleted by other documents at any 51 time. It is inappropriate to use Internet-Drafts as reference 52 material or to cite them other than as "work in progress." 54 This Internet-Draft will expire on 26 December 2022. 56 Copyright Notice 58 Copyright (c) 2022 IETF Trust and the persons identified as the 59 document authors. All rights reserved. 61 This document is subject to BCP 78 and the IETF Trust's Legal 62 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 63 license-info) in effect on the date of publication of this document. 64 Please review these documents carefully, as they describe your rights 65 and restrictions with respect to this document. Code Components 66 extracted from this document must include Revised BSD License text as 67 described in Section 4.e of the Trust Legal Provisions and are 68 provided without warranty as described in the Revised BSD License. 70 Table of Contents 72 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 73 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 74 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 75 3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4 76 4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5 77 4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6 78 4.1.1. Use of Designated Resolvers across network changes . 7 79 4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 7 80 4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 8 81 5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 9 82 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 10 83 6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 10 84 6.2. Certificate Management . . . . . . . . . . . . . . . . . 10 85 6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 10 86 6.4. Handling non-DDR queries for resolver.arpa . . . . . . . 11 87 6.5. Interaction with Network-Designated Resolvers . . . . . . 11 88 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 89 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 90 8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 12 91 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 92 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 93 9.2. Informative References . . . . . . . . . . . . . . . . . 14 94 Appendix A. Rationale for using SVCB records . . . . . . . . . . 16 95 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 97 1. Introduction 99 When DNS clients wish to use encrypted DNS protocols such as DNS- 100 over-TLS (DoT) [RFC7858], DNS-over-QUIC (DoQ) [RFC9250], or DNS-over- 101 HTTPS (DoH) [RFC8484], they require additional information beyond the 102 IP address of the DNS server, such as the resolver's hostname, non- 103 standard ports, or URI templates. However, common configuration 104 mechanisms only provide the resolver's IP address during 105 configuration. Such mechanisms include network provisioning 106 protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement 107 (RA) options [RFC8106], as well as manual configuration. 109 This document defines two mechanisms for clients to discover 110 designated resolvers using DNS server Service Binding (SVCB, 111 [I-D.ietf-dnsop-svcb-https]) records: 113 1. When only an IP address of an Unencrypted Resolver is known, the 114 client queries a special use domain name (SUDN) [RFC6761] to 115 discover DNS SVCB records associated with one or more Encrypted 116 Resolvers the Unencrypted Resolver has designated for use when 117 support for DNS encryption is requested (Section 4). 119 2. When the hostname of an Encrypted Resolver is known, the client 120 requests details by sending a query for a DNS SVCB record. This 121 can be used to discover alternate encrypted DNS protocols 122 supported by a known server, or to provide details if a resolver 123 name is provisioned by a network (Section 5). 125 Both of these approaches allow clients to confirm that a discovered 126 Encrypted Resolver is designated by the originally provisioned 127 resolver. "Designated" in this context means that the resolvers are 128 operated by the same entity or cooperating entities; for example, the 129 resolvers are accessible on the same IP address, or there is a 130 certificate that claims ownership over the IP address for the 131 original designating resolver. 133 1.1. Specification of Requirements 135 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 136 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 137 "OPTIONAL" in this document are to be interpreted as described in BCP 138 14 [RFC2119] [RFC8174] when, and only when, they appear in all 139 capitals, as shown here. 141 2. Terminology 143 This document defines the following terms: 145 DDR: Discovery of Designated Resolvers. Refers to the mechanisms 146 defined in this document. 148 Designated Resolver: A resolver, presumably an Encrypted Resolver, 149 designated by another resolver for use in its own place. This 150 designation can be verified with TLS certificates. 152 Encrypted Resolver: A DNS resolver using any encrypted DNS 153 transport. This includes current mechanisms such as DoH, DoT, and 154 DoQ, as well as future mechanisms. 156 Unencrypted Resolver: A DNS resolver using TCP or UDP port 53 157 without encryption. 159 3. DNS Service Binding Records 161 DNS resolvers can advertise one or more Designated Resolvers that may 162 offer support over encrypted channels and are controlled by the same 163 entity. 165 When a client discovers Designated Resolvers, it learns information 166 such as the supported protocols and ports. This information is 167 provided in ServiceMode Service Binding (SVCB) records for DNS 168 Servers, although AliasMode SVCB records can be used to direct 169 clients to the needed ServiceMode SVCB record per 170 [I-D.ietf-dnsop-svcb-https]. The formatting of these records, 171 including the DNS-unique parameters such as "dohpath", are defined by 172 [I-D.ietf-add-svcb-dns]. 174 The following is an example of an SVCB record describing a DoH server 175 discovered by querying for _dns.example.net: 177 _dns.example.net. 7200 IN SVCB 1 example.net. ( 178 alpn=h2 dohpath=/dns-query{?dns} ) 180 The following is an example of an SVCB record describing a DoT server 181 discovered by querying for _dns.example.net: 183 _dns.example.net. 7200 IN SVCB 1 dot.example.net ( 184 alpn=dot port=8530 ) 186 The following is an example of an SVCB record describing a DoQ server 187 discovered by querying for _dns.example.net: 189 _dns.example.net. 7200 IN SVCB 1 doq.example.net ( 190 alpn=doq port=8530 ) 192 If multiple Designated Resolvers are available, using one or more 193 encrypted DNS protocols, the resolver deployment can indicate a 194 preference using the priority fields in each SVCB record 195 [I-D.ietf-dnsop-svcb-https]. 197 If the client encounters a mandatory parameter in an SVCB record it 198 does not understand, it MUST NOT use that record to discover a 199 Designated Resolver. The client can still use others records in the 200 same response if the client can understand all of their mandatory 201 parameters. This allows future encrypted deployments to 202 simultaneously support protocols even if a given client is not aware 203 of all those protocols. For example, if the Unencrypted Resolver 204 returns three SVCB records, one for DoH, one for DoT, and one for a 205 yet-to-exist protocol, a client which only supports DoH and DoT 206 should be able to use those records while safely ignoring the third 207 record. 209 To avoid name lookup deadlock, Designated Resolvers SHOULD follow the 210 guidance in Section 10 of [RFC8484] regarding the avoidance of DNS- 211 based references that block the completion of the TLS handshake. 213 This document focuses on discovering DoH, DoT, and DoQ Designated 214 Resolvers. Other protocols can also use the format defined by 215 [I-D.ietf-add-svcb-dns]. However, if any protocol does not involve 216 some form of certificate validation, new validation mechanisms will 217 need to be defined to support validating designation as defined in 218 Section 4.2. 220 4. Discovery Using Resolver IP Addresses 222 When a DNS client is configured with an Unencrypted Resolver IP 223 address, it SHOULD query the resolver for SVCB records for 224 "dns://resolver.arpa" before making other queries. Specifically, the 225 client issues a query for _dns.resolver.arpa with the SVCB resource 226 record type (64) [I-D.ietf-dnsop-svcb-https]. 228 Because this query is for an SUDN, which no entity can claim 229 ownership over, the ServiceMode SVCB response MUST NOT use the "." 230 value for the TargetName. Instead, the domain name used for DoT/DoQ 231 or used to construct the DoH template MUST be provided. 233 The following is an example of an SVCB record describing a DoH server 234 discovered by querying for _dns.resolver.arpa: 236 _dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net ( 237 alpn=h2 dohpath=/dns-query{?dns} ) 239 The following is an example of an SVCB record describing a DoT server 240 discovered by querying for _dns.resolver.arpa: 242 _dns.resolver.arpa. 7200 IN SVCB 1 dot.example.net ( 243 alpn=dot port=8530 ) 245 The following is an example of an SVCB record describing a DoQ server 246 discovered by querying for _dns.resolver.arpa: 248 _dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( 249 alpn=doq port=8530 ) 251 If the recursive resolver that receives this query has one or more 252 Designated Resolvers, it will return the corresponding SVCB records. 253 When responding to these special queries for "dns://resolver.arpa", 254 the recursive resolver SHOULD include the A and AAAA records for the 255 name of the Designated Resolver in the Additional Answers section. 256 This will allow the DNS client to make queries over an encrypted 257 connection without waiting to resolve the Encrypted Resolver name per 258 [I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address 259 hints are included, clients will be forced to delay use of the 260 Encrypted Resolver until an additional DNS lookup for the A and AAAA 261 records can be made to the Unencrypted Resolver (or some other 262 resolver the DNS client has been configured to use). 264 Designated Resolvers SHOULD be accessible using the IP address 265 families that are supported by their associated Unencrypted 266 Resolvers. If an Unencrypted Resolver is accessible using an IPv4 267 address, it ought to provide an A record for an IPv4 address of the 268 Designated Resolver; similarly, if it is accessible using an IPv6 269 address, it ought to provide a AAAA record an IPv6 address of the 270 Designated Resolver. The Designated Resolver can supported more 271 address families than the Unencrypted Resolver, but it ought not to 272 support fewer. If this is not done, clients that only have 273 connectivity over one address family might not be able to access the 274 Designated Resolver. 276 If the recursive resolver that receives this query has no Designated 277 Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" 278 SUDN. 280 4.1. Use of Designated Resolvers 282 When a client discovers Designated Resolvers from an Unencrypted 283 Resolver IP address, it can choose to use these Designated Resolvers 284 either automatically, or based on some other policy, heuristic, or 285 user choice. 287 This document defines two preferred methods to automatically use 288 Designated Resolvers: 290 * Verified Discovery Section 4.2, for when a TLS certificate can be 291 used to validate the resolver's identity. 293 * Opportunistic Discovery Section 4.3, for when a resolver's IP 294 address is a private or local address. 296 A client MAY additionally use a discovered Designated Resolver 297 without either of these methods, based on implementation-specific 298 policy or user input. Details of such policy are out of scope of 299 this document. Clients SHOULD NOT automatically use a Designated 300 Resolver without some sort of validation, such as the two methods 301 defined in this document or a future mechanism. 303 A client MUST NOT use a Designated Resolver designated by one 304 Unencrypted Resolver in place of another Unencrypted Resolver. As 305 these are known only by IP address, this means each unique IP address 306 used for unencrypted DNS requires its own designation discovery. 307 This ensures queries are being sent to a party designated by the 308 resolver originally being used. 310 4.1.1. Use of Designated Resolvers across network changes 312 Generally, clients also SHOULD NOT reuse the Designated Resolver 313 discovered from an Unencrypted Resolver over one network connection 314 in place of the same Unencrypted Resolver on another network 315 connection. Instead, clients SHOULD repeat the discovery process on 316 the other network connection. 318 However, if a given Unencrypted Resolver designates a Designated 319 Resolver that does not use a private or local IP address and can be 320 verified using the mechanism described in Section 4.2, it MAY be used 321 on different network connections so long as the subsequent 322 connections over other networks can also be successfully verified 323 using the mechanism described in Section 4.2. This is a tradeoff 324 between performance (by having no delay in establishing an encrypted 325 DNS connection on the new network) and functionality (if the 326 Unencrypted Resolver intends to designate different Designated 327 Resolvers based on the network from which clients connect). 329 4.2. Verified Discovery 331 Verified Discovery is a mechanism that allows automatic use of a 332 Designated Resolver that supports DNS encryption that performs a TLS 333 handshake. 335 In order to be considered a verified Designated Resolver, the TLS 336 certificate presented by the Designated Resolver MUST contain the IP 337 address of the designating Unencrypted Resolver in a subjectAltName 338 extension. If the certificate can be validated, the client SHOULD 339 use the discovered Designated Resolver for any cases in which it 340 would have otherwise used the Unencrypted Resolver. If the 341 Designated Resolver has a different IP address than the Unencrypted 342 Resolver and the TLS certificate does not cover the Unencrypted 343 Resolver address, the client MUST NOT automatically use the 344 discovered Designated Resolver. Additionally, the client SHOULD 345 suppress any further queries for Designated Resolvers using this 346 Unencrypted Resolver for the length of time indicated by the SVCB 347 record's Time to Live (TTL). 349 If the Designated Resolver and the Unencrypted Resolver share an IP 350 address, clients MAY choose to opportunistically use the Designated 351 Resolver even without this certificate check (Section 4.3). 353 If resolving the name of a Designated Resolver from an SVCB record 354 yields an IP address that was not presented in the Additional Answers 355 section or ipv4hint or ipv6hint fields of the original SVCB query, 356 the connection made to that IP address MUST pass the same TLS 357 certificate checks before being allowed to replace a previously known 358 and validated IP address for the same Designated Resolver name. 360 4.3. Opportunistic Discovery 362 There are situations where Verified Discovery of encrypted DNS 363 configuration over unencrypted DNS is not possible. This includes 364 Unencrypted Resolvers on private IP addresses [RFC1918], Unique Local 365 Addresses (ULAs) [RFC4193], and Link Local Addresses [RFC3927] 366 [RFC4291], whose identity cannot be confirmed using TLS certificates. 368 Opportunistic Privacy is defined for DoT in Section 4.1 of [RFC7858] 369 as a mode in which clients do not validate the name of the resolver 370 presented in the certificate. Opportunistic Privacy similarly 371 applies to DoQ [RFC9250]. A client MAY use information from the SVCB 372 record for "dns://resolver.arpa" with this "opportunistic" approach 373 (not validating the names presented in the SubjectAlternativeName 374 field of the certificate) as long as the IP address of the Encrypted 375 Resolver does not differ from the IP address of the Unencrypted 376 Resolver. Clients SHOULD use this mode only for resolvers using 377 private or local IP addresses. This approach can be used for any 378 encrypted DNS protocol that uses TLS. 380 5. Discovery Using Resolver Names 382 A DNS client that already knows the name of an Encrypted Resolver can 383 use DDR to discover details about all supported encrypted DNS 384 protocols. This situation can arise if a client has been configured 385 to use a given Encrypted Resolver, or if a network provisioning 386 protocol (such as DHCP or IPv6 Router Advertisements) provides a name 387 for an Encrypted Resolver alongside the resolver IP address, such as 388 by using Discovery of Network Resolvers (DNR) [I-D.ietf-add-dnr]. 390 For these cases, the client simply sends a DNS SVCB query using the 391 known name of the resolver. This query can be issued to the named 392 Encrypted Resolver itself or to any other resolver. Unlike the case 393 of bootstrapping from an Unencrypted Resolver (Section 4), these 394 records SHOULD be available in the public DNS. 396 For example, if the client already knows about a DoT server 397 resolver.example.com, it can issue an SVCB query for 398 _dns.resolver.example.com to discover if there are other encrypted 399 DNS protocols available. In the following example, the SVCB answers 400 indicate that resolver.example.com supports both DoH and DoT, and 401 that the DoH server indicates a higher priority than the DoT server. 403 _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( 404 alpn=h2 dohpath=/dns-query{?dns} ) 405 _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( 406 alpn=dot ) 408 Clients MUST validate that for any Encrypted Resolver discovered 409 using a known resolver name, the TLS certificate of the resolver 410 contains the known name in a subjectAltName extension. In the 411 example above, this means that both servers need to have certificates 412 that cover the name resolver.example.com. Often, the various 413 supported encrypted DNS protocols will be specified such that the 414 SVCB TargetName matches the known name, as is true in the example 415 above. However, even when the TargetName is different (for example, 416 if the DoH server had a TargetName of doh.example.com), the clients 417 still check for the original known resolver name in the certificate. 419 Note that this resolver validation is not related to the DNS resolver 420 that provided the SVCB answer. 422 As another example, being able to discover a Designated Resolver for 423 a known Encrypted Resolver is useful when a client has a DoT 424 configuration for foo.resolver.example.com but is on a network that 425 blocks DoT traffic. The client can still send a query to any other 426 accessible resolver (either the local network resolver or an 427 accessible DoH server) to discover if there is a designated DoH 428 server for foo.resolver.example.com. 430 6. Deployment Considerations 432 Resolver deployments that support DDR are advised to consider the 433 following points. 435 6.1. Caching Forwarders 437 A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" 438 upstream. This prevents a client from receiving an SVCB record that 439 will fail to authenticate because the forwarder's IP address is not 440 in the upstream resolver's Designated Resolver's TLS certificate SAN 441 field. A DNS forwarder which already acts as a completely blind 442 forwarder MAY choose to forward these queries when the operator 443 expects that this does not apply, either because the operator knows 444 that the upstream resolver does have the forwarder's IP address in 445 its TLS certificate's SAN field or that the operator expects clients 446 of the unencrypted resolver to use the SVCB information 447 opportunistically. 449 Operators who choose to forward queries for "resolver.arpa" upstream 450 should note that client behavior is never guaranteed and use of DDR 451 by a resolver does not communicate a requirement for clients to use 452 the SVCB record when it cannot be verified. 454 6.2. Certificate Management 456 Resolver owners that support Verified Discovery will need to list 457 valid referring IP addresses in their TLS certificates. This may 458 pose challenges for resolvers with a large number of referring IP 459 addresses. 461 6.3. Server Name Handling 463 Clients MUST NOT use "resolver.arpa" as the server name either in the 464 TLS Server Name Indication (SNI) ([RFC8446]) for DoT, DoQ, or DoH 465 connections, or in the URI host for DoH requests. 467 When performing discovery using resolver IP addresses, clients MUST 468 use the IP address as the URI host for DoH requests. 470 Note that since IP addresses are not supported by default in the TLS 471 SNI, resolvers that support discovery using IP addresses will need to 472 be configured to present the appropriate TLS certificate when no SNI 473 is present for DoT, DoQ, and DoH. 475 6.4. Handling non-DDR queries for resolver.arpa 477 DNS resolvers that support DDR by responding to queries for 478 _dns.resolver.arpa SHOULD treat resolver.arpa as a locally served 479 zone per [RFC6303]. In practice, this means that resolvers SHOULD 480 respond to queries of any type other than SVCB for _dns.resolver.arpa 481 with NODATA and queries of any type for any domain name under 482 resolver.arpa with NODATA. 484 6.5. Interaction with Network-Designated Resolvers 486 Discovery of network-designated resolvers (DNR, [I-D.ietf-add-dnr]) 487 allows a network to provide designation of resolvers directly through 488 DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) [RFC4861] 489 options. When such indications are present, clients can suppress 490 queries for "resolver.arpa" to the unencrypted DNS server indicated 491 by the network over DHCP or RAs, and the DNR indications SHOULD take 492 precedence over those discovered using "resolver.arpa" for the same 493 resolver if there is a conflict. 495 The designated resolver information in DNR might not contain a full 496 set of SvcParams needed to connect to an encrypted resolver. In such 497 a case, the client can use an SVCB query using a resolver name, as 498 described in Section 5, to the authentication-domain-name (ADN). 500 7. Security Considerations 502 Since clients can receive DNS SVCB answers over unencrypted DNS, on- 503 path attackers can prevent successful discovery by dropping SVCB 504 packets. Clients should be aware that it might not be possible to 505 distinguish between resolvers that do not have any Designated 506 Resolver and such an active attack. To limit the impact of discovery 507 queries being dropped either maliciously or unintentionally, clients 508 can re-send their SVCB queries periodically. 510 DoH resolvers that allow discovery using DNS SVCB answers over 511 unencrypted DNS MUST NOT provide differentiated behavior based on the 512 HTTP path alone, since an attacker could modify the "dohpath" 513 parameter. 515 While the IP address of the Unencrypted Resolver is often provisioned 516 over insecure mechanisms, it can also be provisioned securely, such 517 as via manual configuration, a VPN, or on a network with protections 518 like RA guard [RFC6105]. An attacker might try to direct Encrypted 519 DNS traffic to itself by causing the client to think that a 520 discovered Designated Resolver uses a different IP address from the 521 Unencrypted Resolver. Such a Designated Resolver might have a valid 522 certificate, but be operated by an attacker that is trying to observe 523 or modify user queries without the knowledge of the client or 524 network. 526 If the IP address of a Designated Resolver differs from that of an 527 Unencrypted Resolver, clients applying Verified Discovery 528 (Section 4.2) MUST validate that the IP address of the Unencrypted 529 Resolver is covered by the SubjectAlternativeName of the Designated 530 Resolver's TLS certificate. 532 Clients using Opportunistic Discovery (Section 4.3) MUST be limited 533 to cases where the Unencrypted Resolver and Designated Resolver have 534 the same IP address. 536 The constraints on the use of Designated Resolvers specified here 537 apply specifically to the automatic discovery mechanisms defined in 538 this document, which are referred to as Verified Discovery and 539 Opportunistic Discovery. Clients MAY use some other mechanism to 540 verify and use Designated Resolvers discovered using the DNS SVCB 541 record. However, use of such an alternate mechanism needs to take 542 into account the attack scenarios detailed here. 544 8. IANA Considerations 546 8.1. Special Use Domain Name "resolver.arpa" 548 This document calls for the addition of "resolver.arpa" to the 549 Special-Use Domain Names (SUDN) registry established by [RFC6761]. 550 This will allow resolvers to respond to queries directed at 551 themselves rather than a specific domain name. While this document 552 uses "resolver.arpa" to return SVCB records indicating designated 553 encrypted capability, the name is generic enough to allow future 554 reuse for other purposes where the resolver wishes to provide 555 information about itself to the client. 557 The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the 558 querying client is not interested in an answer from the authoritative 559 "arpa" name servers. The intent of the SUDN is to allow clients to 560 communicate with the Unencrypted Resolver much like "ipv4only.arpa" 561 allows for client-to-middlebox communication. For more context, see 562 the rationale behind "ipv4only.arpa" in [RFC8880]. 564 IANA is requested to add an entry in "Transport-Independent Locally- 565 Served DNS Zones" registry for 'resolver.arpa.' with the description 566 "DNS Resolver Special-Use Domain", listing this document as the 567 reference. 569 9. References 571 9.1. Normative References 573 [I-D.ietf-add-svcb-dns] 574 Schwartz, B., "Service Binding Mapping for DNS Servers", 575 Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns- 576 03, 22 April 2022, . 579 [I-D.ietf-dnsop-svcb-https] 580 Schwartz, B., Bishop, M., and E. Nygren, "Service binding 581 and parameter specification via the DNS (DNS SVCB and 582 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 583 dnsop-svcb-https-10, 24 May 2022, 584 . 587 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. 588 J., and E. Lear, "Address Allocation for Private 589 Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, 590 February 1996, . 592 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 593 Requirement Levels", BCP 14, RFC 2119, 594 DOI 10.17487/RFC2119, March 1997, 595 . 597 [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic 598 Configuration of IPv4 Link-Local Addresses", RFC 3927, 599 DOI 10.17487/RFC3927, May 2005, 600 . 602 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 603 Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005, 604 . 606 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 607 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 608 2006, . 610 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 611 RFC 6303, DOI 10.17487/RFC6303, July 2011, 612 . 614 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 615 RFC 6761, DOI 10.17487/RFC6761, February 2013, 616 . 618 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 619 and P. Hoffman, "Specification for DNS over Transport 620 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 621 2016, . 623 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 624 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 625 May 2017, . 627 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 628 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 629 . 631 [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over 632 Dedicated QUIC Connections", RFC 9250, 633 DOI 10.17487/RFC9250, May 2022, 634 . 636 9.2. Informative References 638 [I-D.ietf-add-dnr] 639 Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. 640 Jensen, "DHCP and Router Advertisement Options for the 641 Discovery of Network-designated Resolvers (DNR)", Work in 642 Progress, Internet-Draft, draft-ietf-add-dnr-08, 12 June 643 2022, . 646 [I-D.ietf-tls-esni] 647 Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS 648 Encrypted Client Hello", Work in Progress, Internet-Draft, 649 draft-ietf-tls-esni-14, 13 February 2022, 650 . 653 [I-D.schinazi-httpbis-doh-preference-hints] 654 Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference 655 Hints for HTTP", Work in Progress, Internet-Draft, draft- 656 schinazi-httpbis-doh-preference-hints-02, 13 July 2020, 657 . 660 [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 661 Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, 662 . 664 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 665 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 666 DOI 10.17487/RFC4861, September 2007, 667 . 669 [RFC5507] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch, 670 Ed., "Design Choices When Expanding the DNS", RFC 5507, 671 DOI 10.17487/RFC5507, April 2009, 672 . 674 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. 675 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, 676 DOI 10.17487/RFC6105, February 2011, 677 . 679 [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 680 "IPv6 Router Advertisement Options for DNS Configuration", 681 RFC 8106, DOI 10.17487/RFC8106, March 2017, 682 . 684 [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., 685 Richardson, M., Jiang, S., Lemon, T., and T. Winters, 686 "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", 687 RFC 8415, DOI 10.17487/RFC8415, November 2018, 688 . 690 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 691 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 692 . 694 [RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name 695 'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August 696 2020, . 698 Appendix A. Rationale for using SVCB records 700 This mechanism uses SVCB/HTTPS resource records 701 [I-D.ietf-dnsop-svcb-https] to communicate that a given domain 702 designates a particular Designated Resolver for clients to use in 703 place of an Unencrypted Resolver (using a SUDN) or another Encrypted 704 Resolver (using its domain name). 706 There are various other proposals for how to provide similar 707 functionality. There are several reasons that this mechanism has 708 chosen SVCB records: 710 * Discovering encrypted resolver using DNS records keeps client 711 logic for DNS self-contained and allows a DNS resolver operator to 712 define which resolver names and IP addresses are related to one 713 another. 715 * Using DNS records also does not rely on bootstrapping with higher- 716 level application operations (such as 717 [I-D.schinazi-httpbis-doh-preference-hints]). 719 * SVCB records are extensible and allow definition of parameter 720 keys. This makes them a superior mechanism for extensibility as 721 compared to approaches such as overloading TXT records. The same 722 keys can be used for discovering Designated Resolvers of different 723 transport types as well as those advertised by Unencrypted 724 Resolvers or another Encrypted Resolver. 726 * Clients and servers that are interested in privacy of names will 727 already need to support SVCB records in order to use Encrypted TLS 728 Client Hello [I-D.ietf-tls-esni]. Without encrypting names in 729 TLS, the value of encrypting DNS is reduced, so pairing the 730 solutions provides the largest benefit. 732 * Clients that support SVCB will generally send out three queries 733 when accessing web content on a dual-stack network: A, AAAA, and 734 HTTPS queries. Discovering a Designated Resolver as part of one 735 of these queries, without having to add yet another query, 736 minimizes the total number of queries clients send. While 737 [RFC5507] recommends adding new RRTypes for new functionality, 738 SVCB provides an extension mechanism that simplifies client 739 behavior. 741 Authors' Addresses 742 Tommy Pauly 743 Apple Inc. 744 One Apple Park Way 745 Cupertino, California 95014, 746 United States of America 747 Email: tpauly@apple.com 749 Eric Kinnear 750 Apple Inc. 751 One Apple Park Way 752 Cupertino, California 95014, 753 United States of America 754 Email: ekinnear@apple.com 756 Christopher A. Wood 757 Cloudflare 758 101 Townsend St 759 San Francisco, 760 United States of America 761 Email: caw@heapingbits.net 763 Patrick McManus 764 Fastly 765 Email: mcmanus@ducksong.com 767 Tommy Jensen 768 Microsoft 769 Email: tojens@microsoft.com