idnits 2.17.1 draft-ietf-add-svcb-dns-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (1 February 2022) is 812 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-08 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 add B. Schwartz 3 Internet-Draft Google LLC 4 Intended status: Standards Track 1 February 2022 5 Expires: 5 August 2022 7 Service Binding Mapping for DNS Servers 8 draft-ietf-add-svcb-dns-02 10 Abstract 12 The SVCB DNS record type expresses a bound collection of endpoint 13 metadata, for use when establishing a connection to a named service. 14 DNS itself can be such a service, when the server is identified by a 15 domain name. This document provides the SVCB mapping for named DNS 16 servers, allowing them to indicate support for new transport 17 protocols. 19 Discussion Venues 21 This note is to be removed before publishing as an RFC. 23 Discussion of this document takes place on the ADD Working Group 24 mailing list (add@ietf.org), which is archived at 25 https://mailarchive.ietf.org/arch/browse/add/. 27 Source for this draft and an issue tracker can be found at 28 https://github.com/bemasc/svcb-dns. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on 5 August 2022. 47 Copyright Notice 49 Copyright (c) 2022 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 54 license-info) in effect on the date of publication of this document. 55 Please review these documents carefully, as they describe your rights 56 and restrictions with respect to this document. Code Components 57 extracted from this document must include Revised BSD License text as 58 described in Section 4.e of the Trust Legal Provisions and are 59 provided without warranty as described in the Revised BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 64 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 65 3. Identities and Names . . . . . . . . . . . . . . . . . . . . 3 66 3.1. Special case: non-default ports . . . . . . . . . . . . . 4 67 4. Applicable existing SvcParamKeys . . . . . . . . . . . . . . 4 68 4.1. alpn . . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 4.2. port . . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 4.3. Other applicable SvcParamKeys . . . . . . . . . . . . . . 5 71 5. New SvcParamKeys . . . . . . . . . . . . . . . . . . . . . . 5 72 5.1. dohpath . . . . . . . . . . . . . . . . . . . . . . . . . 5 73 6. Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 6 74 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6 75 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 76 8.1. Adversary on the query path . . . . . . . . . . . . . . . 7 77 8.1.1. Downgrade attacks . . . . . . . . . . . . . . . . . . 7 78 8.1.2. Redirection attacks . . . . . . . . . . . . . . . . . 7 79 8.2. Adversary on the transport path . . . . . . . . . . . . . 8 80 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 81 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 82 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 83 10.2. Informative References . . . . . . . . . . . . . . . . . 9 84 Appendix A. Mapping Summary . . . . . . . . . . . . . . . . . . 10 85 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 10 86 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 88 1. Introduction 90 The SVCB record type [SVCB] provides clients with information about 91 how to reach alternative endpoints for a service, which may have 92 improved performance or privacy properties. The service is 93 identified by a "scheme" indicating the service type, a hostname, and 94 optionally other information such as a port number. A DNS server is 95 often identified only by its IP address (e.g. in DHCP), but in some 96 contexts it can also be identified by a hostname (e.g. "NS" records, 97 manual resolver configuration) and sometimes also a non-default port 98 number. 100 Use of the SVCB record type requires a mapping document for each 101 service type, indicating how a client for that service can interpret 102 the contents of the SVCB SvcParams. This document provides the 103 mapping for the "dns" service type, allowing DNS servers to offer 104 alternative endpoints and transports, including encrypted transports 105 like DNS over TLS and DNS over HTTPS. 107 2. Conventions and Definitions 109 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 110 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 111 "OPTIONAL" in this document are to be interpreted as described in BCP 112 14 [RFC2119] [RFC8174] when, and only when, they appear in all 113 capitals, as shown here. 115 3. Identities and Names 117 SVCB record names (i.e. QNAMEs) are formed using Port-Prefix Naming 118 (Section 2.3 of [SVCB]), with a scheme of "dns". For example, SVCB 119 records for a DNS service identified as "dns1.example.com" would be 120 queried at "_dns.dns1.example.com". 122 In some use cases, the name used for retrieving these DNS records is 123 different from the server identity used to authenticate the secure 124 transport. To distinguish them, we use the following terms: 126 * Binding authority - The service name (Section 1.4 of [SVCB]) and 127 optional port number used as input to Port-Prefix Naming. 129 * Authentication name - The name used for secure transport 130 authentication. It must be a DNS hostname or a literal IP 131 address. Unless otherwise specified, it is the service name from 132 the binding authority. 134 3.1. Special case: non-default ports 136 Normally, a DNS service is identified by an IP address or a domain 137 name. When connecting to the service using unencrypted DNS over UDP 138 or TCP, clients use the default port number for DNS (53). However, 139 in rare cases, a DNS service might be identified by both a name and a 140 port number. For example, the dns: URI scheme [DNSURI] optionally 141 includes an authority, comprised of a host and a port number (with a 142 default of 53). DNS URIs normally omit the authority, or specify an 143 IP address, but a hostname and non-default port number are allowed. 145 When the binding authority specifies a non-default port number, Port- 146 Prefix Naming places the port number in an additional a prefix on the 147 name. For example, if the binding authority is 148 "dns1.example.com:9953", the client would query for SVCB records at 149 "_9953._dns.dns1.example.com". If two DNS services operating on 150 different port numbers provide different behaviors, this arrangement 151 allows them to preserve the distinction when specifying alternative 152 endpoints. 154 4. Applicable existing SvcParamKeys 156 4.1. alpn 158 This key indicates the set of supported protocols (Section 6.1 of 159 [SVCB]). There is no default protocol, so the no-default-alpn key 160 does not apply, and the alpn key MUST be present. 162 If the protocol set contains any HTTP versions (e.g. "h2", "h3"), 163 then the record indicates support for DNS over HTTPS [DOH], and the 164 "dohpath" key MUST be present (Section 5.1). All keys specified for 165 use with the HTTPS record are also permissible, and apply to the 166 resulting HTTP connection. 168 If the protocol set contains protocols with different default ports, 169 and no port key is specified, then protocols are contacted separately 170 on their default ports. Note that in this configuration, ALPN 171 negotiation does not defend against cross-protocol downgrade attacks. 173 4.2. port 175 This key is used to indicate the target port for connection 176 (Section 6.2 of [SVCB]). If omitted, the client SHALL use the 177 default port for each transport protocol (853 for DNS over TLS [DOT], 178 443 for DNS over HTTPS). 180 This key is automatically mandatory if present. (See Section 7 of 181 [SVCB] for the definition of "automatically mandatory".) 183 4.3. Other applicable SvcParamKeys 185 These SvcParamKeys from [SVCB] apply to the "dns" scheme without 186 modification: 188 * ech 190 * ipv4hint 192 * ipv6hint 194 Future SvcParamKeys may also be applicable. 196 5. New SvcParamKeys 198 5.1. dohpath 200 "dohpath" is a single-valued SvcParamKey whose value (both in 201 presentation and wire format) MUST be a URI Template [RFC6570] 202 encoded in UTF-8 [RFC3629]. If the "alpn" SvcParamKey indicates 203 support for HTTP, "dohpath" MUST be present, and clients MAY 204 construct a DNS over HTTPS URI Template as follows: 206 1. Let $HOST be the authentication name encoded as a "host" value 207 (Section 3.2.2 of [RFC3986]). 209 2. Let $PORT be the port from the "port" key if present, otherwise 210 443. (The binding authority's port number MUST NOT be used.) 212 3. Let $DOHPATH be the "dohpath" value, decoded from UTF-8. 214 4. The DNS over HTTPS URI Template is "https://$HOST:$PORT$DOHPATH". 216 The "dohpath" value MUST be chosen such that the resulting URI 217 Template is valid for use with DNS over HTTPS. For example, DNS over 218 HTTPS servers are required to support requests using GET and POST 219 methods. The GET method relies on the "dns" URI Template parameter, 220 and the POST method does not use it. Therefore, the URI Template is 221 required to make use of a "dns" variable, and result in a valid URI 222 whether or not "dns" is defined. 224 Clients SHOULD NOT query for any "HTTPS" RRs when using the 225 constructed URI Template. Instead, the SvcParams and address records 226 associated with this SVCB record SHOULD be used for the HTTPS 227 connection, with the same semantics as an HTTPS RR. However, for 228 consistency, service operators SHOULD publish an equivalent HTTPS RR, 229 especially if clients might learn this URI Template through a 230 different channel. 232 6. Limitations 234 This document is concerned exclusively with the DNS transport, and 235 does not affect or inform the construction or interpretation of DNS 236 messages. For example, nothing in this document indicates whether 237 the service is intended for use as a recursive or authoritative DNS 238 server. Clients must know the intended use in their context. 240 7. Examples 242 * A resolver at "simple.example" that supports DNS over TLS on port 243 853 (implicitly, as this is its default port): 245 _dns.simple.example. 7200 IN SVCB 1 simple.example. alpn=dot 247 * A resolver at "doh.example" that supports only DNS over HTTPS (DNS 248 over TLS is not supported): 250 _dns.doh.example. 7200 IN SVCB 1 doh.example. ( 251 alpn=h2 dohpath=/dns-query{?dns} ) 253 * A resolver at "resolver.example" that supports: 255 - DNS over TLS on "resolver.example" ports 853 (implicit in 256 record 1) and 8530 (explicit in record 2), with 257 "resolver.example" as the Authentication Domain Name, 259 - DNS over HTTPS at https://resolver.example/dns-query{?dns} 260 (record 1), and 262 - an experimental protocol on fooexp.resolver.example:5353 263 (record 3): 265 _dns.resolver.example. 7200 IN SVCB 1 resolver.example. ( 266 alpn=dot,h2,h3 dohpath=/dns-query{?dns} ) 267 _dns.resolver.example. 7200 IN SVCB 2 resolver.example. ( 268 alpn=dot port=8530 ) 269 _dns.resolver.example. 7200 IN SVCB 3 fooexp ( 270 port=5353 alpn=foo foo-info=... ) 272 * A nameserver at "ns.example" whose service configuration is 273 published on a different domain: 275 _dns.ns.example. 7200 IN SVCB 0 _dns.ns.nic.example. 277 8. Security Considerations 279 8.1. Adversary on the query path 281 This section considers an adversary who can add or remove responses 282 to the SVCB query. 284 During secure transport establishment, clients MUST authenticate the 285 server to its authentication name, which is not influenced by the 286 SVCB record contents. Accordingly, this draft does not mandate the 287 use of DNSSEC. This draft also does not specify how clients 288 authenticate the name (e.g. selection of roots of trust), which might 289 vary according to the context. 291 8.1.1. Downgrade attacks 293 This attacker cannot impersonate the secure endpoint, but it can 294 forge a response indicating that the requested SVCB records do not 295 exist. For a SVCB-reliant client ([SVCB], Section 3) this only 296 results in a denial of service. However, SVCB-optional clients will 297 generally fall back to insecure DNS in this case, exposing all DNS 298 traffic to attacks. 300 8.1.2. Redirection attacks 302 SVCB-reliant clients always enforce the authentication domain name, 303 but they are still subject to attacks using the transport, port 304 number, and "dohpath" value, which are controlled by this adversary. 305 By changing these values in the SVCB answers, the adversary can 306 direct DNS queries for $HOSTNAME to any port on $HOSTNAME, and any 307 path on "https://$HOSTNAME". If the DNS client uses shared TLS or 308 HTTP state, the client could be correctly authenticated (e.g. using a 309 TLS client certificate or HTTP cookie). 311 This behavior creates a number of possible attacks for certain server 312 configurations. For example, if "https://$HOSTNAME/upload" accepts 313 any POST request as a public file upload, the adversary could forge a 314 SVCB record containing dohpath=/upload. This would cause the client 315 to upload and publish every query, resulting in unexpected storage 316 costs for the server and privacy loss for the client. Similarly, if 317 two DoH endpoints are available on the same origin, and the service 318 has designated one of them for use with this specification, this 319 adversary can cause clients to use the other endpoint instead. 321 To mitigate redirection attacks, a client of this SVCB mapping MUST 322 NOT provide client authentication for DNS queries, except to servers 323 that it specifically knows are not vulnerable to such attacks. If an 324 endpoint sends an invalid response to a DNS query, the client SHOULD 325 NOT send more queries to that endpoint. DNS services that are 326 identified by a hostname (Section 3) MUST ensure that all 327 unauthenticated DNS requests to that name receive any promised 328 privacy and security guarantees, regardless of transport, port 329 number, or HTTP path. 331 8.2. Adversary on the transport path 333 This section considers an adversary who can modify network traffic 334 between the client and the alternative service (identified by the 335 TargetName). 337 For a SVCB-reliant client, this adversary can only cause a denial of 338 service. However, because DNS is unencrypted by default, this 339 adversary can execute a downgrade attack against SVCB-optional 340 clients. Accordingly, when use of this specification is optional, 341 clients SHOULD switch to SVCB-reliant behavior if SVCB resolution 342 succeeds. Specifications making using of this mapping MAY adjust 343 this fallback behavior to suit their requirements. 345 9. IANA Considerations 347 Per [SVCB] IANA is directed to add the following entry to the SVCB 348 Service Parameters registry. 350 +========+=========+==============================+=================+ 351 | Number | Name | Meaning | Reference | 352 +========+=========+==============================+=================+ 353 | 7 | dohpath | DNS over HTTPS path template | (This | 354 | | | | document) | 355 +--------+---------+------------------------------+-----------------+ 357 Table 1 359 Per [Attrleaf], IANA is directed to add the following entry to the 360 DNS Underscore Global Scoped Entry Registry: 362 +=========+============+===============+=================+ 363 | RR TYPE | _NODE NAME | Meaning | Reference | 364 +=========+============+===============+=================+ 365 | SVCB | _dns | DNS SVCB info | (This document) | 366 +---------+------------+---------------+-----------------+ 368 Table 2 370 10. References 372 10.1. Normative References 374 [DOH] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 375 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 376 . 378 [DOT] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 379 and P. Hoffman, "Specification for DNS over Transport 380 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 381 2016, . 383 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 384 Requirement Levels", BCP 14, RFC 2119, 385 DOI 10.17487/RFC2119, March 1997, 386 . 388 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 389 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 390 2003, . 392 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 393 Resource Identifier (URI): Generic Syntax", STD 66, 394 RFC 3986, DOI 10.17487/RFC3986, January 2005, 395 . 397 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 398 and D. Orchard, "URI Template", RFC 6570, 399 DOI 10.17487/RFC6570, March 2012, 400 . 402 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 403 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 404 May 2017, . 406 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 407 and parameter specification via the DNS (DNS SVCB and 408 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 409 dnsop-svcb-https-08, 12 October 2021, 410 . 413 10.2. Informative References 415 [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource 416 Records through "Underscored" Naming of Attribute Leaves", 417 BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, 418 . 420 [DNSURI] Josefsson, S., "Domain Name System Uniform Resource 421 Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, 422 . 424 Appendix A. Mapping Summary 426 This table serves as a non-normative summary of the DNS mapping for 427 SVCB. 429 +=================+====================================+ 430 +=================+====================================+ 431 | *Mapped scheme* | "dns" | 432 +-----------------+------------------------------------+ 433 | *RR type* | SVCB (64) | 434 +-----------------+------------------------------------+ 435 | *Name prefix* | _dns for port 53, else _$PORT._dns | 436 +-----------------+------------------------------------+ 437 | *Required keys* | alpn | 438 +-----------------+------------------------------------+ 439 | *Automatically | port | 440 | Mandatory Keys* | | 441 +-----------------+------------------------------------+ 442 | *Special | Supports all HTTPS RR SvcParamKeys | 443 | behaviors* | | 444 +-----------------+------------------------------------+ 445 | | Overrides the HTTPS RR for DoH | 446 +-----------------+------------------------------------+ 447 | | Default port is per-transport | 448 +-----------------+------------------------------------+ 449 | | No encrypted -> cleartext fallback | 450 +-----------------+------------------------------------+ 452 Table 3 454 Acknowledgments 456 Thanks to the many reviewers and contributors, including Daniel 457 Migault, Paul Hoffman, Matt Norhoff, Peter van Dijk, Eric Rescorla, 458 and Andreas Schulze. 460 Author's Address 462 Benjamin Schwartz 463 Google LLC 465 Email: bemasc@google.com