idnits 2.17.1 draft-ietf-add-svcb-dns-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (24 June 2022) is 662 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-10 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 add B. Schwartz 3 Internet-Draft Google LLC 4 Intended status: Standards Track 24 June 2022 5 Expires: 26 December 2022 7 Service Binding Mapping for DNS Servers 8 draft-ietf-add-svcb-dns-05 10 Abstract 12 The SVCB DNS resource record type expresses a bound collection of 13 endpoint metadata, for use when establishing a connection to a named 14 service. DNS itself can be such a service, when the server is 15 identified by a domain name. This document provides the SVCB mapping 16 for named DNS servers, allowing them to indicate support for 17 encrypted transport protocols. 19 Discussion Venues 21 This note is to be removed before publishing as an RFC. 23 Discussion of this document takes place on the ADD Working Group 24 mailing list (add@ietf.org), which is archived at 25 https://mailarchive.ietf.org/arch/browse/add/. 27 Source for this draft and an issue tracker can be found at 28 https://github.com/bemasc/svcb-dns. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on 26 December 2022. 47 Copyright Notice 49 Copyright (c) 2022 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 54 license-info) in effect on the date of publication of this document. 55 Please review these documents carefully, as they describe your rights 56 and restrictions with respect to this document. Code Components 57 extracted from this document must include Revised BSD License text as 58 described in Section 4.e of the Trust Legal Provisions and are 59 provided without warranty as described in the Revised BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 64 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 65 3. Identities and Names . . . . . . . . . . . . . . . . . . . . 3 66 3.1. Special case: non-default ports . . . . . . . . . . . . . 4 67 4. Applicable existing SvcParamKeys . . . . . . . . . . . . . . 4 68 4.1. alpn . . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 4.2. port . . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 4.3. Other applicable SvcParamKeys . . . . . . . . . . . . . . 5 71 5. New SvcParamKeys . . . . . . . . . . . . . . . . . . . . . . 5 72 5.1. dohpath . . . . . . . . . . . . . . . . . . . . . . . . . 6 73 6. Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 6 74 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6 75 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 76 8.1. Adversary on the query path . . . . . . . . . . . . . . . 7 77 8.1.1. Downgrade attacks . . . . . . . . . . . . . . . . . . 7 78 8.1.2. Redirection attacks . . . . . . . . . . . . . . . . . 8 79 8.2. Adversary on the transport path . . . . . . . . . . . . . 8 80 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 81 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 82 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 83 10.2. Informative References . . . . . . . . . . . . . . . . . 10 84 Appendix A. Mapping Summary . . . . . . . . . . . . . . . . . . 10 85 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 86 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 88 1. Introduction 90 The SVCB resource record type [SVCB] provides clients with 91 information about how to reach alternative endpoints for a service, 92 which may have improved performance or privacy properties. The 93 service is identified by a "scheme" indicating the service type, a 94 hostname, and optionally other information such as a port number. A 95 DNS server is often identified only by its IP address (e.g., in 96 DHCP), but in some contexts it can also be identified by a hostname 97 (e.g., "NS" records, manual resolver configuration) and sometimes 98 also a non-default port number. 100 Use of the SVCB resource record type requires a mapping document for 101 each service type (Section 2.4.3 of [SVCB]), indicating how a client 102 for that service can interpret the contents of the SVCB SvcParams. 103 This document provides the mapping for the "dns" service type, 104 allowing DNS servers to offer alternative endpoints and transports, 105 including encrypted transports like DNS over TLS (DoT) [RFC7858], DNS 106 over HTTPS (DoH) [RFC8484], and DNS over QUIC (DoQ) [RFC9250]. 108 2. Conventions and Definitions 110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 112 "OPTIONAL" in this document are to be interpreted as described in BCP 113 14 [RFC2119] [RFC8174] when, and only when, they appear in all 114 capitals, as shown here. 116 3. Identities and Names 118 SVCB record names (i.e., QNAMEs) for DNS services are formed using 119 Port-Prefix Naming (Section 2.3 of [SVCB]), with a scheme of "dns". 120 For example, SVCB records for a DNS service identified as 121 dns1.example.com would be queried at _dns.dns1.example.com. 123 In some use cases, the name used for retrieving these DNS records is 124 different from the server identity used to authenticate the secure 125 transport. To distinguish between these, this document uses the 126 following terms: 128 * Binding authority - The service name (Section 1.4 of [SVCB]) and 129 optional port number used as input to Port-Prefix Naming. 131 * Authentication name - The name used for secure transport 132 authentication. This MUST be a DNS hostname or a literal IP 133 address. Unless otherwise specified, this is the service name 134 from the binding authority. 136 3.1. Special case: non-default ports 138 Normally, a DNS service is identified by an IP address or a domain 139 name. When connecting to the service using unencrypted DNS over UDP 140 or TCP, clients use the default port number for DNS (53). However, 141 in rare cases, a DNS service might be identified by both a name and a 142 port number. For example, the "dns:" URI scheme [DNSURI] optionally 143 includes an authority, comprised of a host and a port number (with a 144 default of 53). DNS URIs normally omit the authority, or specify an 145 IP address, but a hostname and non-default port number are allowed. 147 When the binding authority specifies a non-default port number, Port- 148 Prefix Naming places the port number in an additional a prefix on the 149 name. For example, if the binding authority is 150 "dns1.example.com:9953", the client would query for SVCB records at 151 _9953._dns.dns1.example.com. If two DNS services operating on 152 different port numbers provide different behaviors, this arrangement 153 allows them to preserve the distinction when specifying alternative 154 endpoints. 156 4. Applicable existing SvcParamKeys 158 4.1. alpn 160 This key indicates the set of supported protocols (Section 6.1 of 161 [SVCB]). There is no default protocol, so the "no-default-alpn" key 162 does not apply, and the "alpn" key MUST be present. 164 If the protocol set contains any HTTP versions (e.g., "h2", "h3"), 165 then the record indicates support for DoH, and the "dohpath" key MUST 166 be present (Section 5.1). All keys specified for use with the HTTPS 167 record are also permissible, and apply to the resulting HTTP 168 connection. 170 If the protocol set contains protocols with different default ports, 171 and no port key is specified, then protocols are contacted separately 172 on their default ports. Note that in this configuration, ALPN 173 negotiation does not defend against cross-protocol downgrade attacks. 175 4.2. port 177 This key is used to indicate the target port for connection 178 (Section 6.2 of [SVCB]). If omitted, the client SHALL use the 179 default port number for each transport protocol (853 for DoT and DoQ, 180 443 for DoH). 182 This key is automatically mandatory for this binding. This means 183 that a client that does not respect the "port" key MUST ignore any 184 SVCB record that contains this key. (See Section 7 of [SVCB] for the 185 definition of "automatically mandatory".) 187 Support for the "port" key can be unsafe if the client has implicit 188 elevated access to some network service (e.g., a local service that 189 is inaccessible to remote parties) and that service uses a TCP-based 190 protocol other than TLS. A hostile DNS server might be able to 191 manipulate this service by causing the client to send a specially 192 crafted TLS SNI or session ticket that can be misparsed as a command 193 or exploit. To avoid such attacks, clients SHOULD NOT support the 194 "port" key unless one of the following conditions applies: 196 * The client is being used with a DNS server that it trusts not 197 attempt this attack. 199 * The client is being used in a context where implicit elevated 200 access cannot apply. 202 * The client restricts the set of allowed TCP port values to exclude 203 any ports where a confusion attack is likely to be possible (e.g., 204 the "bad ports" list from the "Port blocking" section of [FETCH]). 206 4.3. Other applicable SvcParamKeys 208 These SvcParamKeys from [SVCB] apply to the "dns" scheme without 209 modification: 211 * mandatory 213 * ech 215 * ipv4hint 217 * ipv6hint 219 Future SvcParamKeys might also be applicable. 221 5. New SvcParamKeys 222 5.1. dohpath 224 "dohpath" is a single-valued SvcParamKey whose value (both in 225 presentation and wire format) MUST be a URI Template in relative form 226 ([RFC6570], Section 1.1) encoded in UTF-8 [RFC3629]. If the "alpn" 227 SvcParam indicates support for HTTP, "dohpath" MUST be present. The 228 URI Template MUST contain a "dns" variable, and MUST be chosen such 229 that the result after DoH template expansion (Section 6 of [RFC8484]) 230 is always a valid and functional ":path" value ([RFC9113], 231 Section 8.3.1). 233 When using this SVCB record, the client MUST send any DoH requests to 234 the HTTP origin identified by the "https" scheme, the authentication 235 name, and the port from the "port" SvcParam (if present). HTTP 236 requests MUST be directed to the resource resulting from DoH template 237 expansion of the "dohpath" value. 239 Clients SHOULD NOT query for any "HTTPS" RRs when using "dohpath". 240 Instead, the SvcParams and address records associated with this SVCB 241 record SHOULD be used for the HTTPS connection, with the same 242 semantics as an HTTPS RR. However, for consistency, service 243 operators SHOULD publish an equivalent HTTPS RR, especially if 244 clients might learn about this DoH service through a different 245 channel. 247 6. Limitations 249 This document is concerned exclusively with the DNS transport, and 250 does not affect or inform the construction or interpretation of DNS 251 messages. For example, nothing in this document indicates whether 252 the service is intended for use as a recursive or authoritative DNS 253 server. Clients need to know the intended use of services based on 254 their context. 256 7. Examples 258 * A resolver known as simple.example that supports DNS over TLS on 259 port 853 (implicitly, as this is its default port): 261 _dns.simple.example. 7200 IN SVCB 1 simple.example. alpn=dot 263 * A DoH-only resolver at https://doh.example/dns-query{?dns}. (DNS 264 over TLS is not supported.): 266 _dns.doh.example. 7200 IN SVCB 1 doh.example. ( 267 alpn=h2 dohpath=/dns-query{?dns} ) 269 * A resolver known as resolver.example that supports: 271 - DoT on resolver.example ports 853 (implicit in record 1) and 272 8530 (explicit in record 2), with "resolver.example" as the 273 Authentication Domain Name, 275 - DoQ on resolver.example port 853 (record 1), 277 - DoH at https://resolver.example/dns-query{?dns} (record 1), and 279 - an experimental protocol on fooexp.resolver.example:5353 280 (record 3): 282 _dns.resolver.example. 7200 IN SVCB 1 resolver.example. ( 283 alpn=dot,doq,h2,h3 dohpath=/dns-query{?dns} ) 284 _dns.resolver.example. 7200 IN SVCB 2 resolver.example. ( 285 alpn=dot port=8530 ) 286 _dns.resolver.example. 7200 IN SVCB 3 fooexp ( 287 port=5353 alpn=foo foo-info=... ) 289 * A nameserver named ns.example. whose service configuration is 290 published on a different domain: 292 _dns.ns.example. 7200 IN SVCB 0 _dns.ns.nic.example. 294 8. Security Considerations 296 8.1. Adversary on the query path 298 This section considers an adversary who can add or remove responses 299 to the SVCB query. 301 During secure transport establishment, clients MUST authenticate the 302 server to its authentication name, which is not influenced by the 303 SVCB record contents. Accordingly, this draft does not mandate the 304 use of DNSSEC. This draft also does not specify how clients 305 authenticate the name (e.g., selection of roots of trust), which 306 might vary according to the context. 308 8.1.1. Downgrade attacks 310 This attacker cannot impersonate the secure endpoint, but it can 311 forge a response indicating that the requested SVCB records do not 312 exist. For a SVCB-reliant client ([SVCB], Section 3) this only 313 results in a denial of service. However, SVCB-optional clients will 314 generally fall back to insecure DNS in this case, exposing all DNS 315 traffic to attacks. 317 8.1.2. Redirection attacks 319 SVCB-reliant clients always enforce the authentication domain name, 320 but they are still subject to attacks using the transport, port 321 number, and "dohpath" value, which are controlled by this adversary. 322 By changing these values in the SVCB answers, the adversary can 323 direct DNS queries for $HOSTNAME to any port on $HOSTNAME, and any 324 path on "https://$HOSTNAME". If the DNS client uses shared TLS or 325 HTTP state, the client could be correctly authenticated (e.g., using 326 a TLS client certificate or HTTP cookie). 328 This behavior creates a number of possible attacks for certain server 329 configurations. For example, if https://$HOSTNAME/upload accepts any 330 POST request as a public file upload, the adversary could forge a 331 SVCB record containing dohpath=/upload{?dns}. This would cause the 332 client to upload and publish every query, resulting in unexpected 333 storage costs for the server and privacy loss for the client. 334 Similarly, if two DoH endpoints are available on the same origin, and 335 the service has designated one of them for use with this 336 specification, this adversary can cause clients to use the other 337 endpoint instead. 339 To mitigate redirection attacks, a client of this SVCB mapping MUST 340 NOT identify or authenticate itself when performing DNS queries, 341 except to servers that it specifically knows are not vulnerable to 342 such attacks. If an endpoint sends an invalid response to a DNS 343 query, the client SHOULD NOT send more queries to that endpoint. 344 Multiple DNS services MUST NOT share a hostname identifier 345 (Section 3) unless they are so similar that it is safe to allow an 346 attacker to choose which one is used. 348 8.2. Adversary on the transport path 350 This section considers an adversary who can modify network traffic 351 between the client and the alternative service (identified by the 352 TargetName). 354 For a SVCB-reliant client, this adversary can only cause a denial of 355 service. However, because DNS is unencrypted by default, this 356 adversary can execute a downgrade attack against SVCB-optional 357 clients. Accordingly, when use of this specification is optional, 358 clients SHOULD switch to SVCB-reliant behavior if SVCB resolution 359 succeeds. Specifications making using of this mapping MAY adjust 360 this fallback behavior to suit their requirements. 362 9. IANA Considerations 364 Per [SVCB] IANA is directed to add the following entry to the SVCB 365 Service Parameters registry. 367 +========+=========+==============================+=================+ 368 | Number | Name | Meaning | Reference | 369 +========+=========+==============================+=================+ 370 | 7 | dohpath | DNS over HTTPS path template | (This | 371 | | | | document) | 372 +--------+---------+------------------------------+-----------------+ 374 Table 1 376 Per [Attrleaf], IANA is directed to add the following entry to the 377 DNS Underscore Global Scoped Entry Registry: 379 +=========+============+=================+ 380 | RR TYPE | _NODE NAME | Reference | 381 +=========+============+=================+ 382 | SVCB | _dns | (This document) | 383 +---------+------------+-----------------+ 385 Table 2 387 10. References 389 10.1. Normative References 391 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 392 Requirement Levels", BCP 14, RFC 2119, 393 DOI 10.17487/RFC2119, March 1997, 394 . 396 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 397 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 398 2003, . 400 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 401 and D. Orchard, "URI Template", RFC 6570, 402 DOI 10.17487/RFC6570, March 2012, 403 . 405 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 406 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 407 May 2017, . 409 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 410 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 411 . 413 [RFC9113] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113, 414 DOI 10.17487/RFC9113, June 2022, 415 . 417 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 418 and parameter specification via the DNS (DNS SVCB and 419 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 420 dnsop-svcb-https-10, 24 May 2022, 421 . 424 10.2. Informative References 426 [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource 427 Records through "Underscored" Naming of Attribute Leaves", 428 BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, 429 . 431 [DNSURI] Josefsson, S., "Domain Name System Uniform Resource 432 Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, 433 . 435 [FETCH] "Fetch Living Standard", February 2022, 436 . 438 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 439 and P. Hoffman, "Specification for DNS over Transport 440 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 441 2016, . 443 [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over 444 Dedicated QUIC Connections", RFC 9250, 445 DOI 10.17487/RFC9250, May 2022, 446 . 448 Appendix A. Mapping Summary 450 This table serves as a non-normative summary of the DNS mapping for 451 SVCB. 453 +=================+====================================+ 454 +=================+====================================+ 455 | *Mapped scheme* | "dns" | 456 +-----------------+------------------------------------+ 457 | *RR type* | SVCB (64) | 458 +-----------------+------------------------------------+ 459 | *Name prefix* | _dns for port 53, else _$PORT._dns | 460 +-----------------+------------------------------------+ 461 | *Required keys* | alpn | 462 +-----------------+------------------------------------+ 463 | *Automatically | port | 464 | Mandatory Keys* | | 465 +-----------------+------------------------------------+ 466 | *Special | Supports all HTTPS RR SvcParamKeys | 467 | behaviors* | | 468 +-----------------+------------------------------------+ 469 | | Overrides the HTTPS RR for DoH | 470 +-----------------+------------------------------------+ 471 | | Default port is per-transport | 472 +-----------------+------------------------------------+ 473 | | No encrypted -> cleartext fallback | 474 +-----------------+------------------------------------+ 476 Table 3 478 Acknowledgments 480 Thanks to the many reviewers and contributors, including Andrew 481 Campling, Peter van Dijk, Paul Hoffman, Daniel Migault, Matt Norhoff, 482 Eric Rescorla, Andreas Schulze, and Eric Vyncke. 484 Author's Address 486 Benjamin Schwartz 487 Google LLC 488 Email: bemasc@google.com