idnits 2.17.1 draft-ietf-dprive-unauth-to-authoritative-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (28 September 2021) is 941 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Outdated reference: A later version (-10) exists of draft-ietf-dnsop-rfc8499bis-03 == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-07 == Outdated reference: A later version (-12) exists of draft-ietf-dprive-dnsoquic-04 == Outdated reference: A later version (-15) exists of draft-ietf-dnsop-dns-tcp-requirements-12 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Hoffman 3 Internet-Draft ICANN 4 Intended status: Experimental P. van Dijk 5 Expires: 1 April 2022 PowerDNS 6 28 September 2021 8 Recursive to Authoritative DNS with Unauthenticated Encryption 9 draft-ietf-dprive-unauth-to-authoritative-04 11 Abstract 13 This document describes a use case and a method for a DNS recursive 14 resolver to use unauthenticated encryption when communicating with 15 authoritative servers. The motivating use case for this method is 16 that more encryption on the Internet is better, and some resolver 17 operators believe that unauthenticated encryption is better than no 18 encryption at all. The method described here is optional for both 19 the recursive resolver and the authoritative server. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on 1 April 2022. 38 Copyright Notice 40 Copyright (c) 2021 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 45 license-info) in effect on the date of publication of this document. 46 Please review these documents carefully, as they describe your rights 47 and restrictions with respect to this document. Code Components 48 extracted from this document must include Simplified BSD License text 49 as described in Section 4.e of the Trust Legal Provisions and are 50 provided without warranty as described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Use Case for Unauthenticated Encryption . . . . . . . . . 3 56 1.2. Summary of Protocol . . . . . . . . . . . . . . . . . . . 3 57 1.3. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 58 2. Discovery of Authoritative Server Encryption . . . . . . . . 4 59 3. Processing Discovery Responses . . . . . . . . . . . . . . . 5 60 3.1. Resolver Process as Pseudocode . . . . . . . . . . . . . 6 61 3.2. Resolver Session Failures . . . . . . . . . . . . . . . . 7 62 4. Serving with Encryption . . . . . . . . . . . . . . . . . . . 8 63 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 64 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 65 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 66 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 67 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 68 8.2. Informative References . . . . . . . . . . . . . . . . . 10 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 71 1. Introduction 73 A recursive resolver using traditional DNS over port 53 may wish 74 instead to use encrypted communication with authoritative servers in 75 order to limit snooping of its DNS traffic by passive or on-path 76 attackers. The recursive resolver can use unauthenticated encryption 77 (defined in [OPPORTUN]) to achieve this goal. 79 This document describes the use case for unauthenticated encryption 80 in recursive resolvers in Section 1.1. The encryption method with 81 authoritative servers can be DNS-over-TLS [DNS-OVER-TLS] (DoT), DNS- 82 over-HTTPS [DNS-OVER-HTTPS] (DoH), and/or DNS-over-QUIC 83 [DNS-OVER-QUIC] (DoQ). 85 The document also describes a discovery method that shows if an 86 authoritative server supports encryption in Section 2. 88 See [FULL-AUTH] for a description of the use case and a proposed 89 mechanism for fully-authenticated encryption. 91 NOTE: The draft uses the SVCB record as a discovery mechanism for 92 encryption by a particular authoritative server. Any record type 93 that can show multiple types of encryption (currently DoT, DoH, and 94 DoQ) can be used for discovery. Thus, this record type might change 95 in the future, depending on the discussion in the DPRIVE WG. 97 1.1. Use Case for Unauthenticated Encryption 99 The use case in this document for unauthenticated encryption is 100 recursive resolver operators who are happy to use encryption with 101 authoritative servers if doing so doesn't significantly slow down 102 getting answers, and authoritative server operators that are happy to 103 use encryption with recursive resolvers if it doesn't cost much. In 104 this use case, resolvers do not want to return an error for requests 105 that were sent over an encrypted channel if they would have been able 106 to give a correct answer using unencrypted transport. Ultimately, 107 this effort has two two goals: to protect queries from failing in 108 case authenticated encryption is not available, and to enable 109 recursive resolver operators to encrypt without server 110 authentication. 112 Resolvers and authoritative servers understand that using encryption 113 costs something, but are willing to absorb the costs for the benefit 114 of more Internet traffic being encrypted. The extra costs (compared 115 to using traditional DNS on port 53) include: 117 * Extra round trips to establish TCP for every session (but not 118 necessarily for every query) 120 * Extra round trips for TLS establishment 122 * Greater CPU use for TLS establishment 124 * Greater CPU use for encryption after TLS establishment 126 * Greater memory use for holding TLS state 128 This use case is not expected to apply to all resolvers or 129 authoritative servers. For example, according to [RSO_STATEMENT], 130 some root server operators do not want to be the early adopters for 131 DNS with encryption. The protocol in this document explicitly allows 132 authoritative servers to signal when they are ready to begin offering 133 DNS with encryption. 135 1.2. Summary of Protocol 137 This summary gives an overview of how the parts of the protocol work 138 together. 140 * The resolver discovers whether any authoritative server of 141 interest supports DNS with encryption by querying for the SVCB 142 records [SVCB]. As described in [DNS-SVCB], SVCB records can 143 indicate that a server supports encrypted transport of DNS 144 queries. 146 NOTE: In this document, the term "SVCB record" is used _only_ for 147 SVCB records that indicate encryption as described in [DNS-SVCB]. 148 SVCB records that do not have these indicators in the RDATA are 149 not included in the term "SVCB record" in this document. 151 * The resolver uses any authoritative server with a SVCB record that 152 indicates encryption to perform unauthenticated encryption. 154 * The resolver does not fail to set up encryption if server 155 authentication in the TLS session fails. 157 1.3. Definitions 159 The terms "recursive resolver", "authoritative server", and "classic 160 DNS" are defined in [DNS-TERM]. 162 "DNS with encryption" means transport of DNS over any of DoT, DoH, or 163 DoQ. A server that supports DNS with encryption supports transport 164 over one or more of DoT, DoH, or DoQ. 166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 168 "OPTIONAL" in this document are to be interpreted as described in BCP 169 14 [MUST-SHOULD-1] [MUST-SHOULD-2] when, and only when, they appear 170 in all capitals, as shown here. 172 2. Discovery of Authoritative Server Encryption 174 An authoritative server that supports DNS with encryption makes 175 itself discoverable by publishing one or more DNS SVCB records that 176 contain "alpn" parameter keys. SVCB records are defined in [SVCB], 177 and the DNS extension to those records is defined in [DNS-SVCB]. 179 A recursive resolver discovers whether an authoritative server 180 supports DNS with encryption by looking for cached SVCB records for 181 the name of the authoritative server with a positive answer. A 182 cached DNS SVCB record with a negative answer indicates that the 183 authoritative server does not support any encrypted transport. 185 A resolver MAY also use port probing, although the mechanism for that 186 is not described here. 188 If the cache has no positive or negative answers for any SVCB record 189 for any of a zone's authoritative servers, the resolver MAY send 190 queries for the SVCB records (and for the A/AAAA records of names 191 mentioned in those SVCB records) for some or all of the zone's 192 authoritative servers and wait for a positive response so that the 193 resolver can use DNS with encryption for the original query. In this 194 situation, the resolver MAY instead just use classic DNS for the 195 original query but simultaneously queue queries for the SVCB (and 196 subsequent A/AAAA) records for some or all of the zone's 197 authoritative servers so that future queries might be able to use DNS 198 with encryption. 200 DNSSEC validation of SVCB RRsets used strictly for this discovery 201 mechanism is not mandated. 203 3. Processing Discovery Responses 205 After a resolver has DNS SCVB records in its cache (possibly due to 206 having just queried for them), it needs to use those records to try 207 to find an authoritative server that uses DNS with encryption. This 208 section describes how the resolver can make that selection. 210 A resolver MUST NOT attempt encryption for a server that has a 211 negative response in its cache for the associated DNS SVCB record. 213 After sending out all requests for SVCB records for the authoritative 214 servers in the NS RRset for a name, if all of the SVCB records for 215 those authoritative servers in the cache are negative responses, the 216 resolver MUST use classic (unencrypted) DNS instead of encryption. 217 Similarly, if none of the DNS SVCB records for the authoritative 218 servers in the cache have supported "alpn" parameters, the resolver 219 MUST use classic (unencrypted) DNS instead of encryption. 221 If there are any DNS SVCB records in the cache for the authoritative 222 servers for a zone with supported "alpn" parameters, the resolver 223 MUST try each indicated authoritative server using DNS with 224 encryption until it successfully sets up a connection. The resolver 225 attempts to use the encrypted transports that are in the associated 226 SVCB record for the authoritative server. 228 A resolver SHOULD keep a DNS with encryption session to a particular 229 server open if it expects to send additional queries to that server 230 in a short period of time. [DNS-OVER-TCP] says "both clients and 231 servers SHOULD support connection reuse" for TCP connections, and 232 that advice could apply as well for DNS with encryption, especially 233 as DNS with encryption has far greater overhead for re-establishing a 234 connection. If the server closes the DNS with encryption session, 235 the resolver can possibly re-establish a DNS with encryption session 236 using encrypted session resumption. Configuration for the maximum 237 timeout, minimum timeout, and duration of encrypted sessions should 238 take into consideration the recommendations given in [TCP-TIMEOUT], 239 [EDNS-TCP], and (for DoH) [HTTP-1.1]. 241 For any DNS with encryption protocols, TLS version 1.3 [TLS-13] or 242 later MUST be used. 244 A resolver following this protocol does not need to authenticate TLS 245 servers. Thus, when setting up a TLS connection, if the server's 246 authentication credentials do not match those expected by the 247 resolver, the resolver continues with the TLS connection. Privacy- 248 oriented resolvers (defined in [PRIVACY-REC]) following this protocol 249 MUST NOT indicate that they are using encryption because this 250 protocol is susceptible to on-path attacks. 252 If the resolver gets a TLS failure (such as those listed in 253 Section 3.2, the resolver instead uses classic DNS on any of the 254 authoritative servers. 256 3.1. Resolver Process as Pseudocode 258 This section is meant as an informal clarification of the protocol, 259 and is not normative. The pseudocode here is designed to show the 260 intent of the protocol, so it is not optimized for things like 261 intersection of sets and other shortcuts. 263 In this code, signal_rrset(this_name) means an SVCB query for the 264 '_dns' prefix of this_name. The Query over secure transport until 265 successful section ignores differences in name server selection and 266 retry behaviour in different resolvers. 268 # Inputs 269 ns_names = List of NS Rdatas from the NS RRset for the queried name 270 can_do_secure = List of secure transports supported by resolver 271 secure_names_and_transports = Empty list, filled in below 273 # Fill secure_names_and_transports with (name, transport) tuples 274 for this_name in ns_names: 275 if signal_rrset(this_name) is in the resolver cache: 276 if signal_rrset(this_name) positively does not exist: 277 continue 278 for this_transport in signal_rrset(this_name): 279 if this_transport in can_do_secure: 280 add (this_name, this_transport) to secure_names_and_transports 281 else: # signal_rrset(this_name) is not in the resolver cache 282 queue a query for signal_rrset(this_name) for later caching 284 # Query over secure transport until successful 285 for (this_name, this_transport) tuple in secure_names_and_transports: 286 query using this_transport on this_name 287 if successful: 288 finished 290 # Got here if no this_name/this_transport query was successful 291 # or if secure_names_and_transports was empty 292 query using classic DNS; finished 294 3.2. Resolver Session Failures 296 The following are some of the reasons that a DNS with encryption 297 session might fail to be set up: 299 * The resolver receives a TCP RST response 301 * The resolver does not receive replies to TCP or TLS setup (such as 302 getting the TCP SYN message, the first TLS message, or completing 303 TLS handshakes) 305 * The TLS handshake gets a definitive failure 307 * The encrypted session fails for reasons other than for 308 authentication, such as incorrect algorithm choices or TLS record 309 failures 311 4. Serving with Encryption 313 An operator of an authoritative server following this protocol SHOULD 314 publish SVCB records as described in Section 2. If they cannot 315 publish such records, the security properties of their authoritative 316 servers will not be found. If an operator wants to test serving 317 using encryption, they can publish SVCB records with short TTLs and 318 then stop serving with encryption after removing the SVCB records and 319 waiting for the TTLs to expire. 321 It is acceptable for an operator of authoritative servers to only 322 offer encryption on some of the named authoritative servers, such as 323 when the operator is determining how far to roll out encrypted 324 service. 326 A server MAY close an encrypted connection at any time. For example, 327 it can close the session if it has not received a DNS query in a 328 defined length of time. The server MAY close an encrypted session 329 after it sends a DNS response; however, it might also want to keep 330 the session open waiting for another DNS query from the resolver. 331 [DNS-OVER-TCP] says "both clients and servers SHOULD support 332 connection reuse" for TCP connections, and that advice could apply as 333 well for DNS with encryption, especially as DNS with encryption has 334 far greater overhead for re-establishing a connection. If the server 335 closes the DNS with encryption session, the resolver can possibly re- 336 establish a DNS with encryption session using encrypted session 337 resumption. 339 For any DNS with encryption protocols, TLS version 1.3 [TLS-13] or 340 later MUST be used. 342 5. IANA Considerations 344 (( Update registration for TCP/853 to also include ADoT )) 346 (( Maybe other updates for DoH and DoQ )) 348 6. Security Considerations 350 The method described in this document explicitly allows a resolver to 351 perform DNS communications over traditional unencrypted, 352 unauthenticated DNS on port 53, if it cannot find an authoritative 353 server that advertises that it supports encryption. The method 354 described in this document explicitly allows a resolver using 355 encryption to choose to allow unauthenticated encryption. In either 356 of these cases, the resulting communication will be susceptible to 357 obvious and well-understood attacks from an attacker in the path of 358 the communications. 360 [TLS-1.3] specifically warns against anonymous connections because 361 such connections only provide protection against passive 362 eavesdropping while failing to protect against active on-path 363 attacks. Section C.5 of [TLS-1.3] explicitly states applications 364 MUST NOT use TLS with unverifiable server authentication unless there 365 is explicit configuration or a specific application profile to do so. 366 This document is such an application profile. 368 Encrypting the traffic between resolvers and authoritative servers 369 does not solve all the privacy issues for resolution. See 370 [PRIVACY-REC] and [PRIVACY-CONS] for in-depth discussion of the 371 associated privacy issues. 373 7. Acknowledgements 375 Puneet Sood contributed many ideas to early drafts of this document. 377 The DPRIVE Working Group has contributed many ideas that keep 378 shifting the focus and content of this document. 380 8. References 382 8.1. Normative References 384 [DNS-SVCB] Schwartz, B., "Service Binding Mapping for DNS Servers", 385 Work in Progress, Internet-Draft, draft-schwartz-svcb-dns- 386 04, 26 July 2021, . 389 [DNS-TERM] Hoffman, P. and K. Fujiwara, "DNS Terminology", Work in 390 Progress, Internet-Draft, draft-ietf-dnsop-rfc8499bis-03, 391 28 September 2021, . 394 [FULL-AUTH] 395 Pauly, T., Rescorla, E., Schinazi, D., and C. A. Wood, 396 "Signaling Authoritative DNS Encryption", Work in 397 Progress, Internet-Draft, draft-rescorla-dprive-adox- 398 latest-00, 26 February 2021, 399 . 402 [MUST-SHOULD-1] 403 Bradner, S., "Key words for use in RFCs to Indicate 404 Requirement Levels", BCP 14, RFC 2119, 405 DOI 10.17487/RFC2119, March 1997, 406 . 408 [MUST-SHOULD-2] 409 Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 410 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 411 May 2017, . 413 [OPPORTUN] Dukhovni, V., "Opportunistic Security: Some Protection 414 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 415 December 2014, . 417 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 418 and parameter specification via the DNS (DNS SVCB and 419 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 420 dnsop-svcb-https-07, 5 August 2021, 421 . 424 [TLS-13] Rescorla, E., "The Transport Layer Security (TLS) Protocol 425 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 426 . 428 8.2. Informative References 430 [DNS-OVER-HTTPS] 431 Hoffman, P. and P. McManus, "DNS Queries over HTTPS 432 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 433 . 435 [DNS-OVER-QUIC] 436 Huitema, C., Dickinson, S., and A. Mankin, "Specification 437 of DNS over Dedicated QUIC Connections", Work in Progress, 438 Internet-Draft, draft-ietf-dprive-dnsoquic-04, 3 September 439 2021, . 442 [DNS-OVER-TCP] 443 Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and 444 D. Wessels, "DNS Transport over TCP - Implementation 445 Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, 446 . 448 [DNS-OVER-TLS] 449 Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 450 and P. Hoffman, "Specification for DNS over Transport 451 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 452 2016, . 454 [EDNS-TCP] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The 455 edns-tcp-keepalive EDNS0 Option", RFC 7828, 456 DOI 10.17487/RFC7828, April 2016, 457 . 459 [HTTP-1.1] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 460 Protocol (HTTP/1.1): Message Syntax and Routing", 461 RFC 7230, DOI 10.17487/RFC7230, June 2014, 462 . 464 [PRIVACY-CONS] 465 Wicinski, T., Ed., "DNS Privacy Considerations", RFC 9076, 466 DOI 10.17487/RFC9076, July 2021, 467 . 469 [PRIVACY-REC] 470 Dickinson, S., Overeinder, B., van Rijswijk-Deij, R., and 471 A. Mankin, "Recommendations for DNS Privacy Service 472 Operators", BCP 232, RFC 8932, DOI 10.17487/RFC8932, 473 October 2020, . 475 [RSO_STATEMENT] 476 "Statement on DNS Encryption", 2021, . 479 [TCP-TIMEOUT] 480 Kristoff, J. and D. Wessels, "DNS Transport over TCP - 481 Operational Requirements", Work in Progress, Internet- 482 Draft, draft-ietf-dnsop-dns-tcp-requirements-12, 18 August 483 2021, . 486 [TLS-1.3] Rescorla, E., "The Transport Layer Security (TLS) Protocol 487 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 488 . 490 Authors' Addresses 492 Paul Hoffman 493 ICANN 495 Email: paul.hoffman@icann.org 497 Peter van Dijk 498 PowerDNS 500 Email: peter.van.dijk@powerdns.com