idnits 2.17.1 draft-ietf-homenet-dot-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 109: '...t. Such queries MUST NOT be recursive...' RFC 2119 keyword, line 135: '...2. Applications SHOULD treat domain n...' RFC 2119 keyword, line 136: '... other FQDN, and MUST NOT make any ass...' RFC 2119 keyword, line 139: '...Is and libraries MUST NOT recognize na...' RFC 2119 keyword, line 140: '...a.' as special and MUST NOT treat them...' (11 more instances...) == The 'Updates: ' line in the draft header should list only the _numbers_ of the RFCs which will be updated by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 6, 2017) is 2574 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2860' is defined on line 254, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2860 Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Pfister 3 Internet-Draft Cisco Systems 4 Updates: RFC7788 (if approved) T. Lemon 5 Intended status: Standards Track Nominum, Inc. 6 Expires: October 8, 2017 April 6, 2017 8 Special Use Domain '.home.arpa' 9 draft-ietf-homenet-dot-04 11 Abstract 13 This document specifies the behavior that is expected from the Domain 14 Name System with regard to DNS queries for names ending with 15 '.home.arpa.', and designates this top-level domain as a special-use 16 domain name. The '.home.arpa' top-level domain replaces '.home' as 17 the default domain used by the Home Networking Control Protocol 18 (HNCP). 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on October 8, 2017. 37 Copyright Notice 39 Copyright (c) 2017 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. General Guidance . . . . . . . . . . . . . . . . . . . . . . 3 56 3. Domain Name Reservation Considerations . . . . . . . . . . . 3 57 4. Updates to Home Networking Control Protocol . . . . . . . . . 4 58 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 59 6. Delegation of 'home.arpa' . . . . . . . . . . . . . . . . . . 5 60 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 61 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 62 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 64 9.2. Informative References . . . . . . . . . . . . . . . . . 6 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 67 1. Introduction 69 Users and devices within a home network require devices and services 70 to be identified by names that are unique within the boundaries of 71 the home network [RFC7368]. The naming mechanism needs to function 72 without configuration from the user. While it may be possible for a 73 name to be delegated by an ISP, home networks must also function in 74 the absence of such a delegation. A default name with a scope 75 limited to each individual home network needs to be used. 77 The '.home.arpa' top-level domain replaces '.home' which was 78 specified in [RFC7788] as the default domain-name for home networks. 79 '.home' had been selected as the most user-friendly option. However, 80 there are existing uses of '.home' that may be in conflict with this 81 use: evidence indicates that '.home' queries frequently leak out and 82 reach the root name servers [ICANN1] [ICANN2]. Also, ICANN has about 83 a dozen applicants for the '.home' top-level domain name, which 84 creates a significant risk of litigation if it were claimed by the 85 IETF outside of that process. As a result, the use of '.home' has 86 been deprecated; this document updates [RFC7788] to replace '.home' 87 with '.home.arpa', while another document, [I-D.ietf-homenet-redact] 88 deprecates the use of the '.home' TLD. 90 This document registers the top-level domain '.home.arpa.' as a 91 special-use domain name [RFC6761] and specifies the behavior that is 92 expected from the Domain Name System with regard to DNS queries for 93 names whose rightmost non-terminal label is 'homenet'. Queries for 94 names ending with '.home.arpa.' are of local significance within the 95 scope of a home network, meaning that identical queries will result 96 in different results from one home network to another. In other 97 words, a name ending in '.home.arpa' is not globally unique. 99 2. General Guidance 101 The top-level domain name '.home.arpa.' is to be used for naming 102 within a home network. Names ending with '.home.arpa.' reference a 103 locally-served zone, the contents of which are unique only to a 104 particular home network, and are not globally unique. Such names 105 refer to nodes and/or services that are located within a home network 106 (e.g., a printer, or a toaster). 108 DNS queries for names ending with '.home.arpa.' are resolved using 109 local resolvers on the homenet. Such queries MUST NOT be recursively 110 forwarded to servers outside the logical boundaries of the home 111 network. 113 Some service discovery user interfaces that are expected to be used 114 on homenets conceal information such as domain names from end users. 115 However, it is still expected that in some cases, users will need to 116 see, remember, and even type, names ending with '.home.arpa'. It is 117 therefore desirable that users identify the top-level domain and 118 understand that using it expresses the intention to connect to a 119 service that is specific to the home network to which they are 120 connected. Enforcing the fulfillment of this intention is out of 121 scope for this document. 123 3. Domain Name Reservation Considerations 125 This section defines the behavior of systems involved in domain name 126 resolution when serving queries for names ending with '.home.arpa.' 127 (as per [RFC6761]). 129 1. Users can use names ending with '.home.arpa.' just as they would 130 use any other domain name. The '.home.arpa' name is chosen to be 131 readily recognized by users as signifying that the name is 132 addressing a service on the homenet to which the user's device is 133 connected. 135 2. Applications SHOULD treat domain names ending with '.home.arpa.' 136 just like any other FQDN, and MUST NOT make any assumption on the 137 level of additional security implied by its presence. 139 3. Name resolution APIs and libraries MUST NOT recognize names that 140 end in '.home.arpa.' as special and MUST NOT treat them 141 differently. Name resolution APIs MUST send queries for such 142 names to a recursive DNS server that is configured to be 143 authoritative for the .home.arpa zone appropriate to the home 144 network. One or more IP addresses for recursive DNS servers will 145 usually be supplied to the client through router advertisements 146 or DHCP. If a host is configured to use a resolver other than 147 one that is authoritative for the appropriate .home.arpa zone, 148 the client may be unable to resolve, or may receive incorrect 149 results for, names in sub domains of ".home.arpa". 151 4. Unless configured otherwise, recursive resolvers and DNS proxies 152 MUST behave as described in Locally Served Zones ([RFC6303] 153 Section 3). Recursive resolvers that are part of a home network 154 MAY be configured manually or automatically (e.g., for auto- 155 configuration purposes) to act differently, e.g., by querying 156 another name server configured as authoritative for part or all 157 of the '.home.arpa' domain, or proxying the request through a 158 different mechanism. 160 5. Only a DNS server that is authoritative for the '.arpa' zone or 161 is configured to be authoritative for '.home.arpa' or a subdomain 162 of '.home.arpa' will ever answer a query about '.home.arpa.' In 163 both of these cases, the server should simply answer as 164 configured: no special handling is required. 166 6. DNS servers outside a home network should not be configured to be 167 authoritative for .home.arpa. 169 7. DNS Registries/Registrars MUST NOT grant requests to register 170 '.home.arpa' in the normal way to any person or entity. 171 '.home.arpa' MUST BE registered in perpetuity to IANA, and IANA 172 MUST maintain nameservers for the zone. 174 4. Updates to Home Networking Control Protocol 176 The final paragraph of Homenet Considerations Protocol [RFC7788], 177 section 8, is updated as follows: 179 OLD: 181 Names and unqualified zones are used in an HNCP network to provide 182 naming and service discovery with local significance. A network- 183 wide zone is appended to all single labels or unqualified zones in 184 order to qualify them. ".home" is the default; however, an 185 administrator MAY configure the announcement of a Domain-Name TLV 186 (Section 10.6) for the network to use a different one. In case 187 multiple are announced, the domain of the node with the greatest 188 node identifier takes precedence. 190 NEW: 192 Names and unqualified zones are used in an HNCP network to provide 193 naming and service discovery with local significance. A network- 194 wide zone is appended to all single labels or unqualified zones in 195 order to qualify them. ".home.arpa" is the default; however, an 196 administrator MAY configure the announcement of a Domain-Name TLV 197 (Section 10.6) for the network to use a different one. In case 198 multiple are announced, the domain of the node with the greatest 199 node identifier takes precedence. 201 The '.home.arpa' special-use name does not require a special 202 resolution protocol. Names for which the rightmost non-terminal 203 label is 'homenet' are resolved using the DNS protocol [RFC1035]. 205 5. Security Considerations 207 A DNS record that is returned as a response to a query ending with 208 '.home.arpa.' is expected to have local significance. It is expected 209 to be returned by a server involved in name resolution for the home 210 network the device is connected in. However, such response MUST NOT 211 be considered more trustworthy than would be a similar response for 212 any other DNS query. 214 Because '.home.arpa' is not globally scoped and cannot be secured 215 using DNSSEC based on the root domain's trust anchor, there is no way 216 to tell, using a standard DNS query, in which home network scope an 217 answer belongs. Consequently, users may experience surprising 218 results with such names when roaming to different home networks. To 219 prevent this from happening, it may be useful for the resolver to 220 identify different home networks on which it has resolved names, but 221 this is out of scope for this document. 223 In order to enable DNSSEC validation of a particular '.home.arpa', it 224 might make sense to configure a trust anchor for that homenet. How 225 this might be done is out of scope for this document. 227 6. Delegation of 'home.arpa' 229 In order to be fully functional, there must be a delegation of 230 'home.arpa' in the '.arpa' zone. This delegation MUST NOT be signed, 231 MUST NOT include a DS record, and MUST point to one or more black 232 hole servers, for example BLACKHOLE-1.IANA.ORG and BLACKHOLE- 233 2.IANA.ORG. The reason that this delegation must not be signed is 234 that not signing the delegation breaks the DNSSEC chain of trust, 235 which prevents a validating stub resolver from rejecting names 236 published under 'home.arpa' on a homenet name server. 238 7. IANA Considerations 240 IANA is requested to record the domain name ".home.arpa" in the 241 Special-Use Domain Names registry [SUDN]. 243 8. Acknowledgments 245 The authors would like to thank Stuart Cheshire for his prior work on 246 '.home', as well as the homenet chairs: Mark Townsley and Ray Bellis. 247 We would also like to thank Paul Hoffman for providing review and 248 comments on the IANA considerations section. 250 9. References 252 9.1. Normative References 254 [RFC2860] Carpenter, B., Baker, F., and M. Roberts, "Memorandum of 255 Understanding Concerning the Technical Work of the 256 Internet Assigned Numbers Authority", RFC 2860, 257 DOI 10.17487/RFC2860, June 2000, 258 . 260 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 261 RFC 6303, DOI 10.17487/RFC6303, July 2011, 262 . 264 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 265 RFC 6761, DOI 10.17487/RFC6761, February 2013, 266 . 268 [I-D.ietf-homenet-redact] 269 Lemon, T., "Redacting .home from HNCP", draft-ietf- 270 homenet-redact-03 (work in progress), March 2017. 272 9.2. Informative References 274 [RFC1035] Mockapetris, P., "Domain names - implementation and 275 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 276 November 1987, . 278 [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J. 279 Weil, "IPv6 Home Networking Architecture Principles", 280 RFC 7368, DOI 10.17487/RFC7368, October 2014, 281 . 283 [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking 284 Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April 285 2016, . 287 [ICANN1] "New gTLD Collision Risk Mitigation", October 2013, 288 . 291 [ICANN2] "New gTLD Collision Occurence Management", October 2013, 292 . 295 [SUDN] "Special-Use Domain Names Registry", July 2012, 296 . 299 Authors' Addresses 301 Pierre Pfister 302 Cisco Systems 303 Paris 304 France 306 Email: pierre.pfister@darou.fr 308 Ted Lemon 309 Nominum, Inc. 310 800 Bridge Parkway 311 Redwood City, California 94065 312 United States of America 314 Phone: +1 650 381 6000 315 Email: ted.lemon@nominum.com