idnits 2.17.1 draft-ietf-ipsecme-split-dns-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 22, 2018) is 2013 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: April 25, 2019 Red Hat 6 October 22, 2018 8 Split DNS Configuration for IKEv2 9 draft-ietf-ipsecme-split-dns-13 11 Abstract 13 This document defines two Configuration Payload Attribute Types for 14 the IKEv2 protocol that add support for private DNS domains. These 15 domains are intended to be resolved using DNS servers reachable 16 through an IPsec connection, while leaving all other DNS resolution 17 unchanged. This approach of resolving a subset of domains using non- 18 public DNS servers is referred to as "Split DNS". 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on April 25, 2019. 37 Copyright Notice 39 Copyright (c) 2018 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 56 2. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 57 2.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 58 2.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 59 2.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 60 2.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 61 2.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 62 2.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 63 3. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 64 3.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 65 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 66 3.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 67 4. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 68 5. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 73 8.2. Informative References . . . . . . . . . . . . . . . . . 13 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 76 1. Introduction 78 Split DNS is a common configuration for secure tunnels, such as 79 Virtual Private Networks in which host machines private to an 80 organization can only be resolved using internal DNS resolvers 81 [RFC2775]. In such configurations, it is often desirable to only 82 resolve hosts within a set of private domains using the tunnel, while 83 letting resolutions for public hosts be handled by a device's default 84 DNS configuration. 86 The Internet Key Exchange protocol version 2 [RFC7296] negotiates 87 configuration parameters using Configuration Payload Attribute Types. 88 This document defines two Configuration Payload Attribute Types that 89 add support for trusted Split DNS domains. 91 The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more 92 DNS domains that SHOULD be resolved only using the provided DNS 93 nameserver IP addresses, causing these requests to use the IPsec 94 connection. 96 The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust 97 anchors for those domains. 99 When only a subset of traffic is routed into a private network using 100 an IPsec SA, these Configuration Payload options can be used to 101 define which private domains are intended to be resolved through the 102 IPsec connection without affecting the client's global DNS 103 resolution. 105 For the purposes of this document, DNS resolution servers accessible 106 through an IPsec connection will be referred to as "internal DNS 107 servers", and other DNS servers will be referred to as "external DNS 108 servers". 110 A client using these configuration payloads will be able to request 111 and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN 112 and INTERNAL_DNSSEC_TA configuration attributes. The client device 113 can use the internal DNS server(s) for any DNS queries within the 114 assigned domains. DNS queries for other domains SHOULD be sent to 115 the regular external DNS server. 117 Other tunnel-establishment protocols already support the assignment 118 of Split DNS domains. For example, there are proprietary extensions 119 to IKEv1 that allow a server to assign Split DNS domains to a client. 120 However, the IKEv2 standard does not include a method to configure 121 this option. This document defines a standard way to negotiate this 122 option for IKEv2. 124 1.1. Requirements Language 126 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 127 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 128 "OPTIONAL" in this document are to be interpreted as described in BCP 129 14 [RFC2119] [RFC8174] when, and only when, they appear in all 130 captials, as shown here. 132 2. Protocol Exchange 134 In order to negotiate which domains are considered internal to an 135 IKEv2 tunnel, initiators indicate support for Split DNS in their 136 CFG_REQUEST payloads, and responders assign internal domains (and 137 DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS 138 has been negotiated, the existing DNS server configuration attributes 139 will be interpreted as internal DNS servers that can resolve 140 hostnames within the internal domains. 142 2.1. Configuration Request 144 To indicate support for Split DNS, an initiator includes one more 145 INTERNAL_DNS_DOMAIN attributes as defined in Section 3 as part of the 146 CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included 147 in the CFG_REQUEST, the initiator MUST also include one or more 148 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REQUEST. 150 The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually 151 empty but MAY contain a suggested domain name. 153 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 154 payload indicates that the initiator does not support or is unwilling 155 to accept Split DNS configuration. 157 To indicate support for DNSSEC, an initiator includes one or more 158 INTERNAL_DNSSEC_TA attributes as defined in Section 3 as part of the 159 CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attribute is included 160 in the CFG_REQUEST, the initiator MUST also include one or more 161 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator 162 includes an INTERNAL_DNSSEC_TA attribute, but does not inclue an 163 INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with 164 both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes. 166 An initiator MAY convey its current DNSSEC trust anchors for the 167 domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does 168 not wish to convey this information, it MUST use a length of 0. 170 The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST 171 payload indicates that the initiator does not support or is unwilling 172 to accept DNSSEC trust anchor configuration. 174 2.2. Configuration Reply 176 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 177 their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is 178 included in the CFG_REPLY, the responder MUST also include one or 179 both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the 180 CFG_REPLY. These DNS server configurations are necessary to define 181 which servers can receive queries for hostnames in internal domains. 182 If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the 183 CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the 184 initiator MUST behave as if Split DNS configurations are not 185 supported by the server, unless the initiator has been configured 186 with local polict to define a set of Split DNS domains to use by 187 default. 189 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 190 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 192 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 193 zero lengths, the content MAY be ignored or be interpreted as a 194 suggestion by the responder. 196 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, 197 one or more INTERNAL_DNSSEC_TA attributes MAY be included by the 198 responder. This attribute lists the corresponding internal DNSSEC 199 trust anchor in the DNS presentation format of a DS record as 200 specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST 201 immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies 202 to. 204 2.3. Mapping DNS Servers to Domains 206 All DNS servers provided in the CFG_REPLY MUST support resolving 207 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 208 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 209 single list of Split DNS domains that applies to the entire list of 210 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 212 2.4. Example Exchanges 214 2.4.1. Simple Case 216 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 217 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not 218 specify any value for either. This indicates that it supports Split 219 DNS, but has no preference for which DNS requests will be routed 220 through the tunnel. 222 The responder replies with two DNS server addresses, and two internal 223 domains, "example.com" and "city.other.com". 225 Any subsequent DNS queries from the initiator for domains such as 226 "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve. 228 CP(CFG_REQUEST) = 229 INTERNAL_IP4_ADDRESS() 230 INTERNAL_IP4_DNS() 231 INTERNAL_DNS_DOMAIN() 233 CP(CFG_REPLY) = 234 INTERNAL_IP4_ADDRESS(198.51.100.234) 235 INTERNAL_IP4_DNS(198.51.100.2) 236 INTERNAL_IP4_DNS(198.51.100.4) 237 INTERNAL_DNS_DOMAIN(example.com) 238 INTERNAL_DNS_DOMAIN(city.other.com) 240 2.4.2. Requesting Domains and DNSSEC trust anchors 242 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 243 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes in the 244 CFG_REQUEST. 246 Any subsequent DNS queries from the initiator for domains such as 247 "www.example.com" or "city.other.com" would be DNSSEC validated using 248 the DNSSEC trust anchor received in the CFG_REPLY. 250 In this example, the initiator has no existing DNSSEC trust anchors 251 would the requested domain. the "example.com" dommain has DNSSEC 252 trust anchors that are returned, while the "other.com" domain has no 253 DNSSEC trust anchors. 255 CP(CFG_REQUEST) = 256 INTERNAL_IP4_ADDRESS() 257 INTERNAL_IP4_DNS() 258 INTERNAL_DNS_DOMAIN() 259 INTERNAL_DNSSEC_TA() 261 CP(CFG_REPLY) = 262 INTERNAL_IP4_ADDRESS(198.51.100.234) 263 INTERNAL_IP4_DNS(198.51.100.2) 264 INTERNAL_IP4_DNS(198.51.100.4) 265 INTERNAL_DNS_DOMAIN(example.com) 266 INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...) 267 INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...) 268 INTERNAL_DNS_DOMAIN(city.other.com) 270 3. Payload Formats 272 All multi-octet fields representing integers are laid out in big 273 endian order (also known as "most significant byte first", or 274 "network byte order"). 276 3.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply 278 1 2 3 279 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 280 +-+-----------------------------+-------------------------------+ 281 |R| Attribute Type | Length | 282 +-+-----------------------------+-------------------------------+ 283 | | 284 ~ Domain Name in DNS presentation format ~ 285 | | 286 +---------------------------------------------------------------+ 288 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 290 o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. 292 o Length (2 octets) - Length of domain name. 294 o Domain Name (0 or more octets) - A Fully Qualified Domain Name 295 used for Split DNS rules, such as "example.com", in DNS 296 presentation format and optionally using IDNA [RFC5890] for 297 Internationalized Domain Names. Implementors need to be careful 298 that this value is not null-terminated. 300 3.2. INTERNAL_DNSSEC_TA Configuration Attribute 302 An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or 303 it can contain one Trust Anchor by containing a non-zero Length with 304 a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data 305 fields. 307 An empty INTERNAL_DNSSEC_TA CFG attribute: 309 1 2 3 310 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 311 +-+-----------------------------+-------------------------------+ 312 |R| Attribute Type | Length (set to 0) | 313 +-+-----------------------------+-------------------------------+ 315 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 317 o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. 319 o Length (2 octets) - Set to 0 for an empty attribute. 321 A non-empty INTERNAL_DNSSEC_TA CFG attribute: 323 1 2 3 324 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 325 +-+-----------------------------+-------------------------------+ 326 |R| Attribute Type | Length | 327 +-+-----------------------------+---------------+---------------+ 328 | DNSKEY Key Tag | DNSKEY Alg | Digest Type | 329 +-------------------------------+---------------+---------------+ 330 | | 331 ~ Digest Data ~ 332 | | 333 +---------------------------------------------------------------+ 335 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 337 o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. 339 o Length (2 octets) - Length of DNSSEC Trust Anchor data (4 octets 340 plus the length of the Digest Data). 342 o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag 343 as specified in [RFC4034] Section 5.1. 345 o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA 346 DNS Security Algorithm Numbers Registry. 348 o Digest Type (1 octet) - DS algorithm value from the IANA 349 Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms 350 Registry. 352 o Digest Data (1 or more octets) - The DNSKEY digest as specified in 353 [RFC4034] Section 5.1 in presentation format. 355 Each INTERNAL_DNSSEC_TA attribute in the CFG_REPLY payload MUST 356 immediately follow a corresponding INTERNAL_DNS_DOMAIN attribute. As 357 the INTERNAL_DNSSEC_TA format itself does not contain the domain 358 name, it relies on the preceding INTERNAL_DNS_DOMAIN to provide the 359 domain for which it specifies the trust anchor. Any 360 INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an 361 INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying 362 to the same domain name MUST be ignored and treated as a protocol 363 error. 365 4. INTERNAL_DNS_DOMAIN Usage Guidelines 367 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 368 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 369 servers as the default DNS server(s) for all queries. 371 If a client is configured by local policy to only accept a limited 372 number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any 373 other INTERNAL_DNS_DOMAIN values. 375 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not 376 prohibited by local policy, the client MUST use the provided 377 INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only 378 resolvers for the listed domains and its sub-domains and it MUST NOT 379 attempt to resolve the provided DNS domains using its external DNS 380 servers. Other domain names SHOULD be resolved using some other 381 external DNS resolver(s), configured independently from IKE. Queries 382 for these other domains MAY be sent to the internal DNS resolver(s) 383 listed in that CFG_REPLY message, but have no guarantee of being 384 answered. For example, if the INTERNAL_DNS_DOMAIN attribute 385 specifies "example.com", then "example.com", "www.example.com" and 386 "mail.eng.example.com" MUST be resolved using the internal DNS 387 resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be 388 resolved using the internal resolver and SHOULD use the system's 389 external DNS resolver(s). 391 The initiator SHOULD allow the DNS domains listed in the 392 INTERNAL_DNS_DOMAIN attributes to resolve to special IP address 393 ranges, such as those of [RFC1918], even if the initiator host is 394 otherwise configured to block DNS answer containing these special IP 395 addresses. 397 When an IKE SA is terminated, the DNS forwarding MUST be 398 unconfigured. This includes deleting the DNS forwarding rules; 399 flushing all cached data for DNS domains provided by the 400 INTERNAL_DNS_DOMAIN attribute, including negative cache entries; 401 removing any obtained DNSSEC trust anchors from the list of trust 402 anchors; and clearing the outstanding DNS request queue. 404 INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel 405 configurations where only a subset of traffic is routed into a 406 private remote network using the IPsec connection. If all traffic is 407 routed over the IPsec connection, the existing global 408 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 409 specific DNS exemptions. 411 5. INTERNAL_DNSSEC_TA Usage Guidelines 413 DNS records can be used to publish specific records containing trust 414 anchors for applications. The most common record type is the TLSA 415 record specified in [RFC6698]. This DNS record type publishes which 416 CA certificate or EE certificate to expect for a certain host name. 417 These records are protected by DNSSEC and thus can be trusted by the 418 application. Whether to trust TLSA records instead of the 419 traditional WebPKI depends on the local policy of the client. By 420 accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote 421 IKE server, the IPsec client might be allowing the remote IKE server 422 to override the trusted certificates for TLS. Similar override 423 concerns apply to other public key or fingerprint based DNS records, 424 such as OPENPGPKEY, SMIMEA or IPSECKEY records. 426 Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as 427 the equivalent of installing an Enterprise Certificate Agency (CA) 428 certificate. It allows the remote IKE/IPsec server to modify DNS 429 answers including its DNSSEC cryptographic signatures by overriding 430 existing DNS information with trust anchor conveyed via IKE and 431 (temporarilly) installed on the IKE client. Of specific concern is 432 the overriding of [RFC6698] based TLSA records, which represent a 433 confirmation or override of an existing WebPKI TLS certificate. 434 Other DNS record types that convey cryptographic materials (public 435 keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY 436 records. 438 IKE clients willing to accept INTERNAL_DNSSEC_TA attributes MUST use 439 a whitelist of one or more domains that can be updated out of band. 440 IKE clients with an empty whitelist MUST NOT use any 441 INTERNAL_DNSSEC_TA attributes received over IKE. Such clients MAY 442 interpret receiving an INTERNAL_DNSSEC_TA attribute for a non- 443 whitelisted domain as an indication that their local configuration 444 may need to be updated out of band. 446 IKE clients should take care to only whitelist domains that apply to 447 internal or managed domains, rather than to generic Internet traffic. 448 The DNS root zone (".") MUST NOT be whitelisted. Other generic or 449 public domains, such as top-level domains, similarly SHOULD NOT be 450 whitelisted. 452 Any updates to this whitelist of domain names MUST happen via 453 explicit human interaction to prevent invisible installation of trust 454 anchors. 456 IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for 457 subdomain names of the whitelisted domain names. For example, if 458 "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for 459 "antartica.example.net" SHOULD be accepted. 461 IKE clients MAY interpret an INTERNAL_DNSSEC_TA for domain that was 462 not preconfigured as an indication that it needs to update its IKE 463 configuration (out of band). The client MUST NOT use such a 464 INTERNAL_DNSSEC_TA to reconfigure its local DNS settings. 466 IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for 467 a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN 468 Configuration Payload. 470 In most deployment scenario's, the IKE client has an expectation that 471 it is connecting, using a split-network setup, to a specific 472 organisation or enterprise. A recommended policy would be to only 473 accept INTERNAL_DNSSEC_TA directives from that organization's DNS 474 names. However, this might not be possible in all deployment 475 scenarios, such as one where the IKE server is handing out a number 476 of domains that are not within one parent domain. 478 6. Security Considerations 480 The use of Split DNS configurations assigned by an IKEv2 responder is 481 predicated on the trust established during IKE SA authentication. 482 However, if IKEv2 is being negotiated with an anonymous or unknown 483 endpoint (such as for Opportunistic Security [RFC7435]), the 484 initiator MUST ignore Split DNS configurations assigned by the 485 responder. 487 If a host connected to an authenticated IKE peer is connecting to 488 another IKE peer that attempts to claim the same domain via the 489 INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process 490 the DNS information if the two connections are part of the same 491 logical entity. Otherwise, the client SHOULD refuse the DNS 492 information and potentially warn the end-user. 494 If the initiator is using DNSSEC validation for a domain in its 495 public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN 496 attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure 497 its DNS resolver to allow for an insecure delegation. It SHOULD NOT 498 accept insecure delegations for domains that are DNSSEC signed in the 499 public DNS view, for which it has not explicitely requested such 500 deletation by specifying the domain specifically using a 501 INTERNAL_DNS_DOMAIN(domain) request. 503 Deployments that configure INTERNAL_DNS_DOMAIN domains should pay 504 close attention to their use of indirect reference RRtypes such as 505 CNAME, DNAME, MX or SRV records so that resolving works as intended 506 when all, some, or none of the IPsec connections are established. 508 The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be 509 passed to another (DNS) program for processing. As with any network 510 input, the content SHOULD be considered untrusted and handled 511 accordingly. 513 7. IANA Considerations 515 This document defines two new IKEv2 Configuration Payload Attribute 516 Types, which are allocated from the "IKEv2 Configuration Payload 517 Attribute Types" namespace. 519 Multi- 520 Value Attribute Type Valued Length Reference 521 ------ ------------------- ------ ---------- --------------- 522 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 523 26 INTERNAL_DNSSEC_TA YES 0 or more [this document] 525 Figure 1 527 8. References 529 8.1. Normative References 531 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 532 and E. Lear, "Address Allocation for Private Internets", 533 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 534 . 536 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 537 Requirement Levels", BCP 14, RFC 2119, 538 DOI 10.17487/RFC2119, March 1997, 539 . 541 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 542 Rose, "Resource Records for the DNS Security Extensions", 543 RFC 4034, DOI 10.17487/RFC4034, March 2005, 544 . 546 [RFC5890] Klensin, J., "Internationalized Domain Names for 547 Applications (IDNA): Definitions and Document Framework", 548 RFC 5890, DOI 10.17487/RFC5890, August 2010, 549 . 551 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 552 of Named Entities (DANE) Transport Layer Security (TLS) 553 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 554 2012, . 556 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 557 Kivinen, "Internet Key Exchange Protocol Version 2 558 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 559 2014, . 561 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 562 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 563 May 2017, . 565 8.2. Informative References 567 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 568 DOI 10.17487/RFC2775, February 2000, 569 . 571 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 572 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 573 December 2014, . 575 Authors' Addresses 577 Tommy Pauly 578 Apple Inc. 579 One Apple Park Way 580 Cupertino, California 95014 581 US 583 Email: tpauly@apple.com 585 Paul Wouters 586 Red Hat 588 Email: pwouters@redhat.com