idnits 2.17.1 draft-ietf-v6ops-nat64-srv-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 214 has weird spacing: '...riority reaso...' == Line 243 has weird spacing: '...riority reaso...' == Line 244 has weird spacing: '...t. tcp yes...' == Line 245 has weird spacing: '...t. udp yes...' == Line 246 has weird spacing: '...g. udp no ...' == (1 more instance...) -- The document date (March 11, 2019) is 1866 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 9 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IPv6 Operations (v6ops) Martin Hunek 2 Internet-Draft Technical University of Liberec 3 Intended status: Standards Track March 11, 2019 4 Expires: September 11, 2019 6 NAT64/DNS64 detection via SRV Records 7 draft-ietf-v6ops-nat64-srv-00 9 Abstract 11 This document specifies the way of discovering the NAT64 pools in 12 use as well as DNS servers providing DNS64 service to the local 13 clients. The discovery is done via SRV records, which also allows 14 asignment of priorities to the NAT64 pools as well as DNS64 servers. 15 It also allows clients to have diferent DNS providers than NAT64 16 provider, while providing a secure way via DNSSEC validation of 17 provided SRV records. This way, it provides DNS64 service even in 18 case where DNS over HTTPS is used. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six 31 months and may be updated, replaced, or obsoleted by other documents 32 at any time. It is inappropriate to use Internet-Drafts as 33 reference material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on September 11, 2019 37 Copyright Notice 39 Copyright (c) 2019 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with 47 respect to this document. Code Components extracted from this 48 document must include Simplified BSD License text as described in 49 Section 4.e of the Trust Legal Provisions and are provided without 50 warranty as described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 56 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. NAT64 service SRV record . . . . . . . . . . . . . . . . . . . 3 58 4. DNS64 service SRV record . . . . . . . . . . . . . . . . . . . 4 59 5. Node Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4 60 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . . 5 61 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 62 7. Security considerations . . . . . . . . . . . . . . . . . . . 7 63 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 64 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 65 8.2. Informative References . . . . . . . . . . . . . . . . . . 8 67 1. Introduction 69 The simultaneous use of NAT64/DNS64 and DNSSEC outlined by 70 [RFC7050], does not solve all the aspects of such use. Namely 71 [RFC7050] does not allow assignment of NAT64 priorities in case when 72 multiple network prefixes are in use. [RFC7050] also doesn't work in 73 the case when network operator and DNS operator are not the same 74 subject, like in the case when the end node is using some public DNS 75 resolvers. This document describes the way how to circumvent that 76 limitation while maintaining added security provided by DNSSEC. 78 1.1. Requirements Language 80 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 81 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", 82 and "OPTIONAL" in this document are to be interpreted as described 83 in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in 84 all capitals, as shown here. 86 2. Terminology 88 End node: Either DNS stub resolver or the DNS recursive resolver 89 serving a local area network or station. 91 Pref64::/n: an IPv6 prefix used for IPv6 address synthesis 92 [RFC6146]. 94 Pref64::WKA: an IPv6 address consisting of Pref64::/n and WKA at 95 any of the locations allowed by [RFC6052]. 97 Well-Known IPv4 Address (WKA): an IPv4 address that is well-known 98 and present in an A record for the well-known name. Two well-known 99 IPv4 addresses are defined for Pref64::/n discovery purposes: 100 192.0.0.170 and 192.0.0.171. 102 3. NAT64 service SRV record 104 This document specifies two new well-known SRV records. The one for 105 NAT64 prefix which validation end node MUST implement: 107 nat64. ipv6.Name TTL Class SRV Priority Weight Port Target 109 The TTL, Class, Priority and Weight follows the same scheme as 110 defined in [RFC2782] and have theirs standard meaning. 112 Port: IPv6 as L3 protocol doesn't use port numbers. Because of that 113 this field SHOULD be either set to zero, or SHOULD be used to 114 indicate length of network prefix mask in both IPv6 and IPv4 115 protocol, used NAT64. In such case the port 16b integer MUST be 116 constructed by directly appending IPv4 pool prefix mask after the 117 IPv6 prefix mask decadicaly. Usually this would mean 9632 stating 118 that IPv6 prefix with mask /96 is translated into single IPv4 119 address (/32). 121 Target: MUST point to AAAA record formed from Pref64::/n prefix and 122 WKA same way as in [RFC7050] (Pref64::WKA). Target MAY also point to 123 A record, in which case it SHOULD point to IPv4 address used for 124 NAT64 (or base address of the NAT64 IPv4 prefix). 126 4. DNS64 service SRV record 128 The second SRV record is for the discovery of DNS64 service. Support 129 of this record is OPTIONAL but end node SHOULD implement it. 131 dns64.Protocol.Name TTL Class SRV Priority Weight Port Target 133 Record informs about location of DNS64 service. This might be used 134 in case that network operator doesn't want to deploy DNS64 in their 135 main DNS infrastructure. A DNS64 SRV record follows the rules 136 specified by [RFC2782] and does not modify meaning of any field. 138 Server provided by this record SHOULD only be used for domain names 139 which have returned NODATA for AAAA record. 141 5. Node Behavior 143 In early stage of end node connection to the network - after the end 144 node is configured with IP address, the end node MUST get local 145 domains used in the network. Method of obtaining such information is 146 out of scope of this document, but it might contain one or more 147 methods, like the SLAAC-DNSSL [RFC8106], the DHCPv6 - option 24 or 148 a manual configuration. In case, when no local domain can be 149 discovered, the end node SHOULD continue NAT64/DNS64 detection by 150 other means, like [RFC7050]. 152 After the list of local domains has been established, the end node 153 MUST ask for NAT64 SRV record for every domain in the list. Result 154 of such queries SHOULD be ordered by following the rules of 155 [RFC2782]. In case when multiple records do have a same values of 156 both priority and weight, the records SHOULD maintain the same order 157 as its domain in the discovered domain list. 159 For every domain with NAT64 SRV record the end node SHOULD perform 160 query for DNS64 SRV record. If such a record is obtained and the end 161 node is not configured to make DNS64 synthesis itself, the end node 162 SHOULD use preferred target of DNS64 SRV record to query for FQDN 163 without AAAA record - when it received NODATA response. 165 If the end node is capable of validation of DNS records via DNSSEC, 166 the end node MUST perform validation of NAT64/DNS64 SRV record. 167 Default behavior of end node SHOULD be to ignore any NAT64/DNS64 SRV 168 records which cannot be validated or did not pass the validation. 170 5.1. Example 172 The end node is a home router connected to the ISP network in which 173 the NAT64/DNS64 is used and the ISP has the following SRV records 174 in their zones: 175 - nat64.ipv6.example.com. IN SRV 5 10 9632 nat64-pool-1.example.com. 176 - nat64-pool-1.example.com. IN AAAA 2001:db8:64:ff9b:1::c000:aa 177 - nat64-pool-1.example.com. IN A 192.0.2.64 178 - nat64.ipv6.example.com. 179 IN SRV 10 10 9632 nat64-pool-2.example.com. 180 - nat64-pool-2.example.com. IN AAAA 2001:db8:64:ff9b:2::c000:aa 181 - nat64-pool-2.example.com. IN A 192.0.2.164 182 - nat64.ipv6.example.net. IN SRV 10 10 9624 nat64-pool.example.net. 183 - nat64-pool.example.net. IN AAAA 2001:db8:64:ff9b:abc::c000:aa 184 - nat64-pool.example.net. IN A 198.51.100.0 185 - nat64.ipv6.example.invalid. 186 IN SRV 10 10 9624 nat64-pool.example.org. 187 - nat64-pool.example.org. IN AAAA 2001:db8:64:ff9b:def::c000:aa 188 - nat64-pool.example.org. IN A 203.0.113.0 190 In addition the zones "example.net" and "example.invalid" has got 191 DNS64 SRV records: 192 - dns64.tcp.example.net. IN SRV 5 10 53 dns64.example.net. 193 - dns64.udp.example.net. IN SRV 10 10 53 dns64.example.net. 194 - dns64.example.net. IN AAAA 2001:db8::53 195 - dns64.udp.example.invalid. IN SRV 10 10 53 dns64.example.org. 196 - dns64.example.org. IN AAAA 2001:db8:123::53 198 The zones "example.com" and "example.net" are secured and 199 successfully validated by the DNSSEC. Domain "example.invalid" is 200 either not secured by the DNSSEC or its validation failed. Domain 201 "example.org" is DNSSEC secured but does not have any NAT64/DNS64 202 SRV records. 204 The end node has been supplied with the following list of domains 205 via SLAAC-DNSSL: 206 1. example.net 207 2. example.invalid 208 3. example.com 209 4. example.org 211 The end node would fetch all available SRV records and its A and 212 AAAA counterparts and sort it in following order: 214 pool DNSSEC priority reason 215 nat64-pool-1.example.com. yes 5 lowest priority field 216 nat64-pool.example.net. yes 10 discovered first 217 nat64-pool-2.example.com. yes 10 higher priority field 218 nat64-pool.example.org. no 10 no valid DNSSEC chain 219 After sorting, the end node SHOULD graylist any record which cannot 220 be validated by the DNSSEC. In this example it would be 221 "nat64-pool.example.org." because it has been obtained from insecure 222 domain "example.invalid". A such pool SHOULD NOT be used if it is 223 not confirmed by other DNSSEC secured record. 225 If the end node is capable to act as recursive or caching DNS server 226 and it is configured to provide the DNS64 service, it MUST provide 227 this service using sorted list of NAT64 pools. For such end node 228 a process of the NAT64/DNS64 ends here. 230 However, when the end node is not capable of record synthesis or it 231 is not configured to provide DNS64 service, it SHOULD perform 232 detection of DNS64 by querying for "ipv4only.arpa" like in the 233 case of [RFC7050]. If the reply contains a pool listed in the NAT64 234 pool list, the corresponding entry is marked as having DNS64 235 provided by recursive DNS. 237 When the end node supports DNS64 SRV record and there is at least 238 one non-graylisted NAT64 pool, which is not reachable by using the 239 end node's recursive DNS, the end node MUST make a sorted list of 240 DNS64 servers from the DNS64 SRV records. The DNS64 sorted list 241 would look like this: 243 server proto DNSSEC priority reason 244 dns64.example.net. tcp yes 5 lowest priority field 245 dns64.example.net. udp yes 10 higher priority field 246 dns64.example.org. udp no 10 no valid DNSSEC chain 248 Sorting is done in the same fashion as any other SRV record with the 249 same exception of graylisting records without valid DNSSEC chain. 250 Those SHOULD NOT be used when not confirmed by DNSSEC validated 251 record and SHOULD be kept in the end of the list. 253 For example when ISP is providing DNS64 service in their main DNS 254 infrastructure only for pools in the domains "example.com" and 255 "example.org" and the pool "nat64-pool.example.net" is used only 256 with corresponding DNS64 server. The final sorted list of NAT64 257 prefixes used by the end node in the ISP network would be: 259 pool state priority reason 260 nat64-pool-1.example.com. active 5 lowest priority field 261 nat64-pool-2.example.com. backup 10 higher priority field 262 nat64-pool.example.net. backup* 10 main DNS has priority 263 nat64-pool.example.org. inactive 10 no valid DNSSEC chain 265 As the pool "nat64-pool.example.net" is used only with the server 266 "dns64.example.net" this would effectively put this pool to the end 267 of the list. Because it would be used only for FQDN for which the 268 regular DNS infrastructure returns NODATA. 270 Now the end node has successfully identified NAT64 pools and the 271 DNS64 servers in the ISP infrastructure. The discovered prefixes 272 SHOULD be considered safe and DNSSEC validation of answers in these 273 prefixes MUST be either disabled or performed by validating only 274 the suffix. 276 6. IANA Considerations. 278 This document proposes a usage of "ipv6" in Proto field and two 279 services "nat64" and "dns64" in Service field of SRV RR 280 ([RFC2782]). 282 7. Security considerations 284 Method proposed by this document relies on security principles based 285 on DNSSEC and secure discovery of local domain. In order to be 286 secure, the network operator MUST deploy DNSSEC on at least one 287 domain (advertised to end node) and establish secure channel to this 288 advertisement. 290 8. References 292 8.1. Normative References 294 [RFC2119] S. Bradner. Key words for use in RFCs to Indicate 295 Requirement Levels. RFC 2119. RFC Editor, Mar. 1997, pp. 296 1-3. url: https://www.rfc-editor.org/rfc/rfc2119.txt. 298 [RFC2782] A. Gulbrandsen, P. Vixie, and L. Esibov. A DNS RR for 299 specifying the location of services (DNS SRV). RFC 2782. 300 RFC Editor, Feb. 2000, pp. 1-12. 301 url: https://www.rfc-editor.org/rfc/rfc2782.txt. 303 [RFC6146] M. Bagnulo, P. Matthews, and I. van Beijnum. Stateful 304 NAT64: Network Address and Protocol Translation from IPv6 305 Clients to IPv4 Servers. RFC 6146. RFC Editor, Apr. 2011, 306 pp. 1-45. 307 url: https://www.rfc-editor.org/rfc/rfc6146.txt. 309 [RFC7050] T. Savolainen, J. Korhonen, and D. Wing. Discovery of the 310 IPv6 Prefix Used for IPv6 Address Synthesis. RFC 7050. 311 RFC Editor, Nov. 2013, pp. 1-22. 312 url: https://www.rfc-editor.org/rfc/rfc7050.txt. 314 [RFC8174] B. Leiba. Ambiguity of Uppercase vs Lowercase in RFC 2119 315 Key Words. RFC 8174. RFC Editor, May 2017, pp. 1-4. 316 url: https://www.rfc-editor.org/rfc/rfc8174.txt. 318 8.2. Informative References 320 [RFC6052] C. Bao et al. IPv6 Addressing of IPv4/IPv6 Translators. 321 RFC 6052. RFC Editor, Oct. 2010, pp. 1-18. 322 url: https://www.rfc-editor.org/rfc/rfc6052.txt. 324 [RFC8106] J. Jeong et al. IPv6 Router Advertisement Options for DNS 325 Configuration. RFC 8106. RFC Editor, Mar. 2017, pp. 1-19. 326 url: https://www.rfc-editor.org/rfc/rfc8106.txt. 328 Acknowledgments 330 This work has been supported by Student Grant Scheme (SGS 2019) at 331 Technical University of Liberec. 333 Authors' Addresses 335 Martin Hunek 336 Technical University of Liberec 337 Studentska 1402/2 338 Liberec, 46017 Czech Republic 340 phone: +420 485 35 3792 341 e-mail: martin.hunek@tul.cz