HOMENET                                                      W. Cloetens
Internet-Draft                                                SoftAtHome
Intended status: Standards Track                            P. Lemordant
Expires: January 4, 2013                                 D. Migault (Ed)
                                                  Francetelecom - Orange
                                                            July 3, 2012


               Home Network Front End Naming Delegation
              draft-mglt-front-end-naming-delegation-00.txt

Abstract

   This document proposes a Naming Delegation Architecture that makes
   it possible for End Users to reach the hosts or services of their
   Home Network using Names instead of IP addresses.

   This document shows how the Naming Delegation between the CPE and
   the ISP can be set so that the CPE is not exposed on the Internet.
   This document describes a Naming Architecture where ISPs provide
   Front End Delegating DNS Servers, whereas the CPEs constitute a Back
   End Network of Delegated DNS Servers.  All DNS queries for any Home
   Network are addressed to the Front End Delegating DNS Server.  The
   response is expected to be stored on a CPE, and the Front End
   Delegating DNS Server sends a DNS Query to that CPE before answering
   the initial DNS query.

   The negotiation between the CPE and the ISP uses DHCP Options.  This
   document defines the options with which the Front End Delegating and
   the Delegated DNS Servers configure their respective Zone files, and
   with which CPEs restrict access and protect themselves from
   unauthorized DNS Queries.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2013.
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  Terminology
   4.  Front End Naming Delegation Architecture Overview
     4.1.  Home Network Naming Architecture Requirements
     4.2.  Front End Naming Delegation Architecture Description
     4.3.  Front End Naming Delegation Configuration
     4.4.  Difference between the Front End Delegating DNS Server
           and traditional DNS Recursive DNS Server
     4.5.  How the Front End Configuration impacts the CPE
   5.  Protocol Exchange
     5.1.  CPE Request Creation and Transmission for the Front End
           Naming Delegation Architecture
     5.2.  ISP DHCP Server Responding to the CPE Request for the
           Front End Naming Delegation Architecture
     5.3.  CPE Receiving the ISP DHCP Response for the Front End
           Naming Delegation Architecture
   6.  DHCP Options
     6.1.  Delegated DNS Architecture Option
     6.2.  Front End Delegating Information Option
     6.3.  Delegating Authorized Resolvers Option
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgment
   10.  References
     10.1.  Normative References
     10.2.  Informational References
   Authors' Addresses

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   [I-D.mglt-naming-delegation] describes the Naming Delegation
   Architecture that makes it possible for Services and Objects of a
   Home Network to be globally reachable by Name on the Internet.  For
   that purpose, the Customer Premise Equipment (CPE) hosts the
   authoritative DNS Server of the Home Network.  The zone associated
   with the Home Network ("my-homenet") is a subzone of a zone managed
   by the ISP ("example.").  This zone is attached to the global DNS
   Architecture.  Because the ISP delegates the Naming service to the
   CPE, we call the DNS server responsible for "example." the
   Delegating DNS Server, and the DNS server responsible for
   "my-homenet.example." the Delegated DNS Server.  The Delegated DNS
   Server runs on the CPE, and [I-D.mglt-naming-delegation] describes
   how the CPE can automatically set the Naming Delegation between the
   Delegated and the Delegating DNS Server.  The pieces of information
   necessary to configure the respective DNS Zones are exchanged
   between the DHCP client of the CPE and the ISP DHCP Server through
   DHCP Options.
   The Naming Delegation Architecture of [I-D.mglt-naming-delegation]
   results in a CPE hosting a Service on the Internet.  CPEs have not
   been designed for heavy load and, as a result, the delegation
   exposes the Home Network to potential Denial of Service (DoS)
   attacks.  The Front End Naming Delegation Architecture proposed in
   this document is an alternative to the Naming Delegation
   Architecture [I-D.mglt-naming-delegation] where the ISP provides
   Front End Delegating Servers that handle all DNS traffic.  The CPE
   remains responsible for the zone "my-homenet.example.", but only
   responds to DNS queries sent by the Front End Delegating Servers.
   For this reason we call the CPE Delegated DNS Server the Back End
   Delegated DNS Server.

   The Front End Naming Delegation Architecture can be seen as
   providing one Authoritative DNS Server for all the Home Networks:
   the Front End Delegating DNS Server.  However, this Authoritative
   Server distributes the Zone between multiple nodes (the CPEs), which
   constitute the Back End Network.  The Front End Delegating DNS
   Server receives DNS queries from the Internet and, to respond, must
   retrieve the requested information from the CPE hosting it.  In this
   document, the Front End Delegating DNS Server uses the DNS protocol
   to retrieve this information from the CPE.  Other protocols could
   have been chosen.

   The Front End Naming Delegation Architecture is based on the Naming
   Delegation Architecture [I-D.mglt-naming-delegation] and addresses
   the same requirements.  It addresses the Denial of Service security
   issue.  On the other hand, it requires the ISP to provide an adapted
   infrastructure, and all DNS traffic is (partly) handled by the ISP.
   The document shows how the CPE can be configured automatically and
   be part of the Front End Naming Delegation Architecture.

   In this document we only consider IPv6 and DHCP.
   As such, DHCP MUST be understood as DHCPv6.  We also assume the
   reader has read [I-D.mglt-naming-delegation].

3.  Terminology

   This document uses the terminology defined in
   [I-D.mglt-naming-delegation], and introduces the following
   terminology:

   -  Front End Delegating DNS Server or Delegating DNS Server: The DNS
      Server of the ISP that handles the DNS queries addressed to the
      Home Network.

   -  Back End Delegated DNS Server or Delegated DNS Server: The DNS
      Service hosted by the CPE.

   -  Front End Delegating Information: Information such as the FQDNs
      and IP addresses of the Front End Delegating DNS Servers.  These
      pieces of information are provided by the ISP DHCP Server to the
      CPE so that it can properly configure its DNS zone file.

   -  Delegating Authorized Resolvers: The hosts that are authorized to
      send DNS queries to the CPE.  These Resolvers can be the Front
      End Delegating DNS Servers, but we keep these functions
      independent since some ISPs may use dedicated Interfaces for the
      Front End Delegating DNS Server and for the Delegating
      Authorized Resolvers.

4.  Front End Naming Delegation Architecture Overview

4.1.  Home Network Naming Architecture Requirements

   The Home Network Naming Requirements for the Naming Delegation
   listed in [I-D.mglt-naming-delegation] are:

   -  1: Centralized Naming Configuration: The CPE is responsible for
      binding Names and IP addresses for the whole Home Network.

   -  2: Automatic Configuration: The CPE MUST be able to set up the
      Naming architecture when plugged in, with minimum configuration
      from the End User.

   -  3: Advanced Configuration Enabled: The CPE enables advanced,
      specific configurations.

   -  4: Privacy Protection By Design: The Names and the Home Network
      IP address plan are administered by the CPE and are not
      communicated to the ISP.  This prevents the ISP from being aware
      of the hosts, Services and Objects that compose the Home Network.
   -  5: Make the Home Network Naming Architecture Scalable: The Naming
      Architecture MUST be scalable and designed to handle a large
      increase of Objects, Services and hosts in each Home Network.

   The Naming Delegation Architecture fulfills these requirements, and
   we consider this architecture as the base architecture.  However,
   the major drawback of this architecture is that the CPE hosts the
   Delegated DNS Server.  CPEs are usually not designed to handle heavy
   traffic, and are thus sensitive to DoS attacks.  The Front End
   Naming Delegation Architecture adds one requirement to the currently
   designed Naming Delegation Architecture
   [I-D.mglt-naming-delegation]:

   -  6: The Naming Architecture MUST be protected by the ISP
      Infrastructure: The CPE MUST NOT expose the Home Network Naming
      service to DoS attacks.  The ISP MUST be able to provide the
      necessary infrastructure that handles DoS attacks or heavy loads.

   In order to meet Requirement 6, the Front End Naming Delegation
   Architecture introduces Front End DNS Delegating Servers that handle
   all DNS traffic.  This means that all DNS queries that concern the
   Home Network are addressed to the Front End DNS Delegating Server of
   the ISP and are not addressed to the CPE.  CPEs belong to the Back
   End DNS Network.

   The Front End DNS Naming Delegation Architecture fulfills all the
   above Requirements.  However, Requirement 4 needs to be balanced
   against Requirement 6.  Requirement 6 requires the ISP to handle all
   DNS queries that concern the Home Network.  This makes the ISP aware
   of all queried Services, Objects and hosts in the Home Network.  In
   that sense, this may reduce the Privacy of the Home Network compared
   to the Naming Delegation Architecture.  In fact, with the Naming
   Delegation Architecture, the DNS query is sent directly to the CPE
   when the DNS client has the IP address of the CPE in its cache.
   In that case, the ISP is not aware of the existence of the queried
   FQDN.  However, if the DNS client does not have the IP address of
   the CPE, then the DNS query is first sent to the ISP Delegating
   Server.  In this latter case, the Front End DNS Naming Delegation
   Architecture does not provide less privacy.

4.2.  Front End Naming Delegation Architecture Description

   Figure 1 shows how the Resolution is performed.  In [1], the
   Resolver sends a DNS query to the Front End Delegating Server for
   the host "host1.my-homenet.example.".  The Front End Delegating
   Server does not have the response in its cache or in its zone file.
   The Front End Delegating DNS Server MUST send a query to the Back
   End Delegated DNS Server.  The IP address of the Back End Delegated
   DNS Server MUST NOT be revealed to the Resolver, as would happen,
   for example, if it were set in the NS field of the DNS Zone File.
   In Figure 1, we show the Delegated Server Information Database where
   this IP address is stored.  The Front End Delegating Server sends
   the DNS(SEC) query to the Back End Delegated Server hosting the zone
   "my-homenet.example.".  The source IP address used is one of the
   Delegating Authorized Resolvers' IP addresses.  This query is
   represented in [2].  The Back End Delegated Server responds in [3]
   with the DNS(SEC) Response.  Note that the "AUTHORITY" and
   "ADDITIONAL SECTION" of the DNS response MUST indicate the FQDN and
   the IP addresses of the Front End Delegating DNS Server.  These
   pieces of information have been provided by the ISP DHCP Server
   with the Front End Delegating Information DHCP Option.  The CPE can
   also be configured to respond without these fields.  Finally, in
   [4], the Front End Delegating Server forwards the DNS(SEC) response
   to the Resolver.  The "AUTHORITY" and "ADDITIONAL SECTION" fields
   MUST be filled in appropriately.
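   The resolution flow described above (steps [1] to [4] of Figure 1),
   together with the AA/RD handling of Section 4.4, as an added Python
   simulation that is not part of the draft.  DNS messages are modelled
   as small in-memory dataclasses rather than wire-format packets, and
   the server names and addresses (documentation prefix 2001:db8::/32)
   are constructed assumptions.

```python
"""Simulation of the resolution flow of Figure 1 (steps [1] to [4]) and of
the mixed authoritative/recursive behaviour of Section 4.4.  Added
illustration, not code from the draft: DNS messages are small dataclasses
rather than wire-format packets, and every name and address below is a
constructed example (documentation prefix 2001:db8::/32)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FRONT_END_FQDN = "ns.example."            # FRONT_END_DELEGATING_INFO (assumed)
FRONT_END_ADDR = "2001:db8:ff::53"        # the only address the Internet sees
AUTH_RESOLVER_SRC = "2001:db8:ff::1"      # a Delegating Authorized Resolver
CPE_ADDR = "2001:db8:1::1"                # DELEGATED_DNS_ADDR_INFO, never published

RR = Tuple[str, str, str]                 # (owner, type, rdata)


@dataclass
class Message:
    qname: str
    qtype: str
    rd: bool = False
    aa: bool = False
    rcode: str = "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


class BackEndDelegatedServer:
    """The CPE: authoritative for one Home Network zone, reachable at
    `addr`, and answering only the Delegating Authorized Resolvers."""

    def __init__(self, zone: str, addr: str, records: Dict[Tuple[str, str], str],
                 authorized_sources: List[str]):
        self.zone, self.addr, self.records = zone, addr, records
        self.authorized_sources = set(authorized_sources)

    def query(self, src: str, q: Message) -> Optional[Message]:
        if src not in self.authorized_sources:
            return None                       # dropped by the CPE firewall (4.5)
        r = Message(q.qname, q.qtype, rd=q.rd, aa=True)
        rdata = self.records.get((q.qname, q.qtype))
        if rdata is None:
            r.rcode = "NXDOMAIN"
        else:
            r.answer.append((q.qname, q.qtype, rdata))
        # Step [3]: the zone's NS records name the Front End, never the CPE.
        r.authority.append((self.zone, "NS", FRONT_END_FQDN))
        r.additional.append((FRONT_END_FQDN, "AAAA", FRONT_END_ADDR))
        return r


class FrontEndDelegatingServer:
    """ISP-side server: the only authoritative server Resolvers know of."""

    def __init__(self, backends: List[BackEndDelegatedServer]):
        # Delegated Server Info Database: zone -> Back End server (its
        # address lives only here, not in the "example." zone file).
        self.delegated_db = {b.zone: b for b in backends}

    def _find_zone(self, qname: str) -> Optional[str]:
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.delegated_db:
                return candidate
        return None

    def resolve(self, q: Message) -> Message:
        """Step [1] in, step [4] out; the RD bit is deliberately ignored."""
        zone = self._find_zone(q.qname)
        if zone is None:
            # Section 4.4, item 1: resolve only FQDNs hosted on a Back End.
            return Message(q.qname, q.qtype, rd=q.rd, rcode="REFUSED")
        cpe = self.delegated_db[zone]
        # Step [2]: query cpe.addr using an authorized resolver source address.
        reply = cpe.query(AUTH_RESOLVER_SRC, Message(q.qname, q.qtype))
        if reply is None:
            return Message(q.qname, q.qtype, rd=q.rd, rcode="SERVFAIL")
        # Step [4]: AA set; AUTHORITY/ADDITIONAL rebuilt from the Front End's
        # own data instead of being forwarded from [3] (Section 4.4).
        out = Message(q.qname, q.qtype, rd=q.rd, aa=True, rcode=reply.rcode,
                      answer=list(reply.answer))
        out.authority.append((zone, "NS", FRONT_END_FQDN))
        out.additional.append((FRONT_END_FQDN, "AAAA", FRONT_END_ADDR))
        return out


def leaks_cpe_address(m: Message) -> bool:
    """Privacy check: the CPE address must never appear in what the
    Resolver receives."""
    return any(rr[2] == CPE_ADDR for rr in m.answer + m.authority + m.additional)


def build_demo() -> FrontEndDelegatingServer:
    cpe = BackEndDelegatedServer(
        "my-homenet.example.", CPE_ADDR,
        {("host1.my-homenet.example.", "AAAA"): "2001:db8:1::10"},
        authorized_sources=[AUTH_RESOLVER_SRC])
    return FrontEndDelegatingServer([cpe])


if __name__ == "__main__":
    fe = build_demo()
    print(fe.resolve(Message("host1.my-homenet.example.", "AAAA", rd=False)))
```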
   +-----------------------------+   [1] DNS Query                     +---+
   | ZONE "example.":            |   host1.my-homenet.example. AAAA    | R |
   | Front End Delegating Servers|  <---------------------------------  | E |
   |                             |   [4] DNS Response:                 | S |
   +-------------------------+   |   my-homenet.example. AAAA IP6      | O |
   | Delegated Server Info   |   |   [my-homenet.example. RRSIG [...]] | L |
   | Database                |   |  --------------------------------->  | V |
   +-------------------------+---+                                      | E |
        |  [2] DNS Query                   ^                            | R |
        |  host1.my-homenet.example. AAAA  |                            +---+
        |                                  |  [3] DNS Response:
        |                                  |  my-homenet.example. AAAA IP6
        v                                  |  [my-homenet.example. RRSIG [...]]
   +-----------------------------+
   |             CPE             |
   |  Back End Delegated Server  |
   | ZONE "my-homenet.example."  |
   | IP6 DELEGATED_DNS_ADDR_INFO |
   +-----------------------------+
        |                     |
   +------------+       +------------+
   |   Host 1   |       |   Host n   |
   +------------+       +------------+

        Figure 1: DNS Resolution with the Home Network Delegating
                               Architecture

4.3.  Front End Naming Delegation Configuration

   Figure 2 describes the interactions between the CPE and the ISP DHCP
   Server.

   Similarly to [I-D.mglt-naming-delegation], the CPE hosts a DHCP
   Server (DHCP_SRV) that is used to assign IP addresses and FQDNs to
   the Hosts of the Home Network.  In this document we consider DHCP,
   but other protocols can also be used in combination with DHCP or
   instead of DHCP.  The CPE also has a DHCP Client (DHCP_CLT) that is
   used to exchange information with the ISP DHCP Server.  This
   document describes how these exchanges properly configure the Front
   End Naming Delegation Architecture.  The CPE also hosts an
   Authoritative DNS Server (DNS_SRV) that is responsible for the
   subzone associated with the Home Network.  This Authoritative DNS
   Server is called the Back End Delegated Server.  Finally, the CPE
   also has a Firewall (FIREWALL) that can be configured with security
   Policies.
   In this document, the CPE is not expected to receive DNS queries
   from any peer other than the Front End Delegating DNS Servers, which
   are in the ISP Network.

   In Figure 2, the CPE sends a DHCP Request for a Front End Naming
   Delegation Architecture (DELEGATED_DNS_ARCHITECTURE).  Similarly to
   the Naming Delegation Architecture, the CPE provides the necessary
   information so that the ISP can derive the IP address of the Back
   End Delegated DNS Server (DELEGATED_DNS_ADDR_INFO).  If the CPE
   wants a DNSSEC Delegation to be set, it also provides the Delegation
   of Signing Information (DS).  In our case, the CPE also sends a
   request for a Prefix Delegation (IA_PD).

   Unlike in [I-D.mglt-naming-delegation], the IP address of the Back
   End Delegated DNS Server is not mentioned in the Zone file of the
   Front End Delegating DNS Server.  In this document, the Back End
   Delegated DNS Server is not expected to receive any DNS query from
   anyone but the Front End Delegating DNS Server.  For DNS Resolvers,
   the only Authoritative DNS Server they are aware of is the Front End
   Delegating DNS Server.

   Similarly to [I-D.mglt-naming-delegation], the ISP DHCP Server
   provides the CPE with the IP Prefix so that the CPE can configure
   its Prefix Delegation.  To set the DNS(SEC) Naming Delegation, the
   ISP DHCP Server indicates the type of Naming Delegation Architecture
   agreed between the CPE and the ISP DHCP Server
   (DELEGATED_DNS_ARCHITECTURE).  In addition, the ISP DHCP Server
   provides the Delegated Domain (DELEGATED_DOMAIN) as well as the IP
   addresses and FQDNs of the Front End Delegating DNS Servers
   (FRONT_END_DELEGATING_INFO).  These pieces of information are
   necessary to configure the zone file of the Home Network.  In fact,
   the zone file MUST be configured with the Front End Delegating
   Servers as the authoritative servers.
   In addition, the ISP DHCP Server may also provide the IP addresses
   or subnet prefixes of the Delegating Authorized Resolvers
   (DELEGATING_AUTH_RESOLVERS).  These Resolvers are the only hosts
   supposed to send DNS queries to the CPE.  DNS queries from any other
   IP address MUST be discarded.

   Upon receiving these pieces of information, the Front End Delegating
   Server and the Back End Delegated Server configure their Zones.  In
   addition, the CPE also configures its Firewall so as to discard any
   DNS queries other than those sent from the Delegating Authorized
   Resolvers.

   <--------- Home Network ---------->   <--------- ISP --------->
   +--------+  +---------------------+   +-----------------------+
   | Host 1 +--+         CPE         |   |       ISP DHCP        |
   +--------+  +----------+----------+   +-----------------------+
       .       | DHCP_SRV | DHCP_CLT |   |                       |
       .       |    v     |    |     |   |                       |
       .       |    v     | DHCP Request --------------------->  |
       .       |    v     | DELEGATED_DNS_ARCHITECTURE,          |
       .       +----------| DELEGATED_DNS_ADDR_INFO,             |
       .       | DNS_SRV  | ORO(IA_PD) [DS]                      |
       .       +----------|          |   |                       |
       .       |    ^     | <------------------- DHCP Reply      |
       .       |    ^     | DELEGATED_DNS_ARCHITECTURE,          |
       .       |    < < < DHCP_CLT DELEGATED_DOMAIN, IA_PD,      |
       .       |    v     | FRONT_END_DELEGATING_INFO,           |
   +--------+  +----------+ DELEGATING_AUTH_RESOLVERS,           |
   | Host n +--| FIREWALL |          |   |                       |
   +--------+  +----------+----------+   +-----------------------+

           Figure 2: Front End Naming Delegation Architecture

4.4.  Difference between the Front End Delegating DNS Server and
      traditional DNS Recursive DNS Server

   From Figure 1, one may liken the Front End Delegating DNS Server to
   a Recursive DNS Resolver.  The main differences are:

   -  1.  The Front End Delegating DNS Server only performs Resolution
      for the FQDNs that are hosted on one of the Back End Delegated
      DNS Servers.

   -  2.  The Back End Delegated DNS Servers are not Public DNS.
      More specifically, the Delegated DNS Server may have a public IP
      address, but the DNS Service is not provided to any Resolver
      other than the authorized Resolvers.

   As a result, the Front End Delegating DNS Server operates in a mixed
   mode between an Authoritative and a Recursive DNS Server.  As an
   Authoritative Server, the Response [4] in Figure 1 MUST have the
   Authoritative Answer (AA) bit set, which indicates that the Response
   comes from an Authoritative Server.  Then, the Resolution [2] and
   [3] in Figure 1 MUST be processed even if the Recursion Desired (RD)
   bit is not set in the DNS query [1].

   It is also recommended that the Front End Delegating DNS Server
   provides the AUTHORITY and ADDITIONAL Sections of the Response in
   [4] without considering the sections of [3].  In other words, it is
   recommended not to forward these sections from [3], and the CPE
   should be configured not to provide these sections in [3].

4.5.  How the Front End Configuration impacts the CPE

   Figure 2 shows that the ISP DHCP Server provides the IP addresses of
   the Front End Delegating DNS Server as well as the Name of the Front
   End Delegating DNS Server.  This is the information that the Back
   End Delegated DNS Server MUST put in its Zone file, more
   specifically in the NS records.

   Figure 2 also shows that the ISP DHCP Server provides the CPE with
   the IP addresses or subnet prefixes of the Delegating Authorized
   Resolvers.  These are the IP addresses authorized to send DNS
   queries that should not be discarded on the WAN Interface.  Any
   other DNS query on the WAN should be discarded.  These rules are set
   by the Firewall, as represented in Figure 2.

   The Firewall rules do not prevent the CPE from being a DNS forwarder
   or a DNS Resolver for the hosts of the Home Network.  In fact, the
   CPE can still receive DNS queries from the LAN Interface.  The issue
   is that the CPE may provide multiple DNS Services.
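   The WAN/LAN DNS filtering just described, as an added Python
   illustration that is not part of the draft.  The interface names,
   the prefixes and the generated ip6tables rule text are assumptions,
   since the draft does not specify how the CPE Firewall is implemented;
   the policy is replaced as a whole whenever a new
   DELEGATING_AUTH_RESOLVERS set arrives (Section 5.3).

```python
"""CPE DNS firewall policy of Sections 4.3 and 4.5: on the WAN interface,
DNS queries are accepted only from the Delegating Authorized Resolvers
(DELEGATING_AUTH_RESOLVERS addresses or prefixes); on the LAN interface,
the Home Network hosts may still use the CPE as forwarder or resolver.
Added illustration, not draft or vendor code; the interface names, the
sample prefixes and the ip6tables rule text are constructed assumptions."""
import ipaddress
from typing import Iterable, List

WAN_IF, LAN_IF = "wan0", "br-lan"      # constructed interface names
DNS_PORT = 53


class DnsFirewallPolicy:
    def __init__(self, authorized: Iterable[str]):
        self.authorized: List[ipaddress.IPv6Network] = []
        self.update(authorized)

    def update(self, authorized: Iterable[str]) -> None:
        """Replace the whole set, as on a fresh DHCP Reply (Section 5.3)."""
        nets = []
        for entry in authorized:
            # strict=False keeps host bits, so both addresses and prefixes work
            net = ipaddress.ip_network(entry, strict=False)
            if net.version != 6:
                raise ValueError("only IPv6 is considered in this document")
            nets.append(net)
        self.authorized = nets

    def accepts(self, iface: str, src: str, dport: int) -> bool:
        """Decision for one inbound packet (interface, source, dest port)."""
        if dport != DNS_PORT:
            return True          # not a DNS query, outside this policy
        if iface == LAN_IF:
            return True          # Home Network hosts may query the CPE
        if iface == WAN_IF:
            addr = ipaddress.ip_address(src)
            return addr.version == 6 and any(addr in n for n in self.authorized)
        return False             # unknown interface: discard

    def ip6tables_rules(self) -> List[str]:
        """Equivalent rule set for an ip6tables-based CPE: one ACCEPT per
        authorized prefix, then a final DROP for any other WAN DNS query."""
        rules = []
        for n in self.authorized:
            for proto in ("udp", "tcp"):
                rules.append(f"ip6tables -A INPUT -i {WAN_IF} -p {proto} "
                             f"--dport {DNS_PORT} -s {n.with_prefixlen} -j ACCEPT")
        for proto in ("udp", "tcp"):
            rules.append(f"ip6tables -A INPUT -i {WAN_IF} -p {proto} "
                         f"--dport {DNS_PORT} -j DROP")
        return rules


if __name__ == "__main__":
    policy = DnsFirewallPolicy(["2001:db8:ff::/48"])   # constructed prefix
    print("\n".join(policy.ip6tables_rules()))
```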
   In this document, we consider that the CPE provides at least an
   Authoritative DNS Server on its WAN Interface for the Delegating
   Authorized Resolvers.  For the LAN Interface, the CPE may be
   configured in various ways, depending on the ISP DNS Infrastructure.
   A first configuration consists of configuring the CPE LAN DNS
   Service as a DNS forwarder.  In that case, the CPE DHCP server of
   the Home Network provides an IP address of the CPE as the DNS
   Resolver.  DNS queries for the Home Network are answered by the CPE,
   and others are forwarded to the Resolver of the ISP.  This resolver
   is provided via DHCP.  Another alternative consists of configuring
   the CPE as a Recursive DNS Server.  Without any specific
   configuration, DNS queries for the Home Network are sent to the
   Front End Delegating DNS Server.  Optimizations that bypass the
   Front End Delegating DNS Server for the Home Network Zone are
   possible and are CPE or software implementation specific.

5.  Protocol Exchange

5.1.  CPE Request Creation and Transmission for the Front End Naming
      Delegation Architecture

   When the CPE wants to set up a Front End Naming Delegation
   Architecture, it requests this setup from the ISP DHCP Server.  For
   that purpose, we define two new naming-delegation-actions:
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNS when the delegation is only
   performed with DNS, or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC
   if the CPE wants a DNSSEC delegation.  These
   naming-delegation-actions are carried in the Delegated DNS
   Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE).  Then,
   the CPE proceeds as described in [I-D.mglt-naming-delegation].

5.2.  ISP DHCP Server Responding to the CPE Request for the Front End
      Naming Delegation Architecture

   When the DHCP Server receives a Delegated DNS Architecture DHCP
   Option (OPTION_DELEGATED_DNS_ARCHITECTURE), a Delegated DNS Address
   Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO) or a
   Delegation of Signing DHCP Option (OPTION_DS), the DHCP Server
   proceeds as described in [I-D.mglt-naming-delegation].

   In addition, when the naming-delegation-action is set to
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNS or
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC, the DHCP Server MUST
   include two additional DHCP Options in the Response.  The first is
   the Front End Delegating Information DHCP Option
   (OPTION_FRONT_END_DELEGATING_INFO), which indicates the FQDNs of the
   Front End Delegating Servers and their associated IP addresses.  The
   DHCP Server also MUST include the Delegating Authorized Resolvers
   DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS), which indicates the
   IP addresses or subnet prefixes of the Delegating Authorized
   Resolvers.

   Note that the Naming Delegation is set differently for the Front End
   Naming Delegation Architecture and for the Naming Delegation
   Architecture.  More specifically, in the Front End Naming
   Delegation, the ISP DHCP Server MUST NOT make the IP address of the
   Delegated DNS Server public in its zone file.

5.3.  CPE Receiving the ISP DHCP Response for the Front End Naming
      Delegation Architecture

   Similarly to [I-D.mglt-naming-delegation], if the CPE has not
   received all expected DHCP Options, or cannot proceed with the
   configuration of the Naming Delegation Architecture, it MUST either
   clear the Naming Delegation settings or proceed with the appropriate
   settings.

   When the CPE receives the Delegating Authorized Resolvers DHCP
   Option (OPTION_DELEGATING_AUTH_RESOLVERS), the CPE may update its
   Firewall rules.
   The Front End Delegating Information DHCP Option
   (OPTION_FRONT_END_DELEGATING_INFO) is used to configure the DNS zone
   of the Home Network.

   The CPE may receive the Delegating Authorized Resolvers or the Front
   End Delegating Information DHCP Option from the ISP DHCP Server when
   they are not the response to a Delegated DNS Architecture DHCP
   Option.

   This may happen if the ISP DHCP Server is updating or modifying its
   Front End Delegating DNS Servers or the associated Delegating
   Authorized Resolvers.  In that case, the CPE MUST make sure the
   message comes from the ISP DHCP Server, and then updates its
   Firewall rules as well as its DNS zone file.

6.  DHCP Options

   The options detailed in this section are:

   -  Delegated DNS Architecture (OPTION_DELEGATED_DNS_ARCHITECTURE):
      used by the DHCP Client on the CPE to indicate how the Naming
      Delegation Architecture should be configured.  In return, it is
      used by the ISP DHCP Server to report the Status Code.

   -  Front End Delegating Information DHCP Option
      (OPTION_FRONT_END_DELEGATING_INFO): used by the ISP DHCP Server
      to provide the CPE with the FQDNs and IP addresses of the
      Authoritative DNS Servers of the Home Network Zone file.  These
      Authoritative DNS Servers are the Front End DNS Servers.

   -  Delegating Authorized Resolvers DHCP Option
      (OPTION_DELEGATING_AUTH_RESOLVERS): used by the DHCP Server to
      provide the CPE with the IP addresses or subnet prefixes of the
      Delegating Authorized Resolvers.  These are the resolvers
      authorized to send DNS(SEC) queries.

6.1.  Delegated DNS Architecture Option

   The Delegated DNS Architecture DHCP Option is defined in
   [I-D.mglt-naming-delegation].
   This document adds two new naming-delegation-actions, defined below:

   -  SET_FRONT_END_NAMING_DELEGATION_WITH_DNS - 2 - : Indicates that
      the DHCP Server MUST set the Front End Naming Delegation
      Architecture with only DNS, and MUST NOT consider DNSSEC
      Delegation.

   -  SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC - 3 - : Indicates
      that the DHCP Server MUST set the Front End Naming Delegation
      Architecture with DNSSEC.

6.2.  Front End Delegating Information Option

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | OPT_FRONT_END_DELEGATING_INFO |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       front-end-length        |     front-end-fqdn-length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                   front-end-delegating-fqdn                   /
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                         ipv6-address                          |
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                         ipv6-address                          |
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   -  option-code: OPT_FRONT_END_DELEGATING_INFO (16 bits)

   -  option-len: Length (16 bits) of the Front End Delegating
      Information Option in octets.

   -  front-end-length: Length (16 bits) of the Front End Delegating
      Server entry.

   -  front-end-fqdn-length: Length (16 bits) of the Front End
      Delegating Server FQDN.

   -  ipv6-address: IPv6 Address (128 bits).

6.3.  Delegating Authorized Resolvers Option

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |OPTION_DELEGATED_AUTH_RESOLVERS|          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | prefix-length |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                                                               |
   |                          ipv6-prefix                          |
   |                                                               |
   |               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               | prefix-length |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   /                          ipv6-prefix                          /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   -  option-code: OPTION_DELEGATED_AUTH_RESOLVERS (16 bits)

   -  option-len: Length (16 bits) of the Delegating Authorized
      Resolvers Option in octets.

   -  prefix-length: Length (8 bits) of this prefix, in bits.

   -  ipv6-prefix: IPv6 address or IPv6 prefix used by the
      authoritative DNS server to send DNS queries to the delegated
      domain name.

7.  IANA Considerations

   This document adds two new DHCP Options:

   -  OPTION_FRONT_END_DELEGATING_INFO: TBD

   -  OPTION_DELEGATING_AUTH_RESOLVERS: TBD

8.  Security Considerations

   This document addresses the DoS security issue of
   [I-D.mglt-naming-delegation].  Other security considerations remain
   as described in [I-D.mglt-naming-delegation].

9.  Acknowledgment

   The authors wish to thank Ole Troan for pointing out issues with the
   IPv6 routed home concept and placing the scope of this document in a
   wider picture, Mark Townsley for encouragement and injecting a
   healthy debate on the merits of the idea, Ulrik de Bie for providing
   alternative solutions, Paul Mockapetris for pointing out issues of
   the trustworthiness of a reverse lookup, and Christian Jacquenet for
   seeing the value from a Service Provider point of view.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

10.2.  Informational References

   [I-D.mglt-naming-delegation]
              Cloetens, W., Lemordant, P., and D. Migault, "IPv6 Home
              Network Naming Delegation Architecture",
              draft-mglt-naming-delegation-00 (work in progress),
              July 2012.

Authors' Addresses

   Wouter Cloetens
   SoftAtHome
   vaartdijk 3 701
   3018 Wijgmaal
   Belgium

   Phone:
   Email: wouter.cloetens@softathome.com


   Philippe Lemordant
   Francetelecom - Orange
   2 avenue Pierre Marzin
   22300 Lannion
   France

   Phone: +33 2 96 05 35 11
   Email: philippe.lemordant@orange.com


   Daniel Migault
   Francetelecom - Orange
   38 rue du General Leclerc
   92794 Issy-les-Moulineaux Cedex 9
   France

   Phone: +33 1 45 29 60 52
   Email: mglt.ietf@gmail.com
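   The option layouts of Sections 6.2 and 6.3, as an added Python
   encoder and decoder that is not code from the draft.  The draft
   leaves the option codes (TBD), the FQDN encoding and the exact
   meaning of front-end-length open, so this example assumes the
   placeholder codes 65001 and 65002, an ASCII FQDN, a front-end-length
   that counts the octets following it, and an ipv6-prefix of
   ceil(prefix-length / 8) octets.

```python
"""Encoder and decoder for the two DHCPv6 options of Sections 6.2 and
6.3.  Added illustration, not code from the draft.  Assumptions the
draft leaves open: the option codes are placeholders (IANA: TBD); the
FQDN is carried as ASCII text; front-end-length counts the octets of
the entry that follow it (fqdn-length field, FQDN and addresses); an
ipv6-prefix occupies ceil(prefix-length / 8) octets."""
import ipaddress
import struct
from typing import Callable, List, Tuple

OPTION_FRONT_END_DELEGATING_INFO = 65001   # placeholder code, TBD in the draft
OPTION_DELEGATING_AUTH_RESOLVERS = 65002   # placeholder code, TBD in the draft

FrontEnd = Tuple[str, List[str]]           # (fqdn, [IPv6 address, ...])


def _option_body(data: bytes, expected_code: int) -> bytes:
    """Validate the common DHCPv6 option header and return the payload."""
    if len(data) < 4:
        raise ValueError("option shorter than its header")
    code, length = struct.unpack("!HH", data[:4])
    if code != expected_code or len(data) != 4 + length:
        raise ValueError("bad option code or option-len")
    return data[4:]


def encode_front_end_info(servers: List[FrontEnd]) -> bytes:
    body = b""
    for fqdn, addrs in servers:
        name = fqdn.encode("ascii")
        packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
        entry = struct.pack("!H", len(name)) + name + packed
        body += struct.pack("!H", len(entry)) + entry   # front-end-length
    return struct.pack("!HH", OPTION_FRONT_END_DELEGATING_INFO, len(body)) + body


def decode_front_end_info(data: bytes) -> List[FrontEnd]:
    body = _option_body(data, OPTION_FRONT_END_DELEGATING_INFO)
    servers, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated front-end-length")
        (entry_len,) = struct.unpack("!H", body[pos:pos + 2])
        entry = body[pos + 2:pos + 2 + entry_len]
        if len(entry) != entry_len or entry_len < 2:
            raise ValueError("truncated front-end entry")
        (fqdn_len,) = struct.unpack("!H", entry[:2])
        name, rest = entry[2:2 + fqdn_len], entry[2 + fqdn_len:]
        if len(name) != fqdn_len or len(rest) % 16:
            raise ValueError("malformed front-end entry")
        addrs = [str(ipaddress.IPv6Address(rest[i:i + 16]))
                 for i in range(0, len(rest), 16)]
        servers.append((name.decode("ascii"), addrs))
        pos += 2 + entry_len
    return servers


def encode_auth_resolvers(prefixes: List[str]) -> bytes:
    body = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)   # a bare address is /128
        nbytes = (net.prefixlen + 7) // 8
        body += struct.pack("!B", net.prefixlen) + net.network_address.packed[:nbytes]
    return struct.pack("!HH", OPTION_DELEGATING_AUTH_RESOLVERS, len(body)) + body


def decode_auth_resolvers(data: bytes) -> List[str]:
    body = _option_body(data, OPTION_DELEGATING_AUTH_RESOLVERS)
    prefixes, pos = [], 0
    while pos < len(body):
        plen = body[pos]
        if plen > 128:
            raise ValueError("prefix-length above 128")
        nbytes = (plen + 7) // 8
        raw = body[pos + 1:pos + 1 + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated ipv6-prefix")
        addr = ipaddress.IPv6Address(raw + b"\x00" * (16 - nbytes))
        # strict=False masks any stray host bits inside the last octet.
        prefixes.append(str(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)))
        pos += 1 + nbytes
    return prefixes


def rejects(decoder: Callable[[bytes], object], data: bytes) -> bool:
    """True if `decoder` refuses `data` (raises ValueError), the check a
    CPE should make before touching its zone file or firewall."""
    try:
        decoder(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decode_auth_resolvers(encode_auth_resolvers(["2001:db8:ff::/48"])))
```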