HOMENET                                                      W. Cloetens
Internet-Draft                                                SoftAtHome
Intended status: Standards Track                            P. Lemordant
Expires: December 31, 2012                               D. Migault (Ed)
                                                  Francetelecom - Orange
                                                               July 2012


              IPv6 Home Network Front End Naming Delegation
           draft-mglt-homenet-front-end-naming-delegation-00.txt

Abstract

   This document proposes a Naming Delegation Architecture that makes it
   possible for End Users to reach the hosts or services of their Home
   Network using Names instead of IP addresses.

   This document shows how the Naming Delegation between the CPE and the
   ISP can be set so that the CPE is not exposed on the Internet.  It
   describes a Naming Architecture where ISPs provide Front End
   Delegating DNS Servers whereas the CPEs constitute a Back End Network
   of Delegated DNS Servers.  All DNS queries for any Home Network are
   addressed to the Front End Delegating DNS Server.  The response is
   expected to be stored on a CPE, and the Front End Delegating DNS
   Server sends a DNS Query to that CPE before answering the initial DNS
   query.

   The negotiation between the CPE and the ISP uses DHCP Options.  This
   document provides options so that the Front End Delegating and the
   Delegated DNS Servers can configure their respective Zone files and
   so that CPEs restrict access and protect themselves from unauthorized
   DNS Queries.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 31, 2012.
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  Terminology
   4.  Front End Naming Delegation Architecture Overview
     4.1.  Home Network Naming Architecture Requirements
     4.2.  Front End Naming Delegation Architecture Description
     4.3.  Front End Naming Delegation Configuration
     4.4.  Difference between the Front End Delegating DNS Server and a
           traditional Recursive DNS Server
     4.5.  How the Front End Configuration impacts the CPE
   5.  Protocol Exchange
     5.1.  CPE Request Creation and Transmission for the Front End
           Naming Delegation Architecture
     5.2.  ISP DHCP Server Responding to the CPE Request for the Front
           End Naming Delegation Architecture
     5.3.  CPE Receiving the ISP DHCP Response for the Front End Naming
           Delegation Architecture
   6.  DHCP Options
     6.1.  Delegated DNS Architecture Option
     6.2.  Front End Delegating Information Option
     6.3.  Delegating Authorized Resolvers Option
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgment
   10. References
     10.1.  Normative References
     10.2.  Informational References
   Authors' Addresses

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   [I-D.mglt-homenet-naming-delegation] describes the Naming Delegation
   Architecture that makes it possible for the Services and Objects of a
   Home Network to be globally reachable by Name on the Internet.  For
   that purpose, the Customer Premises Equipment (CPE) hosts the
   authoritative DNS Server of the Home Network.  The zone associated
   with the Home Network ("my-homenet") is a subzone of a zone managed
   by the ISP ("example.").  This zone is attached to the global DNS
   Architecture.  Because the ISP delegates the Naming service to the
   CPE, we call the DNS server responsible for "example." the
   Delegating DNS Server, and the DNS server responsible for
   "my-homenet.example." the Delegated DNS Server.  The Delegated DNS
   Server runs on the CPE, and [I-D.mglt-homenet-naming-delegation]
   describes how the CPE can automatically set the Naming Delegation
   between the Delegated and the Delegating DNS Server.
   The pieces of information necessary to configure the respective DNS
   Zones are exchanged between the DHCP client of the CPE and the ISP
   DHCP Server through DHCP Options.

   The Naming Delegation Architecture [I-D.mglt-homenet-naming-
   delegation] results in a CPE hosting a Service on the Internet.  CPEs
   have not been designed for heavy load and, as a result, the
   delegation exposes the Home Network to potential Denial of Service
   (DoS) attacks.  The Front End Naming Delegation Architecture proposed
   in this document is an alternative to the Naming Delegation
   Architecture [I-D.mglt-homenet-naming-delegation] where the ISP
   provides Front End Delegating Servers that handle the whole DNS
   traffic.  The CPE remains responsible for the zone
   "my-homenet.example.", but only responds to DNS queries sent by the
   Front End Delegating Servers.  For this reason we call the CPE
   Delegated DNS Server the Back End Delegated DNS Server.

   The Front End Naming Delegation Architecture can be seen as providing
   one Authoritative DNS Server for all the Home Networks: the Front End
   Delegating DNS Server.  However, this Authoritative Server
   distributes the Zone data between multiple nodes (the CPEs), which
   constitute the Back End Network.  The Front End Delegating DNS Server
   receives DNS queries from the Internet and, to respond, must retrieve
   the information from the CPE hosting it.  In this document, the Front
   End Delegating DNS Server uses the DNS protocol to retrieve this
   information from the CPE.  Other protocols could have been chosen.

   The Front End Naming Delegation Architecture is based on the Naming
   Delegation Architecture [I-D.mglt-homenet-naming-delegation] and
   addresses the same requirements.  It addresses the Denial of Service
   security issue.  On the other hand, it requires the ISP to provide an
   adapted infrastructure, and all DNS traffic is (at least partly)
   handled by the ISP.  The document shows how the CPE can be configured
   automatically to be part of the Front End Naming Delegation
   Architecture.

   In this document we only consider IPv6 and DHCP.  As such, DHCP MUST
   be understood as DHCPv6.  We also assume the reader has read
   [I-D.mglt-homenet-naming-delegation].

3.  Terminology

   This document uses the terminology defined in [I-D.mglt-homenet-
   naming-delegation], and introduces the following terminology:

   -  Front End Delegating DNS Server or Delegating DNS Server: The DNS
      Server of the ISP that handles the DNS queries addressed to the
      Home Network.

   -  Back End Delegated DNS Server or Delegated DNS Server: The DNS
      Server hosted on the CPE, authoritative for the Home Network zone.

   -  Front End Delegating Information: Information such as the FQDNs
      and IP addresses of the Front End Delegating DNS Servers.  These
      pieces of information are provided by the ISP DHCP Server to the
      CPE so that it can properly configure its DNS zone file.

   -  Delegating Authorized Resolvers: The hosts that are authorized to
      send DNS queries to the CPE.  These Resolvers can be the Front End
      Delegating DNS Servers, but we keep these functions independent
      since some ISPs may use dedicated interfaces for the Front End
      Delegating DNS Server and for the Delegating Authorized Resolvers.

4.  Front End Naming Delegation Architecture Overview

4.1.  Home Network Naming Architecture Requirements

   The Home Network Naming Requirements for the Naming Delegation listed
   in [I-D.mglt-homenet-naming-delegation] are:

   -  1: Centralized Naming Configuration: The CPE is responsible for
      binding Names and IP addresses for the whole Home Network.

   -  2: Automatic Configuration: The CPE MUST be able to set up the
      Naming architecture when plugged in, with minimum configuration
      from the End User.

   -  3: Advanced Configuration enabled: The CPE enables advanced,
      specific configurations.

   -  4: Privacy Protection By Design: The Names and the Home Network IP
      address plan are administered by the CPE and are not communicated
      to the ISP.  This prevents the ISP from being aware of the hosts,
      Services and Objects that compose the Home Network.

   -  5: Make the Home Network Naming Architecture Scalable: The Naming
      Architecture MUST be scalable and designed to handle a large
      increase in Objects, Services and hosts in each Home Network.

   The Naming Delegation Architecture fulfills these requirements, and
   we consider it the base architecture.  However, its major drawback is
   that the CPE hosts the Delegated DNS Server.  CPEs are usually not
   designed to handle heavy traffic, and thus are sensitive to DoS
   attacks.  The Front End Naming Delegation Architecture adds one
   requirement to the Naming Delegation Architecture [I-D.mglt-homenet-
   naming-delegation]:

   -  6: ISP Infrastructure MUST protect the Naming Architecture: The
      CPE MUST NOT expose the Home Network Naming service to DoS
      attacks.  The ISP MUST be able to provide the necessary
      infrastructure that handles DoS attacks or heavy loads.

   In order to meet Requirement 6, the Front End Naming Delegation
   Architecture introduces Front End Delegating DNS Servers that handle
   all DNS traffic.  This means that all DNS queries that concern the
   Home Network are addressed to the Front End Delegating DNS Server of
   the ISP and are not addressed to the CPE.  CPEs belong to the Back
   End DNS Network.

   The Front End Naming Delegation Architecture fulfills all the above
   Requirements.  However, Requirement 4 needs to be balanced against
   Requirement 6.  Requirement 6 requires the ISP to handle all DNS
   queries that concern the Home Network.
   This makes the ISP aware of all queried Services, Objects and hosts
   in the Home Network.  This may, in that sense, reduce the Privacy of
   the Home Network compared to the Naming Delegation Architecture.  In
   fact, with the Naming Delegation Architecture, the DNS query is sent
   directly to the CPE when the DNS client has the IP address of the CPE
   in its cache.  In that case, the ISP is not aware of the existence of
   the queried FQDN.  However, if the DNS client does not have the IP
   address of the CPE, then the DNS query is sent first to the ISP
   Delegating Server.  In this latter case, the Front End Naming
   Delegation Architecture does not provide less privacy.

4.2.  Front End Naming Delegation Architecture Description

   Figure 1 shows how the Resolution is performed.  In [1], the Resolver
   sends a DNS query to the Front End Delegating Server for the host
   "host1.my-homenet.example.".  The Front End Delegating Server does
   not have the response in its cache or in its zone file.  The Front
   End Delegating DNS Server MUST send a query to the Back End Delegated
   DNS Server.  The IP address of the Back End Delegated DNS Server MUST
   NOT be revealed to the Resolver, for example through NS or glue
   records in the DNS Zone File.  In Figure 1, we show the Delegated
   Server Information Database where this IP address is stored.  The
   Front End Delegating Server sends the DNS(SEC) query to the Back End
   Delegated Server hosting the zone "my-homenet.example.".  The source
   IP address used is one of the Delegating Authorized Resolvers' IP
   addresses.  This query is represented in [2].  The Back End Delegated
   Server responds in [3] with the DNS(SEC) Response.  Note that the
   "AUTHORITY" and "ADDITIONAL" sections of the DNS response MUST
   indicate the FQDN and the IP addresses of the Front End Delegating
   DNS Server.  These pieces of information have been provided by the
   ISP DHCP Server with the Front End Delegating Information DHCP
   Option.  The CPE can also be configured to respond without these
   sections.  Finally in [4], the Front End Delegating Server forwards
   the DNS(SEC) response to the Resolver.  The "AUTHORITY" and
   "ADDITIONAL" sections MUST be filled in appropriately.

   +------------------------+ [1] DNS Query                      +---+
   | ZONE "example.":       | host1.my-homenet.example. AAAA     | R |
   | Front End Delegating   | <--------------------------------- | E |
   | Servers                | [4] DNS Response:                  | S |
   | +--------------------+ | host1.my-homenet.example. AAAA IP6 | O |
   | | Delegated Server   | | [host1.my-homenet.example.         | L |
   | | Info Database      | |  RRSIG [...] ]                     | V |
   | +--------------------+ | ---------------------------------> | E |
   +-----+------------------+                                    | R |
         |   [2] DNS Query                    ^                 +---+
         |   host1.my-homenet.example. AAAA   |
         |                                    |  [3] DNS Response:
         |                                    |  host1.my-homenet.example. AAAA IP6
         v                                    |  [host1.my-homenet.example.
                                              |   RRSIG [...] ]
   +-----------------------------+
   | CPE                         |
   | Back End Delegated Server   |
   | ZONE "my-homenet.example."  |
   | IP6 DELEGATED_DNS_ADDR_INFO |
   +-----------------------------+
          |                  |
   +------------+     +------------+
   |   Host 1   |     |   Host n   |
   +------------+     +------------+

        Figure 1: DNS Resolution with the Home Network Front End Naming
                          Delegation Architecture

4.3.  Front End Naming Delegation Configuration

   Figure 2 describes the interactions between the CPE and the ISP DHCP
   Server.

   Similarly to [I-D.mglt-homenet-naming-delegation], the CPE hosts a
   DHCP Server (DHCP_SRV) that is used to assign IP addresses and FQDNs
   to the Hosts of the Home Network.  In this document we consider DHCP,
   but other protocols can also be used in combination with DHCP or
   instead of DHCP.  The CPE also has a DHCP Client (DHCP_CLT) that is
   used to exchange information with the ISP DHCP Server.  This document
   describes how these exchanges properly configure the Front End Naming
   Delegation Architecture.  The CPE also hosts an Authoritative DNS
   Server (DNS_SRV) that is responsible for the subzone associated with
   the Home Network.  This Authoritative DNS Server is called the Back
   End Delegated Server.  Finally, the CPE also has a Firewall
   (FIREWALL) that can be configured with security policies.  In this
   document, the CPE is not expected to receive DNS queries from any
   peer other than the Front End Delegating DNS Servers, which are in
   the ISP Network.

   In Figure 2, the CPE sends a DHCP Request for a Front End Naming
   Delegation Architecture (DELEGATED_DNS_ARCHITECTURE).  Similarly to
   the Naming Delegation Architecture, the CPE provides the necessary
   information so that the ISP can derive the IP address of the Back End
   Delegated DNS Server (DELEGATED_DNS_ADDR_INFO).  If the CPE wants a
   DNSSEC Delegation to be set, it also provides the Delegation Signer
   (DS) information.  In our case, the CPE also sends a request for a
   Prefix Delegation (IA_PD).

   Unlike in [I-D.mglt-homenet-naming-delegation], the IP address of the
   Back End Delegated DNS Server is not mentioned in the Zone file of
   the Front End Delegating DNS Server.  In this document, the Back End
   Delegated DNS Server is not expected to receive any DNS query from
   anyone but the Front End Delegating DNS Server.  For DNS Resolvers,
   the only Authoritative DNS Server they are aware of is the Front End
   Delegating DNS Server.

   Similarly to [I-D.mglt-homenet-naming-delegation], the ISP DHCP
   Server provides the CPE the IP Prefix so that the CPE can configure
   its Prefix Delegation.  To set the DNS(SEC) Naming Delegation, the
   ISP DHCP Server indicates the type of Naming Delegation Architecture
   agreed between the CPE and the ISP DHCP Server
   (DELEGATED_DNS_ARCHITECTURE).
   In addition, the ISP DHCP Server provides the Delegated Domain
   (DELEGATED_DOMAIN) as well as the IP addresses and FQDNs of the Front
   End Delegating DNS Servers (FRONT_END_DELEGATING_INFO).  These pieces
   of information are necessary to configure the zone file of the Home
   Network.  In fact, the zone file MUST be configured with the Front
   End Delegating Servers as the authoritative servers.  The ISP DHCP
   Server also provides the IP addresses or subnet prefixes of the
   Delegating Authorized Resolvers (DELEGATING_AUTH_RESOLVERS).  These
   Resolvers are the only hosts supposed to send DNS queries to the CPE.
   DNS queries from any other IP address MUST be discarded.

   Upon receiving these pieces of information, the Front End Delegating
   Server and the Back End Delegated Server configure their Zones.  In
   addition, the CPE also configures its Firewall so as to discard any
   DNS queries but those emitted from the Delegating Authorized
   Resolvers.

   <--------- Home Network ---------->       <--------- ISP --------->
   +--------+   +---------------------+   +-----------------------+
   | Host 1 +---+ CPE                 |   | ISP DHCP              |
   +--------+   +----------+----------+   +-----------------------+
       .        | DHCP_SRV | DHCP_CLT |   |                       |
       .        |    v     |    |     |   |                       |
       .        |    v     |    | DHCP Request ------------------>|
       .        |    v     |    | DELEGATED_DNS_ARCHITECTURE,     |
       .        +----------|    | DELEGATED_DNS_ADDR_INFO,        |
       .        | DNS_SRV  |    | ORO(IA_PD) [DS]                 |
       .        +----------|    |     |   |                       |
       .        |    ^     |    | <---------------- DHCP Reply    |
       .        |    ^     |    | DELEGATED_DNS_ARCHITECTURE,     |
       .        |    < < < DHCP_CLT  DELEGATED_DOMAIN, IA_PD,     |
       .        |    v     |    | FRONT_END_DELEGATING_INFO,      |
   +--------+   +----------+    | DELEGATING_AUTH_RESOLVERS,      |
   | Host n +---| FIREWALL |    |     |   |                       |
   +--------+   +----------+----------+   +-----------------------+

              Figure 2: Front End Naming Delegation Architecture

4.4.  Difference between the Front End Delegating DNS Server and a
      traditional Recursive DNS Server

   From Figure 1, one may assimilate the Front End Delegating DNS Server
   to a Recursive DNS Resolver.  The main differences are:

   -  1.  The Front End Delegating DNS Server only performs Resolution
      for the FQDNs that are hosted on one of the Back End Delegated DNS
      Servers.

   -  2.  The Back End Delegated DNS Servers are not public DNS servers.
      More specifically, the Delegated DNS Server may have a public IP
      address, but the DNS Service is not provided to any Resolver but
      the authorized Resolvers.

   As a result, the Front End Delegating DNS Server is a mixed mode
   between an Authoritative and a Recursive DNS Server.  As an
   Authoritative Server, the Response [4] in Figure 1 MUST have the
   Authoritative Answer (AA) bit set, which indicates the Response is
   from an Authoritative Server.  Then the Resolution [2] and [3] in
   Figure 1 MUST be processed even if the Recursion Desired (RD) bit is
   not set in the DNS query [1].

   It is also recommended that the Front End Delegating DNS Server
   provides the Authority and Additional sections of the Response in [4]
   without considering the sections of [3].  In other words, it is
   recommended not to forward these sections from [3], and the CPE
   should be configured not to provide these sections in [3].

4.5.  How the Front End Configuration impacts the CPE

   Figure 2 shows that the ISP DHCP Server provides the IP addresses of
   the Front End Delegating DNS Servers as well as their Names.  These
   are the pieces of information the Back End Delegated DNS Server MUST
   put in its Zone file, more specifically in the NS records.

   Figure 2 also shows that the ISP DHCP Server provides the CPE the IP
   addresses or subnet prefixes of the Delegating Authorized Resolvers.
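   The resolution flow of Figure 1 and the rules of Sections 4.4 and
   4.5, as an added example that is not part of this draft: a Python
   model of a Front End Delegating Server and of a Back End Delegated
   Server (the CPE).  The zone, host names, addresses and the authorized
   prefix are constructed sample data, and only the behaviour is
   modelled, not the DNS wire format: the CPE discards any query whose
   source is outside DELEGATING_AUTH_RESOLVERS and, following the
   Section 4.4 recommendation, sends no AUTHORITY or ADDITIONAL section
   in [3]; the front end resolves only names held in its Delegated
   Server Info Database, queries the CPE whether or not RD was set, sets
   AA in [4], and fills AUTHORITY and ADDITIONAL with its own name and
   address rather than the CPE's.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data for the Figure 1 exchange; none of it comes from the draft.
HOME_ZONE = "my-homenet.example."
FRONT_END_NS = ("ns1.example.", "2001:db8:1::53")   # Front End Delegating DNS Server
AUTHORIZED_RESOLVERS = ["2001:db8:ff::/48"]        # DELEGATING_AUTH_RESOLVERS
RESOLVER_SRC_IP = "2001:db8:ff::53"                # source the front end queries the CPE from
CPE_RECORDS = {("host1.my-homenet.example.", "AAAA"): ["2001:db8:1234::10"]}


@dataclass
class DnsMessage:
    qname: str
    qtype: str
    rd: bool = False          # Recursion Desired, as set by the querying Resolver
    aa: bool = False          # Authoritative Answer
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


class BackEndDelegatedServer:
    """CPE: authoritative for the home zone, reachable only by the authorized resolvers."""

    def __init__(self, zone, records, authorized_prefixes):
        self.zone, self.records = zone, records
        self.allow = [ipaddress.IPv6Network(p) for p in authorized_prefixes]

    def handle(self, src_ip, query):
        # WAN firewall rule (Section 4.5): a query from any source outside
        # DELEGATING_AUTH_RESOLVERS is discarded; None models the dropped packet.
        if not any(ipaddress.IPv6Address(src_ip) in net for net in self.allow):
            return None
        if not in_zone(query.qname, self.zone):
            return DnsMessage(query.qname, query.qtype, rcode="REFUSED")
        rrs = self.records.get((query.qname, query.qtype))
        if rrs is None:
            return DnsMessage(query.qname, query.qtype, aa=True, rcode="NXDOMAIN")
        # Per the Section 4.4 recommendation the CPE sends no AUTHORITY/ADDITIONAL in [3].
        return DnsMessage(query.qname, query.qtype, aa=True,
                          answer=[(query.qname, query.qtype, rr) for rr in rrs])


class FrontEndDelegatingServer:
    """ISP: the only authoritative server Resolvers ever see for the home zones."""

    def __init__(self, ns_name, ns_addr, resolver_src_ip, delegated_db):
        self.ns_name, self.ns_addr, self.src_ip = ns_name, ns_addr, resolver_src_ip
        # Delegated Server Info Database: zone -> back end server; never published in DNS.
        self.db = delegated_db

    def resolve(self, query):
        # Difference 1 of Section 4.4: only names hosted on a Back End Delegated Server.
        zone = next((z for z in self.db if in_zone(query.qname, z)), None)
        if zone is None:
            return DnsMessage(query.qname, query.qtype, rd=query.rd, rcode="REFUSED")
        # [2]/[3]: fetched from the CPE whether or not the Resolver set RD.
        back = self.db[zone].handle(self.src_ip, DnsMessage(query.qname, query.qtype))
        if back is None:
            return DnsMessage(query.qname, query.qtype, rd=query.rd, rcode="SERVFAIL")
        # [4]: AA set; AUTHORITY/ADDITIONAL name the front end itself, never the CPE.
        authority = [(zone, "NS", self.ns_name)] if back.rcode == "NOERROR" else []
        additional = [(self.ns_name, "AAAA", self.ns_addr)] if authority else []
        return DnsMessage(query.qname, query.qtype, rd=query.rd, aa=True, rcode=back.rcode,
                          answer=back.answer, authority=authority, additional=additional)


def build_demo():
    """Wire the sample CPE and front end together; returns (front_end, cpe)."""
    cpe = BackEndDelegatedServer(HOME_ZONE, CPE_RECORDS, AUTHORIZED_RESOLVERS)
    front = FrontEndDelegatingServer(FRONT_END_NS[0], FRONT_END_NS[1],
                                     RESOLVER_SRC_IP, {HOME_ZONE: cpe})
    return front, cpe
```

   A direct query to the CPE from an address outside the authorized
   prefix returns None (dropped), while the same query relayed by the
   front end from RESOLVER_SRC_IP is answered with AA set and an NS
   record pointing at ns1.example., so the Resolver never learns the
   CPE's address.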
   These are the IP addresses authorized to send DNS queries that should
   not be discarded on the WAN interface.  Any other DNS query on the
   WAN should be discarded.  These rules are set by the Firewall as
   represented in Figure 2.

   The Firewall rules do not prevent the CPE from being a DNS forwarder
   or a DNS Resolver for the hosts of the Home Network.  In fact, the
   CPE can still receive DNS queries on the LAN interface.  The issue is
   that the CPE may provide multiple DNS Services.  In this document, we
   consider that the CPE provides at least an Authoritative DNS server
   on its WAN interface for the Delegating Authorized Resolvers.  For
   the LAN interface, the CPE may be configured in various ways,
   depending on the ISP DNS Infrastructure.  A first configuration
   consists in configuring the CPE LAN DNS Service as a DNS forwarder.
   In that case, the CPE DHCP server of the Home Network provides an IP
   address of the CPE as the DNS Resolver.  DNS queries for the Home
   Network are answered by the CPE; others are forwarded to the Resolver
   of the ISP.  This resolver is provided via DHCP.  Another alternative
   consists in configuring the CPE as a Recursive DNS Server.  Without
   any specific configuration, DNS queries for the Home Network are sent
   to the Front End Delegating DNS Server.  Optimizations may be done to
   bypass the Front End Delegating DNS Server for the Home Network Zone;
   they are CPE or software implementation specific.

5.  Protocol Exchange

5.1.  CPE Request Creation and Transmission for the Front End Naming
      Delegation Architecture

   When the CPE wants to set up a Front End Naming Delegation
   Architecture, it requests this setup from the ISP DHCP Server.  For
   that purpose, we define two new naming-delegation-actions:
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNS when the delegation is only
   performed with DNS, or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC if
   the CPE wants a DNSSEC delegation.  These naming-delegation-actions
   are carried in the Delegated DNS Architecture DHCP Option
   (OPTION_DELEGATED_DNS_ARCHITECTURE).  Then, the CPE proceeds as
   described in [I-D.mglt-homenet-naming-delegation].

5.2.  ISP DHCP Server Responding to the CPE Request for the Front End
      Naming Delegation Architecture

   When the DHCP Server receives a Delegated DNS Architecture DHCP
   Option (OPTION_DELEGATED_DNS_ARCHITECTURE), a Delegated DNS Address
   Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO) or a
   Delegation Signer (DS) DHCP Option (OPTION_DS), the DHCP Server
   proceeds as described in [I-D.mglt-homenet-naming-delegation].

   In addition, when the naming-delegation-action is set to
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNS or
   SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC, the DHCP Server MUST
   include two additional DHCP Options in the Response: the Front End
   Delegating Information DHCP Option
   (OPTION_FRONT_END_DELEGATING_INFO), which indicates the FQDNs of the
   Front End Delegating Servers and their associated IP addresses, and
   the Delegating Authorized Resolvers DHCP Option
   (OPTION_DELEGATING_AUTH_RESOLVERS), which indicates the IP addresses
   or subnet prefixes of the Delegating Authorized Resolvers.

   Note that the Naming Delegation is set differently for the Front End
   Naming Delegation Architecture and for the Naming Delegation
   Architecture.  More specifically, in the Front End Naming Delegation
   Architecture, the ISP DHCP Server MUST NOT make the IP address of the
   Delegated DNS Server public in its zone file.

5.3.  CPE Receiving the ISP DHCP Response for the Front End Naming
      Delegation Architecture

   Similarly to [I-D.mglt-homenet-naming-delegation], if the CPE has not
   received all expected DHCP Options, or cannot proceed with the
   configuration of the Naming Delegation Architecture, it MUST either
   clear the Naming Delegation settings or proceed with the appropriate
   settings.

   When the CPE receives the Delegating Authorized Resolvers DHCP Option
   (OPTION_DELEGATING_AUTH_RESOLVERS), the CPE may update its Firewall
   rules.  The Front End Delegating Information DHCP Option
   (OPTION_FRONT_END_DELEGATING_INFO) is used to configure the DNS zone
   of the Home Network.

   The CPE may receive the Delegating Authorized Resolvers or the Front
   End Delegating Information DHCP Option from the ISP DHCP Server other
   than in response to a Delegated DNS Architecture DHCP Option.  This
   may happen if the ISP DHCP Server is updating or modifying its Front
   End Delegating DNS Servers or the associated Delegating Authorized
   Resolvers.  In that case, the CPE MUST make sure the message comes
   from the ISP DHCP Server before updating its Firewall rules and its
   DNS zone file, since an unauthenticated message accepted here would
   let a third party rewrite both the WAN allow list and the NS records
   of the Home Network zone.

6.  DHCP Options

   The options detailed in this section are:

   -  Delegated DNS Architecture Option
      (OPTION_DELEGATED_DNS_ARCHITECTURE): used by the DHCP Client on
      the CPE to indicate how the Naming Delegation Architecture should
      be configured.  In return, it is used by the ISP DHCP Server to
      report the Status Code.

   -  Front End Delegating Information DHCP Option
      (OPTION_FRONT_END_DELEGATING_INFO): used by the ISP DHCP Server to
      provide the CPE the FQDNs and IP addresses of the Authoritative
      DNS Servers of the Home Network Zone.  These Authoritative DNS
      Servers are the Front End Delegating DNS Servers.
   -  Delegating Authorized Resolvers DHCP Option
      (OPTION_DELEGATING_AUTH_RESOLVERS): used by the ISP DHCP Server to
      provide the CPE the IP addresses or subnet prefixes of the
      Delegating Authorized Resolvers.  These are the only resolvers
      authorized to send DNS(SEC) queries to the CPE.

6.1.  Delegated DNS Architecture Option

   The Delegated DNS Architecture DHCP Option is defined in
   [I-D.mglt-homenet-naming-delegation].  This document adds two new
   naming-delegation-actions, defined below:

   -  SET_FRONT_END_NAMING_DELEGATION_WITH_DNS (2): Indicates that the
      DHCP Server MUST set the Front End Naming Delegation Architecture
      with DNS only, and MUST NOT consider DNSSEC Delegation.

   -  SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC (3): Indicates that
      the DHCP Server MUST set the Front End Naming Delegation
      Architecture with DNSSEC.

6.2.  Front End Delegating Information Option

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          option-code          |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       front-end-length        |     front-end-fqdn-length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   /                   front-end-delegating-fqdn                   /
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                         ipv6-address                          |
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                         ipv6-address                          |
   |                                                               |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   -  option-code: OPTION_FRONT_END_DELEGATING_INFO (16 bits).

   -  option-len: Length (16 bits), in octets, of the option data that
      follows the option-len field.

   -  front-end-length: Length (16 bits), in octets, of this Front End
      Delegating Server entry.

   -  front-end-fqdn-length: Length (16 bits), in octets, of the Front
      End Delegating Server FQDN.

   -  front-end-delegating-fqdn: The FQDN of the Front End Delegating
      Server.

   -  ipv6-address: An IPv6 Address (128 bits) of the Front End
      Delegating Server.

6.3.  Delegating Authorized Resolvers Option

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          option-code          |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | prefix-length |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                                                               |
   |                          ipv6-prefix                          |
   |                                                               |
   |               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               | prefix-length |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   /                          ipv6-prefix                          /
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   -  option-code: OPTION_DELEGATING_AUTH_RESOLVERS (16 bits).

   -  option-len: Length (16 bits), in octets, of the option data that
      follows the option-len field.

   -  prefix-length: Length (8 bits), in bits, of the prefix that
      follows.

   -  ipv6-prefix: IPv6 address or IPv6 prefix from which the
      Delegating Authorized Resolvers send DNS queries to the Back End
      Delegated DNS Server of the delegated domain.

7.  IANA Considerations

   This document adds two new DHCP Options:

   -  OPTION_FRONT_END_DELEGATING_INFO: TBD

   -  OPTION_DELEGATING_AUTH_RESOLVERS: TBD

8.  Security Considerations

   This document addresses the DoS security issue of
   [I-D.mglt-homenet-naming-delegation].  Other security considerations
   remain as described in [I-D.mglt-homenet-naming-delegation].

   Restricting the CPE WAN interface to the Delegating Authorized
   Resolvers is based on the source IP address of the query.  Because a
   DNS query over UDP can carry a spoofed source address, this filter
   reduces the exposure of the CPE but does not by itself authenticate
   the querier.

9.  Acknowledgment

   The authors wish to thank Ole Troan for pointing out issues with the
   IPv6 routed home concept and placing the scope of this document in a
   wider picture, Mark Townsley for encouragement and injecting a
   healthy debate on the merits of the idea, Ulrik de Bie for providing
   alternative solutions, Paul Mockapetris for pointing out issues of
   the trustworthiness of a reverse lookup, and Christian Jacquenet for
   seeing the value from a Service Provider point of view.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

10.2.  Informational References

   [I-D.mglt-homenet-naming-delegation]
              Cloetens, W., Lemordant, P. and D. Migault, "IPv6 Home
              Network Naming Delegation Architecture", Internet-Draft
              draft-mglt-homenet-naming-delegation-00, July 2012.

Authors' Addresses

   Wouter Cloetens
   SoftAtHome
   vaartdijk 3 701
   3018 Wijgmaal
   Belgium

   Email: wouter.cloetens@softathome.com


   Philippe Lemordant
   Francetelecom - Orange
   2 avenue Pierre Marzin
   22300 Lannion
   France

   Phone: +33 2 96 05 35 11
   Email: philippe.lemordant@orange.com


   Daniel Migault
   Francetelecom - Orange
   38 rue du General Leclerc
   92794 Issy-les-Moulineaux Cedex 9
   France

   Phone: +33 1 45 29 60 52
   Email: mglt.ietf@gmail.com
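   The wire formats of Sections 6.2 and 6.3, together with the CPE-side
   handling of Sections 4.5, 5.2 and 5.3, as an added example that is
   not part of this draft.  Where the draft leaves details open, the
   code assumes the following: the option codes are the placeholder
   values 65001 and 65002 (the real values are TBD per Section 7); the
   FQDN is carried as uncompressed DNS wire-format labels, the encoding
   DHCPv6 uses for domain names; front-end-length counts the octets of
   one Front End Delegating Server entry after the two length fields,
   and entries repeat back to back; and ipv6-prefix carries only the
   leading ceil(prefix-length/8) octets of the prefix, as the second
   entry of the Section 6.3 figure suggests.  The server names,
   addresses and prefixes are constructed sample data.

```python
import ipaddress
import struct

# Option codes are TBD in Section 7; these values are placeholders for the example only.
OPTION_FRONT_END_DELEGATING_INFO = 65001   # hypothetical
OPTION_DELEGATING_AUTH_RESOLVERS = 65002   # hypothetical


def encode_fqdn(name):
    """Uncompressed DNS wire-format labels, the form DHCPv6 uses for domain names."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_fqdn(buf):
    """Return (fqdn, octets consumed); rejects compression pointers and truncated names."""
    labels, off = [], 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63 or off + n > len(buf):
            raise ValueError("bad label length")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_front_end_info(servers):
    """servers: [(fqdn, [ipv6 address, ...]), ...] -> OPTION_FRONT_END_DELEGATING_INFO bytes."""
    body = b""
    for fqdn, addrs in servers:
        wire = encode_fqdn(fqdn)
        entry = wire + b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
        # front-end-length covers FQDN plus addresses; front-end-fqdn-length the FQDN alone.
        body += struct.pack("!HH", len(entry), len(wire)) + entry
    return struct.pack("!HH", OPTION_FRONT_END_DELEGATING_INFO, len(body)) + body


def parse_front_end_info(opt):
    code, olen = struct.unpack("!HH", opt[:4])
    if code != OPTION_FRONT_END_DELEGATING_INFO or olen != len(opt) - 4:
        raise ValueError("not a well-formed Front End Delegating Information option")
    servers, off = [], 4
    while off < len(opt):
        entry_len, fqdn_len = struct.unpack("!HH", opt[off:off + 4])
        off += 4
        entry = opt[off:off + entry_len]
        # Every length is checked before anything from the option reaches the zone file.
        if len(entry) != entry_len or fqdn_len > entry_len or (entry_len - fqdn_len) % 16:
            raise ValueError("inconsistent entry lengths")
        fqdn, used = decode_fqdn(entry[:fqdn_len])
        if used != fqdn_len:
            raise ValueError("front-end-fqdn-length does not match the encoded name")
        addrs = [str(ipaddress.IPv6Address(entry[i:i + 16])) for i in range(fqdn_len, entry_len, 16)]
        servers.append((fqdn, addrs))
        off += entry_len
    return servers


def build_auth_resolvers(prefixes):
    """prefixes: ['2001:db8::/32', ...] -> OPTION_DELEGATING_AUTH_RESOLVERS bytes."""
    body = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)            # strict: host bits must be zero
        nbytes = (net.prefixlen + 7) // 8
        body += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return struct.pack("!HH", OPTION_DELEGATING_AUTH_RESOLVERS, len(body)) + body


def parse_auth_resolvers(opt):
    code, olen = struct.unpack("!HH", opt[:4])
    if code != OPTION_DELEGATING_AUTH_RESOLVERS or olen != len(opt) - 4:
        raise ValueError("not a well-formed Delegating Authorized Resolvers option")
    nets, off = [], 4
    while off < len(opt):
        plen, off = opt[off], off + 1
        if plen > 128:
            raise ValueError("prefix-length above 128")
        nbytes = (plen + 7) // 8
        raw = opt[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated prefix")
        off += nbytes
        # Strict network construction rejects stray bits beyond prefix-length instead of
        # silently turning them into a wider firewall rule.
        addr_int = int.from_bytes(raw.ljust(16, b"\x00"), "big")
        nets.append(str(ipaddress.IPv6Network((addr_int, plen))))
    return nets


def split_options(buf):
    """Split a run of DHCPv6 options into (option-code, whole option bytes) pairs."""
    out, off = [], 0
    while off < len(buf):
        code, olen = struct.unpack("!HH", buf[off:off + 4])
        end = off + 4 + olen
        if end > len(buf):
            raise ValueError("truncated option")
        out.append((code, buf[off:end]))
        off = end
    return out


def zone_ns_records(delegated_domain, servers):
    """NS records naming the Front End Delegating Servers (Section 4.5), plus their AAAA."""
    rrs = ["%s IN NS %s" % (delegated_domain, fqdn) for fqdn, _ in servers]
    return rrs + ["%s IN AAAA %s" % (fqdn, a) for fqdn, addrs in servers for a in addrs]


def wan_dns_allowed(src_ip, prefixes):
    """Firewall decision for a DNS query arriving on the WAN interface (Section 4.5)."""
    ip = ipaddress.IPv6Address(src_ip)
    return any(ip in ipaddress.IPv6Network(p) for p in prefixes)


def configure_cpe(delegated_domain, reply_options):
    """CPE side of Section 5.3: zone NS records and WAN allow list from the DHCP Reply."""
    servers, prefixes = [], []
    for code, opt in split_options(reply_options):
        if code == OPTION_FRONT_END_DELEGATING_INFO:
            servers = parse_front_end_info(opt)
        elif code == OPTION_DELEGATING_AUTH_RESOLVERS:
            prefixes = parse_auth_resolvers(opt)
    if not servers or not prefixes:
        raise ValueError("expected options missing: clear the delegation settings")
    return zone_ns_records(delegated_domain, servers), prefixes
```

   With the sample Reply built from one server entry
   ("ns1.example." with two addresses) and two prefixes
   ("2001:db8:ff::/48" and "2001:db8:1::53/128"), configure_cpe returns
   the NS and AAAA records to place in "my-homenet.example." and the
   prefix list the firewall applies to the WAN interface; a prefix with
   non-zero host bits or a length field that disagrees with the encoded
   name is rejected rather than partially applied.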