idnits 2.17.1 draft-pauly-add-resolver-discovery-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 13 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (20 May 2020) is 1437 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-03) exists of draft-ietf-dnsop-svcb-httpssvc-02 == Outdated reference: A later version (-18) exists of draft-ietf-tls-esni-06 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Pauly 3 Internet-Draft E. Kinnear 4 Intended status: Standards Track Apple Inc. 5 Expires: 21 November 2020 C.A. Wood 6 Cloudflare 7 P. McManus 8 Fastly 9 T. Jensen 10 Microsoft 11 20 May 2020 13 Adaptive DNS Resolver Discovery 14 draft-pauly-add-resolver-discovery-00 16 Abstract 18 This document defines a method for dynamically discovering resolvers 19 that support encrypted transports, and introduces the concept of a 20 designating a resolver to be used for a subset of client queries 21 based on domain. This method is intended to work both for locally- 22 hosted resolvers and resolvers accessible over the broader Internet. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 21 November 2020. 41 Copyright Notice 43 Copyright (c) 2020 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 59 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Designated Resolvers . . . . . . . . . . . . . . . . . . . . 3 61 3.1. Designating with Service Binding DNS Records . . . . . . 4 62 3.2. Additional Designation with PvD JSON . . . . . . . . . . 5 63 3.3. Mutual Confirmation with PvD JSON . . . . . . . . . . . . 6 64 4. Explicit Discovery of Local Resolvers . . . . . . . . . . . . 7 65 5. Discovery of DoH Capabilities for Direct Resolvers . . . . . 8 66 6. Server Deployment Considerations . . . . . . . . . . . . . . 9 67 6.1. Single Content Provider . . . . . . . . . . . . . . . . . 9 68 6.2. Multiple Content Providers . . . . . . . . . . . . . . . 9 69 6.3. Avoid Narrow Deployments . . . . . . . . . . . . . . . . 10 70 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 71 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 72 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 73 9.1. DoH Template PvD Key . . . . . . . . . . . . . . . . . . 11 74 9.2. Trusted Names PvD Key . . . . . . . . . . . . . . . . . . 11 75 9.3. DoH URI Template DNS Parameter . . . . . . . . . . . . . 11 76 9.4. Special Use Domain Name "resolver.arpa" . . . . . . . . . 12 77 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 78 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 79 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 80 11.2. Informative References . . . . . . . . . . . . . . . . . 13 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 83 1. Introduction 85 When clients need to resolve names into addresses in order to 86 establish networking connections, they traditionally use by default 87 the DNS resolver that is provisioned by the local network along with 88 their IP address [RFC2132] [RFC8106]. Alternatively, they can use a 89 resolver indicated by a tunneling service such as a VPN. 91 However, privacy-sensitive clients might prefer to use an encrypted 92 DNS service other than the one locally provisioned in order to 93 prevent interception, profiling, or modification by entities other 94 than the operator of the name service for the name being resolved. 95 Protocols that can improve the transport security of a client when 96 using DNS or creating TLS connections include DNS-over-TLS (DoT) 97 [RFC7858], DNS-over-HTTPS (DoH) [RFC8484], and Encrypted TLS Client 98 Hellos [I-D.ietf-tls-esni]. 100 This document defines a method for dynamically discovering resolvers 101 that support encrypted transports, and introduces the concept of a 102 designating a resolver to be used for a subset of client queries 103 based on domain. This method is intended to work both for locally- 104 hosted resolvers and resolvers accessible over the broader Internet. 106 1.1. Specification of Requirements 108 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 109 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 110 "OPTIONAL" in this document are to be interpreted as described in BCP 111 14 [RFC2119] [RFC8174] when, and only when, they appear in all 112 capitals, as shown here. 114 2. Terminology 116 This document defines the following terms: 118 Direct Resolver: A DNS resolver using any transport, encrypted or 119 unencrypted, that is provisioned directly by a local router or a 120 VPN. 122 Designated Resolver: A DNS resolver that is designated as a 123 responsible resolver for a given domain or zone. Designated 124 resolvers use encrypted transports. 126 Companion DoH Server: A DNS resolver that provides connectivity over 127 HTTPS (DoH) that is designated as equivalent to querying a 128 particular Direct Resolver. 130 3. Designated Resolvers 132 An encrypted DNS resolver, such as a DoH or DoT server, can be 133 designated for use in resolving names within one or more zones. This 134 means that clients can learn about an explicit mapping from a given 135 domain or zone to one or more Designated Resolvers, and use that 136 mapping to select the best resolver for a given query. 138 Designating a resolver MUST rely on mutual agreement between the 139 entity managing a zone (the Domain Owner) and the entity operating 140 the resolver. These entities can be one and the same, or a Domain 141 Owner can choose to designate a third-party resolver to handle its 142 traffic. Proof of this mutual agreement asserts to clients that 143 sending any query to the designated resolver exposes no more 144 information than sending that query to the entity managing the 145 corresponding zone. 147 As an example with only one entity, a company that runs many sites 148 within "enterprise.example.com" can provide its own DoH resolver, 149 "doh.enterprise.example.com", and designate only that resolver for 150 all names that fall within "enterprise.example.com". This means that 151 no other resolver would be designated for those names, and clients 152 would only resolve names with the same entity that would service TLS 153 connections. 155 As an example with several entities, the organization that operates 156 sites within "example.org" may work with two different Content 157 Delivery Networks (CDNs) to serve its sites. It might designate 158 names under "example.com" to two different entities, "doh.cdn-a.net" 159 and "doh.cdn-b.net". These are CDNs that have an existing 160 relationship with the organization that runs "example.org", and have 161 agreements with that organization about how data with information on 162 names and users is handled. 164 There are several methods that can be used to designate a resolver: 166 * Based on SVCB DNS records issued to another resolver (Section 3.1) 168 * Based on information from Designated DoH Resolver that is 169 confirmed via SVCB DNS records (Section 3.2) 171 * Based on mutual agreement through confirmation of domains over 172 HTTPS (Section 3.3) 174 Note that clients MUST NOT accept designations for effective top- 175 level domains (eTLDs), such as ".com". 177 3.1. Designating with Service Binding DNS Records 179 The primary source for discovering Designated DoH Server 180 configurations is from properties stored in a SVCB (or a SVCB- 181 conformant type like HTTPSSVC) DNS Record 182 [I-D.ietf-dnsop-svcb-httpssvc]. This record provides the URI 183 Template of a DoH server that is designated for a specific domain. A 184 specific domain may have more than one such record. 186 In order to designate a DoH server for a domain, a SVCB record can 187 contain the "dohuri" (Section 9). The value stored in the parameter 188 is a URI, which is the DoH URI template [RFC8484]. 190 The following example shows a record containing a DoH URI, as 191 returned by a query for the HTTPSSVC variant of the SVCB record type 192 on "foo.example.com", where the response indicates a DoH Resolver 193 that is designated for names under "example.com". 195 foo.example.com. 7200 IN HTTPSSVC 1 example.com. ( 196 dohuri=https://doh.example.net/dns-query ) 198 If this record is DNSSEC-signed [RFC4033], clients can immediately 199 create a mapping that indicates the server (doh.example.net) as a 200 Designated Resolver for the name in the SVCB record 201 (foo.example.com). 203 If this record is not DNSSEC-signed, clients MUST perform other 204 validation to determine that the zone designation is permitted, as 205 described in Section 3.3. 207 3.2. Additional Designation with PvD JSON 209 A provisioning domain (PvD) defines a coherent set of information 210 that can be used to access a network and resolve names. 211 [I-D.ietf-intarea-provisioning-domains] defines a JSON dictionary 212 format that can be fetched over HTTPS at the well-known URI "/.well- 213 known/pvd". 215 Designated Resolvers that support DoH SHOULD provide a PvD JSON 216 dictionary available at the well-known PvD URI with the path of the 217 DoH server's URI template appended. 219 For example, the PvD JSON for the DoH server 220 "https://doh.example.net/dns-query" would be available at 221 "https://doh.example.net/.well-known/pvd/dns-query". 223 Names that are listed in the "dnsZones" key in the JSON dictionary 224 indicate other names that designate the resolver. For each of those 225 domains, clients SHOULD issue an SVCB query to the DoH resolver. If 226 this record confirms the designation and is DNSSEC-signed, clients 227 can create a mapping to designate the resolver. In order to optimize 228 the validation of these domains, servers MAY use HTTP Server Push to 229 deliver the records prior to the request being made. 231 The key "dohTemplate" is also defined within the JSON dictionary 232 (Section 9) to point back to the DoH URI Template itself. This is 233 used for confirming the DoH server when the PvD is discovered locally 234 or during mutual confirmation (Section 3.3). 236 3.3. Mutual Confirmation with PvD JSON 238 Designated DoH Resolvers that provide the PvD JSON described in 239 Section 3.2 can also provide information to allow validation of zone 240 designations without DNSSEC. 242 The JSON dictionary MAY contain a key "trustedNames" that is an array 243 of strings containing domains that can be used for mutual 244 confirmation of resolver designation. 246 For example, the JSON dictionary retrieved at 247 "https://doh.example.net/.well-known/pvd/dns-query" can contain the 248 following contents: 250 { 251 "identifier": "doh.example.net.", 252 "dohTemplate": "https://doh.example.net/dns-query", 253 "dnsZones": ["example.com"], 254 "trustedNames": ["example.com"] 255 } 257 This indicates that "example.com" should be treated as a designated 258 domain, and that it can be validated by checking with the 259 "example.com" server rather than using DNSSEC. 261 Clients MUST validate the resolver designation by checking a resource 262 hosted by the name indicated in "trustedNames". The client first 263 issues an HTTP GET request by appending "/.well-known/pvd" to the 264 trusted name, using the "https" scheme. In this example, the 265 resulting URI is "https://example.com/.well-known/pvd". In order to 266 trust the designation, this request must return valid JSON with the 267 "dohTemplate" key matching the original DoH resolver. For example, 268 this dictionary could contain the following contents: 270 { 271 "identifier": "example.com.", 272 "dohTemplate": "https://doh.example.net/dns-query", 273 } 275 A client MUST NOT trust a designation if the JSON content is not 276 present, does not contain a "dohTemplate" key, or the value in the 277 "dohTemplate" key does not match. The following result would not be 278 acceptable for the example above: 280 { 281 "identifier": "example.com.", 282 "dohTemplate": "https://not-the-doh-youre-looking-for.example.net/dns-query", 283 } 285 Note that the domains listed in "trustedNames" may be broader than 286 the zones that designate the resolver. In the following example, 287 names under "foo.example.com" and "bar.example.com" designate the DoH 288 server "https://doh.example.net/dns-query", and use the PvD JSON from 289 "example.com" to validate the designation. However, the client would 290 not designate the DoH server for all names under "example.com". 292 { 293 "identifier": "doh.example.net.", 294 "dohTemplate": "https://doh.example.net/dns-query", 295 "dnsZones": ["foo.example.com", "bar.example.com"], 296 "trustedNames": ["example.com"] 297 } 299 4. Explicit Discovery of Local Resolvers 301 If the local network provides configuration with an Explicit 302 Provisioning Domain (PvD), as defined by 303 [I-D.ietf-intarea-provisioning-domains], clients can learn about 304 domains for which the local network's resolver is authoritative. The 305 keys for DoH resolvers described in Section 3.2 also allow this local 306 PvD to be used for resolver discovery. 308 If an RA provided by the router on the network defines an Explicit 309 PvD that has additional information, and this additional information 310 JSON dictionary contains the key "dohTemplate", then the client 311 SHOULD add this DoH server to its list of known DoH configurations. 312 The domains that the DoH server claims authority for are listed in 313 the "dnsZones" key. Clients MUST use one of the methods for 314 validating a designation described in Section 3.1 or Section 3.3. 316 Local deployments that want to designate a resolver for a private 317 name that is not easily signed with DNSSEC MUST provide an alternate 318 method of validating a designation, particularly the one described in 319 Section 3.3. 321 5. Discovery of DoH Capabilities for Direct Resolvers 323 Direct Resolvers can advertise a Companion DoH server that offers 324 equivalent services and is controlled by the same entity. To do 325 this, a DNS server returns an SVCB record for the "resolver.arpa" 326 domain with "ipv4hint" and/or "ipv6hint" set to a valid IP address 327 and the "dohuri" key set to a valid DoH URI template as with the 328 Designated DoH Server SVCB record. The TLS certificate used with the 329 DoH URI MUST have the IP addresses for each of its DNS endpoints, 330 classic or DoH, within the SubjectAlternativeName field to allow the 331 client to verify ownership. 333 Once a client is configured to query a Direct Resolver, it SHOULD 334 query the resolver for SVCB records for the "resolver.arpa" domain 335 before making other queries. This will help the client avoid leaking 336 queries that could go over DoH once the Companion DoH Server is 337 discovered. If an SVCB record is returned, its "dohip" field 338 designates an IP address the client can send DoH queries to in lieu 339 of sending classic DNS queries to the Direct Resolver. The "dohuri" 340 field contains the DoH URI similarly to the SVCB record for a 341 Designated DoH Server. 343 To validate the Companion DoH Server and the resolver that advertised 344 it are related, the client MUST check the SubjectAlternativeName 345 field of the Companion DoH Server's TLS certificate for the original 346 resolver's IP address and the advertised IP address for the Companion 347 DoH server. If both are present, the discovered Companion DoH Server 348 MUST be used whenever the original Direct Resolver would be used. 349 Otherwise, the client SHOULD suppress queries for Companion DoH 350 Servers against this resolver for the TTL of the negative or invalid 351 response and continue to use the original Direct Resolver. 353 The following example shows a record containing a Companion DoH URI, 354 as returned by a query for the HTTPSSVC variant of the SVCB record 355 type on the "resolver.arpa" domain. 357 resolver.arpa 7200 IN HTTPSSVC 1 doh.example.net ( 358 ipv4hint=x.y.z.w 359 dohuri=https://doh.example.net/dns-query ) 361 A DNS resolver MAY return more than one SVCB record of this form to 362 advertise multiple Companion DoH Servers that are valid as a 363 replacement for itself. Any or all of these servers may have the 364 same IP address as the DNS resolver itself. In this case, clients 365 will only have one IP address to check for when verifying ownership 366 of the Companion DoH server. 368 6. Server Deployment Considerations 370 When servers designate DoH servers for their names, the specific 371 deployment model can impact the effective privacy and performance 372 characteristics. 374 6.1. Single Content Provider 376 If a name always resolves to server IP addresses that are hosted by a 377 single content provider, the name ought to designate a single DoH 378 server. This DoH server will be most optimal when it is designated 379 by many or all names that are hosted by the same content provider. 380 This ensures that clients can increase connection reuse to reduce 381 latency in connection setup. 383 A DoH server that corresponds to the content provider that hosts 384 content has an opportunity to tune the responses provided to a client 385 based on the location inferred by the client IP address. 387 6.2. Multiple Content Providers 389 Some hostnames may resolve to server IP addresses that are hosted by 390 multiple content providers. In such scenarios, the deployment may 391 want to be able to control the percentage of traffic that flows to 392 each content provider. 394 In these scenarios, there can either be: 396 * multiple designated DoH servers that are advertised via SVCB DNS 397 Records; or, 399 * a single designated DoH server that can be referenced by one or 400 more SVCB DNS Records, operated by a party that is aware of both 401 content providers and can manage splitting the traffic. 403 If a server deployment wants to easily control the split of traffic 404 between different content providers, it ought to use the latter model 405 of using a single designated DoH server that can better control which 406 IP addresses are provided to clients. Otherwise, if a client is 407 aware of multiple DoH servers, it might use a single resolver 408 exclusively, which may lead to inconsistent behavior between clients 409 that choose different resolvers. 411 6.3. Avoid Narrow Deployments 413 Using designated DoH servers can improve the privacy of name 414 resolution whenever a DoH server is designated by many different 415 names within one or more domains. This limits the amount of 416 information leaked to an attacker observing traffic between a client 417 and a DoH server: the attacker only learns that the client might be 418 resolving one of the many names for which the server is designated. 420 However, if a deployment designates a given DoH server for only one 421 name, or a very small set of names, then it becomes easier for an 422 attacker to infer that a specific name is being accessed by a client. 423 For this reason, deployments are encouraged to avoid deploying a DoH 424 server that is only designated by a small number of names. Clients 425 can also choose to only whitelist DoH servers that are associated 426 with many names. 428 Beyond the benefits to privacy, having a larger number of names 429 designate a given DoH server improves the opportunity for DoH 430 connection reuse, which can improve the performance of name 431 resolutions. 433 7. Security Considerations 435 In order to avoid interception and modification of the information 436 sent between clients and Designated Resolvers, all exchanges between 437 clients and servers are performed over encrypted connections, e.g., 438 TLS. 440 Malicious adversaries may block client connections to a Designated 441 Resolver as a Denial-of-Service (DoS) measure. Clients which cannot 442 connect these resolvers may be forced to, if local policy allows, 443 fall back to unencrypted DNS if this occurs. 445 8. Privacy Considerations 447 Clients must be careful in determining to which DoH servers they send 448 queries directly. A malicious resolver that can direct queries to 449 itself can track or profile client activity. In order to avoid the 450 possibility of a spoofed SVCB record designating a malicious DoH 451 server for a name, clients MUST ensure that such records validate 452 using DNSSEC (Section 3.1) or using mutual confirmation 453 (Section 3.3). 455 Even servers that are validly designated can risk leaking or logging 456 information about client lookups. Such risk can be mitigated by 457 further restricting the list of resolvers that are whitelisted for 458 direct use based on client policy. 460 An adversary able to see traffic on each path segment of a DoH query 461 (e.g., from client to a Designated Resolver, and the Designated 462 Resolver to an authoritative DNS server) can link queries to specific 463 clients with high probability. Failure to observe traffic on any one 464 of these path segments makes this linkability increasingly difficult. 465 For example, if an adversary can only observe traffic between a 466 client and proxy and egress traffic from a target, then it may be 467 difficult identify a specific client's query among the recursive 468 queries generated by the target. 470 9. IANA Considerations 472 9.1. DoH Template PvD Key 474 This document adds a key to the "Additional Information PvD Keys" 475 registry [I-D.ietf-intarea-provisioning-domains]. 477 +------------+-------------+------+---------------------------------+ 478 | JSON key | Description | Type | Example | 479 +============+=============+======+=================================+ 480 |dohTemplate | DoH URI |String| "https://dnsserver.example.net/ | 481 | | Template | | dns-query{?dns}" | 482 | | [RFC8484] | | | 483 +------------+-------------+------+---------------------------------+ 485 Table 1 487 9.2. Trusted Names PvD Key 489 This document adds a key to the "Additional Information PvD Keys" 490 registry [I-D.ietf-intarea-provisioning-domains]. 492 +--------------+-----------------------+---------+---------------+ 493 | JSON key | Description | Type | Example | 494 +==============+=======================+=========+===============+ 495 | trustedNames | Names of servers that | Array | [ | 496 | | can validate resolver | of | "example.com" | 497 | | designation. | Strings | ] | 498 +--------------+-----------------------+---------+---------------+ 500 Table 2 502 9.3. DoH URI Template DNS Parameter 504 If present, this parameters indicates the URI template of a DoH 505 server that is designated for use with the name being resolved. This 506 is a string encoded as UTF-8 characters. 508 Name: dohuri 510 SvcParamKey: TBD 512 Meaning: URI template for a designated DoH server 514 Reference: This document. 516 9.4. Special Use Domain Name "resolver.arpa" 518 This document calls for the creation of the "resolver.arpa" SUDN. 519 This will allow resolvers to respond to queries directed at 520 themselves rather than a specific domain name. While this document 521 uses "resolver.arpa" to return SVCB records indicating DoH 522 capability, the name is generic enough to allow future reuse for 523 other purposes where the resolver wishes to provide information about 524 itself to the client. 526 10. Acknowledgments 528 Thanks to Erik Nygren, Lorenzo Colitti, Mikael Abrahamsson, Ben 529 Schwartz, Ask Hansen, Leif Hedstrom, Tim McCoy, Stuart Cheshire, 530 Miguel Vega, Joey Deng, Ted Lemon, and Elliot Briggs for their 531 feedback and input on this document. 533 11. References 535 11.1. Normative References 537 [I-D.ietf-dnsop-svcb-httpssvc] 538 Schwartz, B., Bishop, M., and E. Nygren, "Service binding 539 and parameter specification via the DNS (DNS SVCB and 540 HTTPSSVC)", Work in Progress, Internet-Draft, draft-ietf- 541 dnsop-svcb-httpssvc-02, 9 March 2020, 542 . 545 [I-D.ietf-intarea-provisioning-domains] 546 Pfister, P., Vyncke, E., Pauly, T., Schinazi, D., and W. 547 Shao, "Discovering Provisioning Domain Names and Data", 548 Work in Progress, Internet-Draft, draft-ietf-intarea- 549 provisioning-domains-11, 31 January 2020, 550 . 553 [I-D.ietf-tls-esni] 554 Rescorla, E., Oku, K., Sullivan, N., and C. Wood, 555 "Encrypted Server Name Indication for TLS 1.3", Work in 556 Progress, Internet-Draft, draft-ietf-tls-esni-06, 9 March 557 2020, . 560 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 561 Rose, "DNS Security Introduction and Requirements", 562 RFC 4033, DOI 10.17487/RFC4033, March 2005, 563 . 565 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 566 and P. Hoffman, "Specification for DNS over Transport 567 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 568 2016, . 570 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 571 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 572 . 574 11.2. Informative References 576 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 577 Requirement Levels", BCP 14, RFC 2119, 578 DOI 10.17487/RFC2119, March 1997, 579 . 581 [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 582 Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, 583 . 585 [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 586 "IPv6 Router Advertisement Options for DNS Configuration", 587 RFC 8106, DOI 10.17487/RFC8106, March 2017, 588 . 590 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 591 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 592 May 2017, . 594 Authors' Addresses 596 Tommy Pauly 597 Apple Inc. 598 One Apple Park Way 599 Cupertino, California 95014, 600 United States of America 602 Email: tpauly@apple.com 603 Eric Kinnear 604 Apple Inc. 605 One Apple Park Way 606 Cupertino, California 95014, 607 United States of America 609 Email: ekinnear@apple.com 611 Christopher A. Wood 612 Cloudflare 613 101 Townsend St 614 San Francisco, 615 United States of America 617 Email: caw@heapingbits.net 619 Patrick McManus 620 Fastly 622 Email: mcmanus@ducksong.com 624 Tommy Jensen 625 Microsoft 627 Email: tojens@microsoft.com