idnits 2.17.1 draft-pauly-add-resolver-discovery-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 9 characters in excess of 72. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (13 July 2020) is 1383 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-00 == Outdated reference: A later version (-18) exists of draft-ietf-tls-esni-07 == Outdated reference: A later version (-02) exists of draft-schinazi-httpbis-doh-preference-hints-01 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Pauly 3 Internet-Draft E. Kinnear 4 Intended status: Standards Track Apple Inc. 5 Expires: 14 January 2021 C.A. Wood 6 Cloudflare 7 P. McManus 8 Fastly 9 T. Jensen 10 Microsoft 11 13 July 2020 13 Adaptive DNS Resolver Discovery 14 draft-pauly-add-resolver-discovery-01 16 Abstract 18 This document defines a method for dynamically discovering resolvers 19 that support encrypted transports, and introduces the concept of 20 designating a resolver to be used for a subset of client queries 21 based on domain. This method is intended to work both for locally- 22 hosted resolvers and resolvers accessible over the broader Internet. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 14 January 2021. 41 Copyright Notice 43 Copyright (c) 2020 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Specification of Requirements . . . . . . . . . . . . . . 3 59 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Designated Resolvers . . . . . . . . . . . . . . . . . . . . 3 61 3.1. Designating with Service Binding DNS Records . . . . . . 4 62 3.2. Additional Designation with PvD JSON . . . . . . . . . . 5 63 3.3. Confirmation of Designation with Zone Apex PvD . . . . . 6 64 3.4. Confirmation of Designation with TLS Certificates . . . . 8 65 4. Explicit Discovery of Local Resolvers . . . . . . . . . . . . 9 66 5. Discovery of DoH Capabilities for Direct Resolvers . . . . . 9 67 6. Server Deployment Considerations . . . . . . . . . . . . . . 10 68 6.1. Single Content Provider . . . . . . . . . . . . . . . . . 10 69 6.2. Multiple Content Providers . . . . . . . . . . . . . . . 10 70 6.3. Avoid Narrow Deployments . . . . . . . . . . . . . . . . 11 71 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 72 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 73 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 74 9.1. DoH Template PvD Key . . . . . . . . . . . . . . . . . . 12 75 9.2. Trusted Names PvD Key . . . . . . . . . . . . . . . . . . 12 76 9.3. DoH URI Template DNS Service Parameter . . . . . . . . . 13 77 9.4. Special Use Domain Name "resolver.arpa" . . . . . . . . . 13 78 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 79 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 80 11.1. Normative References . . . . . . . . . . . . . . . . . . 13 81 11.2. Informative References . . . . . . . . . . . . . . . . . 14 82 Appendix A. Rationale for using SVCB records . . . . . . . . . . 15 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 85 1. Introduction 87 When clients need to resolve names into addresses in order to 88 establish networking connections, they traditionally use by default 89 the DNS resolver that is provisioned by the local network along with 90 their IP address [RFC2132] [RFC8106]. Alternatively, they can use a 91 resolver indicated by a tunneling service such as a VPN. 93 However, privacy-sensitive clients might prefer to use an encrypted 94 DNS service other than the one locally provisioned in order to 95 prevent interception, profiling, or modification by entities other 96 than the operator of the name service for the name being resolved. 98 Protocols that can improve the transport security of a client when 99 using DNS or creating TLS connections include DNS-over-TLS (DoT) 100 [RFC7858], DNS-over-HTTPS (DoH) [RFC8484], and Encrypted TLS Client 101 Hellos [I-D.ietf-tls-esni]. 103 This document defines a method for dynamically discovering resolvers 104 that support encrypted transports, and introduces the concept of 105 designating a resolver to be used for a subset of client queries 106 based on domain. This method is intended to work both for locally- 107 hosted resolvers and resolvers accessible over the broader Internet. 109 1.1. Specification of Requirements 111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 113 "OPTIONAL" in this document are to be interpreted as described in BCP 114 14 [RFC2119] [RFC8174] when, and only when, they appear in all 115 capitals, as shown here. 117 2. Terminology 119 This document defines the following terms: 121 Direct Resolver: A DNS resolver using any transport, encrypted or 122 unencrypted, that is provisioned directly by a local router or a 123 VPN. 125 Designated Resolver: A DNS resolver that is designated as a 126 responsible resolver for a given domain or zone. Designated 127 resolvers use encrypted transports. 129 Companion DoH Server: A DNS resolver that provides connectivity over 130 HTTPS (DoH) that is designated as equivalent to querying a 131 particular Direct Resolver. 133 3. Designated Resolvers 135 An encrypted DNS resolver, such as a DoH or DoT server, can be 136 designated for use in resolving names within one or more zones. This 137 means that clients can learn about an explicit mapping from a given 138 domain or zone to one or more Designated Resolvers, and use that 139 mapping to select the best resolver for a given query. 141 Designating a resolver MUST rely on agreement between the entity 142 managing a zone (the Domain Owner) and the entity operating the 143 resolver, such that clients can securely validate this designation. 144 These entities can be one and the same, or a Domain Owner can choose 145 to designate a third-party resolver to handle its traffic. Proof of 146 this agreement asserts to clients that sending any query to the 147 designated resolver exposes no more information than sending that 148 query to the entity managing the corresponding zone. 150 As an example with only one entity, a company that runs many sites 151 within "enterprise.example.com" can provide its own DoH resolver, 152 "doh.enterprise.example.com", and designate only that resolver for 153 all names that fall within "enterprise.example.com". This means that 154 no other resolver would be designated for those names, and clients 155 would only resolve names with the same entity that would service TLS 156 connections. 158 As an example with several entities, the organization that operates 159 sites within "example.org" may work with two different Content 160 Delivery Networks (CDNs) to serve its sites. It might designate 161 names under "example.com" to two different entities, "doh.cdn-a.net" 162 and "doh.cdn-b.net". These are CDNs that have an existing 163 relationship with the organization that runs "example.org", and have 164 agreements with that organization about how data with information on 165 names and users is handled. 167 There are several methods that can be used to discover and validate a 168 resolver designation: 170 * Discovery using SVCB DNS records (Section 3.1), and validation 171 using DNSSEC 173 * Discovery using information in a provisioning domain (PvD) file 174 from the Designated DoH Resolver (Section 3.2) 176 * Validation using a file hosted on a well-known HTTPS URI based on 177 a zone apex (Section 3.3) 179 * Validation using TLS certificates to confirm of domain name 180 ownership (Section 3.4) 182 Note that clients MUST NOT accept designations for effective top- 183 level domains (eTLDs), such as ".com". 185 3.1. Designating with Service Binding DNS Records 187 The primary source for discovering Designated DoH Server 188 configurations is from properties stored in a SVCB DNS resource 189 record, or a SVCB-conformant resource record type, like HTTPS 190 [I-D.ietf-dnsop-svcb-https]. This record provides the URI Template 191 of a DoH server that is designated for a specific domain. A specific 192 domain may have more than one such record. 194 The rationale for using SVCB records for recolver discovery is 195 discussed in Appendix A. 197 In order to designate a DoH server for a domain, a SVCB record can 198 contain the "dohuri" (Section 9). The value stored in the parameter 199 is a URI, which is the DoH URI template [RFC8484]. 201 The following example shows a record containing a DoH URI, as 202 returned by a query for the HTTPS variant of the SVCB record type on 203 "foo.example.com". 205 foo.example.com. 7200 IN HTTPS 1 . ( 206 dohuri=https://doh.example.net/dns-query ) 208 If this record is DNSSEC-signed [RFC4033], clients can immediately 209 create a mapping that indicates the server (doh.example.net) as a 210 Designated Resolver for the name in the SVCB record 211 (foo.example.com). 213 Once a record that designated a DoH server has expired, the client 214 SHOULD issue another SVCB/HTTPS query whenever issuing queries within 215 the designated domain. This query SHOULD still be performed using 216 the designated DoH server. If the response designates a different 217 DoH server, the client should verify and use the new designation. 219 If this record is not DNSSEC-signed, clients MUST perform other 220 validation to determine that the zone designation is permitted, as 221 described in Section 3.3. 223 3.2. Additional Designation with PvD JSON 225 A provisioning domain (PvD) defines a coherent set of information 226 that can be used to access a network and resolve names. Section 4.3 227 of [I-D.ietf-intarea-provisioning-domains] defines a JSON dictionary 228 format that can be fetched over HTTPS at the well-known URI "/.well- 229 known/pvd". 231 Designated Resolvers that support DoH SHOULD provide a PvD JSON 232 dictionary available at the well-known PvD URI with the path of the 233 DoH server's URI template appended. 235 For example, the PvD JSON for the DoH server 236 "https://doh.example.net/dns-query" would be available at 237 "https://doh.example.net/.well-known/pvd/dns-query". 239 The key "dohTemplate" is defined within the JSON dictionary 240 (Section 9) to point back to the DoH URI Template itself. This is 241 used for confirming the DoH server when the PvD is discovered locally 242 or during zone apex confirmation (Section 3.3). 244 Names that are listed in the "dnsZones" key in the JSON dictionary 245 indicate a set of zones that designate the resolver. These are the 246 zones that are available to resolve through the associated DoH 247 server. Note that this list does not need to be exhaustive, but is 248 the set of common zones managed by the resolver that all clients 249 should be aware of. Before using DNS results for these names, 250 clients MUST validate the designation either with a DNSSEC-signed 251 SVCB record (Section 3.1), or the confirmation methods described in 252 Section 3.3 and Section 3.4. DNS queries for validating records 253 SHOULD be sent to the DoH resolver. In order to optimize the 254 validation of these domains, servers MAY use HTTP Server Push to 255 deliver the signed SVCB answers prior to requests being made. 257 The "expires" key indicates a time after which the content of the PvD 258 file is no longer valid. Clients SHOULD re-fetch PvD information if 259 the expiration time has passed before using any designations that 260 were based on the PvD content. 262 { 263 "identifier": "doh.example.net.", 264 "dohTemplate": "https://doh.example.net/dns-query", 265 "dnsZones": ["example.com"], 266 "expires": "2020-08-23T06:00:00Z" 267 } 269 3.3. Confirmation of Designation with Zone Apex PvD 271 Designated DoH Resolvers that provide the PvD JSON described in 272 Section 3.2 can also provide information to validate of zone's 273 designation without DNSSEC. In order to confirm the designation, the 274 client requests a well-known HTTPS URI based on a zone apex name, and 275 checks a PvD file to ensure that it matches the DoH resolver. This 276 ensures that a DoH resolver cannot claim a designation for a given 277 zone without cooperation from the entity that owns the certificate 278 for the apex of that zone. 280 In order to enumerate the zone apex names that confirm designation in 281 this manner, the DoH resolver's PvD JSON dictionary can contain an 282 array of strings, with the key "trustedNames". Clients can validate 283 the resolver designation by checking a resource hosted by a name 284 indicated in "trustedNames". The client first issues an HTTP GET 285 request by appending "/.well-known/pvd" to the trusted name, using 286 the "https" scheme. In order to validate the designation, the PvD 287 JSON MUST contain a "dohTemplate" key pointing to the correct DoH 288 resolver. The client's query for the IP addresses of the trusted 289 name MAY use the DoH resolver prior to fully validating the 290 designation, since the validation uses HTTPS to authenticate the 291 designation. 293 Note that the names listed in "trustedNames" are only useful for 294 confirming a designation that was indicated either by a non-DNSSEC- 295 signed SVCB designation (Section 3.1), or an additional designation 296 provided by the DoH resolver's PvD (Section 3.2). A trusted name 297 MUST be an exact match of a designating name, or else a parent of a 298 designating name. 300 If a name has more specific sub-domains that should not be allowed to 301 designate a given DoH resolver, this method of confirmation MUST NOT 302 be used. 304 As an example of this process, the JSON dictionary for the DoH server 305 "https://doh.example.net/dns-query", which is retrieved from 306 "https://doh.example.net/.well-known/pvd/dns-query", could contain 307 the following contents: 309 { 310 "identifier": "doh.example.net.", 311 "dohTemplate": "https://doh.example.net/dns-query", 312 "dnsZones": ["example.com"], 313 "trustedNames": ["example.com"], 314 "expires": "2020-08-23T06:00:00Z" 315 } 317 This indicates that "example.com" should be treated as a designated 318 domain, and that it can be validated by checking with the 319 "example.com" server rather than using DNSSEC. 321 In this example, the well-known URI used for validation is 322 "https://example.com/.well-known/pvd". In order to trust the 323 designation, this request must return valid JSON with the 324 "dohTemplate" key matching the original DoH resolver. For example, 325 this dictionary could contain the following contents: 327 { 328 "identifier": "example.com.", 329 "dohTemplate": "https://doh.example.net/dns-query", 330 "expires": "2020-08-23T06:00:00Z" 331 } 333 A client MUST NOT trust a designation if the JSON content is not 334 present, does not contain a "dohTemplate" key, or the value in the 335 "dohTemplate" key does not match. The following result would not be 336 acceptable for the example above: 338 { 339 "identifier": "example.com.", 340 "dohTemplate": "https://not-the-doh-youre-looking-for.example.net/dns-query" 341 "expires": "2020-08-23T06:00:00Z" 342 } 344 Note that the domains listed in "trustedNames" may be broader than 345 the zones that designate the resolver. In the following example, 346 names under "foo.example.com" and "bar.example.com" designate the DoH 347 server "https://doh.example.net/dns-query", and use the PvD JSON from 348 "example.com" to validate the designation. However, the client would 349 not designate the DoH server for all names under "example.com". 351 { 352 "identifier": "doh.example.net.", 353 "dohTemplate": "https://doh.example.net/dns-query", 354 "dnsZones": ["foo.example.com", "bar.example.com"], 355 "trustedNames": ["example.com"], 356 "expires": "2020-08-23T06:00:00Z" 357 } 359 3.4. Confirmation of Designation with TLS Certificates 361 A DoH server designation can also be validated by checking the 362 SubjectAlternativeName field in the DoH server's own TLS certificate. 363 When a client wants to confirm the validity of the designation in 364 this situation, it can check the TLS certificate of the DoH server 365 for the name of the domain which triggered the original designation 366 query. 368 The following example shows an HTTPS variant of the SVCB record type 369 for "foo.example.com". If this record was received without DNSSEC, 370 the client can confirm its validity by establishing a connection to 371 "doh.example.net" and verifying the TLS certificate contains an exact 372 match for the "foo.example.com" name. If the queried domain is not 373 present in the TLS certificate of the designated DoH server, the 374 client may confirm the validity by an alternate method such as zone 375 apex confirmation (Section 3.3) but MUST NOT use the record until 376 otherwise validated. 378 foo.example.com. 7200 IN HTTPS 1 . ( 379 dohuri=https://doh.example.net/dns-query ) 381 4. Explicit Discovery of Local Resolvers 383 If the local network provides configuration with an Explicit 384 Provisioning Domain (PvD), as defined by 385 [I-D.ietf-intarea-provisioning-domains], clients can learn about 386 domains for which the local network's resolver is authoritative. The 387 keys for DoH resolvers described in Section 3.2 also allow this local 388 PvD to be used for resolver discovery. 390 If an RA provided by the router on the network defines an Explicit 391 PvD that has additional information, and this additional information 392 JSON dictionary contains the key "dohTemplate", then the client 393 SHOULD add this DoH server to its list of known DoH configurations. 394 The domains that the DoH server claims authority for are listed in 395 the "dnsZones" key. 397 Local deployments that want to designate a resolver for a private 398 name that is not easily signed with DNSSEC MUST provide an alternate 399 method of validating a designation, such as described in Section 3.3 400 or Section 3.4. 402 5. Discovery of DoH Capabilities for Direct Resolvers 404 Direct Resolvers can advertise a Companion DoH server that offers 405 equivalent services and is controlled by the same entity. To do 406 this, a DNS server returns an SVCB record for "dns://resolver.arpa" 407 with "ipv4hint" and/or "ipv6hint" set to a valid IP address and the 408 "dohuri" key set to a valid DoH URI template as with the Designated 409 DoH Server SVCB record. The TLS certificate used with the DoH URI 410 MUST have the IP addresses for each of its DNS endpoints, classic or 411 DoH, within the SubjectAlternativeName field to allow the client to 412 verify ownership. 414 Once a client is configured to query a Direct Resolver, it SHOULD 415 query the resolver for SVCB records for "dns://resolver.arpa" before 416 making other queries. This will help the client avoid leaking 417 queries that could go over DoH once the Companion DoH Server is 418 discovered. If an SVCB record is returned, its "dohip" field 419 designates an IP address the client can send DoH queries to in lieu 420 of sending classic DNS queries to the Direct Resolver. The "dohuri" 421 field contains the DoH URI similarly to the SVCB record for a 422 Designated DoH Server. 424 To validate the Companion DoH Server and the resolver that advertised 425 it are related, the client MUST check the SubjectAlternativeName 426 field of the Companion DoH Server's TLS certificate for the original 427 resolver's IP address and the advertised IP address for the Companion 428 DoH server. If both are present, the discovered Companion DoH Server 429 MUST be used whenever the original Direct Resolver would be used. 430 Otherwise, the client SHOULD suppress queries for Companion DoH 431 Servers against this resolver for the TTL of the negative or invalid 432 response and continue to use the original Direct Resolver. 434 The following example shows a record containing a Companion DoH URI, 435 as returned by a query for an SVCB record for "dns://resolver.arpa": 437 _dns.resolver.arpa 7200 IN SVCB 1 doh.example.net ( 438 ipv4hint=x.y.z.w 439 dohuri=https://doh.example.net/dns-query ) 441 A DNS resolver MAY return more than one SVCB record of this form to 442 advertise multiple Companion DoH Servers that are valid as a 443 replacement for itself. Any or all of these servers may have the 444 same IP address as the DNS resolver itself. In this case, clients 445 will only have one IP address to check for when verifying ownership 446 of the Companion DoH server. 448 6. Server Deployment Considerations 450 When servers designate DoH servers for their names, the specific 451 deployment model can impact the effective privacy and performance 452 characteristics. 454 6.1. Single Content Provider 456 If a name always resolves to server IP addresses that are hosted by a 457 single content provider, the name ought to designate a single DoH 458 server. This DoH server will be most optimal when it is designated 459 by many or all names that are hosted by the same content provider. 460 This ensures that clients can increase connection reuse to reduce 461 latency in connection setup. 463 A DoH server that corresponds to the content provider that hosts 464 content has an opportunity to tune the responses provided to a client 465 based on the location inferred by the client IP address. 467 6.2. Multiple Content Providers 469 Some hostnames may resolve to server IP addresses that are hosted by 470 multiple content providers. In such scenarios, the deployment may 471 want to be able to control the percentage of traffic that flows to 472 each content provider. 474 In these scenarios, there can either be: 476 * multiple designated DoH servers that are advertised via SVCB DNS 477 Records; or, 479 * a single designated DoH server that can be referenced by one or 480 more SVCB DNS Records, operated by a party that is aware of both 481 content providers and can manage splitting the traffic. 483 If a server deployment wants to easily control the split of traffic 484 between different content providers, it ought to use the latter model 485 of using a single designated DoH server that can better control which 486 IP addresses are provided to clients. Otherwise, if a client is 487 aware of multiple DoH servers, it might use a single resolver 488 exclusively, which may lead to inconsistent behavior between clients 489 that choose different resolvers. 491 6.3. Avoid Narrow Deployments 493 Using designated DoH servers can improve the privacy of name 494 resolution whenever a DoH server is designated by many different 495 names within one or more domains. This limits the amount of 496 information leaked to an attacker observing traffic between a client 497 and a DoH server: the attacker only learns that the client might be 498 resolving one of the many names for which the server is designated. 500 However, if a deployment designates a given DoH server for only one 501 name, or a very small set of names, then it becomes easier for an 502 attacker to infer that a specific name is being accessed by a client. 503 For this reason, deployments are encouraged to avoid deploying a DoH 504 server that is only designated by a small number of names. Clients 505 can also choose to only allow DoH servers that are associated with 506 many names. 508 Beyond the benefits to privacy, having a larger number of names 509 designate a given DoH server improves the opportunity for DoH 510 connection reuse, which can improve the performance of name 511 resolutions. 513 7. Security Considerations 515 In order to avoid interception and modification of the information 516 sent between clients and Designated Resolvers, all exchanges between 517 clients and servers are performed over encrypted connections, e.g., 518 TLS. 520 Malicious adversaries may block client connections to a Designated 521 Resolver as a Denial-of-Service (DoS) measure. Clients which cannot 522 connect these resolvers may be forced to, if local policy allows, 523 fall back to unencrypted DNS if this occurs. 525 8. Privacy Considerations 527 Clients must be careful in determining to which DoH servers they send 528 queries directly. A malicious resolver that can direct queries to 529 itself can track or profile client activity. In order to avoid the 530 possibility of a spoofed SVCB record designating a malicious DoH 531 server for a name, clients MUST ensure that such records validate 532 using DNSSEC (Section 3.1), using zone apex confirmation 533 (Section 3.3), or using domain names in TLS certificates 534 (Section 3.4). 536 Even servers that are validly designated can risk leaking or logging 537 information about client lookups. Such risk can be mitigated by 538 further restricting the list of resolvers that are allowed for direct 539 use based on client policy. 541 An adversary able to see traffic on each path segment of a DoH query 542 (e.g., from client to a Designated Resolver, and the Designated 543 Resolver to an authoritative DNS server) can link queries to specific 544 clients with high probability. Failure to observe traffic on any one 545 of these path segments makes this linkability increasingly difficult. 546 For example, if an adversary can only observe traffic between a 547 client and proxy and egress traffic from a target, then it may be 548 difficult identify a specific client's query among the recursive 549 queries generated by the target. 551 9. IANA Considerations 553 9.1. DoH Template PvD Key 555 This document adds a key to the "Additional Information PvD Keys" 556 registry [I-D.ietf-intarea-provisioning-domains]. 558 +============+=============+======+=================================+ 559 | JSON key | Description | Type | Example | 560 +============+=============+======+=================================+ 561 |dohTemplate | DoH URI |String| "https://dnsserver.example.net/ | 562 | | Template | | dns-query{?dns}" | 563 | | [RFC8484] | | | 564 +------------+-------------+------+---------------------------------+ 566 Table 1 568 9.2. Trusted Names PvD Key 570 This document adds a key to the "Additional Information PvD Keys" 571 registry [I-D.ietf-intarea-provisioning-domains]. 573 +==============+=======================+=========+===============+ 574 | JSON key | Description | Type | Example | 575 +==============+=======================+=========+===============+ 576 | trustedNames | Names of servers that | Array | [ | 577 | | can validate resolver | of | "example.com" | 578 | | designation. | Strings | ] | 579 +--------------+-----------------------+---------+---------------+ 581 Table 2 583 9.3. DoH URI Template DNS Service Parameter 585 This document adds a parameter to the "Service Binding (SVCB) 586 Parameter" registry. The allocation request is 32768, taken from the 587 to the First Come First Served range. 589 If present, this parameters indicates the URI template of a DoH 590 server that is designated for use with the name being resolved. This 591 is a string encoded as UTF-8 characters. 593 Name: dohuri 595 SvcParamKey: 32768 597 Meaning: URI template for a designated DoH server 599 Reference: This document. 601 9.4. Special Use Domain Name "resolver.arpa" 603 This document calls for the creation of the "resolver.arpa" SUDN. 604 This will allow resolvers to respond to queries directed at 605 themselves rather than a specific domain name. While this document 606 uses "resolver.arpa" to return SVCB records indicating DoH 607 capability, the name is generic enough to allow future reuse for 608 other purposes where the resolver wishes to provide information about 609 itself to the client. 611 10. Acknowledgments 613 Thanks to Erik Nygren, Lorenzo Colitti, Mikael Abrahamsson, Ben 614 Schwartz, Ask Hansen, Leif Hedstrom, Tim McCoy, Stuart Cheshire, 615 Miguel Vega, Joey Deng, Ted Lemon, and Elliot Briggs for their 616 feedback and input on this document. 618 11. References 620 11.1. Normative References 622 [I-D.ietf-dnsop-svcb-https] 623 Schwartz, B., Bishop, M., and E. Nygren, "Service binding 624 and parameter specification via the DNS (DNS SVCB and 625 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 626 dnsop-svcb-https-00, 12 June 2020, . 629 [I-D.ietf-intarea-provisioning-domains] 630 Pfister, P., Vyncke, E., Pauly, T., Schinazi, D., and W. 631 Shao, "Discovering Provisioning Domain Names and Data", 632 Work in Progress, Internet-Draft, draft-ietf-intarea- 633 provisioning-domains-11, 31 January 2020, 634 . 637 [I-D.ietf-tls-esni] 638 Rescorla, E., Oku, K., Sullivan, N., and C. Wood, "TLS 639 Encrypted Client Hello", Work in Progress, Internet-Draft, 640 draft-ietf-tls-esni-07, 1 June 2020, . 643 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 644 Rose, "DNS Security Introduction and Requirements", 645 RFC 4033, DOI 10.17487/RFC4033, March 2005, 646 . 648 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 649 and P. Hoffman, "Specification for DNS over Transport 650 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 651 2016, . 653 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 654 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 655 . 657 11.2. Informative References 659 [I-D.schinazi-httpbis-doh-preference-hints] 660 Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference 661 Hints for HTTP", Work in Progress, Internet-Draft, draft- 662 schinazi-httpbis-doh-preference-hints-01, 8 January 2020, 663 . 666 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 667 Requirement Levels", BCP 14, RFC 2119, 668 DOI 10.17487/RFC2119, March 1997, 669 . 671 [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 672 Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, 673 . 675 [RFC5507] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch, 676 Ed., "Design Choices When Expanding the DNS", RFC 5507, 677 DOI 10.17487/RFC5507, April 2009, 678 . 680 [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 681 "IPv6 Router Advertisement Options for DNS Configuration", 682 RFC 8106, DOI 10.17487/RFC8106, March 2017, 683 . 685 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 686 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 687 May 2017, . 689 Appendix A. Rationale for using SVCB records 691 This mechanism uses SVCB/HTTPS resource records 692 [I-D.ietf-dnsop-svcb-https] to communicate that a given domain 693 designates a particular DoH resolver for clients to use for 694 subsequent queries to within the domain. 696 There are various other proposals for how to provide similar 697 functionality. There are several reasons that this mechanism has 698 chosen SVCB records: 700 * Discovering encrypted resolver using DNS records keeps client 701 logic for DNS self-contained, and allows an operator of a DNS zone 702 to define exactly which names should use a given DoH server. 704 * Using DNS records also doesn't rely on bootstrapping with higher- 705 level application operations (such as 706 [I-D.schinazi-httpbis-doh-preference-hints]). 708 * SVCB records are extensible and allow definition of parameter 709 keys. This makes them a superior mechanism for extensibility, as 710 compared to approaches such as overloading TXT records. The same 711 keys can be used both for upgrading direct resolvers to DoH 712 through an explicit query (Section 5) and for discovering 713 designated resolvers when issuing standard HTTPS queries 714 (Section 3.1). 716 * Clients and servers that are interested in privacy of names will 717 already need to support SVCB records in order to use Encrypted TLS 718 Client Hello [I-D.ietf-tls-esni]. Without encrypting names in 719 TLS, the value of encrypting DNS is reduced, so pairing the 720 solutions provides the largest benefit. 722 * Clients that support SVCB will generally send out three queries 723 when accessing web content on a dual-stack network: A, AAAA, and 724 HTTPS queries. Discovering a resolver designation for a zone as 725 part of one of these queries, without having to add yet another 726 query, minimizes the total number of queries clients send. While 727 [RFC5507] recommends adding new RRTypes for new functionality, 728 SVCB provides an extension mechanism that simplifies client 729 behavior. 731 Authors' Addresses 733 Tommy Pauly 734 Apple Inc. 735 One Apple Park Way 736 Cupertino, California 95014, 737 United States of America 739 Email: tpauly@apple.com 741 Eric Kinnear 742 Apple Inc. 743 One Apple Park Way 744 Cupertino, California 95014, 745 United States of America 747 Email: ekinnear@apple.com 749 Christopher A. Wood 750 Cloudflare 751 101 Townsend St 752 San Francisco, 753 United States of America 755 Email: caw@heapingbits.net 757 Patrick McManus 758 Fastly 760 Email: mcmanus@ducksong.com 761 Tommy Jensen 762 Microsoft 764 Email: tojens@microsoft.com