idnits 2.17.1 draft-pauly-ipsecme-split-dns-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 21, 2016) is 2774 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD IANA' is mentioned on line 355, but not defined == Missing Reference: 'TBD' is mentioned on line 471, but not defined Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: March 25, 2017 Red Hat 6 September 21, 2016 8 Split DNS Configuration for IKEv2 9 draft-pauly-ipsecme-split-dns-02 11 Abstract 13 This document defines two Configuration Payload Attribute Types for 14 the IKEv2 protocol that add support for private DNS domains. These 15 domains should be resolved using DNS servers reachable through an 16 IPsec connection, while leaving all other DNS resolution unchanged. 17 This approach of resolving a subset of domains using non-public DNS 18 servers is referred to as "Split DNS". 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on March 25, 2017. 37 Copyright Notice 39 Copyright (c) 2016 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 56 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 58 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 59 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 60 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 61 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 62 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 63 3.4.2. Requesting Limited Domains . . . . . . . . . . . . . 6 64 3.4.3. Requesting Domains and DNSSEC trust anchors . . . . . 6 65 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 7 66 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 7 67 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 8 68 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 73 8.2. Informative References . . . . . . . . . . . . . . . . . 11 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 76 1. Introduction 78 Split DNS is a common configuration for secure tunnels, such as 79 Virtual Private Networks in which host machines private to an 80 organization can only be resolved using internal DNS resolvers 81 [RFC2775]. In such configurations, it is often desirable to only 82 resolve hosts within a set of private domains using the tunnel, while 83 letting resolutions for public hosts be handled by a device's default 84 DNS configuration. 86 The Internet Key Exchange protocol version 2 [RFC7296] negotiates 87 configuration parameters using Configuration Payload Attribute Types. 88 This document defines two Configuration Payload Attribute Types that 89 add support for trusted Split DNS domains. 91 The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more 92 DNS domains that should be resolved only using the provided DNS 93 nameserver IP addresses, causing these requests to use the IPsec 94 connection. 96 The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust 97 anchors for those domains. 99 When only a subset of traffic is routed into a private network using 100 an IPsec SA, these Configuration Payload options can be used to 101 define which private domains should be resolved through the IPsec 102 connection without affecting the client's global DNS resolution. 104 For the purposes of this document, DNS resolution servers accessible 105 through an IPsec connection will be referred to as "internal DNS 106 servers", and other DNS servers will be referred to as "external DNS 107 servers". 109 A client using these configuration payloads will be able to request 110 and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN 111 and INTERNAL_DNSSEC_TA configuration attributes. The client device 112 can use the internal DNS server(s) for any DNS queries within the 113 assigned domains, while routing other DNS queries to its regular 114 external DNS server. 116 1.1. Requirements Language 118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 120 document are to be interpreted as described in RFC 2119 [RFC2119]. 122 2. Background 124 Split DNS is a common configuration for enterprise VPN deployments, 125 in which only one or a few private DNS domains are accessible and 126 resolvable via an IPsec based VPN connection. 128 Other tunnel-establishment protocols already support the assignment 129 of Split DNS domains. For example, there are proprietary extensions 130 to IKEv1 that allow a server to assign Split DNS domains to a client. 131 However, the IKEv2 standard does not include a method to configure 132 this option. This document defines a standard way to negotiate this 133 option for IKEv2. 135 3. Protocol Exchange 137 In order to negotiate which domains are considered internal to an 138 IKEv2 tunnel, initiators indicate support for Split DNS in their 139 CFG_REQUEST payloads, and responders assign internal domains (and 140 DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS 141 has been negotiated, the existing DNS server configuration attributes 142 will be interpreted as internal DNS servers that can resolve 143 hostnames within the internal domains. 145 3.1. Configuration Request 147 To indicate support for Split DNS, an initiator sending a CFG_REQUEST 148 payload MAY include one or more INTERNAL_DNS_DOMAIN attributes as 149 defined in Section 4. If an INTERNAL_DNS_DOMAIN attribute is 150 included in the CFG_REQUEST, the initiator SHOULD also include one or 151 both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in its 152 CFG_REQUEST. 154 If the length of the INTERNAL_DNS_DOMAIN attribute is zero, then the 155 initiator is requesting that the attribute be assigned without 156 restricting the subdomains that it will accept. 158 If the length of the INTERNAL_DNS_DOMAIN is greater than zero, the 159 value is a single DNS domain. The initiator is indicating that it 160 will only allow this domain and any sub-domains within this domain to 161 be resolved using the internal DNS servers. The list of 162 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST defines the full 163 set of domains the intiator is willing to resolve using the internal 164 DNS servers. 166 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 167 payload indicates that the initiator does not support or is unwilling 168 to accept Split DNS configuration. 170 To indicate support for DNSSEC, an initiator sending a CFG_REQUEST 171 payload MAY include one or more INTERNAL_DNS_TA attributes as defined 172 in Section 4. These payloads MUST immediately follow a 173 INTERNAL_DNS_DOMAIN attribute, which binds the DNSSEC trust anchor 174 request to the domain. 176 An initiator MAY convey its current DNSSEC trust anchors for the 177 domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does 178 not wish to convey this information, it MUST use a length of 0. 180 The absence of INTERNAL_DNS_TA attributes in the CFG_REQUEST payload 181 indicates that the initiator does not support or is unwilling to 182 accept DNSSEC trust anchor configuration. 184 3.2. Configuration Reply 186 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 187 their CFG_REPLY payload if the CFG_REQUEST contained at least one 188 INTERNAL_DNS_DOMAIN attribute. If the CFG_REQUEST did not contain an 189 INTERNAL_DNS_DOMAIN attribute, the responder MUST NOT include an 190 INTERNAL_DNS_DOMAIN attribute in the CFG_REPLY. If an 191 INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the 192 responder SHOULD also include one or both of the INTERNAL_IP4_DNS and 193 INTERNAL_IP6_DNS attributes in its CFG_REPLY. These DNS server 194 configurations are necessary to define which servers should receive 195 queries for hostnames in internal domains. If the CFG_REQUEST 196 included an INTERNAL_DNS_DOMAIN attribute, but the CFG_REPLY does not 197 include an INTERNAL_DNS_DOMAIN attribute, the initiator should behave 198 as if Split DNS configurations are not supported by the server. 200 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 201 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 203 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 204 zero lengths, the CFG_REPLY MUST NOT assign any domains in its 205 INTERNAL_DNS_DOMAIN attributes that are not contained within the 206 requested domains. The initiator SHOULD ignore any domains beyond 207 its requested list. 209 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, 210 one or more INTERNAL_DNSSEC_TA attributes MAY be included by the 211 responder. This attribute lists the corresponding DSSNEC trust 212 anchor in the DNS wire format of a DS record as specified in 213 [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST immediately follow 214 the INTERNAL_DNS_DOMAIN attribute that it applies to. 216 3.3. Mapping DNS Servers to Domains 218 All DNS servers provided in the CFG_REPLY MUST support resolving 219 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 220 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 221 single list of Split DNS domains that applies to the entire list of 222 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 224 3.4. Example Exchanges 226 3.4.1. Simple Case 228 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 229 INTERNAL_DNS_DOMAIN attributes in its CFG_REQUEST, but does not 230 specify any value for either. This indicates that it supports Split 231 DNS, but has no preference for which DNS requests should be routed 232 through the tunnel. 234 The responder replies with two DNS server addresses, and one internal 235 domain, "example.com". 237 Any subsequent DNS queries from the initiator for domains such as 238 "www.example.com" should use 198.51.100.2 or 198.51.100.4 to resolve. 240 CP(CFG_REQUEST) = 241 INTERNAL_IP4_ADDRESS() 242 INTERNAL_IP4_DNS() 243 INTERNAL_DNS_DOMAIN() 245 CP(CFG_REPLY) = 246 INTERNAL_IP4_ADDRESS(198.51.100.234) 247 INTERNAL_IP4_DNS(198.51.100.2) 248 INTERNAL_IP4_DNS(198.51.100.4) 249 INTERNAL_DNS_DOMAIN(example.com) 251 3.4.2. Requesting Limited Domains 253 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 254 INTERNAL_DNS_DOMAIN attributes in its CFG_REQUEST, specifically 255 requesting only "example.com" and "other.com". The responder replies 256 with two DNS server addresses, 198.51.100.2 and 198.51.100.4, and two 257 domains, "example.com" and "city.other.com". Note that one of the 258 domains in the CFG_REPLY, "city.other.com", is a subset of the 259 requested domain, "other.com". This indicates that hosts within 260 "other.com" that are not within "city.other.com" should be resolved 261 using an external DNS server. The CFG_REPLY would not be allowed to 262 respond with "com" or "example.net", however, since these were 263 contained within the limited set of requested domains. 265 Any subsequent DNS queries from the initiator for domains such as 266 "www.example.com" or "city.other.com" should use 198.51.100.2 or 267 198.51.100.4 to resolve. 269 CP(CFG_REQUEST) = 270 INTERNAL_IP4_ADDRESS() 271 INTERNAL_IP4_DNS() 272 INTERNAL_DNS_DOMAIN(example.com) 273 INTERNAL_DNS_DOMAIN(other.com) 275 CP(CFG_REPLY) = 276 INTERNAL_IP4_ADDRESS(198.51.100.234) 277 INTERNAL_IP4_DNS(198.51.100.2) 278 INTERNAL_IP4_DNS(198.51.100.4) 279 INTERNAL_DNS_DOMAIN(example.com) 280 INTERNAL_DNS_DOMAIN(city.other.com) 282 3.4.3. Requesting Domains and DNSSEC trust anchors 284 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 285 INTERNAL_DNS_DOMAIN and INTERNAL_DNS_TA attributess in its 286 CFG_REQUEST 287 Any subsequent DNS queries from the initiator for domains such as 288 "www.example.com" or "city.other.com" would be DNSSEC validated using 289 the DNSSEC trust anchor received in the CFG_REPLY 291 In this example, the initiator has no existing DNSSEC trust anchors 292 would the requested domain. the "example.com" dommain has DNSSEC 293 trust anchors that are returned, while the "other.com" domain has no 294 DNSSEC trust anchors 296 CP(CFG_REQUEST) = 297 INTERNAL_IP4_ADDRESS() 298 INTERNAL_IP4_DNS() 299 INTERNAL_DNS_DOMAIN(example.com) 300 INTERNAL_DNS_TA() 301 INTERNAL_DNS_DOMAIN(other.com) 302 INTERNAL_DNS_TA() 304 CP(CFG_REPLY) = 305 INTERNAL_IP4_ADDRESS(198.51.100.234) 306 INTERNAL_IP4_DNS(198.51.100.2) 307 INTERNAL_IP4_DNS(198.51.100.4) 308 INTERNAL_DNS_DOMAIN(example.com) 309 INTERNAL_DNS_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) 310 INTERNAL_DNS_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) 311 INTERNAL_DNS_DOMAIN(city.other.com) 313 4. Payload Formats 315 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type 317 1 2 3 318 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 319 +-+-----------------------------+-------------------------------+ 320 |R| Attribute Type | Length | 321 +-+-----------------------------+-------------------------------+ 322 | | 323 ~ Domain Name ~ 324 | | 325 +---------------------------------------------------------------+ 327 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 329 o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNS_DOMAIN. 331 o Length (2 octets, unsigned integer) - Length of domain name. 333 o Domain Name (0 or more octets) - A domain or subdomain used for 334 Split DNS rules, such as example.com. This is a string of ASCII 335 characters with labels separated by dots, with no trailing dot, 336 using IDNA [RFC5890] for non-ASCII DNS domains. The value is NOT 337 null-terminated. 339 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 341 1 2 3 342 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 343 +-+-----------------------------+-------------------------------+ 344 |R| Attribute Type | Length | 345 +-+-----------------------------+---------------+---------------+ 346 | Key Tag | Algorithm | Digest Type | 347 +-------------------------------+---------------+---------------+ 348 | | 349 ~ Digest ~ 350 | | 351 +---------------------------------------------------------------+ 353 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 355 o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. 357 o Length (2 octets, unsigned integer) - Length of DNSSEC Trust 358 Anchor data. 360 o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as 361 specified in [RFC4034] Section 5.1 363 o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security 364 Algorithm Numbers Registry 366 o DS algorithm (0 or 1 octet) - Value from the IANA Delegation 367 Signer (DS) Resource Record (RR) Type Digest Algorithms Registry 369 o Digest (0 or more octets) - The raw digest as specified in 370 [RFC4034] Section 5.1 372 5. Split DNS Usage Guidelines 374 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 375 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 376 servers as the default DNS server(s) for all queries. 378 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload, the client 379 SHOULD use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS 380 servers as the only resolvers for the listed domains and its sub- 381 domains and it SHOULD NOT attempt to resolve the provided DNS domains 382 using its external DNS servers. 384 If the initiator host is configured to block DNS answers containing 385 IP addresses from special IP address ranges such as those of 386 [RFC1918], the initiator SHOULD allow the DNS domains listed in the 387 INTERNAL_DNS_DOMAIN attributes to contain these IP addresses. 389 If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes, 390 the client SHOULD configure its DNS resolver to resolve those domains 391 and all their subdomains using only the DNS resolver(s) listed in 392 that CFG_REPLY message. If those resolvers fail, those names SHOULD 393 NOT be resolved using any other DNS resolvers. All other domain 394 names MUST be resolved using some other external DNS resolver(s), 395 configured independently, and SHOULD NOT be sent to the internal DNS 396 resolver(s) listed in that CFG_REPLY message. For example, if the 397 INTERNAL_DNS_DOMAIN attribute specifies "example.com", then 398 "example.com", "www.example.com" and "mail.eng.example.com" MUST be 399 resolved using the internal DNS resolver(s), but "anotherexample.com" 400 and "ample.com" MUST be resolved using the system's external DNS 401 resolver(s). 403 An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing 404 domains that are designated Special Use Domain Names in [RFC6761], 405 such as "local", "localhost", "invalid", etc. Although it may 406 explicitly wish to support some Special Use Domain Names. 408 When an IPsec connection is terminated, the DNS forwarding must be 409 unconfigured. The DNS forwarding itself MUST be be deleted. All 410 cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be 411 flushed. This includes negative cache entries. Obtained DNSSEC 412 trust anchors MUST be removed from the list of trust anchors. The 413 outstanding DNS request queue MAY be cleared. 415 A domain that is served via INTERNAL_DNS_DOMAIN MUST NOT have 416 indirect references to DNS records that point to other Split DNS 417 domains that are not served via INTERNAL_DNS_DOMAIN attributes. 418 Indirect reference RRtypes include CNAME, DNAME, MX and SRV RR's. 420 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be 421 used on split tunnel configurations where only a subset of traffic is 422 routed into a private remote network using the IPsec connection. If 423 all traffic is routed over the IPsec connection, the existing global 424 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 425 specific DNS exemptions. 427 6. Security Considerations 429 The use of Split DNS configurations assigned by an IKEv2 responder is 430 predicated on the trust established during IKE SA authentication. 431 However, if IKEv2 is being negotiated with an anonymous or unknown 432 endpoint (such as for Opportunistic Security [RFC7435]), the 433 initiator MUST ignore Split DNS configurations assigned by the 434 responder. 436 If a host connected to an authenticated IKE peer is connecting to 437 another IKE peer that attempts to claim the same domain via the 438 INTERNAL_DNS_DOMAIN attribute, the IKE connection should be 439 terminated. 441 If the IP address value of the received INTERNAL_IP4_DNS or 442 INTERNAL_IP6_DNS attribute is not covered by the proposed IPsec 443 connection, then the local DNS should not be reconfigured until a 444 CREATE_CHILD Exchange is received that covers these IP addresses. 446 INTERNAL_DNSSEC_TA directives MUST immediately follow an 447 INTERNAL_DNS_DOMAIN directive. As the INTERNAL_DNSSEC_TA format 448 itself does not contain the domain name, it relies on the preceding 449 INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the 450 trust anchor. 452 If the initiator is using DNSSEC validation for a domain in its 453 public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN 454 attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure 455 its DNS resolver to allow for an insecure delegation. It SHOULD NOT 456 accept insecure delegations for domains that are DNSSEC signed in the 457 public DNS view, for which it has not explicitely requested such 458 deletation by specifying the domain specifically using a 459 INTERNAL_DNS_DOMAIN(domain) request. 461 7. IANA Considerations 463 This document defines two new IKEv2 Configuration Payload Attribute 464 Types, which are allocated from the "IKEv2 Configuration Payload 465 Attribute Types" namespace. 467 Multi- 468 Value Attribute Type Valued Length Reference 469 ------ ------------------- ------ ---------- --------------- 470 [TBD] INTERNAL_DNS_DOMAIN YES 0 or more [this document] 471 [TBD] INTERNAL_DNSSEC_TA YES 0 or more [this document] 473 Figure 1 475 8. References 476 8.1. Normative References 478 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 479 and E. Lear, "Address Allocation for Private Internets", 480 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 481 . 483 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 484 Requirement Levels", BCP 14, RFC 2119, 485 DOI 10.17487/RFC2119, March 1997, 486 . 488 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 489 Rose, "Resource Records for the DNS Security Extensions", 490 RFC 4034, DOI 10.17487/RFC4034, March 2005, 491 . 493 [RFC5890] Klensin, J., "Internationalized Domain Names for 494 Applications (IDNA): Definitions and Document Framework", 495 RFC 5890, DOI 10.17487/RFC5890, August 2010, 496 . 498 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 499 Kivinen, "Internet Key Exchange Protocol Version 2 500 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 501 2014, . 503 8.2. Informative References 505 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 506 DOI 10.17487/RFC2775, February 2000, 507 . 509 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 510 RFC 6761, DOI 10.17487/RFC6761, February 2013, 511 . 513 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 514 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 515 December 2014, . 517 Authors' Addresses 518 Tommy Pauly 519 Apple Inc. 520 1 Infinite Loop 521 Cupertino, California 95014 522 US 524 Email: tpauly@apple.com 526 Paul Wouters 527 Red Hat 529 Email: pwouters@redhat.com