Network Working Group                                        T. Peterson
Internet-Draft                                            April 27, 2019
Intended status: Standards Track
Expires: October 29, 2019

   DNS over Transport Layer Security announcements using DHCP or Router
                             Advertisements
                       draft-peterson-dot-dhcp-00

Abstract

   This specification describes a DHCPv4 option, a DHCPv6 option and an
   IPv6 Router Advertisement (RA) option that inform clients of DNS
   resolvers which accept queries over Transport Layer Security (TLS),
   that is, DNS over TLS (DoT).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 29, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  The DNS over TLS Option
     3.1.  IPv4 DHCP Option
     3.2.  IPv6 DHCP Option
     3.3.  The DoT IPv6 RA Option
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Acknowledgments
   Author's Address

1.  Introduction

   DHCPv4 [RFC2131], the DHCPv6 DNS configuration options [RFC3646], and
   IPv6 Router Advertisements [RFC8106] all provide a means to inform
   clients of available resolvers, but only for the incumbent DNS
   protocol, i.e. cleartext queries over UDP or TCP.  None of them can
   signal that a resolver accepts queries over an alternate transport
   such as DNS over TLS (DoT).  This document defines a DoT announcement
   for each of the three mechanisms, carrying the addresses of resolvers
   that accept DoT queries.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The DNS over TLS Option

3.1.  IPv4 DHCP Option

   The format of the IPv4 DoT DHCP option is shown below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |      Len      |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                          DNS Servers                          |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code:  The DoT DHCPv4 option code (one octet), to be assigned by
      IANA (see Section 5).

   Len:  Length of the DNS Servers list in octets.  Since each entry is
      an IPv4 address, the value is a non-zero multiple of 4, and the
      number of servers in the option is Len / 4.

   DNS Servers:  One or more IPv4 addresses of DNS servers that accept
      DoT queries.

3.2.  IPv6 DHCP Option

   The format of the IPv6 DoT DHCP option is shown below.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          option-code          |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                          DNS Servers                          |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  The DoT DHCPv6 option code (two octets), to be
      assigned by IANA (see Section 5).

   option-len:  Length of the list of DNS servers in octets, which MUST
      be a non-zero multiple of 16.  The number of servers in the
      option is option-len / 16.

   DNS Servers:  One or more IPv6 addresses of DNS servers that accept
      DoT queries.

3.3.  The DoT IPv6 RA Option

   The format of the DoT Router Advertisement option is shown below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |      Len      |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                          DNS Servers                          |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  The DoT RA option type (one octet), to be assigned by IANA
      (see Section 5).

   Length:  8-bit unsigned integer giving the length of the entire
      option, all fields included, in units of 8 octets.  The minimum
      value is 3 when one DNS server is contained in the option, and
      every additional DNS server increases the value by 2.  The
      receiver uses this field to determine the number of DNS server
      addresses in the option.  Valid values are therefore odd; a
      receiver that sees an even value, or a value below 3, cannot
      derive a whole number of addresses and should treat the option
      as malformed.

      Note that these values imply an 8-octet header in front of the
      first address (3 units = 24 octets for a single 16-octet
      address), i.e. six octets following the Len field, as in the
      RDNSS option of [RFC8106], where they carry a Reserved field and
      a Lifetime.  The figure above shows only Type and Len before the
      addresses; the figure and the Length rule need to be reconciled.

   DNS Servers:  One or more IPv6 addresses of DNS servers that accept
      DoT queries.  The number of addresses is determined by the
      Length field: it is equal to (Length - 1) / 2.

4.  Security Considerations

   An attacker with the ability to inject DHCP messages or Router
   Advertisements on the local link could include this option and
   present a malicious resolver.  Neither DHCP nor RA is authenticated
   in common deployments, so this option is exactly as trustworthy as
   the existing DNS server options it complements: it changes the
   transport the client uses, not who chose the resolver.

   The option carries resolver IP addresses only.  It provides no
   authentication domain name, certificate, or other identity for the
   resolver, so a client that learns a resolver this way can only
   validate the resolver's TLS certificate against its IP address, or
   fall back to an opportunistic (unauthenticated) TLS session in the
   sense of the usage profiles of RFC 8310.  Such a session hides
   queries from passive observers on the path, but it does not protect
   against the injecting attacker above, who can simply run a
   TLS-capable resolver at the announced address.  Clients that require
   an authenticated resolver need identity information from a source
   other than this option.

   TODO: Further risk and threat assessments.

5.  IANA Considerations

   TODO: This section must be updated after assignments have been
   issued.
   This document requires the assignment of an option code under the
   "BOOTP Vendor Extensions and DHCP Options" registry [bootp-registry],
   an option code under the "Option Codes" registry of the DHCPv6
   parameters [dhcpv6-registry], and an IPv6 RA Option Type from the
   "IPv6 Neighbor Discovery Option Formats" registry of the ICMPv6
   parameters [icmpv6-registry].

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

6.2.  Informative References

   [bootp-registry]
              "Dynamic Host Configuration Protocol (DHCP) and Bootstrap
              Protocol (BOOTP) Parameters", n.d.

   [dhcpv6-registry]
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              n.d.

   [icmpv6-registry]
              "Internet Control Message Protocol version 6 (ICMPv6)
              Parameters", n.d.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC3646]  Droms, R., Ed., "DNS Configuration options for Dynamic
              Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
              DOI 10.17487/RFC3646, December 2003.

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017.

Acknowledgments

   TODO

Author's Address

   Thomas Peterson

   Email: nosretep.samoht@gmail.com
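   Worked example for the three formats of Section 3, added by the
   technical editor; this is not code from the draft or from any
   implementation the draft describes.  It encodes and strictly decodes
   the DHCPv4 option, the DHCPv6 option and the RA option, and goes one
   step beyond the text with a walker over a DHCPv4 options field (the
   RFC 2131 tag/length layout with pad = 0 and end = 255) so the DoT
   option can be located among the other options a server sends.  The
   option codes and the RA option type are still TODO in the draft, so
   every function takes them as a parameter; the values in the demo and
   tests (224, 65000, 250) and the 192.0.2.0/24 and 2001:db8::/32
   addresses are placeholders constructed for this example, not IANA
   assignments.  For the RA option the code assumes the 8-octet header
   that the Length rule of Section 3.3 implies (Type, Len and six zero
   octets before the first address), which the figure in that section
   does not show.  The decoders reject any length that is zero, not a
   multiple of the address size, or inconsistent with the bytes
   actually received, which is the check a client parsing untrusted
   link-local traffic needs before it slices out addresses.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

# Assumption (see Section 3.3): Length = 1 + 2n in 8-octet units implies
# an 8-octet header, i.e. six octets after Len that the figure omits.
RA_HEADER_LEN = 8


def encode_dhcpv4_dot_option(code: int, servers: List[str]) -> bytes:
    """Code (1 octet) | Len (1 octet) | 4 octets per IPv4 server."""
    body = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if not body or len(body) > 255:
        raise ValueError("need 1..63 IPv4 servers")
    return bytes([code, len(body)]) + body


def decode_dhcpv4_dot_option(option: bytes) -> Tuple[int, List[str]]:
    """Return (code, servers); reject truncated or misaligned lists."""
    if len(option) < 2:
        raise ValueError("truncated option header")
    code, length, body = option[0], option[1], option[2:]
    if length == 0 or length % 4 or len(body) != length:
        raise ValueError("Len must be a non-zero multiple of 4 matching the payload")
    return code, [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def find_dhcpv4_option(options_field: bytes, code: int) -> Optional[bytes]:
    """Walk an RFC 2131 options field (pad=0, end=255); return the first
    option with the given code as raw bytes, or None if absent."""
    i = 0
    while i < len(options_field):
        tag = options_field[i]
        if tag == 255:                      # End option
            return None
        if tag == 0:                        # Pad option has no length octet
            i += 1
            continue
        if i + 1 >= len(options_field):
            raise ValueError("option header runs past end of field")
        end = i + 2 + options_field[i + 1]
        if end > len(options_field):
            raise ValueError("option length runs past end of field")
        if tag == code:
            return options_field[i:end]
        i = end
    return None


def encode_dhcpv6_dot_option(code: int, servers: List[str]) -> bytes:
    """option-code (2) | option-len (2) | 16 octets per IPv6 server."""
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    if not body or len(body) > 0xFFFF:
        raise ValueError("need 1..4095 IPv6 servers")
    return struct.pack("!HH", code, len(body)) + body


def decode_dhcpv6_dot_option(option: bytes) -> Tuple[int, List[str]]:
    """Return (option-code, servers); option-len MUST be a multiple of 16."""
    if len(option) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", option[:4])
    body = option[4:]
    if length == 0 or length % 16 or len(body) != length:
        raise ValueError("option-len must be a non-zero multiple of 16 matching the payload")
    return code, [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, length, 16)]


def encode_ra_dot_option(opt_type: int, servers: List[str]) -> bytes:
    """Type (1) | Length (1, 8-octet units) | 6 zero octets | 16 per server.
    Length = 1 + 2n: 3 for one server, +2 for each additional server."""
    n = len(servers)
    if n < 1 or 1 + 2 * n > 255:
        raise ValueError("need 1..127 IPv6 servers")
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return bytes([opt_type, 1 + 2 * n]) + bytes(RA_HEADER_LEN - 2) + body


def decode_ra_dot_option(option: bytes) -> Tuple[int, List[str]]:
    """Return (type, servers), deriving the count as (Length - 1) / 2."""
    if len(option) < 2:
        raise ValueError("truncated option header")
    opt_type, length = option[0], option[1]
    if length < 3 or length % 2 == 0 or len(option) != 8 * length:
        raise ValueError("Length must be odd, >= 3, and match the option size")
    n = (length - 1) // 2
    body = option[RA_HEADER_LEN:]
    return opt_type, [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, 16 * n, 16)]


if __name__ == "__main__":
    # Placeholder codes and documentation-range addresses, constructed here.
    v4 = encode_dhcpv4_dot_option(224, ["192.0.2.53", "192.0.2.54"])
    field = bytes([53, 1, 2, 6, 4, 192, 0, 2, 1]) + v4 + b"\xff"  # msg type, DNS, DoT, end
    print(decode_dhcpv4_dot_option(find_dhcpv4_option(field, 224)))
    print(decode_dhcpv6_dot_option(encode_dhcpv6_dot_option(65000, ["2001:db8::53"])))
    print(decode_ra_dot_option(encode_ra_dot_option(250, ["2001:db8::53", "2001:db8::54"])))
```

   The decoders deliberately take the whole option rather than a
   length-prefixed view into a larger buffer: the caller slices the
   option out first (as find_dhcpv4_option does) and the decoder then
   checks that the declared length and the bytes it was handed agree,
   so a malformed or truncated announcement fails closed instead of
   yielding a partial or misaligned address list.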