idnits 2.17.1 draft-peterson-dot-dhcp-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------
     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------
  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year
  -- The document date (July 22, 2019) is 1737 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------
     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)
  == Unused Reference: 'RFC2132' is defined on line 197, but no explicit
     reference was found in the text
  == Outdated reference: A later version (-02) exists of
     draft-hoffman-dns-terminology-ter-01
  ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)

     Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

  Run idnits with the --verbose option for more detailed information about the
  items above.
--------------------------------------------------------------------------------

Network Working Group                                        T. Peterson
Internet-Draft                                             July 22, 2019
Intended status: Standards Track
Expires: January 23, 2020


   DNS over Transport Layer Security announcements using DHCP or Router
                              Advertisements
                        draft-peterson-dot-dhcp-01

Abstract

   This specification describes a DHCP option and Router Advertisement
   (RA) extension to inform clients of the presence of DNS resolvers
   with Transport Layer Security (TLS).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 23, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  The DNS over TLS Option
       3.1.  IPv4 DHCP Option
       3.2.  IPv6 DHCP Option
       3.3.  The DoT IPv6 RA Option
       3.4.  Trust Anchoring
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
       6.1.  Normative References
       6.2.  Informative References
   Acknowledgments
   Author's Address

1.  Introduction

   DHCPv4 [RFC2131], DHCPv6 [RFC3646], and IPv6 Router Advertisements
   [RFC8106] all provide means to inform clients of available resolvers
   reachable over the incumbent DNS protocol (Do53).  However, none of
   them provides a means of announcing that queries may also be made
   over an alternate protocol such as DNS over TLS (DoT).

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   "DoT", "Do53" and other related abbreviations follow the definitions
   in [I-D.draft-hoffman-dns-terminology-ter-01].

3.  The DNS over TLS Option

   The DoT DHCP/RA option informs the client that a DoT service is
   available for answering DNS queries at the same IP address(es)
   returned in the Do53 DNS Server DHCP/RA options.
   Thus networks which announce DoT services MUST also announce DNS
   resolver availability via the respective Do53 options, and MUST
   provide a TLS certificate on the DoT service which passes
   verification ([RFC6125]) against the DNS Host Name provided in the
   DoT DHCP/RA option.

   The Len field of a DHCPv4 option is a single octet, so the DNS Host
   Name carried in IPv4 DHCP is limited to 255 octets.  So that the same
   name can be announced over every mechanism, DNS Host Names longer
   than 255 octets SHOULD NOT be used in IPv6 DHCP or IPv6 RA either.

3.1.  IPv4 DHCP Option

   The format of the IPv4 DoT DHCP option is shown below.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Code      |      Len      |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
    |                                                               |
    |                         DNS Host Name                         |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code:  The DoT DHCPv4 option code (one octet)

   Len:  Length of the DNS Host Name, in octets

   DNS Host Name:  The DNS Host Name

3.2.  IPv6 DHCP Option

   The format of the IPv6 DoT DHCP option is shown below.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          option-code          |          option-len           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                         DNS Host Name                         |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  TODO (two octets)

   option-len:  Length of the DNS Host Name, in octets

   DNS Host Name:  The DNS Host Name

3.3.  The DoT IPv6 RA Option

   The format of the DoT Router Advertisement option is shown below.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |      Len      |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
    |                                                               |
    |                         DNS Host Name                         |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:  TODO (one octet)

   Len:  The length of the option in units of 8 octets, including the
      Type and Len fields, as RFC 4861 requires of every Neighbor
      Discovery option.  The DNS Host Name is padded with zero octets to
      bring the option to a multiple of 8 octets.

   DNS Host Name:  The DNS Host Name

3.4.  Trust Anchoring

   TODO: Put in considerations for using DANE and/or existing
   certificate authorities for trust anchoring.

4.  Security Considerations

   An attacker with the ability to inject DHCP messages or Router
   Advertisements on the local link could include this option and
   present a malicious resolver.  Because the option carries only a
   host name, and the resolver addresses come from the Do53 DNS Server
   options in the same DHCP/RA messages, such an attacker chooses both
   the address the client connects to and the name the certificate is
   verified against.  Certificate verification under [RFC6125]
   therefore protects the client only against on-path tampering with
   the DoT connection to the announced resolver; it does not protect
   against the announcement itself being forged.  Defending against a
   hostile local network requires a trust decision that is independent
   of the DHCP/RA announcement (see Section 3.4).

   TODO: Further risk and threat assessments.

5.  IANA Considerations

   TODO: This section must be updated after assignments have been
   issued.

   This document requires the assignment of an option code under the
   "BOOTP Vendor Extensions and DHCP Options" registry
   [bootp-registry], and of an option code under the "Option Codes"
   registry of the DHCPv6 parameters [dhcpv6-registry].

   It also requires the assignment of an IPv6 RA Option Type from the
   "IPv6 Neighbor Discovery Option Formats" registry of the ICMPv6
   parameters [icmpv6-registry].

6.  References

6.1.  Normative References

   [I-D.draft-hoffman-dns-terminology-ter-01]
              Hoffman, P., "Terminology for DNS Transports and
              Location", draft-hoffman-dns-terminology-ter-01 (work in
              progress), April 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
              <https://www.rfc-editor.org/info/rfc2132>.
   [RFC3646]  Droms, R., Ed., "DNS Configuration options for Dynamic
              Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
              DOI 10.17487/RFC3646, December 2003,
              <https://www.rfc-editor.org/info/rfc3646>.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
              2011, <https://www.rfc-editor.org/info/rfc6125>.

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017,
              <https://www.rfc-editor.org/info/rfc8106>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

6.2.  Informative References

   [bootp-registry]
              "Dynamic Host Configuration Protocol (DHCP) and Bootstrap
              Protocol (BOOTP) Parameters", n.d.,
              <https://www.iana.org/assignments/bootp-dhcp-parameters/>.

   [dhcpv6-registry]
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              n.d., <https://www.iana.org/assignments/dhcpv6-parameters/>.

   [icmpv6-registry]
              "Internet Control Message Protocol version 6 (ICMPv6)
              Parameters", n.d.,
              <https://www.iana.org/assignments/icmpv6-parameters/>.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997,
              <https://www.rfc-editor.org/info/rfc2131>.

Acknowledgments

   The author would like to acknowledge the extensive feedback from
   Martin Thomson.

Author's Address

   Thomas Peterson

   Email: nosretep.samoht@gmail.com
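The three option layouts of Sections 3.1 to 3.3, together with the client rule of Section 3 (the DoT option names the server; the addresses come from the existing Do53 options, which the network MUST also send), as an added worked example in Python. This is editor-supplied example code, not part of the draft and not from any implementation. It assumes placeholder option codes 224 (DHCPv4), 65000 (DHCPv6) and 250 (RA) because the draft leaves those codes TODO; the DHCPv4 "Domain Name Server" option code 6 is the real RFC 2132 value. The RA encoder applies the RFC 4861 rule that a Neighbor Discovery option's Len counts 8-octet units including Type and Len, zero-padding the name, and the DHCPv4 encoder enforces the 255-octet limit from Section 3.

```python
"""Encode/decode the DoT announcement options of draft-peterson-dot-dhcp-01.

Editor-added example, not part of the draft.  Option codes marked
'assumption' are placeholders: the draft leaves them TODO pending IANA.
"""
import ipaddress
import struct

DHCPV4_DOT_CODE = 224     # assumption: placeholder in the DHCPv4 site-specific range
DHCPV6_DOT_CODE = 65000   # assumption: placeholder, not an IANA value
RA_DOT_TYPE = 250         # assumption: placeholder, not an IANA value

DHCPV4_DNS_SERVERS = 6    # RFC 2132 "Domain Name Server" option (real value)
DHCPV4_PAD, DHCPV4_END = 0, 255
MAX_NAME_LEN = 255        # one-octet Len in DHCPv4 caps the DNS Host Name (Section 3)


def _wire_name(name: str) -> bytes:
    """Validate the DNS Host Name: ASCII, non-empty, at most 255 octets."""
    data = name.encode("ascii")
    if not data or len(data) > MAX_NAME_LEN:
        raise ValueError("DNS Host Name must be 1..255 octets")
    return data


def encode_dhcpv4(name: str) -> bytes:
    """Section 3.1: Code (1 octet) | Len (1 octet) | DNS Host Name."""
    data = _wire_name(name)
    return struct.pack("!BB", DHCPV4_DOT_CODE, len(data)) + data


def encode_dhcpv6(name: str) -> bytes:
    """Section 3.2: option-code (2 octets) | option-len (2 octets) | DNS Host Name."""
    data = _wire_name(name)
    return struct.pack("!HH", DHCPV6_DOT_CODE, len(data)) + data


def encode_ra(name: str) -> bytes:
    """Section 3.3 with RFC 4861 framing: Len is in 8-octet units and covers
    Type and Len, so the name is zero-padded up to a multiple of 8 octets."""
    data = _wire_name(name)
    total = 2 + len(data)
    padding = -total % 8
    units = (total + padding) // 8
    return struct.pack("!BB", RA_DOT_TYPE, units) + data + b"\x00" * padding


def decode_ra(option: bytes) -> str:
    """Inverse of encode_ra; rejects a Len that disagrees with the buffer."""
    opt_type, units = struct.unpack("!BB", option[:2])
    if opt_type != RA_DOT_TYPE:
        raise ValueError("not the DoT RA option")
    if units == 0 or units * 8 != len(option):
        raise ValueError("RA option length mismatch")
    return option[2:].rstrip(b"\x00").decode("ascii")


def parse_dhcpv4_options(blob: bytes) -> dict:
    """Walk an RFC 2132 option area into {code: value}, honouring PAD and END."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == DHCPV4_END:
            break
        if code == DHCPV4_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def dot_resolvers_from_dhcpv4(blob: bytes) -> list:
    """Section 3 client rule: the DoT option only names the server; every
    address from the Do53 DNS Servers option is a DoT endpoint for that name.
    A DoT option without a usable DNS Servers option violates the MUST."""
    opts = parse_dhcpv4_options(blob)
    if DHCPV4_DOT_CODE not in opts:
        return []
    name = opts[DHCPV4_DOT_CODE].decode("ascii")
    servers = opts.get(DHCPV4_DNS_SERVERS)
    if not servers or len(servers) % 4:
        raise ValueError("DoT option present without a valid DNS Servers option")
    addrs = [str(ipaddress.IPv4Address(servers[k:k + 4]))
             for k in range(0, len(servers), 4)]
    return [(addr, name) for addr in addrs]


# Constructed sample option area: two Do53 resolvers plus the DoT host name.
SAMPLE_OPTIONS = (
    struct.pack("!BB", DHCPV4_DNS_SERVERS, 8)
    + ipaddress.IPv4Address("192.0.2.53").packed
    + ipaddress.IPv4Address("192.0.2.54").packed
    + encode_dhcpv4("dns.example.net")
    + bytes([DHCPV4_END])
)

if __name__ == "__main__":
    print(dot_resolvers_from_dhcpv4(SAMPLE_OPTIONS))
    print(encode_ra("dns.example.net").hex())
```

Note that the host name the client ends up verifying the certificate against is whatever the DHCP server (or an attacker able to inject DHCP) put in the option, which is the point made in Section 4: parsing the option correctly says nothing about whether to trust it.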