idnits 2.17.1 draft-pp-add-resinfo-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 14, 2020) is 1442 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) -- Possible downref: Non-RFC (?) normative reference: ref. 'SUDN' Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Sood 3 Internet-Draft Google 4 Intended status: Standards Track P. Hoffman 5 Expires: November 15, 2020 ICANN 6 May 14, 2020 8 DNS Resolver Information Self-publication 9 draft-pp-add-resinfo-01 11 Abstract 13 This document describes methods for DNS resolvers to self-publish 14 information about themselves. The information is returned as a JSON 15 object. The names in this object are defined in an IANA registry 16 that allows for light-weight registration. Applications and 17 operating systems can use the methods defined here to get the 18 information from resolvers in order to make choices about how to send 19 future queries to those resolvers. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on November 15, 2020. 38 Copyright Notice 40 Copyright (c) 2020 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Retrieving Resolver Information by DNS . . . . . . . . . . . 3 58 3. Contents of the Returned I-JSON Object . . . . . . . . . . . 4 59 3.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 61 4.1. RESINFO RRtype . . . . . . . . . . . . . . . . . . . . . 4 62 4.2. Registry for DNS Resolver Information . . . . . . . . . . 5 63 4.3. resolver-info.arpa Special-Use Domain Name . . . . . . . 5 64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 65 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 66 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 67 6.2. Informative References . . . . . . . . . . . . . . . . . 6 68 Appendix A. Ideas From Earlier Work that was Abandoned . . . . . 7 69 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 7 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 72 1. Introduction 74 Historically, DNS stub resolvers typically communicated with the 75 recursive resolvers in their configuration without needing to know 76 anything about the features of the recursive resolvers. More 77 recently, recursive resolvers have different features that may cause 78 stub resolvers to make choices about which configured resolver from 79 its configuration to use, and also how to communicate with the 80 recursive resolver (such as over different transports). Thus stub 81 resolvers need a way to get information from recursive resolvers 82 about features that might affect the communication. 84 This document specifies a method for stub resolvers to ask recursive 85 resolvers for such information. In short, a new RRtype is defined 86 for stub resolvers to query using the DNS to a special-use domain 87 name. 89 The response from this method is a JSON object. The JSON object MUST 90 use the I-JSON message format defined in [RFC7493]. Note that 91 [RFC7493] was based on RFC 7159, but RFC 7159 was replaced by 92 [RFC8259]. Requiring the use of I-JSON instead of more general JSON 93 format greatly increases the likelihood of interoperability. 95 The information that a resolver might want to give to a recursive 96 resolver is not defined in this document; instead other documents 97 will follow that will specify that information and the format that it 98 comes in. 100 In nearly every common scenario today, a DNS stub resolver gets the 101 IP addresses of the recursive resolvers that it will use in an 102 insecure fashion, such as from DHCP. Because these addresses were 103 obtained insecurely, the protocol specified here does not try to use 104 authenticated communication. If, in the future, more stub resolvers 105 get the addresses of their recursive resolvers in a secure fashion, 106 this protocol can be enhanced to include authenticated ways of 107 getting information from the resolver. 109 1.1. Definitions 111 In the rest of this document, the term "resolver" without 112 qualification means "recursive resolver" as defined in [RFC8499]. 113 Also, the term "stub" is used to mean "stub resolver". 115 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 116 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 117 "OPTIONAL" in this document are to be interpreted as described in BCP 118 14 [RFC2119] [RFC8174] when, and only when, they appear in all 119 capitals, as shown here. 121 2. Retrieving Resolver Information by DNS 123 A stub that wants to use the DNS to get information about a resolver 124 can use the DNS query defined here. The query a stub resolver uses 125 is resolver-info.arpa/IN/RESINFO. The RRtype "RESINFO" is defined in 126 this document, and the IANA assignment is given in Section 4.1. The 127 contents of the Rdata in the response to this query is defined in 128 Section 3. If the resolver understands the RESINFO RRtype, the RRset 129 in the Answer section MUST have exactly one record. 131 The name resolver-info.arpa is defined in this document, and the IANA 132 assignment is given in Section 4.3. As described in Section 4.3, the 133 zone resolver-info.arpa is not actually delegated and never will be. 134 The resolver that receives this query acts as if it is delegated, and 135 responds with its own RESINFO data in the Answer section. 137 A resolver that receives a query with the RRtype of RESINFO with a 138 QNAME of resolver-info.arpa acts as if it is delegated, and responds 139 with its own RESINFO data in the Answer section. The resolver can 140 generate this reply with special code to capture queries for these 141 types of addresses; if the resolver can be configured to also be 142 authoritative for some zones, it can use that configuration to 143 actually be authoritative for the addresses on which it responds. 145 Any query for the RESINFO RRtype that does not have a QNAME of 146 resolver-info.arpa/IN is meaningless and MUST result in a NODATA or 147 NXDOMAIN response. Resolvers would not need any special code to meet 148 this requirement; they only need code to handle the RESINFO RRtype 149 that is in resolver-info.arpa/IN. 151 3. Contents of the Returned I-JSON Object 153 The JSON object returned by a DNS query or an HTTPS query MAY contain 154 any name/value pairs. 156 All names in the returned object MUST either be defined in the IANA 157 registry or, if for local use only, begin with the substring "temp-". 158 The IANA registry (Section 4.2) will never register names that begin 159 with "temp-". 161 All names MUST consist only of lower-case ASCII characters, digits, 162 and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 163 through U+0039, and U+002D), and MUST be 63 characters or shorter. 164 As defined in Section 4.2, the IANA registry will not register names 165 that begin with "temp-", so these names can be used freely by any 166 implementer. 168 Note that the message returned by the resolver MUST be in I-JSON 169 format. I-JSON requires that the message MUST be encoded in UTF8. 171 3.1. Example 173 The I-JSON object that a resolver returns might look like the 174 following: 176 { 177 "temp-field2": 42 178 } 180 As specified in [RFC7493], the I-JSON object is encoded as UTF8. 181 [RFC7493] explicitly allows the returned objects to be in any order. 183 4. IANA Considerations 185 4.1. RESINFO RRtype 187 This document defines a new DNS RR type, RESINFO, whose value TBD 188 will be allocated by IANA from the "Resource Record (RR) TYPEs" sub- 189 registry of the "Domain Name System (DNS) Parameters" registry: 191 Type: RESINFO 192 Value: TBD 194 Meaning: Information self-published by a resolver as an I-JSON (RFC 195 7493) object 197 Reference: This document 199 4.2. Registry for DNS Resolver Information 201 IANA will create a new registry titled "DNS Resolver Information" 202 that will contain definitions of the names that can be used with the 203 protocols defined in this document. The registration procedure is by 204 Expert Review and Specification Required, as defined in [RFC8126]. 206 The specification that is required for registration can be either an 207 Internet-Draft or an RFC. The reviewer for this registry is 208 instructed to generally be liberal in what they accept into the 209 registry: as long as the specification that comes with the 210 registration request is reasonably understandable, the registration 211 should be accepted. 213 The registry has the following fields for each element: 215 Name: The name to be used in the JSON object. This name MUST NOT 216 begin with "temp-". This name MUST conform to the definition of 217 "string" in I-JSON [RFC7493] message format. 219 Value type: The type of data to be used in the JSON object. 221 Specification: The name of the specification for the registered 222 element. 224 4.3. resolver-info.arpa Special-Use Domain Name 226 IANA will record the domain name "resolver-info.arpa" in the 227 "Special-Use Domain Names" registry [SUDN]. IANA MUST NOT delegate 228 resolver-info.arpa in the .arpa zone. 230 5. Security Considerations 232 Unless a DNS request for resolver-info.arpa/IN/RESINFO as described 233 in Section 2 is sent over DNS-over-TLS (DoT) [RFC7858] or DNS-over- 234 HTTPS (DoH) [RFC8484], the response is susceptible to forgery. Given 235 that one of the first expected uses for the protocol in this document 236 is to find out whether DoT or DoH is available for the resolver, it 237 is thus expected that most if not all such DNS requests will be sent 238 without any chance of authentication. Stubs and resolvers SHOULD use 239 normal DNS methods for avoiding forgery such as query ID 240 randomization and source port randomization. 242 6. References 244 6.1. Normative References 246 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 247 Requirement Levels", BCP 14, RFC 2119, 248 DOI 10.17487/RFC2119, March 1997, 249 . 251 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, 252 DOI 10.17487/RFC7493, March 2015, 253 . 255 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 256 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 257 May 2017, . 259 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 260 Interchange Format", STD 90, RFC 8259, 261 DOI 10.17487/RFC8259, December 2017, 262 . 264 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 265 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 266 January 2019, . 268 [SUDN] "Special-Use Domain Names", n.d., 269 . 272 6.2. Informative References 274 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 275 and P. Hoffman, "Specification for DNS over Transport 276 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 277 2016, . 279 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 280 Writing an IANA Considerations Section in RFCs", BCP 26, 281 RFC 8126, DOI 10.17487/RFC8126, June 2017, 282 . 284 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 285 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 286 . 288 Appendix A. Ideas From Earlier Work that was Abandoned 290 This document is based on work done earlier in the DNSOP working 291 group, and personal drafts before that. 293 In that earlier work, ".{in-addr,ip6}.arpa" was proposed 294 as the domain name to allow for the possibility of DNSSEC-signed 295 responses. However, it was pointed out that people often do not 296 control their reverse IP names and thus their ISP (or their ISP's 297 ISP) could spoof responses and make them look legitimate by signing 298 with DNSSEC. 300 In an earlier version of this draft, a second way to get the resolver 301 information was specified: using a query to a well-known URI over 302 HTTPS, possibly with authentication. Many participants in the ADD 303 Working Group in early 2020 disagreed with specifying this transport 304 because the IP address being used was most likely obtained by the 305 stub resolver in an insecure fashion, so using an authenticated 306 method could lead to inappropriate assumptions about the security of 307 the answer. 309 Acknowledgments 311 The idea of various types of servers publishing information about 312 themselves has been around for decades. However this idea has not 313 been used in the DNS. This document aims to fix this omission. 315 Roy Arends contributed many ideas to an earlier version of this draft 316 before it was moved to the ADD working group. 318 Authors' Addresses 320 Puneet Sood 321 Google 323 Email: puneets@google.com 325 Paul Hoffman 326 ICANN 328 Email: paul.hoffman@icann.org