idnits 2.17.1 draft-pp-add-resinfo-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 27, 2020) is 1396 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) -- Possible downref: Non-RFC (?) normative reference: ref. 'SUDN' Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Sood 3 Internet-Draft Google 4 Intended status: Standards Track P. Hoffman 5 Expires: December 29, 2020 ICANN 6 June 27, 2020 8 DNS Resolver Information Self-publication 9 draft-pp-add-resinfo-02 11 Abstract 13 This document describes methods for DNS resolvers to self-publish 14 information about themselves. The information is returned as a JSON 15 object. The names in this object are defined in an IANA registry 16 that allows for light-weight registration. Applications and 17 operating systems can use the methods defined here to get the 18 information from resolvers in order to make choices about how to send 19 future queries to those resolvers. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on December 29, 2020. 38 Copyright Notice 40 Copyright (c) 2020 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Retrieving Resolver Information by DNS . . . . . . . . . . . 3 58 3. Contents of the Returned I-JSON Object . . . . . . . . . . . 4 59 3.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 61 4.1. RESINFO RRtype . . . . . . . . . . . . . . . . . . . . . 4 62 4.2. Registry for DNS Resolver Information . . . . . . . . . . 5 63 4.3. resolver-info.arpa Special-Use Domain Name . . . . . . . 5 64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 65 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 66 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 67 6.2. Informative References . . . . . . . . . . . . . . . . . 6 68 Appendix A. Ideas From Earlier Work that was Abandoned . . . . . 7 69 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 7 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 72 1. Introduction 74 Historically, DNS stub resolvers typically communicated with the 75 recursive resolvers in their configuration without needing to know 76 anything about the features of the recursive resolvers. More 77 recently, recursive resolvers have different features that may cause 78 stub resolvers to make choices about which configured resolver from 79 its configuration to use, and also how to communicate with the 80 recursive resolver (such as over different transports). Thus stub 81 resolvers need a way to get information from recursive resolvers 82 about features that might affect the communication. 84 This document specifies a method for stub resolvers to ask recursive 85 resolvers for such information. In short, a new RRtype is defined 86 for stub resolvers to query using the DNS to a special-use domain 87 name. 89 The response from this method is a JSON object. The JSON object MUST 90 use the I-JSON message format defined in [RFC7493]. Note that 91 [RFC7493] was based on RFC 7159, but RFC 7159 was replaced by 92 [RFC8259]. Requiring the use of I-JSON instead of more general JSON 93 format greatly increases the likelihood of interoperability. 95 The information that a resolver might want to give to a recursive 96 resolver is not defined in this document; instead other documents 97 will follow that will specify that information and the format that it 98 comes in. 100 In nearly every common scenario today, a DNS stub resolver gets the 101 IP addresses of the recursive resolvers that it will use in an 102 insecure fashion, such as from DHCP. Because these addresses were 103 obtained insecurely, the protocol specified here does not try to use 104 authenticated communication. If, in the future, more stub resolvers 105 get the addresses of their recursive resolvers in a secure fashion, 106 this protocol can be enhanced to include authenticated ways of 107 getting information from the resolver. 109 1.1. Definitions 111 In the rest of this document, the term "resolver" without 112 qualification means "recursive resolver" as defined in [RFC8499]. 113 Also, the term "stub" is used to mean "stub resolver". 115 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 116 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 117 "OPTIONAL" in this document are to be interpreted as described in BCP 118 14 [RFC2119] [RFC8174] when, and only when, they appear in all 119 capitals, as shown here. 121 2. Retrieving Resolver Information by DNS 123 A stub that wants to use the DNS to get information about a resolver 124 can use the DNS query defined here. The query a stub resolver uses 125 is resolver-info.arpa/IN/RESINFO. The RRtype "RESINFO" is defined in 126 this document, and the IANA assignment is given in Section 4.1. The 127 contents of the Rdata in the response to this query is defined in 128 Section 3. If the resolver understands the RESINFO RRtype, the RRset 129 in the Answer section MUST have exactly one record. 131 The name resolver-info.arpa is defined in this document, and the IANA 132 assignment is given in Section 4.3. As described in Section 4.3, the 133 zone resolver-info.arpa is not actually delegated and never will be. 134 The resolver that receives this query acts as if it is delegated, and 135 responds with its own RESINFO data in the Answer section. 137 A resolver that receives a query with the RRtype of RESINFO with a 138 QNAME of resolver-info.arpa acts as if it is delegated, and responds 139 with its own RESINFO data in the Answer section. 141 A resolver MAY be configured to respond to queries for the RESINFO 142 RRtype on names other than resolver-info.arpa. For example, a 143 resolver might be known to some of its clients by both an IP address 144 and a few domain names, and be configured to be authoritative for 145 those names. For all names other than resolver-info.arpa or names 146 that the resolver is configured to be authoritative for, a query for 147 the RESINFO RRtype is meaningless and MUST result in a NODATA or 148 NXDOMAIN response. 150 3. Contents of the Returned I-JSON Object 152 The JSON object returned by a DNS query or an HTTPS query MAY contain 153 any name/value pairs. 155 All names in the returned object MUST either be defined in the IANA 156 registry or, if for local use only, begin with the substring "temp-". 157 The IANA registry (Section 4.2) will never register names that begin 158 with "temp-". 160 All names MUST consist only of lower-case ASCII characters, digits, 161 and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 162 through U+0039, and U+002D), and MUST be 63 characters or shorter. 163 As defined in Section 4.2, the IANA registry will not register names 164 that begin with "temp-", so these names can be used freely by any 165 implementer. 167 Note that the message returned by the resolver MUST be in I-JSON 168 format. I-JSON requires that the message MUST be encoded in UTF8. 170 3.1. Example 172 The I-JSON object that a resolver returns might look like the 173 following: 175 { 176 "temp-field2": 42 177 } 179 As specified in [RFC7493], the I-JSON object is encoded as UTF8. 180 [RFC7493] explicitly allows the returned objects to be in any order. 182 4. IANA Considerations 184 4.1. RESINFO RRtype 186 This document defines a new DNS RR type, RESINFO, whose value TBD 187 will be allocated by IANA from the "Resource Record (RR) TYPEs" sub- 188 registry of the "Domain Name System (DNS) Parameters" registry: 190 Type: RESINFO 192 Value: TBD 193 Meaning: Information self-published by a resolver as an I-JSON (RFC 194 7493) object 196 Reference: This document 198 4.2. Registry for DNS Resolver Information 200 IANA will create a new registry titled "DNS Resolver Information" 201 that will contain definitions of the names that can be used with the 202 protocols defined in this document. The registration procedure is by 203 Expert Review and Specification Required, as defined in [RFC8126]. 205 The specification that is required for registration can be either an 206 Internet-Draft or an RFC. The reviewer for this registry is 207 instructed to generally be liberal in what they accept into the 208 registry: as long as the specification that comes with the 209 registration request is reasonably understandable, the registration 210 should be accepted. 212 The registry has the following fields for each element: 214 Name: The name to be used in the JSON object. This name MUST NOT 215 begin with "temp-". This name MUST conform to the definition of 216 "string" in I-JSON [RFC7493] message format. 218 Value type: The type of data to be used in the JSON object. 220 Specification: The name of the specification for the registered 221 element. 223 4.3. resolver-info.arpa Special-Use Domain Name 225 IANA will record the domain name "resolver-info.arpa" in the 226 "Special-Use Domain Names" registry [SUDN]. IANA MUST NOT delegate 227 resolver-info.arpa in the .arpa zone. 229 5. Security Considerations 231 Unless a DNS request for resolver-info.arpa/IN/RESINFO as described 232 in Section 2 is sent over DNS-over-TLS (DoT) [RFC7858] or DNS-over- 233 HTTPS (DoH) [RFC8484], the response is susceptible to forgery. Given 234 that one of the first expected uses for the protocol in this document 235 is to find out whether DoT or DoH is available for the resolver, it 236 is thus expected that most if not all such DNS requests will be sent 237 without any chance of authentication. Stubs and resolvers SHOULD use 238 normal DNS methods for avoiding forgery such as query ID 239 randomization and source port randomization. 241 6. References 243 6.1. Normative References 245 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 246 Requirement Levels", BCP 14, RFC 2119, 247 DOI 10.17487/RFC2119, March 1997, 248 . 250 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, 251 DOI 10.17487/RFC7493, March 2015, 252 . 254 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 255 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 256 May 2017, . 258 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 259 Interchange Format", STD 90, RFC 8259, 260 DOI 10.17487/RFC8259, December 2017, 261 . 263 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 264 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 265 January 2019, . 267 [SUDN] "Special-Use Domain Names", n.d., 268 . 271 6.2. Informative References 273 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 274 and P. Hoffman, "Specification for DNS over Transport 275 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 276 2016, . 278 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 279 Writing an IANA Considerations Section in RFCs", BCP 26, 280 RFC 8126, DOI 10.17487/RFC8126, June 2017, 281 . 283 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 284 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 285 . 287 Appendix A. Ideas From Earlier Work that was Abandoned 289 This document is based on work done earlier in the DNSOP working 290 group, and personal drafts before that. 292 In that earlier work, ".{in-addr,ip6}.arpa" was proposed 293 as the domain name to allow for the possibility of DNSSEC-signed 294 responses. However, it was pointed out that people often do not 295 control their reverse IP names and thus their ISP (or their ISP's 296 ISP) could spoof responses and make them look legitimate by signing 297 with DNSSEC. 299 In an earlier version of this draft, a second way to get the resolver 300 information was specified: using a query to a well-known URI over 301 HTTPS, possibly with authentication. Many participants in the ADD 302 Working Group in early 2020 disagreed with specifying this transport 303 because the IP address being used was most likely obtained by the 304 stub resolver in an insecure fashion, so using an authenticated 305 method could lead to inappropriate assumptions about the security of 306 the answer. 308 Acknowledgments 310 The idea of various types of servers publishing information about 311 themselves has been around for decades. However this idea has not 312 been used in the DNS. This document aims to fix this omission. 314 Roy Arends contributed many ideas to an earlier version of this draft 315 before it was moved to the ADD working group. 317 Authors' Addresses 319 Puneet Sood 320 Google 322 Email: puneets@google.com 324 Paul Hoffman 325 ICANN 327 Email: paul.hoffman@icann.org