idnits 2.17.1 draft-pp-dprive-common-features-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 115: '... any child zones MAY include those DNS...' RFC 2119 keyword, line 135: '... A resolver MUST NOT attempt encrypt...' RFC 2119 keyword, line 141: '... resolver MUST use classic (unencryp...' RFC 2119 keyword, line 144: '... MUST use classic (unencrypted) DNS ...' RFC 2119 keyword, line 148: '... MUST try each indicated authoritati...' (8 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (19 May 2021) is 1074 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Outdated reference: A later version (-04) exists of draft-schwartz-svcb-dns-03 == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-05 == Outdated reference: A later version (-04) exists of draft-ietf-dprive-unauth-to-authoritative-00 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. van Dijk 3 Internet-Draft PowerDNS 4 Intended status: Experimental P. Hoffman 5 Expires: 20 November 2021 ICANN 6 19 May 2021 8 Common Features for Encrypted Recursive to Authoritative DNS 9 draft-pp-dprive-common-features-01 11 Abstract 13 Encryption between recursive and authoritative DNS servers is 14 currently being defined in two modes: unauthenticated and fully- 15 authenticated. These two modes have some features in common, and 16 this document defines those common features so that the documents 17 defining the modes do not need to point to each other. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on 20 November 2021. 36 Copyright Notice 38 Copyright (c) 2021 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 43 license-info) in effect on the date of publication of this document. 44 Please review these documents carefully, as they describe your rights 45 and restrictions with respect to this document. Code Components 46 extracted from this document must include Simplified BSD License text 47 as described in Section 4.e of the Trust Legal Provisions and are 48 provided without warranty as described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Discovery of Authoritative Server Encryption . . . . . . . . 3 54 2.1. DNS SVCB Records in the Parent Zone . . . . . . . . . . . 3 55 3. Processing Discovery Responses . . . . . . . . . . . . . . . 3 56 3.1. Resolver Process as Pseudocode . . . . . . . . . . . . . 4 57 4. Serving with Encryption . . . . . . . . . . . . . . . . . . . 5 58 5. Resolvers Reporting Errors to Authoritative Servers . . . . . 6 59 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 60 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 61 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 62 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 64 9.2. Informative References . . . . . . . . . . . . . . . . . 7 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 67 1. Introduction 69 The DPRIVE Working Group in the IETF is working on standardizing 70 methods for encrypted communication between DNS recursive resolvers 71 and authoritative servers. At the time of this writing, [UNAUTH] is 72 a work item in the working group, and [FULL-AUTH] has been widely 73 discussed. The working group expressed a desire that the modes share 74 as much design as possible to simplify the working group's process of 75 evaluating the security and operational aspects of the methods. If 76 the DPRIVE Working Group later adopts other modes, those modes should 77 be considered in this document. 79 This document lists the major technical features that are shared by 80 [UNAUTH] and [FULL-AUTH]. Differences from the common features in 81 this document are listed in the respective method documents. The 82 following are the features in common between and [UNAUTH] and 83 [FULL-AUTH]: 85 * Discovery of an authoritative server's encryption support 86 (Section 2) 88 * Order of processing discovered authoritative servers (Section 3) 90 * Serving with Encryption (Section 4) 92 Other topics might be added as the working group discusses [UNAUTH] 93 and [FULL-AUTH] (and maybe other methods). 95 2. Discovery of Authoritative Server Encryption 97 An authoritative server that supports DNS with encryption makes 98 itself discoverable by publishing one or more DNS SVCB records that 99 contain "alpn" parameter keys. SVCB records are defined in [SVCB], 100 and the DNS extension to those records is defined in [DNS-SVCB]. 102 A recursive resolver discovers whether an authoritative server 103 supports DNS with encryption by looking for cached SVCB records for 104 the name of the authoritative server with a positive answer. A 105 cached DNS SVCB record with a negative answer indicates that the 106 authoritative server does not support any encrypted transport. 108 2.1. DNS SVCB Records in the Parent Zone 110 DNS SVCB records act as advisory information for resolvers about the 111 encrypted protocols that are supported. They can be thought of as 112 similar to NS records on the parent side of a zone cut: advisory 113 enough to act on, but not authoritative. Given this, authoritative 114 servers that know the DNS SCVB records associated with NS records for 115 any child zones MAY include those DNS SCVB records in the Additional 116 section of responses to queries to a parent authoritative server. 118 (( The question of how a parent zone knows the appropriate SCVB 119 record for the child zone is outside the scope of this document. 120 People have suggested an EPP extension and updating with CSYNC; these 121 and other ideas might be standardized outside the DPRIVE Working 122 Group. )) 124 (( Before this is published for real, it would be useful to check 125 whether any resolvers freak out or fall over when they receive SVCB 126 records in the Additional section. )) 128 3. Processing Discovery Responses 130 After a resolver has DNS SCVB records in its cache (possibly due to 131 having just queried for them), it needs to use those records to try 132 to find an authoritative server that uses DNS with encryption. This 133 section describes how the resolver can make that selection. 135 A resolver MUST NOT attempt encryption for a server that has a 136 negative response in its cache for the associated DNS SVCB record. 138 After sending out all requests for SVCB records for the authoritative 139 servers in the NS RRset for a name, if all of the SVCB records for 140 those authoritative servers in the cache are negative responses, the 141 resolver MUST use classic (unencrypted) DNS instead of encryption. 142 Similarly, if none of the DNS SVCB records for the authoritative 143 servers in the cache have supported "alpn" parameters, the resolver 144 MUST use classic (unencrypted) DNS instead of encryption. 146 If there are any DNS SVCB records in the cache for the authoritative 147 servers for a zone with supported "alpn" parameters, the resolver 148 MUST try each indicated authoritative server using DNS with 149 encryption until it successfully sets up a connection. The resolver 150 only attempts to use the encrypted transports that are in the 151 associated SVCB record for the authoritative server. (( Note that 152 this completely prohibits "simple port 853 probing" even though that 153 is what some operators are currently doing. Does the WG want to be 154 this strict? )) 156 A resolver SHOULD keep a DNS with encryption session to a particular 157 server open if it expects to send additional queries to that server 158 in a short period of time. [DNS-OVER-TCP] says "both clients and 159 servers SHOULD support connection reuse" for TCP connections, and 160 that advice could apply as well for DNS with encryption, especially 161 as DNS with encryption has far greater overhead for re-establishing a 162 connection. If the server closes the DNS with encryption session, 163 the resolver can possibly re-establish a DNS with encryption session 164 using encrypted session resumption. 166 For any DNS with encryption protocols, TLS version 1.3 [TLS-13] or 167 later MUST be used. 169 3.1. Resolver Process as Pseudocode 171 This section is meant as an informal clarification of the protocol, 172 and is not normative. The pseudocode here is designed to show the 173 intent of the protocol, so it is not optimized for things like 174 intersection of sets and other shortcuts. 176 In this code, "signal_rrset(this_name)" means an "SVCB" query for the 177 "'_dns'" prefix of "this_name". The "Query over secure transport 178 until successful" section ignores differences in name server 179 selection and retry behaviour in different resolvers. The pseudocode 180 was written to roughly cover the shared behaviour between [UNAUTH] 181 and [FULL-AUTH]. Specifically, whether an implementation waits for 182 the resolution of "queue a query" would differ between the two. 184 # Inputs 185 ns_names = List of NS Rdatas from the NS RRset for the queried name 186 can_do_secure = List of secure transports supported by resolver 187 secure_names_and_transports = Empty list, filled in below 189 # Fill secure_names_and_transports with (name, transport) tuples 190 for this_name in ns_names: 191 if signal_rrset(this_name) is in the resolver cache: 192 if signal_rrset(this_name) positively does not exist: 193 continue 194 for this_transport in signal_rrset(this_name): 195 if this_transport in can_do_secure: 196 add (this_name, this_transport) to secure_names_and_transports 197 else: # signal_rrset(this_name) is not in the resolver cache 198 queue a query for signal_rrset(this_name) for later caching 200 # Query over secure transport until successful 201 for (this_name, this_transport) tuple in secure_names_and_transports: 202 query using this_transport on this_name 203 if successful: 204 finished 206 # Got here if no this_name/this_transport query was successful 207 # or if secure_names_and_transports was empty 208 query using classic DNS on any/all ns_names; finished 210 4. Serving with Encryption 212 An operator of an authoritative server following this protocol SHOULD 213 publish SVCB records as described in Section 2. If they cannot 214 publish such records, the security properties of their authoritative 215 servers will not be found. If an operator wants to test serving 216 using encryption, they can publish SVCB records with short TTLs and 217 then stop serving with encryption after removing the SVCB records and 218 waiting for the TTLs to expire. 220 It is acceptable for an operator of authoritative servers to only 221 offer encryption on some of the named authoritative servers, such as 222 when the operator is determining how far to roll out encrypted 223 service. 225 A server MAY close an encrypted connection at any time. For example, 226 it can close the session if it has not received a DNS query in a 227 defined length of time. The server MAY close an encrypted session 228 after it sends a DNS response; however, it might also want to keep 229 the session open waiting for another DNS query from the resolver. 230 [DNS-OVER-TCP] says "both clients and servers SHOULD support 231 connection reuse" for TCP connections, and that advice could apply as 232 well for DNS with encryption, especially as DNS with encryption has 233 far greater overhead for re-establishing a connection. If the server 234 closes the DNS with encryption session, the resolver can possibly re- 235 establish a DNS with encryption session using encrypted session 236 resumption. 238 For any DNS with encryption protocols, TLS version 1.3 [TLS-13] or 239 later MUST be used. 241 5. Resolvers Reporting Errors to Authoritative Servers 243 Resolvers should have a method of telling authoritative servers that 244 there are problems with the encrypted service they are offering. 245 There is a proposal that the DNSOP Working Group might adopt 246 [ERROR-REPORTING], which would enable such reporting. 248 (( Clearly, more will need to go here. )) 250 6. IANA Considerations 252 (( Update registration for TCP/853 to also include ADoT )) 254 (( Maybe other updates for DoH and DoQ )) 256 7. Security Considerations 258 An authoritative server that wants to only serve data to resolvers 259 that use fully-authenticated encryption as described in [FULL-AUTH] 260 cannot differentiate between those resolvers and resolvers using the 261 mechanisms described in this document. 263 (( Talk about requiring TLS 1.3 )) 265 8. Acknowledgements 267 The use of SVCB records for discovering whether an authoritative 268 server supports encryption was first described by the authors of 269 [FULL-AUTH]. 271 The DPRIVE Working Group has contributed many ideas that keep 272 shifting the focus and content of this document. 274 9. References 276 9.1. Normative References 278 [DNS-SVCB] Schwartz, B., "Service Binding Mapping for DNS Servers", 279 Work in Progress, Internet-Draft, draft-schwartz-svcb-dns- 280 03, 19 April 2021, . 283 [FULL-AUTH] 284 Pauly, T., Rescorla, E., Schinazi, D., and C. A. Wood, 285 "Signaling Authoritative DNS Encryption", Work in 286 Progress, Internet-Draft, draft-rescorla-dprive-adox- 287 latest-00, 26 February 2021, 288 . 291 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 292 and parameter specification via the DNS (DNS SVCB and 293 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 294 dnsop-svcb-https-05, 21 April 2021, 295 . 298 [TLS-13] Rescorla, E., "The Transport Layer Security (TLS) Protocol 299 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 300 . 302 [UNAUTH] Hoffman, P. and P. V. Dijk, "Recursive to Authoritative 303 DNS with Unauthenticated Encryption", Work in Progress, 304 Internet-Draft, draft-ietf-dprive-unauth-to-authoritative- 305 00, 12 April 2021, . 308 9.2. Informative References 310 [DNS-OVER-TCP] 311 Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and 312 D. Wessels, "DNS Transport over TCP - Implementation 313 Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, 314 . 316 [ERROR-REPORTING] 317 Arends, R. and M. Larson, "DNS Error Reporting", Work in 318 Progress, Internet-Draft, draft-arends-dns-error- 319 reporting-00, 30 October 2020, 320 . 323 Authors' Addresses 324 Peter van Dijk 325 PowerDNS 327 Email: peter.van.dijk@powerdns.com 329 Paul Hoffman 330 ICANN 332 Email: paul.hoffman@icann.org