idnits 2.17.1 draft-reddy-add-enterprise-split-dns-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 15, 2021) is 952 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 2826 == Outdated reference: A later version (-04) exists of draft-btw-add-ipsecme-ike-03 == Outdated reference: A later version (-10) exists of draft-ietf-add-ddr-02 == Outdated reference: A later version (-16) exists of draft-ietf-add-dnr-02 -- Obsolete informational reference (is this intentional?): RFC 8499 (Obsoleted by RFC 9499) Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ADD T. Reddy 3 Internet-Draft Akamai 4 Intended status: Standards Track D. Wing 5 Expires: March 19, 2022 Citrix 6 K. Smith 7 Vodafone 8 September 15, 2021 10 Split-Horizon DNS Configuration 11 draft-reddy-add-enterprise-split-dns-06 13 Abstract 15 When split-horizon DNS is deployed by a network, certain domains are 16 only resolvable by querying the network-designated DNS server rather 17 than a public DNS server. DNS clients which use DNS servers not 18 provided by the network need to route those DNS domain queries to the 19 network-designated DNS server. This document informs DNS clients of 20 split-horizon DNS, their DNS domains, and is compatible with 21 encrypted DNS. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on March 19, 2022. 40 Copyright Notice 42 Copyright (c) 2021 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 4. PvD dnsZones . . . . . . . . . . . . . . . . . . . . . . . . 4 61 4.1. Authority over the Domains . . . . . . . . . . . . . . . 5 62 5. An Example . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 6. Split DNS Configuration for IKEv2 . . . . . . . . . . . . . . 6 64 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 65 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 66 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 67 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 68 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 69 10.2. Informative References . . . . . . . . . . . . . . . . . 8 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 72 1. Introduction 74 Historically, an endpoint would utilize network-designated DNS 75 servers upon joining a network (e.g., DHCP OFFER, IPv6 Router 76 Advertisement). While it has long been possible to configure 77 endpoints to ignore the network's suggestions and use a (public) DNS 78 server on the Internet, this was seldom used because some networks 79 block UDP/53 (in order to enforce their own DNS policies). Also, 80 there has been an increase in the availability of "public resolvers" 81 [RFC8499] which DNS clients may be pre-configured to use instead of 82 the default network resolver for a variety of reasons (e.g., offer a 83 good reachability, support an encrypted transport, provide a claimed 84 privacy policy, (lack of) filtering). With the advent of DoT and 85 DoH, such network blocking is more difficult, but the endpoint is 86 unable to (properly) resolve split-horizon DNS domains which must 87 query the network-designated DNS server. 89 This document specifies a mechanism to indicate which DNS zones are 90 used for split-horizon DNS. DNS clients can discover and 91 authenticate DNS servers provided by the network, for example using 92 the techniques proposed in [I-D.ietf-add-dnr] and [I-D.ietf-add-ddr]. 94 Provisioning Domains (PvDs) are defined in [RFC7556] as sets of 95 network configuration information that clients can use to access 96 networks, including rules for DNS resolution and proxy configuration. 98 [RFC8801] defines a mechanism for discovering multiple Explicit PvDs 99 on a single network and their Additional Information by means of an 100 HTTP-over-TLS query using a URI derived from the PvD ID. This set of 101 additional configuration information is referred to as a Web 102 Provisioning Domain (Web PvD). The network lists its claims of 103 authority for DNS domains using the "dnsZones" PvD key (defined in 104 [RFC8801]). 106 2. Terminology 108 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 109 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 110 "OPTIONAL" in this document are to be interpreted as described in BCP 111 14 [RFC2119][RFC8174] when, and only when, they appear in all 112 capitals, as shown here. 114 This document makes use of the terms defined in [RFC8499]. The terms 115 "Private DNS", "Global DNS" and "Split DNS" are defined in [RFC8499]. 117 'Encrypted DNS' refers to a DNS protocol that provides an encrypted 118 channel between a DNS client and server (e.g., DoT, DoH, or DoQ). 120 The term "enterprise network" in this document extends to a wide 121 variety of deployment scenarios. For example, an "enterprise" can be 122 a Small Office, Home Office or Corporation. 124 3. Split DNS 126 [RFC2826] "does not preclude private networks from operating their 127 own private name spaces" but notes that if private networks "wish to 128 make use of names uniquely defined for the global Internet, they have 129 to fetch that information from the global DNS naming hierarchy". 131 There are various DNS deployments outside of the global DNS, 132 including "split horizon" deployments and DNS usages on private (or 133 virtual private) networks. In a split horizon, an authoritative 134 server gives different responses to queries from the Internet than 135 they do to network-designated DNS servers; while some deployments 136 differentiate internal queries from public queries by the source IP 137 address, the concerns in Section 3.1.1 of [RFC6950] relating to 138 trusting source IP addresses apply to such deployments. 140 When the internal address space range is private [RFC1918], this 141 makes it both easier for the server to discriminate public from 142 private and harder for public entities to impersonate nodes in the 143 private network. The use cases that motivate split-horizon DNS 144 typically involve restricting access to some network services -- 145 intranet resources such as internal web sites, development servers, 146 or directories, for example -- while preserving the ease of use 147 offered by domain names for internal users. 149 A typical use case is an Enterprise network that requires one or more 150 DNS domains to be resolved via network-designated DNS servers. This 151 can be a special domain, such as "corp.example.com" for an enterprise 152 that is publicly known to use "example.com". In this case, the 153 endpoint needs to be informed what the private domain names are and 154 what the IP addresses of the network-designated DNS servers are. An 155 Enterprise can also run a different version of its global domain on 156 its internal network. In that case, the client is instructed to send 157 DNS queries for the enterprise public domain (e.g., "example.com") to 158 the network-designated DNS servers. A configuration for this 159 deployment scenario is referred to as a Split DNS configuration. 160 Another use case for split-horizon DNS is Cellular and Fixed-access 161 networks (ISPs) typically offer private domains, including account 162 status/controls, and free education initiatives [INS]. 164 The PvD RA option defined in [RFC8801] SHOULD set the H-flag to 165 indicate that Additional Information is available. This Additional 166 Information JSON object SHOULD include the "dnsZones" key to define 167 the DNS domains for which the network claims authority. 169 4. PvD dnsZones 171 As discussed in Section 3, internal resources in a network tend to 172 have private DNS names. A network can also run a different version 173 of its global domain on its internal network, and require the use of 174 network-designated DNS servers to get resolved. 176 The PvD Key dnsZones is defined in [RFC8801]. The PvD Key dnsZones 177 adds support for DNS domains for which the network claims authority. 178 The private domains specified in the dnsZones key are intended to be 179 resolved using network-designated DNS servers. The private domains 180 in dnsZones are only reachable by devices authenticated or attached 181 to the network. The global domains specified in the dnsZones key 182 have a different version in the internal network. DNS resolution for 183 other domains remains unchanged. 185 The dnsZones PvD Key conveys the specified DNS domains that need to 186 be resolved using a network-designated DNS server. The DNS root zone 187 (".") MUST be ignored if it appears in dnsZones. Other generic or 188 global domains, such as Top-Level Domains (TLDs), similarly MUST be 189 ignored if they appear in dnsZones. 191 For each dnsZones entry, the client can use the network-designated 192 DNS servers to resolve the listed domains and its subdomains. Other 193 domain names may be resolved using some other DNS servers that are 194 configured independently. For example, if the dnsZones key specifies 195 "example.test", then "example.test", "www.example.test", and 196 "mail.eng.example.test" can be resolved using the network-designated 197 DNS resolver(s), but "otherexample.test" and "ple.test" can be 198 resolved using the system's public resolver(s). 200 4.1. Authority over the Domains 202 To comply with [RFC2826] the split-horizon DNS zone must either not 203 exist in the global DNS hierarchy or must be authoritatively 204 delegated to the split-horizon DNS server to answer. The client can 205 use the mechanism described in [I-D.ietf-add-dnr] to discover the 206 network-designated resolvers. To determine if the network-designated 207 encrypted resolvers are authoritative over the domains in DnsZones, 208 the client performs the following steps for each domain in DnsZones: 210 1. The client sends an NS query for the domain in DnsZones. This 211 query MUST only be sent over encrypted DNS session to a public 212 resolver that is configured independently or to a network- 213 designated resolver whose response will be validated using DNSSEC 214 as described in [RFC6698]. 216 2. The client checks that the NS RRset matches any one of the ADN of 217 the discovered network-designated encrypted DNS resolvers. 219 A. If the match fails, the client determines the network is not 220 authoritative for the indicated domain. It might log an 221 error, reject the network entirely (because the network lied 222 about its authority over a domain) or other action. 224 B. If the match succeeds, the client can then establish a secure 225 connection to that network-designated resolver and validates 226 its certificate. 228 + If the server certificate does not validate and a secure 229 connection cannot be established to the network designated 230 resolver, the client can proceed as discussed in step 3 231 (A). 233 + If the server certificate validation is successful and a 234 secure connection is established, the client can 235 subsequently resolve the domains in that subtree using the 236 network-designated resolver. 238 3. As an exception to this rule, the client need not perform the 239 above validation for domains reserved for special use [RFC6761] 240 or [RFC6762] such as ".home.arpa" or ".local". 242 4. If the client uses a public resolver, authenticated denial of 243 existence using NSEC3 or NSEC records can be used by a client to 244 identify that the domain name does not exist in the global DNS. 246 For example, if in a network the private domain names are defined 247 under "internal.corp1.example.com". The DnsZones PvD Key would 248 indicate that "*.internal.corp1.example.com" are private domain 249 names. The client can trigger a NS query of 250 "internal.corp1.example.com" and the NS RRset returns that the 251 nameserver is "ns1.corp2.example.com". The client would then connect 252 to the network-designated encrypted resolver whose name is 253 "ns1.corp2.example.com", authenticate it using server certificate 254 validation in TLS handshake, and use it for resolving the domains in 255 the subtree of "*.internal.corp1.example.com". 257 5. An Example 259 The following example shows how the JSON keys defined in this 260 document can be used: 262 { 263 "identifier": "cafe.example.com.", 264 "expires": "2020-05-23T06:00:00Z", 265 "prefixes": ["2001:db8:1::/48", "2001:db8:4::/48"], 266 "dnsZones:": ["city.other.test", "example.com"] 267 } 269 The JSON keys "identifier", "expires", and "prefixes" are defined in 270 [RFC8801]. 272 6. Split DNS Configuration for IKEv2 274 The split-tunnel Virtual Private Network (VPN) configuration allows 275 the endpoint to access resources that reside in the VPN [RFC8598] via 276 the tunnel; other traffic not destined to the VPN does not traverse 277 the tunnel. In contrast, a non-split- tunnel VPN configuration 278 causes all traffic to traverse the tunnel into the VPN. 280 When the VPN tunnel is IPsec, the encrypted DNS resolver hosted by 281 the VPN service provider can be securely discovered by the endpoint 282 using the ENCDNS_IP*_* IKEv2 Configuration Payload Attribute Types 283 defined in [I-D.btw-add-ipsecme-ike]. For split-tunnel VPN 284 configurations, the endpoint uses the discovered encrypted DNS server 285 to resolve domain names for which the VPN provider claims authority. 286 For non-split-tunnel VPN configurations, the endpoint uses the 287 discovered encrypted DNS server to resolve both global and private 288 domain names. For split-tunnel VPN configurations, the IKE client 289 can use the steps discussed in Section 4.1 to determine if the VPN 290 service provider is authoritative over the INTERNAL_DNS_DOMAIN 291 domains. 293 Other VPN tunnel types have similar configuration capabilities, not 294 detailed here. 296 7. Security Considerations 298 The content of dnsZones may be passed to another (DNS) program for 299 processing. As with any network input, the content SHOULD be 300 considered untrusted and handled accordingly. The client must 301 perform the steps discussed in Section 4.1 to determine if the 302 network-designated encrypted resolvers are authoritative over the 303 domains in DnsZones. If the network is lying, the client can take 304 appropriate action like disconnecting from the network. 306 As an additional precaution, clients may want to preconfigure global 307 domains for TLDs and Second-Level Domains (SLDs) to prevent malicious 308 DNS redirections for well-known domains. This prevents users from 309 unknowingly giving DNS queries to third parties. This is even more 310 important if those well-known domains are not deploying DNSSEC, as 311 the attached network could then even modify the DNS answers without 312 detection. It is similar to the mechanism discussed in Section 8 of 313 [RFC8598]. 315 8. IANA Considerations 317 This document has no IANA actions.. 319 9. Acknowledgements 321 Thanks to Mohamed Boucadair, Jim Reid, Ben Schwartz, Tommy Pauly, 322 Paul Vixie and Vinny Parla for the discussion and comments. The 323 authors would like to give special thanks to Ben Schwartz for his 324 help. 326 10. References 328 10.1. Normative References 330 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 331 and E. Lear, "Address Allocation for Private Internets", 332 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 333 . 335 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 336 Requirement Levels", BCP 14, RFC 2119, 337 DOI 10.17487/RFC2119, March 1997, 338 . 340 [RFC2826] Internet Architecture Board, "IAB Technical Comment on the 341 Unique DNS Root", RFC 2826, DOI 10.17487/RFC2826, May 342 2000, . 344 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 345 RFC 6761, DOI 10.17487/RFC6761, February 2013, 346 . 348 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 349 DOI 10.17487/RFC6762, February 2013, 350 . 352 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 353 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 354 May 2017, . 356 [RFC8801] Pfister, P., Vyncke, E., Pauly, T., Schinazi, D., and W. 357 Shao, "Discovering Provisioning Domain Names and Data", 358 RFC 8801, DOI 10.17487/RFC8801, July 2020, 359 . 361 10.2. Informative References 363 [I-D.btw-add-ipsecme-ike] 364 Boucadair, M., Reddy, T., Wing, D., and V. Smyslov, 365 "Internet Key Exchange Protocol Version 2 (IKEv2) 366 Configuration for Encrypted DNS", draft-btw-add-ipsecme- 367 ike-03 (work in progress), May 2021. 369 [I-D.ietf-add-ddr] 370 Pauly, T., Kinnear, E., Wood, C. A., McManus, P., and T. 371 Jensen, "Discovery of Designated Resolvers", draft-ietf- 372 add-ddr-02 (work in progress), July 2021. 374 [I-D.ietf-add-dnr] 375 Boucadair, M., Reddy, T., Wing, D., Cook, N., and T. 376 Jensen, "DHCP and Router Advertisement Options for the 377 Discovery of Network-designated Resolvers (DNR)", draft- 378 ietf-add-dnr-02 (work in progress), May 2021. 380 [INS] The Unicode Consortium, "Vodafone Foundation Instant 381 Schools for Sub-Saharan Africa", 382 . 385 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 386 of Named Entities (DANE) Transport Layer Security (TLS) 387 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 388 2012, . 390 [RFC6950] Peterson, J., Kolkman, O., Tschofenig, H., and B. Aboba, 391 "Architectural Considerations on Application Features in 392 the DNS", RFC 6950, DOI 10.17487/RFC6950, October 2013, 393 . 395 [RFC7556] Anipko, D., Ed., "Multiple Provisioning Domain 396 Architecture", RFC 7556, DOI 10.17487/RFC7556, June 2015, 397 . 399 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 400 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 401 January 2019, . 403 [RFC8598] Pauly, T. and P. Wouters, "Split DNS Configuration for the 404 Internet Key Exchange Protocol Version 2 (IKEv2)", 405 RFC 8598, DOI 10.17487/RFC8598, May 2019, 406 . 408 Authors' Addresses 410 Tirumaleswar Reddy 411 Akamai 412 Embassy Golf Link Business Park 413 Bangalore, Karnataka 560071 414 India 416 Email: kondtir@gmail.com 418 Dan Wing 419 Citrix Systems, Inc. 420 4988 Great America Pkwy 421 Santa Clara, CA 95054 422 USA 424 Email: danwing@gmail.com 425 Kevin Smith 426 Vodafone Group 427 One Kingdom Street 428 London 429 UK 431 Email: kevin.smith@vodafone.com