idnits 2.17.1 draft-sah-resolver-information-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 30, 2019) is 1795 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) -- Possible downref: Non-RFC (?) normative reference: ref. 'SUDN' == Outdated reference: A later version (-08) exists of draft-ietf-acme-ip-05 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Sood 3 Internet-Draft Google 4 Intended status: Standards Track R. Arends 5 Expires: November 1, 2019 P. Hoffman 6 ICANN 7 April 30, 2019 9 DNS Resolver Information Self-publication 10 draft-sah-resolver-information-00 12 Abstract 14 This document describes methods for DNS resolvers to self-publish 15 information about themselves, such as whether they perform DNSSEC 16 validation or are available over transports other than what is 17 defined in RFC 1035. The information is returned as a JSON object. 18 The names in this object are defined in an IANA registry that allows 19 for light-weight registration. Applications and operating systems 20 can use the methods defined here to get the information from 21 resolvers in order to make choices about how to send future queries 22 to those resolvers. 24 Discussion of this draft should be on the ADD mailing list 25 (https://www.ietf.org/mailman/listinfo/add). 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at https://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on November 1, 2019. 44 Copyright Notice 46 Copyright (c) 2019 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (https://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 62 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 63 2. Retrieving Resolver Information by DNS . . . . . . . . . . . 3 64 3. Retrieving Resolver Information by Well-Known URI . . . . . . 4 65 4. Contents of the Returned I-JSON Object . . . . . . . . . . . 5 66 4.1. The "inventory" name . . . . . . . . . . . . . . . . . . 5 67 4.2. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 69 5.1. RESINFO RRtype . . . . . . . . . . . . . . . . . . . . . 6 70 5.2. resolver-info.arpa Special-Use Domain Name . . . . . . . 6 71 5.3. Registry for DNS Resolver Information . . . . . . . . . . 6 72 5.4. resolver-info Well-known URI . . . . . . . . . . . . . . 7 73 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 75 7.1. Normative References . . . . . . . . . . . . . . . . . . 8 76 7.2. Informative References . . . . . . . . . . . . . . . . . 8 77 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 9 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 80 1. Introduction 82 Historically, DNS stub resolvers typically communicated with the 83 recursive resolvers in their configuration without needing to know 84 anything about the features of the recursive resolvers. More 85 recently, recursive resolvers have different features that may cause 86 stub resolvers to make choices about which configured resolver from 87 its configuration to use, and also how to communicate with the 88 recursive resolver (such as over different transports). Thus stub 89 resolvers need a way to get information from recursive resolvers 90 about features that might affect the communication. 92 This document specifies methods for stub resolvers to ask recursive 93 resolvers for such information. In short, a new RRtype and a new 94 special-use domain name (SUDN) are defined for stub resolvers to 95 query using the DNS, and a new well-known URI is defined for stub 96 resolvers to query using HTTP over TLS. 98 The response from either method is the same: a JSON object. The JSON 99 object MUST use the I-JSON message format defined in [RFC7493]. Note 100 that [RFC7493] was based on RFC 7159, but RFC 7159 was replaced by 101 [RFC8259]. Requiring the use of I-JSON instead of more general JSON 102 format greatly increases the likelihood of interoperability. 104 The information that a resolver might want to give to a recursive 105 resolver is not defined in this document; instead other documents 106 will follow that will specify that information and the format that it 107 comes in. 109 It is important to note that the protocol defined here is only for 110 recursive resolvers, not for authoritative servers. Authoritative 111 servers MUST NOT answer queries that are defined in this protocol. 112 (It is likely that a later protocol will allow authoritative servers 113 to give information in a method similar to the one described in this 114 document.) 116 1.1. Definitions 118 In the rest of this document, the term "resolver" without 119 qualification means "recursive resolver" as defined in [RFC8499]. 120 Also, the term "stub" is used to mean "stub resolver". 122 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 123 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 124 "OPTIONAL" in this document are to be interpreted as described in BCP 125 14 [RFC2119] [RFC8174] when, and only when, they appear in all 126 capitals, as shown here. 128 2. Retrieving Resolver Information by DNS 130 A stub that wants to use the DNS to get information about a resolver 131 can use the DNS query defined here. Note that the answer given by 132 the resolver cannot be validated with DNSSEC. 134 The query a stub resolver uses is resolver-info.arpa/IN/RESINFO. The 135 RRtype "RESINFO" is defined in this document, and the IANA assignment 136 is given in Section 5.1. The contents of the Rdata in the response 137 to this query is defined in Section 4. If the resolver understands 138 the RESINFO RRtype, the RRset in the Answer section MUST have exactly 139 one record. 141 The name resolver-info.arpa is defined in this document, and the IANA 142 assignment is given in Section 5.2. As described in Section 5.2, the 143 zone resolver-info.arpa is not actually delegated and never will be. 144 The resolver that receives this query acts as if it is delegated, and 145 responds with its own RESINFO data in the Answer section. 147 The resolver can generate this reply with special code to capture 148 queries for "resolver-info.arpa"; if the resolver can be configured 149 to also be authoritative for some zones, it can use that 150 configuration to actually be authoritative for "resolver-info.arpa". 152 A stub that knows a specific type of information it wants MAY ask for 153 that information by prepending a label with the name of the 154 information in its query. For example, if the stub knows that it 155 wants information whose name is "temp-field2", it would send the 156 query temp-field2.resolver-info.arpa/IN/RESINFO. As described in 157 Section 4, the JSON object in the response is likely to have name- 158 value pairs in addition to the one requested. 160 Any query for the RESINFO RRtype that is not in resolver-info.arpa/IN 161 or a subdomain of resolver-info.arpa/IN is meaningless and MUST 162 result in a NODATA or NXDOMAIN response. Resolvers would not need 163 any special code to meet this requirement; they only need code to 164 handle the RESINFO RRtype that is not in resolver-info.arpa/IN or a 165 subdomain of resolver-info.arpa/IN . 167 3. Retrieving Resolver Information by Well-Known URI 169 A stub that wants to use HTTPS to get information about a resolver 170 can use the well-known URI defined here. Because this uses HTTPS, 171 the stub has the possibility of authenticating the TLS connection. 172 If the connection cannot be authenticated (such as if the stub only 173 knows the IP address of the resolver and the resolver's certificate 174 does not have the IP address, or the correct IP address), the stub 175 MAY still use the results with the same lack of assuredness as it 176 would have with using a DNS request described in Section 2. 178 The stub MUST use the HTTP GET method. The URI used to get the 179 resolver information is: 181 https://IPADDRESSGOESHERE/.well-known/resolver-info/ 183 This uses the ".well-known" URI mechanism defined in 184 [I-D.nottingham-rfc5785bis]. The contents of the response to this 185 query is defined in Section 4. 187 A resolver that uses this protocol to publish its information SHOULD, 188 if possible, have a TLS certificate whose subject identifiers are any 189 IP address that the resolver is available on, as well as any domain 190 names that the resolver operator uses for the resolver. At the time 191 that this document is published, getting IP addresses in TLS 192 certificates is possible by there are only a few widely-trusted CAs 193 that issue such certificates. [I-D.ietf-acme-ip] describes a new 194 protocol that may cause IP address certificates to become more 195 common. 197 4. Contents of the Returned I-JSON Object 199 The JSON object returned by a DNS query or an HTTPS query MUST 200 contain at least one name-value pair: "inventory", described later in 201 this section. The returned object MAY contain any other name-value 202 pairs. 204 The requirement for the inclusion of the "inventory" name-value pair 205 is so that systems retrieving the information over DNS can create 206 specific queries. Using specific queries can reduce the number of 207 round trips in the case where the answers to queries become large. 208 The "inventory" name-value pair MUST be included in the response even 209 if the query was for a single name. 211 If the request was over DNS using a subdomain under resolver- 212 info.arpa, the resolver SHOULD return an object that contains a name- 213 value pair with that name if the resolver has that information. If 214 the resolver does not have information for that name, it MUST NOT 215 returen the name in the object. 217 If the request was over HTTPS, the resolver SHOULD return an object 218 with all known name-value pairs for which it has information. 220 All names in the returned object MUST be defined in the IANA registry 221 or begin with the substring "temp-". As defined in Section 5.3, the 222 IANA registry will not register names that begin with "temp-", so 223 these names can be used freely by any implementer. 225 Note that the message returned by the resolver MUST be in I-JSON 226 format. I-JSON requires that the message MUST be encoded in UTF8. 228 This document only defines one element that can returned: 229 "inventory". All other elements will be defined in other documents. 231 4.1. The "inventory" name 233 The "inventory" name lists all of the types of information for which 234 the resolver has data. The value is an array of strings. 236 4.2. Example 238 The I-JSON object that a resolver returns might look like the 239 following: 241 { 242 "temp-field2": 42, 243 "temp-field1": [ "There is", "no \u000B!" ], 244 "inventory": [ "inventory", "temp-field1", "temp-field2" ] 245 } 247 As specified in [RFC7493], the I-JSON object is encoded as UTF8. 248 This example has no un-escaped non-ASCII characters only because they 249 are not currently allowed in Internet Drafts. For example, the 250 exclamation mark in the second name/value pair could instead be the 251 double exclamation mark character, U+203C. 253 [RFC7493] explicitly allows the returned objects to be in any order. 255 5. IANA Considerations 257 5.1. RESINFO RRtype 259 This document defines a new DNS RR type, RESINFO, whose value TBD 260 will be allocated by IANA from the "Resource Record (RR) TYPEs" sub- 261 registry of the "Domain Name System (DNS) Parameters" registry: 263 Type: RESINFO 265 Value: TBD 267 Meaning: Information self-published by a resolver as an I-JSON (RFC 268 7493) object 270 Reference: This document 272 5.2. resolver-info.arpa Special-Use Domain Name 274 IANA will record the domain name "resolver-info.arpa" in the 275 "Special-Use Domain Names" registry [SUDN]. IANA MUST NOT delegate 276 resolver-info.arpa in the .arpa zone. 278 5.3. Registry for DNS Resolver Information 280 IANA will create a new registry titled "DNS Resolver Information" 281 that will contain definitions of the names that can be used with the 282 protocols defined in this document. The registration procedure is by 283 Expert Review and Specification Required, as defined in [RFC8126]. 285 The specification that is required for registration can be either an 286 Internet-Draft or an RFC. The reviewer for this registry is 287 instructed to generally be liberal in what they accept into the 288 registry: as long as the specification that comes with the 289 registration request is reasonably understandable, the registration 290 should be accepted. 292 The registry has the following fields for each element: 294 Name: The name to be used in the JSON object. This name MUST NOT 295 begin with "temp-". This name MUST conform to the definition of 296 "string" in I-JSON [RFC7493] message format. 298 Value type: The type of data to be used in the JSON object. 300 Specification: The name of the specification for the registered 301 element. 303 5.4. resolver-info Well-known URI 305 Before this draft is complete, mail will be sent to wellknown-uri- 306 review@ietf.org in order to be registered in the "Well-Known URIs" 307 registry at IANA. The mail will contain the following: 309 URI suffix: resolver-info 311 Change controller: IETF 313 Specification document(s): This document 315 Status: permanent 317 6. Security Considerations 319 Unless a DNS request for resolver-info.arpa/IN/RESINFO, or a 320 subdomain, as described in Section 2 is sent over DNS-over-TLS (DoT) 321 [RFC7858] or DNS-over-HTTPS (DoT) [RFC8484], the response is 322 susceptible to forgery. Stubs and resolvers SHOULD use normal DNS 323 methods for avoiding forgery such as query ID randomizaton and source 324 port randomization. A stub resolver will know if it is using DoT or 325 DoH, and if it is using DoT it will know if the communication is 326 authenticated (DoH is always authenticated). 328 An application that is using an operating system API to send queries 329 for resolver-info.arpa/IN/RESINFO or a subdomain will only know if 330 query went over authenticated DoT or DoH if the API supports 331 returning that authentication information. Currently, no common APIs 332 support that type of response. 334 7. References 336 7.1. Normative References 338 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 339 Requirement Levels", BCP 14, RFC 2119, 340 DOI 10.17487/RFC2119, March 1997, 341 . 343 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, 344 DOI 10.17487/RFC7493, March 2015, 345 . 347 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 348 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 349 May 2017, . 351 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 352 Interchange Format", STD 90, RFC 8259, 353 DOI 10.17487/RFC8259, December 2017, 354 . 356 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 357 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 358 January 2019, . 360 [SUDN] "Special-Use Domain Names", n.d., 361 . 364 7.2. Informative References 366 [I-D.ietf-acme-ip] 367 Shoemaker, R., "ACME IP Identifier Validation Extension", 368 draft-ietf-acme-ip-05 (work in progress), February 2019. 370 [I-D.nottingham-rfc5785bis] 371 Nottingham, M., "Well-Known Uniform Resource Identifiers 372 (URIs)", draft-nottingham-rfc5785bis-11 (work in 373 progress), April 2019. 375 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 376 and P. Hoffman, "Specification for DNS over Transport 377 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 378 2016, . 380 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 381 Writing an IANA Considerations Section in RFCs", BCP 26, 382 RFC 8126, DOI 10.17487/RFC8126, June 2017, 383 . 385 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 386 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 387 . 389 Acknowledgments 391 The idea of various types of servers publishing information about 392 themselves has been around for decades. However this idea has not 393 been used in the DNS. This document aims to fix this omission. 395 Authors' Addresses 397 Puneet Sood 398 Google 400 Email: puneets@google.com 402 Roy Arends 403 ICANN 405 Email: roy.arends@icann.org 407 Paul Hoffman 408 ICANN 410 Email: paul.hoffman@icann.org