idnits 2.17.1 draft-sah-resolver-information-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 22, 2019) is 1799 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'SUDN' is defined on line 365, but no explicit reference was found in the text ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) -- Possible downref: Non-RFC (?) normative reference: ref. 'SUDN' == Outdated reference: A later version (-08) exists of draft-ietf-acme-ip-05 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Sood 3 Internet-Draft Google 4 Intended status: Standards Track R. Arends 5 Expires: November 23, 2019 P. Hoffman 6 ICANN 7 May 22, 2019 9 DNS Resolver Information Self-publication 10 draft-sah-resolver-information-01 12 Abstract 14 This document describes methods for DNS resolvers to self-publish 15 information about themselves, such as whether they perform DNSSEC 16 validation or are available over transports other than what is 17 defined in RFC 1035. The information is returned as a JSON object. 18 The names in this object are defined in an IANA registry that allows 19 for light-weight registration. Applications and operating systems 20 can use the methods defined here to get the information from 21 resolvers in order to make choices about how to send future queries 22 to those resolvers. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on November 23, 2019. 41 Copyright Notice 43 Copyright (c) 2019 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Retrieving Resolver Information by DNS . . . . . . . . . . . 3 61 3. Retrieving Resolver Information by Well-Known URI . . . . . . 4 62 4. Contents of the Returned I-JSON Object . . . . . . . . . . . 5 63 4.1. The "inventory" name . . . . . . . . . . . . . . . . . . 6 64 4.2. Example . . . . . . . . . . . . . . . . . . . . . . . . . 6 65 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 66 5.1. RESINFO RRtype . . . . . . . . . . . . . . . . . . . . . 6 67 5.2. Registry for DNS Resolver Information . . . . . . . . . . 6 68 5.3. resolver-info Well-known URI . . . . . . . . . . . . . . 7 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 70 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 71 7.1. Normative References . . . . . . . . . . . . . . . . . . 8 72 7.2. Informative References . . . . . . . . . . . . . . . . . 8 73 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 9 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 76 1. Introduction 78 Historically, DNS stub resolvers typically communicated with the 79 recursive resolvers in their configuration without needing to know 80 anything about the features of the recursive resolvers. More 81 recently, recursive resolvers have different features that may cause 82 stub resolvers to make choices about which configured resolver from 83 its configuration to use, and also how to communicate with the 84 recursive resolver (such as over different transports). Thus stub 85 resolvers need a way to get information from recursive resolvers 86 about features that might affect the communication. 88 This document specifies methods for stub resolvers to ask recursive 89 resolvers for such information. In short, a new RRtype and a new 90 special-use domain name (SUDN) are defined for stub resolvers to 91 query using the DNS, and a new well-known URI is defined for stub 92 resolvers to query using HTTP over TLS. 94 The response from either method is the same: a JSON object. The JSON 95 object MUST use the I-JSON message format defined in [RFC7493]. Note 96 that [RFC7493] was based on RFC 7159, but RFC 7159 was replaced by 98 [RFC8259]. Requiring the use of I-JSON instead of more general JSON 99 format greatly increases the likelihood of interoperability. 101 The information that a resolver might want to give to a recursive 102 resolver is not defined in this document; instead other documents 103 will follow that will specify that information and the format that it 104 comes in. 106 It is important to note that the protocol defined here is only for 107 recursive resolvers, not for authoritative servers. Authoritative 108 servers MUST NOT answer queries that are defined in this protocol. 109 (It is likely that a later protocol will allow authoritative servers 110 to give information in a method similar to the one described in this 111 document.) 113 1.1. Definitions 115 In the rest of this document, the term "resolver" without 116 qualification means "recursive resolver" as defined in [RFC8499]. 117 Also, the term "stub" is used to mean "stub resolver". 119 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 120 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 121 "OPTIONAL" in this document are to be interpreted as described in BCP 122 14 [RFC2119] [RFC8174] when, and only when, they appear in all 123 capitals, as shown here. 125 2. Retrieving Resolver Information by DNS 127 A stub that wants to use the DNS to get information about a resolver 128 can use the DNS query defined here. Note that the answer given by 129 the resolver cannot be validated with DNSSEC. 131 The query a stub resolver uses is .{in-addr,ip6}.arpa/IN/ 132 RESINFO. The RRtype "RESINFO" is defined in this document, and the 133 IANA assignment is given in Section 5.1. The contents of the Rdata 134 in the response to this query is defined in Section 4. If the 135 resolver understands the RESINFO RRtype, the RRset in the Answer 136 section MUST have exactly one record. 138 In this section, ".{in-addr,ip6}.arpa" is the domain name 139 associated with the reverse lookup of an IP address of the resolver 140 (resolvers can have multiple addresses). For example, if the 141 resolver is at 192.0.2.1, the query would be 1.2.0.192.in- 142 addr.arpa/IN/RESINFO. 144 A resolver that receives a query with the RRtype of RESINFO with a 145 QNAME of .{in-addr,ip6}.arpa acts as if it is delegated, 146 and responds with its own RESINFO data in the Answer section. The 147 resolver can generate this reply with special code to capture queries 148 for these types of addresses; if the resolver can be configured to 149 also be authoritative for some zones, it can use that configuration 150 to actually be authoritative for the addresses on which it responds. 152 A stub that knows a specific type of information it wants MAY ask for 153 that information by prepending a label with the name of the 154 information in its query. For example, if the stub knows that it 155 wants information whose name is "temp-field2", it would send the 156 query temp-field2..{in-addr,ip6}.arpa/IN/RESINFO. As 157 described in Section 4, the JSON object in the response is likely to 158 have name-value pairs in addition to the one requested. 160 Any query for the RESINFO RRtype that is not in .{in- 161 addr,ip6}.arpa/IN or a subdomain of .{in-addr,ip6}.arpa/ 162 IN is meaningless and MUST result in a NODATA or NXDOMAIN response. 163 Resolvers would not need any special code to meet this requirement; 164 they only need code to handle the RESINFO RRtype that is not in 165 .{in-addr,ip6}.arpa/IN or a subdomain of .{in-addr,ip6}.arpa/IN . 168 3. Retrieving Resolver Information by Well-Known URI 170 A stub that wants to use HTTPS to get information about a resolver 171 can use the well-known URI defined here. Because this uses HTTPS, 172 the stub has the possibility of authenticating the TLS connection. 173 If the connection cannot be authenticated (such as if the stub only 174 knows the IP address of the resolver and the resolver's certificate 175 does not have the IP address, or the correct IP address), the stub 176 MAY still use the results with the same lack of assuredness as it 177 would have with using a DNS request described in Section 2. 179 The stub MUST use the HTTP GET method. The URI used to get the 180 resolver information is one of: 182 https://IPADDRESSOFRESOLVER/.well-known/resolver-info/ 184 https://DOMAINNAMEOFRESOLVER/.well-known/resolver-info/ 186 This uses the ".well-known" URI mechanism defined in [RFC8615]. The 187 contents of the response to this query is defined in Section 4. 189 A resolver that uses this protocol to publish its information SHOULD, 190 if possible, have a TLS certificate whose subject identifiers are any 191 IP address that the resolver is available on, as well as any domain 192 names that the resolver operator uses for the resolver. At the time 193 that this document is published, getting IP addresses in TLS 194 certificates is possible, but there are only a few widely-trusted CAs 195 that issue such certificates. [I-D.ietf-acme-ip] describes a new 196 protocol that may cause IP address certificates to become more 197 common. 199 In the future, DHCP and/or DCHPv6 and/or RA may have options that 200 allow the configuration to contain the domain name of a resolver. If 201 so, this can be used for matching the domain name in the TLS 202 certificate. 204 4. Contents of the Returned I-JSON Object 206 The JSON object returned by a DNS query or an HTTPS query MUST 207 contain at least one name-value pair: "inventory", described later in 208 this section. The returned object MAY contain any other name-value 209 pairs. 211 The requirement for the inclusion of the "inventory" name-value pair 212 is so that systems retrieving the information over DNS can create 213 specific queries. Using specific queries can reduce the number of 214 round trips in the case where the answers to queries become large. 215 The "inventory" name-value pair MUST be included in the response even 216 if the query was for a single name. 218 If the request was over DNS using a subdomain under .{in- 219 addr,ip6}.arpa, the resolver SHOULD return an object that contains a 220 name-value pair with that name if the resolver has that information. 221 If the resolver does not have information for that name, it MUST NOT 222 returen the name in the object. 224 If the request was over HTTPS, the resolver SHOULD return an object 225 with all known name-value pairs for which it has information. 227 All names in the returned object MUST be defined in the IANA registry 228 or begin with the substring "temp-". All names MUST consist only of 229 lower-case ASCII characters, digits, and hyphens (that is, Unicode 230 characters U+0061 through 007A, U+0030 through U+0039, and U+002D), 231 and MUST be 63 characters or shorter. As defined in Section 5.2, the 232 IANA registry will not register names that begin with "temp-", so 233 these names can be used freely by any implementer. 235 Note that the message returned by the resolver MUST be in I-JSON 236 format. I-JSON requires that the message MUST be encoded in UTF8. 238 This document only defines one element that can returned: 239 "inventory". All other elements will be defined in other documents. 241 4.1. The "inventory" name 243 The "inventory" name lists all of the types of information for which 244 the resolver has data. The value is an array of strings. 246 4.2. Example 248 The I-JSON object that a resolver returns might look like the 249 following: 251 { 252 "temp-field2": 42, 253 "temp-field1": [ "There is", "no \u000B!" ], 254 "inventory": [ "inventory", "temp-field1", "temp-field2" ] 255 } 257 As specified in [RFC7493], the I-JSON object is encoded as UTF8. 258 This example has no un-escaped non-ASCII characters only because they 259 are not currently allowed in Internet Drafts. For example, the 260 exclamation mark in the second name/value pair could instead be the 261 double exclamation mark character, U+203C. 263 [RFC7493] explicitly allows the returned objects to be in any order. 265 5. IANA Considerations 267 5.1. RESINFO RRtype 269 This document defines a new DNS RR type, RESINFO, whose value TBD 270 will be allocated by IANA from the "Resource Record (RR) TYPEs" sub- 271 registry of the "Domain Name System (DNS) Parameters" registry: 273 Type: RESINFO 275 Value: TBD 277 Meaning: Information self-published by a resolver as an I-JSON (RFC 278 7493) object 280 Reference: This document 282 5.2. Registry for DNS Resolver Information 284 IANA will create a new registry titled "DNS Resolver Information" 285 that will contain definitions of the names that can be used with the 286 protocols defined in this document. The registration procedure is by 287 Expert Review and Specification Required, as defined in [RFC8126]. 289 The specification that is required for registration can be either an 290 Internet-Draft or an RFC. The reviewer for this registry is 291 instructed to generally be liberal in what they accept into the 292 registry: as long as the specification that comes with the 293 registration request is reasonably understandable, the registration 294 should be accepted. 296 The registry has the following fields for each element: 298 Name: The name to be used in the JSON object. This name MUST NOT 299 begin with "temp-". This name MUST conform to the definition of 300 "string" in I-JSON [RFC7493] message format. 302 Value type: The type of data to be used in the JSON object. 304 Specification: The name of the specification for the registered 305 element. 307 5.3. resolver-info Well-known URI 309 Before this draft is complete, mail will be sent to wellknown-uri- 310 review@ietf.org in order to be registered in the "Well-Known URIs" 311 registry at IANA. The mail will contain the following: 313 URI suffix: resolver-info 315 Change controller: IETF 317 Specification document(s): This document 319 Status: permanent 321 6. Security Considerations 323 Unless a DNS request for .{in-addr,ip6}.arpa/IN/RESINFO, 324 or a subdomain, as described in Section 2 is sent over DNS-over-TLS 325 (DoT) [RFC7858] or DNS-over-HTTPS (DoT) [RFC8484], or unless the 326 .{in-addr,ip6}.arpa zone is signed with DNSSEC, the 327 response is susceptible to forgery. Stubs and resolvers SHOULD use 328 normal DNS methods for avoiding forgery such as query ID 329 randomization and source port randomization. A stub resolver will 330 know if it is using DoT or DoH, and if it is using DoT it will know 331 if the communication is authenticated (DoH is always authenticated). 333 An application that is using an operating system API to send queries 334 for .{in-addr,ip6}.arpa/IN/RESINFO or a subdomain will 335 only know if query went over authenticated DoT or DoH if the API 336 supports returning that authentication information. Currently, no 337 common APIs support that type of response. 339 7. References 341 7.1. Normative References 343 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 344 Requirement Levels", BCP 14, RFC 2119, 345 DOI 10.17487/RFC2119, March 1997, 346 . 348 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, 349 DOI 10.17487/RFC7493, March 2015, 350 . 352 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 353 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 354 May 2017, . 356 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 357 Interchange Format", STD 90, RFC 8259, 358 DOI 10.17487/RFC8259, December 2017, 359 . 361 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 362 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 363 January 2019, . 365 [SUDN] "Special-Use Domain Names", n.d., 366 . 369 7.2. Informative References 371 [I-D.ietf-acme-ip] 372 Shoemaker, R., "ACME IP Identifier Validation Extension", 373 draft-ietf-acme-ip-05 (work in progress), February 2019. 375 [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 376 and P. Hoffman, "Specification for DNS over Transport 377 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 378 2016, . 380 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 381 Writing an IANA Considerations Section in RFCs", BCP 26, 382 RFC 8126, DOI 10.17487/RFC8126, June 2017, 383 . 385 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 386 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 387 . 389 [RFC8615] Nottingham, M., "Well-Known Uniform Resource Identifiers 390 (URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019, 391 . 393 Acknowledgments 395 The idea of various types of servers publishing information about 396 themselves has been around for decades. However this idea has not 397 been used in the DNS. This document aims to fix this omission. 399 Erik Kline suggested using ".{in-addr,ip6}.arpa" as the 400 domain name to allow for the possibility of DNSSEC-signed responses. 402 Authors' Addresses 404 Puneet Sood 405 Google 407 Email: puneets@google.com 409 Roy Arends 410 ICANN 412 Email: roy.arends@icann.org 414 Paul Hoffman 415 ICANN 417 Email: paul.hoffman@icann.org