idnits 2.17.1 draft-schwartz-svcb-dns-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (10 August 2020) is 1352 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-01 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 add B. Schwartz 3 Internet-Draft Google LLC 4 Intended status: Standards Track 10 August 2020 5 Expires: 11 February 2021 7 Service Binding Mapping for DNS Servers 8 draft-schwartz-svcb-dns-01 10 Abstract 12 The SVCB DNS record type expresses a bound collection of endpoint 13 metadata, for use when establishing a connection to a named service. 14 DNS itself can be such a service, when the server is identified by a 15 domain name. This document provides the SVCB mapping for named DNS 16 servers, allowing them to indicate support for new transport 17 protocols. 19 Discussion Venues 21 This note is to be removed before publishing as an RFC. 23 Discussion of this document takes place on the ADD Working Group 24 mailing list (add@ietf.org), which is archived at 25 https://mailarchive.ietf.org/arch/browse/add/. 27 Source for this draft and an issue tracker can be found at 28 https://github.com/bemasc/svcb-dns. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on 11 February 2021. 47 Copyright Notice 49 Copyright (c) 2020 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 54 license-info) in effect on the date of publication of this document. 55 Please review these documents carefully, as they describe your rights 56 and restrictions with respect to this document. Code Components 57 extracted from this document must include Simplified BSD License text 58 as described in Section 4.e of the Trust Legal Provisions and are 59 provided without warranty as described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 65 3. Name form . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 4. Applicable existing SvcParamKeys . . . . . . . . . . . . . . 3 67 4.1. port . . . . . . . . . . . . . . . . . . . . . . . . . . 3 68 4.2. alpn and no-default-alpn . . . . . . . . . . . . . . . . 3 69 4.3. Other applicable SvcParamKeys . . . . . . . . . . . . . . 4 70 5. New SvcParamKeys . . . . . . . . . . . . . . . . . . . . . . 4 71 5.1. dohpath . . . . . . . . . . . . . . . . . . . . . . . . . 4 72 6. Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 7. Relationship to DNS URIs . . . . . . . . . . . . . . . . . . 4 74 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5 75 9. Security Considerations . . . . . . . . . . . . . . . . . . . 5 76 9.1. Adversary on the query path . . . . . . . . . . . . . . . 5 77 9.2. Adversary on the transport path . . . . . . . . . . . . . 6 78 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 79 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 80 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 81 11.2. Informative References . . . . . . . . . . . . . . . . . 7 82 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 83 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 85 1. Introduction 87 The SVCB record type [SVCB] provides clients with information about 88 how to reach alternative endpoints for a service, which may have 89 improved performance or privacy properties. The service is 90 identified by a "scheme" indicating the service type, a hostname, and 91 optionally other information such as a port number. A DNS server is 92 often identified only by its IP address (e.g. in DHCP), but in some 93 contexts it can also be identified by a hostname (e.g. "NS" records, 94 manual resolver configuration). 96 Use of the SVCB record type requires a mapping document for each 97 service type, indicating how a client for that service can interpret 98 the contents of the SVCB SvcParams. This document provides the 99 mapping for the "dns" service type, allowing DNS servers to offer 100 alternative endpoints and transports, including encrypted transports 101 like DNS over TLS and DNS over HTTPS. 103 2. Conventions and Definitions 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 107 "OPTIONAL" in this document are to be interpreted as described in BCP 108 14 [RFC2119] [RFC8174] when, and only when, they appear in all 109 capitals, as shown here. 111 3. Name form 113 Names are formed using Port-Prefix Naming ([SVCB] Section 2.3). For 114 example, a DNS server with the name "dns1.example.com", listening 115 (unusually) on non-default port number 5353, would be represented as 116 "_5353._dns.dns1.example.com.". 118 4. Applicable existing SvcParamKeys 120 4.1. port 122 This key is used to indicate the target port for connection. If 123 omitted, the client SHALL use the default port for each transport 124 protocol: 853 for DNS over TLS and 443 for DNS over HTTPS. 126 This key is automatically mandatory if present. 128 4.2. alpn and no-default-alpn 130 These keys indicate the set of supported protocols. The default 131 protocol is "dot", indicating support for DNS over TLS [DOT]. 133 If the protocol set contains any HTTP versions (e.g. "h2", "h3"), 134 then the record indicates support for DNS over HTTPS [DOH], and the 135 "dohpath" key MUST be present (Section 5.1). All keys specified for 136 use with the HTTPS record are also permissible, and apply to the 137 resulting HTTP connection. 139 If the protocol set contains protocols with different default ports, 140 and no port key is specified, then protocols are contacted separately 141 on their default ports. Note that in this configuration, ALPN 142 negotiation does not defend against cross-protocol downgrade attacks. 144 These keys are automatically mandatory if present. 146 4.3. Other applicable SvcParamKeys 148 These SvcParamKeys apply to the "dns" scheme without modification: 150 * echconfig 152 * ipv4hint 154 * ipv6hint 156 5. New SvcParamKeys 158 5.1. dohpath 160 "dohpath" is a single-valued SvcParamKey whose value (both in 161 presentation and wire format) is a relative URI Template [RFC6570], 162 normally starting with "/". If the "alpn" SvcParamKey indicates 163 support for HTTP, clients MAY construct a DNS over HTTPS URI Template 164 by combining the prefix "https://", the server's hostname, the port 165 from the "port" key if present, and the "dohpath" value. (The 166 server's original port number MUST NOT be used.) 168 Clients SHOULD NOT query for any "HTTPS" RRs when using the 169 constructed URI Template. Instead, the SvcParams and address records 170 associated with this SVCB record SHOULD be used for the HTTPS 171 connection, with the same semantics as an HTTPS RR. However, for 172 consistency, server operators SHOULD publish an equivalent HTTPS RR, 173 especially if clients might learn this URI Template through a 174 different channel. 176 6. Limitations 178 This document is concerned exclusively with the DNS transport, and 179 does not affect or inform the construction or interpretation of DNS 180 messages. For example, nothing in this document indicates whether 181 the server is intended for use as a recursive or authoritative DNS 182 server. Clients must know the intended use in their context. 184 7. Relationship to DNS URIs 186 The "dns:" URI scheme [DNSURI] describes a way to represent DNS 187 queries as URIs. This scheme optionally includes an authority, 188 comprised of a host and port number (with a default of 53). DNS URIs 189 normally omit the authority, or specify an IP address, but a hostname 190 is allowed, in which case it is suitable for use with this mapping. 192 8. Examples 194 * A resolver at "resolver.example" that supports 196 - DNS over TLS on "resolver.example", port 853 and 8530, with 197 "resolver.example" as the Authentication Domain Name, 199 - DNS over HTTPS at "https://resolver.example/dns-query{?dns}", 200 and 202 - an experimental protocol on "fooexp.resolver.example:5353": 204 $ORIGIN example. 205 _dns.resolver 7200 IN SVCB 1 resolver ( 206 alpn=h2,h3 echconfig=... dohpath=/dns-query{?dns} ) 207 _dns.resolver 7200 IN SVCB 2 resolver ( 208 port=8530 echconfig=... ) 209 _dns.resolver 7200 IN SVCB 3 fooexp.resolver ( port=5353 210 echconfig=... alpn=foo no-default-alpn foo-info=... ) 212 * A nameserver at "ns.example" whose service configuration is 213 published on a different domain: 215 $ORIGIN example. 216 _dns.ns 7200 IN SVCB 0 _dns.ns.nic 218 9. Security Considerations 220 9.1. Adversary on the query path 222 This section considers an adversary who can add or remove responses 223 to the SVCB query. 225 Clients MUST authenticate the server to its name during secure 226 transport establishment. This name is the hostname used to construct 227 the original SVCB query, and cannot be influenced by the SVCB record 228 contents. Accordingly, this draft does not mandate the use of 229 DNSSEC. This draft also does not specify how clients authenticate 230 the name (e.g. selection of roots of trust), which might vary 231 according to the context. 233 Although this adversary cannot alter the authentication name of the 234 server, it does have control of the port number and "dohpath" value. 235 As a result, the adversary can direct DNS queries for $HOSTNAME to 236 any port on $HOSTNAME, and any path on "https://$HOSTNAME", even if 237 $HOSTNAME is not actually a DNS server. If the DNS client uses 238 shared TLS or HTTP state, the client could be correctly authenticated 239 (e.g. using a TLS client certificate or HTTP cookie). 241 This behavior creates a number of possible attacks for certain server 242 configurations. For example, if "https://$HOSTNAME/upload" accepts 243 any POST request as a file upload, the adversary could forge a SVCB 244 record containing "dohpath=/upload", causing the client to upload 245 every query, resulting in unexpected storage costs. 247 As a mitigation, a client of this SVCB mapping MUST NOT provide 248 client authentication for DNS queries, except to servers that it 249 specifically knows are not vulnerable to such attacks. Also, if an 250 alternative service endpoint sends an invalid response to a DNS 251 query, the client SHOULD NOT send more queries to that endpoint. 253 9.2. Adversary on the transport path 255 This section considers an adversary who can modify network traffic 256 between the client and the SvcDomainName (i.e. the destination 257 server). 259 A client that attempts a connection using an encrypted DNS transport 260 from a SVCB record SHOULD NOT fall back to unencrypted DNS if 261 connection fails. (This is different from the advice in Section 3 of 262 [SVCB], which assumes the default transport is secured.) 263 Specifications making using of this mapping MAY adjust this fallback 264 behavior to suit their requirements. 266 10. IANA Considerations 268 Per [SVCB] IANA would be directed to add the following entry to the 269 SVCB Service Parameters registry. 271 +========+=========+==============================+=================+ 272 | Number | Name | Meaning | Reference | 273 +========+=========+==============================+=================+ 274 | TBD | dohpath | DNS over HTTPS path template | (This | 275 | | | | document) | 276 +--------+---------+------------------------------+-----------------+ 278 Table 1 280 Per [Attrleaf], IANA would be directed to add the following entry to 281 the DNS Underscore Global Scoped Entry Registry: 283 +=========+============+===============+=================+ 284 | RR TYPE | _NODE NAME | Meaning | Reference | 285 +=========+============+===============+=================+ 286 | SVCB | _dns | DNS SVCB info | (This document) | 287 +---------+------------+---------------+-----------------+ 289 Table 2 291 11. References 293 11.1. Normative References 295 [DOH] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 296 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 297 . 299 [DOT] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 300 and P. Hoffman, "Specification for DNS over Transport 301 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 302 2016, . 304 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 305 Requirement Levels", BCP 14, RFC 2119, 306 DOI 10.17487/RFC2119, March 1997, 307 . 309 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 310 and D. Orchard, "URI Template", RFC 6570, 311 DOI 10.17487/RFC6570, March 2012, 312 . 314 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 315 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 316 May 2017, . 318 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 319 and parameter specification via the DNS (DNS SVCB and 320 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 321 dnsop-svcb-https-01, 13 July 2020, . 324 11.2. Informative References 326 [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource 327 Records through "Underscored" Naming of Attribute Leaves", 328 BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, 329 . 331 [DNSURI] Josefsson, S., "Domain Name System Uniform Resource 332 Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, 333 . 335 Acknowledgments 337 TODO acknowledge. 339 Author's Address 341 Benjamin Schwartz 342 Google LLC 344 Email: bemasc@google.com