idnits 2.17.1 draft-schwartz-svcb-dns-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (26 July 2021) is 1002 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-dnsop-svcb-https-06 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 add B. Schwartz 3 Internet-Draft Google LLC 4 Intended status: Standards Track 26 July 2021 5 Expires: 27 January 2022 7 Service Binding Mapping for DNS Servers 8 draft-schwartz-svcb-dns-04 10 Abstract 12 The SVCB DNS record type expresses a bound collection of endpoint 13 metadata, for use when establishing a connection to a named service. 14 DNS itself can be such a service, when the server is identified by a 15 domain name. This document provides the SVCB mapping for named DNS 16 servers, allowing them to indicate support for new transport 17 protocols. 19 Discussion Venues 21 This note is to be removed before publishing as an RFC. 23 Discussion of this document takes place on the ADD Working Group 24 mailing list (add@ietf.org), which is archived at 25 https://mailarchive.ietf.org/arch/browse/add/. 27 Source for this draft and an issue tracker can be found at 28 https://github.com/bemasc/svcb-dns. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on 27 January 2022. 47 Copyright Notice 49 Copyright (c) 2021 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 54 license-info) in effect on the date of publication of this document. 55 Please review these documents carefully, as they describe your rights 56 and restrictions with respect to this document. Code Components 57 extracted from this document must include Simplified BSD License text 58 as described in Section 4.e of the Trust Legal Provisions and are 59 provided without warranty as described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 65 3. Name form . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 3.1. Special case: non-default ports . . . . . . . . . . . . . 3 67 4. Applicable existing SvcParamKeys . . . . . . . . . . . . . . 4 68 4.1. alpn . . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 4.2. port . . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 4.3. Other applicable SvcParamKeys . . . . . . . . . . . . . . 4 71 5. New SvcParamKeys . . . . . . . . . . . . . . . . . . . . . . 4 72 5.1. dohpath . . . . . . . . . . . . . . . . . . . . . . . . . 5 73 6. Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 5 74 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5 75 8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 76 8.1. Adversary on the query path . . . . . . . . . . . . . . . 6 77 8.2. Adversary on the transport path . . . . . . . . . . . . . 7 78 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 79 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 80 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 81 10.2. Informative References . . . . . . . . . . . . . . . . . 8 82 Appendix A. Mapping Summary . . . . . . . . . . . . . . . . . . 8 83 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 9 84 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 86 1. Introduction 88 The SVCB record type [SVCB] provides clients with information about 89 how to reach alternative endpoints for a service, which may have 90 improved performance or privacy properties. The service is 91 identified by a "scheme" indicating the service type, a hostname, and 92 optionally other information such as a port number. A DNS server is 93 often identified only by its IP address (e.g. in DHCP), but in some 94 contexts it can also be identified by a hostname (e.g. "NS" records, 95 manual resolver configuration) and sometimes also a non-default port 96 number. 98 Use of the SVCB record type requires a mapping document for each 99 service type, indicating how a client for that service can interpret 100 the contents of the SVCB SvcParams. This document provides the 101 mapping for the "dns" service type, allowing DNS servers to offer 102 alternative endpoints and transports, including encrypted transports 103 like DNS over TLS and DNS over HTTPS. 105 2. Conventions and Definitions 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 109 "OPTIONAL" in this document are to be interpreted as described in BCP 110 14 [RFC2119] [RFC8174] when, and only when, they appear in all 111 capitals, as shown here. 113 3. Name form 115 Names are formed using Port-Prefix Naming ([SVCB] Section 2.3), with 116 a scheme of "dns". For example, SVCB records for a DNS service 117 identified as "dns1.example.com" would be located at 118 "_dns.dns1.example.com". 120 3.1. Special case: non-default ports 122 Normally, a DNS service is identified by an IP address or a domain 123 name. When connecting to the service using unencrypted DNS over UDP 124 or TCP, clients use the default port number for DNS (53). However, 125 in rare cases, a DNS service might be identified by both a name and a 126 port number. For example, the "dns:" URI scheme [DNSURI] optionally 127 includes an authority, comprised of a host and a port number (with a 128 default of 53). DNS URIs normally omit the authority, or specify an 129 IP address, but a hostname and non-default port number are allowed. 131 When a non-default port number is part of a service identifier, Port- 132 Prefix Naming places the port number in an additional a prefix on the 133 name. For example, SVCB records for a DNS service identified as 134 "dns1.example.com:9953" would be located at 135 "_9953._dns.dns1.example.com". If two DNS services operating on 136 different port numbers provide different behaviors, this arrangement 137 allows them to preserve the distinction when specifying alternative 138 endpoints. 140 4. Applicable existing SvcParamKeys 142 4.1. alpn 144 This key indicates the set of supported protocols ([SVCB] 145 Section 6.1). There is no default protocol, so the "no-default-alpn" 146 key does not apply, and the "alpn" key MUST be present. 148 If the protocol set contains any HTTP versions (e.g. "h2", "h3"), 149 then the record indicates support for DNS over HTTPS [DOH], and the 150 "dohpath" key MUST be present (Section 5.1). All keys specified for 151 use with the HTTPS record are also permissible, and apply to the 152 resulting HTTP connection. 154 If the protocol set contains protocols with different default ports, 155 and no port key is specified, then protocols are contacted separately 156 on their default ports. Note that in this configuration, ALPN 157 negotiation does not defend against cross-protocol downgrade attacks. 159 4.2. port 161 This key is used to indicate the target port for connection (([SVCB] 162 Section 6.2)). If omitted, the client SHALL use the default port for 163 each transport protocol (853 for DNS over TLS [DOT], 443 for DNS over 164 HTTPS). 166 This key is automatically mandatory if present. (See Section 7 of 167 [SVCB] for the definition of "automatically mandatory".) 169 4.3. Other applicable SvcParamKeys 171 These SvcParamKeys from [SVCB] apply to the "dns" scheme without 172 modification: 174 * ech 176 * ipv4hint 178 * ipv6hint 180 Future SvcParamKeys may also be applicable. 182 5. New SvcParamKeys 183 5.1. dohpath 185 "dohpath" is a single-valued SvcParamKey whose value (both in 186 presentation and wire format) is a relative URI Template [RFC6570], 187 normally starting with "/". If the "alpn" SvcParamKey indicates 188 support for HTTP, clients MAY construct a DNS over HTTPS URI Template 189 by combining the prefix "https://", the service name, the port from 190 the "port" key if present, and the "dohpath" value. (The DNS 191 service's original port number MUST NOT be used.) 193 Clients SHOULD NOT query for any "HTTPS" RRs when using the 194 constructed URI Template. Instead, the SvcParams and address records 195 associated with this SVCB record SHOULD be used for the HTTPS 196 connection, with the same semantics as an HTTPS RR. However, for 197 consistency, service operators SHOULD publish an equivalent HTTPS RR, 198 especially if clients might learn this URI Template through a 199 different channel. 201 6. Limitations 203 This document is concerned exclusively with the DNS transport, and 204 does not affect or inform the construction or interpretation of DNS 205 messages. For example, nothing in this document indicates whether 206 the service is intended for use as a recursive or authoritative DNS 207 server. Clients must know the intended use in their context. 209 7. Examples 211 * A resolver at "simple.example" that supports DNS over TLS on port 212 853 (implicitly, as this is its default port): 214 _dns.simple.example. 7200 IN SVCB 1 simple.example. alpn=dot 216 * A resolver at "doh.example" that supports only DNS over HTTPS (DNS 217 over TLS is not supported): 219 _dns.doh.example. 7200 IN SVCB 1 doh.example. ( 220 alpn=h2 dohpath=/dns-query{?dns} ) 222 * A resolver at "resolver.example" that supports 224 - DNS over TLS on "resolver.example" ports 853 (implicit in 225 record 1) and 8530 (explicit in record 2), with 226 "resolver.example" as the Authentication Domain Name, 228 - DNS over HTTPS at "https://resolver.example/dns-query{?dns}" 229 (record 1), and 231 - an experimental protocol on "fooexp.resolver.example:5353" 232 (record 3): 234 $ORIGIN resolver.example. 235 _dns 7200 IN SVCB 1 @ alpn=dot,h2,h3 dohpath=/dns-query{?dns} 236 SVCB 2 @ alpn=dot port=8530 237 SVCB 3 fooexp port=5353 alpn=foo foo-info=... 239 * A nameserver at "ns.example" whose service configuration is 240 published on a different domain: 242 $ORIGIN example. 243 _dns.ns 7200 IN SVCB 0 _dns.ns.nic 245 8. Security Considerations 247 8.1. Adversary on the query path 249 This section considers an adversary who can add or remove responses 250 to the SVCB query. 252 Clients MUST authenticate the server to its name during secure 253 transport establishment. This name is the hostname used to construct 254 the original SVCB query, and cannot be influenced by the SVCB record 255 contents. Accordingly, this draft does not mandate the use of 256 DNSSEC. This draft also does not specify how clients authenticate 257 the name (e.g. selection of roots of trust), which might vary 258 according to the context. 260 Although this adversary cannot alter the authentication name of the 261 service, it does have control of the port number and "dohpath" value. 262 As a result, the adversary can direct DNS queries for $HOSTNAME to 263 any port on $HOSTNAME, and any path on "https://$HOSTNAME", even if 264 $HOSTNAME is not actually a DNS server. If the DNS client uses 265 shared TLS or HTTP state, the client could be correctly authenticated 266 (e.g. using a TLS client certificate or HTTP cookie). 268 This behavior creates a number of possible attacks for certain server 269 configurations. For example, if "https://$HOSTNAME/upload" accepts 270 any POST request as a public file upload, the adversary could forge a 271 SVCB record containing "dohpath=/upload". This would cause the 272 client to upload and publish every query, resulting in unexpected 273 storage costs for the server and privacy loss for the client. 275 To mitigate this attack, a client of this SVCB mapping MUST NOT 276 provide client authentication for DNS queries, except to servers that 277 it specifically knows are not vulnerable to such attacks, and a DoH 278 service operator MUST ensure that all unauthenticated DoH requests to 279 its origin maintain the DoH service's privacy guarantees, regardless 280 of the path. Also, if an alternative service endpoint sends an 281 invalid response to a DNS query, the client SHOULD NOT send more 282 queries to that endpoint. 284 8.2. Adversary on the transport path 286 This section considers an adversary who can modify network traffic 287 between the client and the alternative service (identified by the 288 TargetName). 290 For a SVCB-reliant client ([SVCB] Section 3), this adversary can only 291 cause a denial of service. However, because DNS is unencrypted by 292 default, this adversary can execute a downgrade attack against SVCB- 293 optional clients. Accordingly, when use of this specification is 294 optional, clients SHOULD switch to SVCB-reliant behavior if SVCB 295 resolution succeeds. Specifications making using of this mapping MAY 296 adjust this fallback behavior to suit their requirements. 298 9. IANA Considerations 300 Per [SVCB] IANA would be directed to add the following entry to the 301 SVCB Service Parameters registry. 303 +========+=========+==============================+=================+ 304 | Number | Name | Meaning | Reference | 305 +========+=========+==============================+=================+ 306 | TBD | dohpath | DNS over HTTPS path template | (This | 307 | | | | document) | 308 +--------+---------+------------------------------+-----------------+ 310 Table 1 312 Per [Attrleaf], IANA would be directed to add the following entry to 313 the DNS Underscore Global Scoped Entry Registry: 315 +=========+============+===============+=================+ 316 | RR TYPE | _NODE NAME | Meaning | Reference | 317 +=========+============+===============+=================+ 318 | SVCB | _dns | DNS SVCB info | (This document) | 319 +---------+------------+---------------+-----------------+ 321 Table 2 323 10. References 325 10.1. Normative References 327 [DOH] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 328 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 329 . 331 [DOT] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 332 and P. Hoffman, "Specification for DNS over Transport 333 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 334 2016, . 336 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 337 Requirement Levels", BCP 14, RFC 2119, 338 DOI 10.17487/RFC2119, March 1997, 339 . 341 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 342 and D. Orchard, "URI Template", RFC 6570, 343 DOI 10.17487/RFC6570, March 2012, 344 . 346 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 347 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 348 May 2017, . 350 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 351 and parameter specification via the DNS (DNS SVCB and 352 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 353 dnsop-svcb-https-06, 16 June 2021, 354 . 357 10.2. Informative References 359 [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource 360 Records through "Underscored" Naming of Attribute Leaves", 361 BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, 362 . 364 [DNSURI] Josefsson, S., "Domain Name System Uniform Resource 365 Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, 366 . 368 Appendix A. Mapping Summary 370 This table serves as a non-normative summary of the DNS mapping for 371 SVCB. 373 +=================+========================================+ 374 +=================+========================================+ 375 | *Mapped scheme* | "dns" | 376 +-----------------+----------------------------------------+ 377 | *RR type* | SVCB (64) | 378 +-----------------+----------------------------------------+ 379 | *Name prefix* | "_dns" for port 53, else "_$PORT._dns" | 380 +-----------------+----------------------------------------+ 381 | *Required keys* | alpn | 382 +-----------------+----------------------------------------+ 383 | *Automatically | port | 384 | Mandatory Keys* | | 385 +-----------------+----------------------------------------+ 386 | *Special | Supports all HTTPS RR SvcParamKeys | 387 | behaviors* | | 388 +-----------------+----------------------------------------+ 389 | | Overrides the HTTPS RR for DoH | 390 +-----------------+----------------------------------------+ 391 | | Default port is per-transport | 392 +-----------------+----------------------------------------+ 393 | | No encrypted -> cleartext fallback | 394 +-----------------+----------------------------------------+ 396 Table 3 398 Acknowledgments 400 Thanks to the many reviewers and contributors, including Daniel 401 Migault, Paul Hoffman, Matt Norhoff, Peter van Dijk, Eric Rescorla, 402 and Andreas Schulze. 404 Author's Address 406 Benjamin Schwartz 407 Google LLC 409 Email: bemasc@google.com