Discovery of Designated Resolvers
draft-ietf-add-ddr-05
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 9462.
|
|
|---|---|---|---|
| Authors | Tommy Pauly , Eric Kinnear , Christopher A. Wood , Patrick McManus , Tommy Jensen | ||
| Last updated | 2022-02-24 (Latest revision 2022-01-31) | ||
| Replaces | draft-pauly-add-deer | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Last Call review
(of
-08)
by Robert Sparks
Almost ready
INTDIR Last Call review
(of
-08)
by Juan-Carlos Zúñiga
Ready w/issues
ARTART Last Call review
(of
-07)
by Thomas Fossati
Almost ready
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | In WG Last Call | |
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 9462 (Proposed Standard) | |
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ietf-add-ddr-05
ADD T. Pauly
Internet-Draft E. Kinnear
Intended status: Standards Track Apple Inc.
Expires: 4 August 2022 C.A. Wood
Cloudflare
P. McManus
Fastly
T. Jensen
Microsoft
31 January 2022
Discovery of Designated Resolvers
draft-ietf-add-ddr-05
Abstract
This document defines Discovery of Designated Resolvers (DDR), a
mechanism for DNS clients to use DNS records to discover a resolver's
encrypted DNS configuration. This mechanism can be used to move from
unencrypted DNS to encrypted DNS when only the IP address of a
resolver is known. This mechanism is designed to be limited to cases
where unencrypted resolvers and their designated resolvers are
operated by the same entity or cooperating entities. It can also be
used to discover support for encrypted DNS protocols when the name of
an encrypted resolver is known.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Adaptive DNS Discovery
Working Group mailing list (add@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/add/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-add/draft-ietf-add-ddr.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Pauly, et al. Expires 4 August 2022 [Page 1]
Internet-Draft DDR January 2022
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 4 August 2022.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Specification of Requirements . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. DNS Service Binding Records . . . . . . . . . . . . . . . . . 4
4. Discovery Using Resolver IP Addresses . . . . . . . . . . . . 5
4.1. Use of Designated Resolvers . . . . . . . . . . . . . . . 6
4.2. Verified Discovery . . . . . . . . . . . . . . . . . . . 7
4.3. Opportunistic Discovery . . . . . . . . . . . . . . . . . 8
5. Discovery Using Resolver Names . . . . . . . . . . . . . . . 8
6. Deployment Considerations . . . . . . . . . . . . . . . . . . 9
6.1. Caching Forwarders . . . . . . . . . . . . . . . . . . . 9
6.2. Certificate Management . . . . . . . . . . . . . . . . . 10
6.3. Server Name Handling . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8.1. Special Use Domain Name "resolver.arpa" . . . . . . . . . 11
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.1. Normative References . . . . . . . . . . . . . . . . . . 11
9.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. Rationale for using SVCB records . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
Pauly, et al. Expires 4 August 2022 [Page 2]
Internet-Draft DDR January 2022
1. Introduction
When DNS clients wish to use encrypted DNS protocols such as DNS-
over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they
require additional information beyond the IP address of the DNS
server, such as the resolver's hostname, non-standard ports, or URL
paths. However, common configuration mechanisms only provide the
resolver's IP address during configuration. Such mechanisms include
network provisioning protocols like DHCP [RFC2132] and IPv6 Router
Advertisement (RA) options [RFC8106], as well as manual
configuration.
This document defines two mechanisms for clients to discover
designated resolvers using DNS server Service Binding (SVCB,
[I-D.ietf-dnsop-svcb-https]) records:
1. When only an IP address of an Unencrypted Resolver is known, the
client queries a special use domain name (SUDN) [RFC6761] to
discover DNS SVCB records associated with one or more Encrypted
Resolvers the Unencrypted Resolver has designated for use when
support for DNS encryption is requested (Section 4).
2. When the hostname of an Encrypted Resolver is known, the client
requests details by sending a query for a DNS SVCB record. This
can be used to discover alternate encrypted DNS protocols
supported by a known server, or to provide details if a resolver
name is provisioned by a network (Section 5).
Both of these approaches allow clients to confirm that a discovered
Encrypted Resolver is designated by the originally provisioned
resolver. "Designated" in this context means that the resolvers are
operated by the same entity or cooperating entities; for example, the
resolvers are accessible on the same IP address, or there is a
certificate that claims ownership over the IP address for the
original designating resolver.
1.1. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Terminology
This document defines the following terms:
Pauly, et al. Expires 4 August 2022 [Page 3]
Internet-Draft DDR January 2022
DDR: Discovery of Designated Resolvers. Refers to the mechanisms
defined in this document.
Designated Resolver: A resolver, presumably an Encrypted Resolver,
designated by another resolver for use in its own place. This
designation can be verified with TLS certificates.
Encrypted Resolver: A DNS resolver using any encrypted DNS
transport. This includes current mechanisms such as DoH and DoT
as well as future mechanisms.
Unencrypted Resolver: A DNS resolver using TCP or UDP port 53.
3. DNS Service Binding Records
DNS resolvers can advertise one or more Designated Resolvers that may
offer support over encrypted channels and are controlled by the same
entity.
When a client discovers Designated Resolvers, it learns information
such as the supported protocols and ports. This information is
provided in ServiceMode Service Binding (SVCB) records for DNS
Servers, although AliasMode SVCB records can be used to direct
clients to the needed ServiceMode SVCB record per
[I-D.ietf-dnsop-svcb-https]. The formatting of these records,
including the DNS-unique parameters such as "dohpath", are defined by
[I-D.ietf-add-svcb-dns].
The following is an example of an SVCB record describing a DoH server
discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 example.net. (
alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT server
discovered by querying for _dns.example.net:
_dns.example.net 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 )
If multiple Designated Resolvers are available, using one or more
encrypted DNS protocols, the resolver deployment can indicate a
preference using the priority fields in each SVCB record
[I-D.ietf-dnsop-svcb-https].
If the client encounters a mandatory parameter in an SVCB record it
does not understand, it MUST NOT use that record to discover a
Designated Resolver. The client can still use others records in the
Pauly, et al. Expires 4 August 2022 [Page 4]
Internet-Draft DDR January 2022
same response if the client can understand all of their mandatory
parameters. This allows future encrypted deployments to
simultaneously support protocols even if a given client is not aware
of all those protocols. For example, if the Unencrypted Resolver
returns three SVCB records, one for DoH, one for DoT, and one for a
yet-to-exist protocol, a client which only supports DoH and DoT
should be able to use those records while safely ignoring the third
record.
To avoid name lookup deadlock, Designated Resolvers SHOULD follow the
guidance in Section 10 of [RFC8484] regarding the avoidance of DNS-
based references that block the completion of the TLS handshake.
This document focuses on discovering DoH and DoT Designated
Resolvers. Other protocols can also use the format defined by
[I-D.ietf-add-svcb-dns]. However, if any protocol does not involve
some form of certificate validation, new validation mechanisms will
need to be defined to support validating designation as defined in
Section 4.2.
4. Discovery Using Resolver IP Addresses
When a DNS client is configured with an Unencrypted Resolver IP
address, it SHOULD query the resolver for SVCB records for
"dns://resolver.arpa" before making other queries. Specifically, the
client issues a query for _dns.resolver.arpa with the SVCB resource
record type (64) [I-D.ietf-dnsop-svcb-https].
Because this query is for an SUDN, which no entity can claim
ownership over, the ServiceMode SVCB response MUST NOT use the "."
value for the TargetName. Instead, the domain name used for DoT or
used to construct the DoH template MUST be provided.
The following is an example of an SVCB record describing a DoH server
discovered by querying for _dns.resolver.arpa:
_dns.resolver.arpa 7200 IN SVCB 1 doh.example.net (
alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of an SVCB record describing a DoT server
discovered by querying for _dns.resolver.arpa:
_dns.resolver.arpa 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 )
If the recursive resolver that receives this query has one or more
Designated Resolvers, it will return the corresponding SVCB records.
When responding to these special queries for "dns://resolver.arpa",
Pauly, et al. Expires 4 August 2022 [Page 5]
Internet-Draft DDR January 2022
the recursive resolver SHOULD include the A and AAAA records for the
name of the Designated Resolver in the Additional Answers section.
This will allow the DNS client to make queries over an encrypted
connection without waiting to resolve the Encrypted Resolver name per
[I-D.ietf-dnsop-svcb-https]. If no A/AAAA records or SVCB IP address
hints are included, clients will be forced to delay use of the
Encrypted Resolver until an additional DNS lookup for the A and AAAA
records can be made to the Unencrypted Resolver (or some other
resolver the DNS client has been configured to use).
If the recursive resolver that receives this query has no Designated
Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa"
SUDN.
4.1. Use of Designated Resolvers
When a client discovers Designated Resolvers from an Unencrypted
Resolver IP address, it can choose to use these Designated Resolvers
either automatically, or based on some other policy, heuristic, or
user choice.
This document defines two preferred methods to automatically use
Designated Resolvers:
* Verified Discovery Section 4.2, for when a TLS certificate can be
used to validate the resolver's identity.
* Opportunistic Discovery Section 4.3, for when a resolver is
accessed using a non-public IP address.
A client MAY additionally use a discovered Designated Resolver
without either of these methods, based on implementation-specific
policy or user input. Details of such policy are out of scope of
this document. Clients SHOULD NOT automatically use a Designated
Resolver without some sort of validation, such as the two methods
defined in this document or a future mechanism.
A client MUST NOT use a Designated Resolver designated by one
Unencrypted Resolver in place of another Unencrypted Resolver. As
these are known only by IP address, this means each unique IP address
used for unencrypted DNS requires its own designation discovery.
This ensures queries are being sent to a party designated by the
resolver originally being used.
Pauly, et al. Expires 4 August 2022 [Page 6]
Internet-Draft DDR January 2022
Generally, clients also SHOULD NOT reuse the Designated Resolver
discovered from an Unencrypted Resolver over one network connection
in place of the same Unencrypted Resolver on another network
connection. Instead, clients SHOULD repeat the discovery process on
the other network connection.
However, if a given Unencrypted Resolver designates a Designated
Resolver that uses a public IP address and can be verified using the
mechanism described in Section 4.2, it MAY be used on different
network connections so long as the subsequent connections over other
networks can also be successfully verified using the mechanism
described in Section 4.2. This is a tradeoff between performance (by
having no delay in establishing an encrypted DNS connection on the
new network) and functionality (if the Unencrypted Resolver intends
to designate different Designated Resolvers based on the network from
which clients connect).
4.2. Verified Discovery
Verified Discovery is a mechanism that allows automatic use of a
Designated Resolver that supports DNS encryption that performs a TLS
handshake.
In order to be considered a verified Designated Resolver, the TLS
certificate presented by the Designated Resolver MUST contain the IP
address of the designating Unencrypted Resolver in a subjectAltName
extension. If the certificate can be validated, the client SHOULD
use the discovered Designated Resolver for any cases in which it
would have otherwise used the Unencrypted Resolver. If the
Designated Resolver has a different IP address than the Unencrypted
Resolver and the TLS certificate does not cover the Unencrypted
Resolver address, the client MUST NOT automatically use the
discovered Designated Resolver. Additionally, the client SHOULD
suppress any further queries for Designated Resolvers using this
Unencrypted Resolver for the length of time indicated by the SVCB
record's Time to Live (TTL).
If the Designated Resolver and the Unencrypted Resolver share an IP
address, clients MAY choose to opportunistically use the Designated
Resolver even without this certificate check (Section 4.3).
If resolving the name of a Designated Resolver from an SVCB record
yields an IP address that was not presented in the Additional Answers
section or ipv4hint or ipv6hint fields of the original SVCB query,
the connection made to that IP address MUST pass the same TLS
certificate checks before being allowed to replace a previously known
and validated IP address for the same Designated Resolver name.
Pauly, et al. Expires 4 August 2022 [Page 7]
Internet-Draft DDR January 2022
4.3. Opportunistic Discovery
There are situations where Verified Discovery of encrypted DNS
configuration over unencrypted DNS is not possible. This includes
Unencrypted Resolvers on non-public IP addresses such as those
defined in [RFC1918] whose identity cannot be confirmed using TLS
certificates.
Opportunistic Privacy is defined for DoT in Section 4.1 of [RFC7858]
as a mode in which clients do not validate the name of the resolver
presented in the certificate. A client MAY use information from the
SVCB record for "dns://resolver.arpa" with this "opportunistic"
approach (not validating the names presented in the
SubjectAlternativeName field of the certificate) as long as the IP
address of the Encrypted Resolver does not differ from the IP address
of the Unencrypted Resolver. Clients SHOULD use this mode only for
resolvers using non-public IP addresses. This approach can be used
for any encrypted DNS protocol that uses TLS.
5. Discovery Using Resolver Names
A DNS client that already knows the name of an Encrypted Resolver can
use DDR to discover details about all supported encrypted DNS
protocols. This situation can arise if a client has been configured
to use a given Encrypted Resolver, or if a network provisioning
protocol (such as DHCP or IPv6 Router Advertisements) provides a name
for an Encrypted Resolver alongside the resolver IP address.
For these cases, the client simply sends a DNS SVCB query using the
known name of the resolver. This query can be issued to the named
Encrypted Resolver itself or to any other resolver. Unlike the case
of bootstrapping from an Unencrypted Resolver (Section 4), these
records SHOULD be available in the public DNS.
For example, if the client already knows about a DoT server
resolver.example.com, it can issue an SVCB query for
_dns.resolver.example.com to discover if there are other encrypted
DNS protocols available. In the following example, the SVCB answers
indicate that resolver.example.com supports both DoH and DoT, and
that the DoH server indicates a higher priority than the DoT server.
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. (
alpn=h2 dohpath=/dns-query{?dns} )
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. (
alpn=dot )
Pauly, et al. Expires 4 August 2022 [Page 8]
Internet-Draft DDR January 2022
Clients MUST validate that for any Encrypted Resolver discovered
using a known resolver name, the TLS certificate of the resolver
contains the known name in a subjectAltName extension. In the
example above, this means that both servers need to have certificates
that cover the name resolver.example.com. Often, the various
supported encrypted DNS protocols will be specified such that the
SVCB TargetName matches the known name, as is true in the example
above. However, even when the TargetName is different (for example,
if the DoH server had a TargetName of doh.example.com), the clients
still check for the original known resolver name in the certificate.
Note that this resolver validation is not related to the DNS resolver
that provided the SVCB answer.
As another example, being able to discover a Designated Resolver for
a known Encrypted Resolver is useful when a client has a DoT
configuration for foo.resolver.example.com but is on a network that
blocks DoT traffic. The client can still send a query to any other
accessible resolver (either the local network resolver or an
accessible DoH server) to discover if there is a designated DoH
server for foo.resolver.example.com.
6. Deployment Considerations
Resolver deployments that support DDR are advised to consider the
following points.
6.1. Caching Forwarders
A DNS forwarder SHOULD NOT forward queries for "resolver.arpa"
upstream. This prevents a client from receiving an SVCB record that
will fail to authenticate because the forwarder's IP address is not
in the upstream resolver's Designated Resolver's TLS certificate SAN
field. A DNS forwarder which already acts as a completely blind
forwarder MAY choose to forward these queries when the operator
expects that this does not apply, either because the operator knows
the upstream resolver does have the forwarder's IP address in its TLS
certificate's SAN field or that the operator expects clients of the
unencrypted resolver to use the SVCB information opportunistically.
Operators who choose to forward queries for "resolver.arpa" upstream
should note that client behavior is never guaranteed and use of DDR
by a resolver does not communicate a requirement for clients to use
the SVCB record when it cannot be verified.
Pauly, et al. Expires 4 August 2022 [Page 9]
Internet-Draft DDR January 2022
6.2. Certificate Management
Resolver owners that support Verified Discovery will need to list
valid referring IP addresses in their TLS certificates. This may
pose challenges for resolvers with a large number of referring IP
addresses.
6.3. Server Name Handling
Clients MUST NOT use "resolver.arpa" as the server name either in the
TLS Server Name Indication (SNI) ([RFC8446]) for DoT or DoH
connections, or in the URI host for DoH requests.
When performing discovery using resolver IP addresses, clients MUST
use the IP address as the URI host for DoH requests.
Note that since IP addresses are not supported by default in the TLS
SNI, resolvers that support discovery using IP addresses will need to
be configured to present the appropriate TLS certificate when no SNI
is present for both DoT and DoH.
7. Security Considerations
Since clients can receive DNS SVCB answers over unencrypted DNS, on-
path attackers can prevent successful discovery by dropping SVCB
packets. Clients should be aware that it might not be possible to
distinguish between resolvers that do not have any Designated
Resolver and such an active attack. To limit the impact of discovery
queries being dropped either maliciously or unintentionally, clients
can re-send their SVCB queries periodically.
DoH resolvers that allow discovery using DNS SVCB answers over
unencrypted DNS MUST NOT provide differentiated behavior based on the
HTTP path alone, since an attacker could modify the "dohpath"
parameter.
While the IP address of the Unencrypted Resolver is often provisioned
over insecure mechanisms, it can also be provisioned securely, such
as via manual configuration, a VPN, or on a network with protections
like RA guard [RFC6105]. An attacker might try to direct Encrypted
DNS traffic to itself by causing the client to think that a
discovered Designated Resolver uses a different IP address from the
Unencrypted Resolver. Such a Designated Resolver might have a valid
certificate, but be operated by an attacker that is trying to observe
or modify user queries without the knowledge of the client or
network.
Pauly, et al. Expires 4 August 2022 [Page 10]
Internet-Draft DDR January 2022
If the IP address of a Designated Resolver differs from that of an
Unencrypted Resolver, clients applying Verified Discovery
(Section 4.2) MUST validate that the IP address of the Unencrypted
Resolver is covered by the SubjectAlternativeName of the Designated
Resolver's TLS certificate.
Clients using Opportunistic Discovery (Section 4.3) MUST be limited
to cases where the Unencrypted Resolver and Designated Resolver have
the same IP address.
The constraints on the use of Designated Resolvers specified here
apply specifically to the automatic discovery mechanisms defined in
this document, which are referred to as Verified Discovery and
Opportunistic Discovery. Clients MAY use some other mechanism to
verify and use Designated Resolvers discovered using the DNS SVCB
record. However, use of such an alternate mechanism needs to take
into account the attack scenarios detailed here.
8. IANA Considerations
8.1. Special Use Domain Name "resolver.arpa"
This document calls for the addition of "resolver.arpa" to the
Special-Use Domain Names (SUDN) registry established by [RFC6761].
This will allow resolvers to respond to queries directed at
themselves rather than a specific domain name. While this document
uses "resolver.arpa" to return SVCB records indicating designated
encrypted capability, the name is generic enough to allow future
reuse for other purposes where the resolver wishes to provide
information about itself to the client.
The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the
querying client is not interested in an answer from the authoritative
"arpa" name servers. The intent of the SUDN is to allow clients to
communicate with the Unencrypted Resolver much like "ipv4only.arpa"
allows for client-to-middlebox communication. For more context, see
the rationale behind "ipv4only.arpa" in [RFC8880].
9. References
9.1. Normative References
[I-D.ietf-add-svcb-dns]
Schwartz, B., "Service Binding Mapping for DNS Servers",
Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns-
01, 21 October 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-add-
svcb-dns-01>.
Pauly, et al. Expires 4 August 2022 [Page 11]
Internet-Draft DDR January 2022
[I-D.ietf-dnsop-svcb-https]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding
and parameter specification via the DNS (DNS SVCB and
HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
dnsop-svcb-https-08, 12 October 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
svcb-https-08>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
J., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
February 1996, <https://www.rfc-editor.org/rfc/rfc1918>.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, DOI 10.17487/RFC6761, February 2013,
<https://www.rfc-editor.org/rfc/rfc6761>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/rfc/rfc7858>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/rfc/rfc8484>.
9.2. Informative References
[I-D.ietf-tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-13, 12 August 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
esni-13>.
[I-D.schinazi-httpbis-doh-preference-hints]
Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference
Hints for HTTP", Work in Progress, Internet-Draft, draft-
schinazi-httpbis-doh-preference-hints-02, 13 July 2020,
<https://datatracker.ietf.org/doc/html/draft-schinazi-
httpbis-doh-preference-hints-02>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
Pauly, et al. Expires 4 August 2022 [Page 12]
Internet-Draft DDR January 2022
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<https://www.rfc-editor.org/rfc/rfc2132>.
[RFC5507] IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch,
Ed., "Design Choices When Expanding the DNS", RFC 5507,
DOI 10.17487/RFC5507, April 2009,
<https://www.rfc-editor.org/rfc/rfc5507>.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
DOI 10.17487/RFC6105, February 2011,
<https://www.rfc-editor.org/rfc/rfc6105>.
[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS Configuration",
RFC 8106, DOI 10.17487/RFC8106, March 2017,
<https://www.rfc-editor.org/rfc/rfc8106>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>.
[RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name
'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August
2020, <https://www.rfc-editor.org/rfc/rfc8880>.
Appendix A. Rationale for using SVCB records
This mechanism uses SVCB/HTTPS resource records
[I-D.ietf-dnsop-svcb-https] to communicate that a given domain
designates a particular Designated Resolver for clients to use in
place of an Unencrypted Resolver (using a SUDN) or another Encrypted
Resolver (using its domain name).
There are various other proposals for how to provide similar
functionality. There are several reasons that this mechanism has
chosen SVCB records:
* Discovering encrypted resolver using DNS records keeps client
logic for DNS self-contained and allows a DNS resolver operator to
define which resolver names and IP addresses are related to one
another.
Pauly, et al. Expires 4 August 2022 [Page 13]
Internet-Draft DDR January 2022
* Using DNS records also does not rely on bootstrapping with higher-
level application operations (such as
[I-D.schinazi-httpbis-doh-preference-hints]).
* SVCB records are extensible and allow definition of parameter
keys. This makes them a superior mechanism for extensibility as
compared to approaches such as overloading TXT records. The same
keys can be used for discovering Designated Resolvers of different
transport types as well as those advertised by Unencrypted
Resolvers or another Encrypted Resolver.
* Clients and servers that are interested in privacy of names will
already need to support SVCB records in order to use Encrypted TLS
Client Hello [I-D.ietf-tls-esni]. Without encrypting names in
TLS, the value of encrypting DNS is reduced, so pairing the
solutions provides the largest benefit.
* Clients that support SVCB will generally send out three queries
when accessing web content on a dual-stack network: A, AAAA, and
HTTPS queries. Discovering a Designated Resolver as part of one
of these queries, without having to add yet another query,
minimizes the total number of queries clients send. While
[RFC5507] recommends adding new RRTypes for new functionality,
SVCB provides an extension mechanism that simplifies client
behavior.
Authors' Addresses
Tommy Pauly
Apple Inc.
One Apple Park Way
Cupertino, California 95014,
United States of America
Email: tpauly@apple.com
Eric Kinnear
Apple Inc.
One Apple Park Way
Cupertino, California 95014,
United States of America
Email: ekinnear@apple.com
Pauly, et al. Expires 4 August 2022 [Page 14]
Internet-Draft DDR January 2022
Christopher A. Wood
Cloudflare
101 Townsend St
San Francisco,
United States of America
Email: caw@heapingbits.net
Patrick McManus
Fastly
Email: mcmanus@ducksong.com
Tommy Jensen
Microsoft
Email: tojens@microsoft.com
Pauly, et al. Expires 4 August 2022 [Page 15]