Publishing organization boundaries in the DNS
draft-levine-orgboundary-01
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Author | John R. Levine | ||
| Last updated | 2013-07-06 | ||
| Replaced by | draft-levine-dbound-dns, draft-levine-dbound-dns | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-levine-orgboundary-01
Network Working Group J. Levine
Internet-Draft Taughannock Networks
Intended status: Informational July 07, 2013
Expires: January 08, 2014
Publishing organization boundaries in the DNS
draft-levine-orgboundary-01
Abstract
Often, the organization that manages a subtree in the DNS is is
different from the one that manages the tree above it. Rather than
describing a particular design, we describe an architecture to
publish in the DNS the boundaries between organizations that can be
adapted to various policy models.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 08, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Levine Expires January 08, 2014 [Page 1]
Internet-Draft Org Boundaries July 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Design issues . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Lookup process . . . . . . . . . . . . . . . . . . . . . . . 3
4. DNS records . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Nitpicky DNS notes . . . . . . . . . . . . . . . . . . . . . 5
6. Security considerations . . . . . . . . . . . . . . . . . . . 5
7. Informative References . . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
Often, the organization that manages a subtree in the DNS is is
different from the one that manages the tree above it. Many
applications use information about such boundaries to implement
security policies. For example, web browsers use them to limit the
names where web cookies can be set. SSL certificate services use
them to determine the responsible party for the domain in a signing
request. Some mail security applications such as DMARC use them to
locate an organization's policy records.
The most widely used source of boundary data is the Public Suffix
List, maintained by the Mozilla Foundation. It is distributed as a
text file available at a well known URL, with some libraries to parse
and search it. While it has worked adequately, it has a variety of
issues. Downloading the file is relatively slow, and adequate
performance requires that each application cache a copy of the file.
The file is in a unique format that requires a specialized parser and
lookup routines. The file is managed by a third party rather than
directly by the domain owners, which may or may not be considered a
problem.
2. Design issues
Organization boundaries can be assigned on what one could call an
opt-in or opt-out basis. Opt-in means that two names are only
managed by the same organization if both actively assert that they
are related. Opt-out means that if there is any boundary information
at all for a DNS subtree, each name is assumed to be under the same
management as its parent unless there is a boundary assertion to the
contrary. This design describes an opt-out model.
Within the opt-out model, this design can adapt to a variety of
design points.
Policies can be published by the domains themselves, or by a third
party. In the former case, each domain might assert its own boundary
Levine Expires January 08, 2014 [Page 2]
Internet-Draft Org Boundaries July 2013
policies. In the latter case, the third party makes the assertions,
which may or may not agree with what the domains themselves would
want.
Multiple levels of delegation may be implemented, which is different
from irregular boundaries. For example, ca, on.ca, and toronto.on.ca
are irregular boundaries, because they're all handled by CIRA.
CentralNIC's uk.com would be a second level of delegation below
Verisign's com.
Different sets of boundary rules can be published for different
applications. For example, the boundaries for SSL certificates might
be different from the boundaries for e-mail policies, or for web
cookie setting policies.
In the lookup process below, the boundary point data is stored in TXT
records. While it wouldn't hurt anything to use a new RRTYPE, it
wouldn't be useful. All of the DNS names used include a distinctive
prefixed name component, so there shouldn't be any RRs at those names
other than the TXT record for the boundary. To avoid confusion due
to top-level wildcards that might inadvertently cover the subtree of
boundary records, the TXT strings contain a prefix tag.
3. Lookup process
Each collection of boundary data has a base name and a prefix tag.
If domains publish their own information, the base name is the DNS
root. Otherwise it is a domain belonging to the publishing entity.
The tag is _ob and is intended to be unique. If there are different
kinds of boundary data, the tag can be further prefixed, e.g.,
_cookie._ob or _dmarc._ob.
Every valid policy record starts with a fixed prefix "ob=1 " for
organization boundary version 1. If a lookup returns no TXT records
that start with the prefix, or more than one record that starts with
the prefix, the lookup fails.
The lookup process takes a domain name and returns the name of the
node closest to the root that belongs to the same organization. This
may be the domain itself or a parent. If there is no policy for the
domain the lookup fails; there are no defaults and the DNS root is
not within any organization boundary. (Applications may apply
defaults of their own, but that is beyond the scope of this
specification.)
For the first lookup, the client extracts the top level component of
the domain name from the subcomponents, if any, and inserts the
prefix in front of the top level component. For example, if the
Levine Expires January 08, 2014 [Page 3]
Internet-Draft Org Boundaries July 2013
domain to be checked is example.com or www.example.com, the client
looks up _ob.com. If the domain is just example, the client looks up
_ob.example. If the base name is not null, it is appended to the
name to be looked up, so if the name example.com were to be checked
in a collection with the base cookies.example, the name looked up
would be _ob.com.cookies.example.
If the lookup returns a valid policy record, the contents of the
record disregarding the prefix are the domain names just above the
policy boundaries. For example, if there is a boundary between
example.com and the com TLD, the record would contain "ob=1 com" when
checking example.com or www.example.com. If a domain has multiple
boundaries, the record contains a space separated list of the
boundary points, e.g., "ob=1 ca on.ca toronto.on.ca".
If there are no boundaries below the TLD, the policy record contains
"." for the root. For example, if all subdomains of the "example"
TLD are under the same management as the TLD itself, checks for
_ob.example would return "ob=1 .".
If the lookup process only allows a single level of delegation, the
process stops after a single lookup. If it allows multiple levels of
delegation, the client prefixes the tag to the name just below the
name below the boundary just found and repeats the lookup. For
example, if the domain in question is www.foo.example.com, and a
lookup of _ob.com returned "ob=1 com", the next lookup would be
_ob.example.com. or if the domain were www.example.on.ca, and a
lookup of _ob.ca returned "ob=1 ca on.ca toronto.on.ca" the next
lookup would be _ob.example.on.ca. This process repeats until a DNS
lookup returns NXDOMAIN, at which point the result is the result of
the last successful lookup. The total number of DNS lookups is the
number of levels of boundary delegation, which is unlikely to be more
than 1 or 2 in realistic scenarios.
4. DNS records
The publishing entity uses prefixed names that parallel the regular
names under a TLD to cover the relevant name space.
If there is a boundary below a given name, an entry in the TLD record
covers the names below it. For example, if there is a boundary
immediately below .TEST, a suitable record would be:
_ob.test txt "ob=1 test"
If the boundary is at the .TEST domain, i.e., TEST. is under the same
management as FOO.TEXT, the record would indicate no boundaries:
Levine Expires January 08, 2014 [Page 4]
Internet-Draft Org Boundaries July 2013
_ob.test txt "ob=1 ."
In domains with irregular policy boundaries, multiple strings in the
record describe the boundary points. For example, in the .CA TLD,
for national organizations there might be a boundary directly below
the TLD, for provincial organizations a boundary below a provincial
subdomain such as on.ca, and for local organizations, a boundary
below a municipal subdomain such as toronto.on.ca. A suitable list
of names covers this structure. The boundary is the longest boundary
point that matches a suffix of the domain name. (Note: "longest"
means longest, like, you know, the most characters.)
_ob.ca txt "ob=1 ca on.ca toronto.on.ca"
For any set of policy boundaries in a tree of DNS names, a suitable
set of policy records can describe the boundaries, so a client can
find the boundary for any name in the tree with a single policy
lookup per level of delegation.
5. Nitpicky DNS notes
Some domains have very irregular boundaries. For example, the .CA
domain has boundaries ten provinces and probably a hundred
municipalities, so the record for _ob.ca would be quite long,
probably requiring a fallback to TCP for clients that don't support
EDNS0. While it would be possible to break the record up into
smaller pieces that fit in 512 bytes and reassemble them, it's
probably not worth the hassle, and slower than a short TCP session.
The record format described above uses spaces and dots as reserved
characters to indicate the boundaries between names and between name
components. This is adequate if policies only apply to host names,
but if it's important to allow arbitrary names, it would be easy to
encode them in TXT records. Keeping in mind that a TXT record
contains a sequence of strings, each preceded by a count byte, each
component of the name is represented as a string, and the boundary
between names is represented by a zero-length string. So the record
above would be represented as
_ob.ca txt "ob=1" "ca" "" "on" "ca" "" "toronto" "on" "ca"
6. Security considerations
The point of publishing organization boundaries is to provide advice
to third parties that wish to know whether two names are managed by
Levine Expires January 08, 2014 [Page 5]
Internet-Draft Org Boundaries July 2013
the same organization so the names can be treated "the same" in some
sense. Clients that rely on published boundaries are outsourcing
some part of their own security policy to the publisher, so their own
security depends on the publisher's boundaries being accurate.
Although in some sense domains are always in control of their
subdomains, there are many situations in which parent domains are not
expected to mess with child subdomains, e.g., ICANN contracted gTLDs
and registered second level domains. Since there is no technical bar
to a parent publishing records that shadow part or all of the
boundary record namespace for delegated subdomains, correct operation
depends on the parent and subdomains agreeing about who publishes
what.
7. Informative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
Author's Address
John Levine
Taughannock Networks
PO Box 727
Trumansburg, NY 14886
Phone: +1 831 480 2300
Email: standards@taugh.com
URI: http://jl.ly
Levine Expires January 08, 2014 [Page 6]