Discovery of Equivalent Encrypted Resolvers
draft-pauly-add-deer-00

Document Type Active Internet-Draft (individual)
Authors Tommy Pauly  , Eric Kinnear  , Christopher Wood  , Patrick McManus  , Tommy Jensen 
Last updated 2020-11-02
Stream (None)
Intended RFC status (None)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           T. Pauly
Internet-Draft                                                E. Kinnear
Intended status: Standards Track                              Apple Inc.
Expires: 6 May 2021                                            C.A. Wood
                                                              Cloudflare
                                                              P. McManus
                                                                  Fastly
                                                               T. Jensen
                                                               Microsoft
                                                         2 November 2020

              Discovery of Equivalent Encrypted Resolvers
                        draft-pauly-add-deer-00

Abstract

   This document defines Discovery of Equivalent Encrypted Resolvers
   (DEER), a mechanism for DNS clients to use DNS records to discover a
   resolver's encrypted DNS configuration.  This mechanism can be used
   to move from unencrypted DNS to encrypted DNS when only the IP
   address of an encrypted resolver is known.  It can also be used to
   discover support for encrypted DNS protocols when the name of an
   encrypted resolver is known.  This mechanism is designed to be
   limited to cases where equivalent encrypted and unencrypted resolvers
   are operated by the same entity.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 May 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Pauly, et al.              Expires 6 May 2021                   [Page 1]
Internet-Draft                    DEER                     November 2020

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Specification of Requirements . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  DNS Service Binding Records . . . . . . . . . . . . . . . . .   3
   4.  Discovery Using Resolver IP Addresses . . . . . . . . . . . .   4
     4.1.  Authenticated Discovery . . . . . . . . . . . . . . . . .   5
     4.2.  Opportunistic Discovery . . . . . . . . . . . . . . . . .   5
   5.  Discovery Using Resolver Names  . . . . . . . . . . . . . . .   6
   6.  Deployment Considerations . . . . . . . . . . . . . . . . . .   6
     6.1.  Caching Forwarders  . . . . . . . . . . . . . . . . . . .   7
     6.2.  Certificate Management  . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     8.1.  Special Use Domain Name "resolver.arpa" . . . . . . . . .   8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Appendix A.  Rationale for using SVCB records . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   When DNS clients wish to use encrypted DNS protocols such as DNS-
   over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], they
   require additional information beyond the IP address of the DNS
   server, such as the resolver's hostname, non-standard ports, or URL
   paths.  However, common configuration mechanisms only provide the
   resolver's IP address during configuration.  Such mechanisms include
   network provisioning protocols like DHCP [RFC2132] and IPv6 Router
   Advertisement (RA) options [RFC8106], as well as manual
   configuration.

   This document defines two mechanisms for clients to discover
Show full document text