Private DNS Subdomains
draft-pusateri-dnsop-private-subdomains-01

Document Type Active Internet-Draft (individual)
Last updated 2019-03-24
Stream (None)
Intended RFC status (None)
Formats plain text xml pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
DNSOP Working Group                                          T. Pusateri
Internet-Draft                                              Unaffiliated
Intended status: Experimental                             March 24, 2019
Expires: September 25, 2019

                         Private DNS Subdomains
               draft-pusateri-dnsop-private-subdomains-01

Abstract

   This document describes a method of providing private DNS subdomains
   such that each subdomain can be shared among multiple devices of a
   single owner or group.  A private subdomain can be used for sharing
   personal services while increasing privacy and limiting knowledge of
   scarce resources.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 25, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Pusateri               Expires September 25, 2019               [Page 1]
Internet-Draft           Private DNS Subdomains               March 2019

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Subdomain Operations  . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Zone Creation . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Adding / Removing Resource Records  . . . . . . . . . . .   4
     3.3.  Zone Destruction  . . . . . . . . . . . . . . . . . . . .   5
   4.  Querying Resource Records . . . . . . . . . . . . . . . . . .   5
     4.1.  Signed Requests . . . . . . . . . . . . . . . . . . . . .   5
   5.  Responses . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Section 6.6 of [RFC7558] highlights the privacy risks of DNS service
   announcements in clear text.  While there has been a long focus on
   access control to private services including the use of encryption
   and authentication through TLS [RFC8446] for connections, the DNS-SD
   announcements [RFC6763] themselves may leak private information
   including but not limited to device types and versions, enabled
   services on the device subject to attack, personal names and
   identifiers used for tracking, etc.

   Some services are meant to be advertised and used freely by devices
   on the link but other services are restricted to an owner or group
   and these services are announced publicly as a side effect of the
   current service discovery deployment.

   This document defines a method for collaborating devices to share
   private services with one another but without revealing the existence
   of these services in a public way.  This provides an additional layer
   of privacy protection for an individual's devices or those of a
   defined group sharing a common purpose.

   The additional privacy is achieved by creating private subdomains
   that require a private key for bidirectional access to DNS queries
   and responses for the zone.

   This document defines a subdomain hierarchy for providers to enable
   this feature as well as a mechanism for interoperable transfers to
   and from the subdomain.  This includes creating and destroying the
   subdomains, adding and removing records through DNS Update, and
   private authenticated queries.

Pusateri               Expires September 25, 2019               [Page 2]
Internet-Draft           Private DNS Subdomains               March 2019
Show full document text