Network Working Group P. Sood
Internet-Draft Google
Intended status: Standards Track P. Hoffman
Expires: October 26, 2020 ICANN
April 24, 2020
Upgrading Communication from Stub Resolvers to DoT or DoH
draft-pp-add-stub-upgrade-00
Abstract
This document describes methods for a DNS stub resolver to upgrade
its communications with a known recursive resolver to include
encrytion using DoT or DoH. This protocol is designed for the
scenario where the stub resolver already has the IP address of the
recursive resolver.
Other protocols under develpment address scenarios where the stub
resolver wants to discover recursive resolvers that use DoT or DoH.
This document does not cover such discovery.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 26, 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Sood & Hoffman Expires October 26, 2020 [Page 1]
Internet-Draft Stub upgrade to DoT or DoH April 2020
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 2
2. Method Overview . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Order of Desired Protocols . . . . . . . . . . . . . . . 4
3. Method Details . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Inputs to the process . . . . . . . . . . . . . . . . . . 4
3.2. Use of Resolver Information for DoH . . . . . . . . . . . 5
3.3. TLS Authentication . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
A stub resolver (hereafter called "a stub") using traditional DNS
over port 53 may wish to use encrypted communication with the
recursive resolver (hereafter called "a resolver"). In such a
scenario, the stub needs to know how to probe the resolver to find
out if it can use encrypted communication. This document describes a
mechanism for a stub that knows the IP address of the resolver to do
so.
The mechanism in this document assumes that a stub wants to attempt
to upgrade its communication with the resolver to either DNS-over-TLS
(DoT, [RFC7858]) or DNS-over-HTTPS (DoH, [RFC8484]). It can later be
extended to other secure transports for stub-to-resolver
communication transports.
1.1. Definitions
In the rest of this document, the term "resolver" without
qualification means "recursive resolver" as defined in [RFC8499].
Also, the term "stub" is used to mean "stub resolver".
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
Sood & Hoffman Expires October 26, 2020 [Page 2]
Internet-Draft Stub upgrade to DoT or DoH April 2020
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Method Overview
The pseudocode for the method is:
# Things the stub resolver knows
# dohCapable Does the stub know how to do DoH
# dotCapable Does the stub know how to do DoT
# resIP IP address of resolver
# upgradeNoAuth Does the stub want to upgrade even if it can't
authenticate the TLS session
# insecureOK Does the stub want to use unauthenticated classic
DNS if DoH/DoT upgrades fail
if dohCapable:
start TLS session on resIP:443
if it succeeds
if it authenticates correctly
https://resIP/.well-known/resolver-info
if 200-level response
use result to do DoH; finished
else if 300-level response
follow redirect, act appropriately
else if 400-level response
break
else if upgradeNoAuth:
https://resIP/.well-known/resolver-info
if 200-level response
use result to do DoH; finished
else if 300-level response
follow redirect, act appropriately
else if 400-level response
break
else
break
else
break
Sood & Hoffman Expires October 26, 2020 [Page 3]
Internet-Draft Stub upgrade to DoT or DoH April 2020
if dotCapable:
start TLS session on resIP:853
if it succeeds
if it authenticates correctly
start doing DoT; finished
else if upgradeNoAuth:
start doing DoT; finished
else
break
else
break
if insecureOK:
Use unencrypted DNS on port 53
else
DNS transport setup failed
2.1. Order of Desired Protocols
The pseudocode in the previous section attempts to use DoH, DoT, and
unencrypted DNS, in that order. This is done to keep the pseudocode
simple while demonstrating one possible order of transport selection.
A stub implementation could attempt some or all of the available DNS
transports in an implementation-specific or user-defined order. For
example, possible lists of transports to attempt might be:
o DoH, DoT, classic DNS
o DoT, DoH
o DoT, classic DNS
o Classic DNS
3. Method Details
3.1. Inputs to the process
The method described here requires the following information. It is
listed with variable names from the pseudocode in Section 2.
resIP The IP address of resolver. This can be either an IPv4 or
IPv6 address.
dohCapable Set to true if the stub knows how to be a DoH client
dohCapable Set to true if the stub knows how to be a DoT client
Sood & Hoffman Expires October 26, 2020 [Page 4]
Internet-Draft Stub upgrade to DoT or DoH April 2020
upgradeNoAuth Set to true the stub wants to use unauthenticated DoT
or DoH if it is available. Note that using unauthenticated DoT or
DoH is inherently insecure because an on-path attacker can
impersonate the resolver.
insecureOK Set to true if the stub wants to keep using classic
(unencrypted) DNS on port 53 if the attempt to upgrade fails.
Note that setting this to false will cause further DNS queries to
fail if upgrade fails.
3.2. Use of Resolver Information for DoH
[pp-add-resinfo] describes how to use HTTPS to get information about
a resolver. In the protocol described in this document, the JSON
returned from resolving the URI with the .well-known prefix MUST have
a name/value pair with a name of "doh-uri-template". The value for
this name is the URI template for the DoH service, as described in
[RFC8484].
3.3. TLS Authentication
In this mechanism, the stub has an IP address of the resolver. It
does not necessarily have a domain name associated with that IP
address.
In order to authenticate TLS sessions, the stub resolver must have a
set of TLS trust anchors, such as those maintained by some operating
systems.
If the stub has a domain name associated with the resolver's IP
address, and if the resolver uses that domain name in one of the
subject identifiers in its certificate during the TLS exchange, the
stub can use the domain name for authentication of the TLS session.
The stub always has an IP address for the resolver. If the resolver
uses the same IP address used by the stub in one of the subject
identifiers in its certificate during the TLS exchange, the stub can
use the IP address for authentication of the TLS session.
A resolver that uses this method to publish its information SHOULD,
if possible, have a TLS certificate whose subject identifiers contain
any of the IP addresses that stubs might be using for the resolver.
At the time that this document is published, getting IP addresses in
TLS certificates is possible, but there are only a few widely-trusted
CAs that issue such certificates. [RFC8738] describes a protocol
that may cause IP address certificates to become more common.
Sood & Hoffman Expires October 26, 2020 [Page 5]
Internet-Draft Stub upgrade to DoT or DoH April 2020
4. IANA Considerations
This document needs no IANA actions.
5. Security Considerations
The method described in this document explicitly allows a stub to
perform DNS communications over traditional unencrypted,
unauthenticated DNS on port 53.
The method described in this document explicitly allows a stub to
choose to allow unauthenticated TLS. In this case, the resulting
communication will be susceptible to obvious and well-understood
attacks from an attacker in the path of the communications.
6. References
6.1. Normative References
[pp-add-resinfo]
"DNS Resolver Information Self-publication", n.d..
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>.
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>.
Sood & Hoffman Expires October 26, 2020 [Page 6]
Internet-Draft Stub upgrade to DoT or DoH April 2020
6.2. Informative References
[RFC8738] Shoemaker, R., "Automated Certificate Management
Environment (ACME) IP Identifier Validation Extension",
RFC 8738, DOI 10.17487/RFC8738, February 2020,
<https://www.rfc-editor.org/info/rfc8738>.
Authors' Addresses
Puneet Sood
Google
Email: puneets@google.com
Paul Hoffman
ICANN
Email: paul.hoffman@icann.org
Sood & Hoffman Expires October 26, 2020 [Page 7]