[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]



add                                                          B. Schwartz
Internet-Draft                                                Google LLC
Intended status: Standards Track                          10 August 2020
Expires: 11 February 2021


                Service Binding Mapping for DNS Servers
                       draft-schwartz-svcb-dns-01

Abstract

   The SVCB DNS record type expresses a bound collection of endpoint
   metadata, for use when establishing a connection to a named service.
   DNS itself can be such a service, when the server is identified by a
   domain name.  This document provides the SVCB mapping for named DNS
   servers, allowing them to indicate support for new transport
   protocols.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the ADD Working Group
   mailing list (add@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/add/.

   Source for this draft and an issue tracker can be found at
   https://github.com/bemasc/svcb-dns.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 February 2021.






Schwartz                Expires 11 February 2021                [Page 1]


Internet-Draft                SVCB for DNS                   August 2020


Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Name form . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Applicable existing SvcParamKeys  . . . . . . . . . . . . . .   3
     4.1.  port  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.2.  alpn and no-default-alpn  . . . . . . . . . . . . . . . .   3
     4.3.  Other applicable SvcParamKeys . . . . . . . . . . . . . .   4
   5.  New SvcParamKeys  . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  dohpath . . . . . . . . . . . . . . . . . . . . . . . . .   4
   6.  Limitations . . . . . . . . . . . . . . . . . . . . . . . . .   4
   7.  Relationship to DNS URIs  . . . . . . . . . . . . . . . . . .   4
   8.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
     9.1.  Adversary on the query path . . . . . . . . . . . . . . .   5
     9.2.  Adversary on the transport path . . . . . . . . . . . . .   6
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     11.2.  Informative References . . . . . . . . . . . . . . . . .   7
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The SVCB record type [SVCB] provides clients with information about
   how to reach alternative endpoints for a service, which may have
   improved performance or privacy properties.  The service is
   identified by a "scheme" indicating the service type, a hostname, and
   optionally other information such as a port number.  A DNS server is
   often identified only by its IP address (e.g. in DHCP), but in some
   contexts it can also be identified by a hostname (e.g.  "NS" records,
   manual resolver configuration).



Schwartz                Expires 11 February 2021                [Page 2]


Internet-Draft                SVCB for DNS                   August 2020


   Use of the SVCB record type requires a mapping document for each
   service type, indicating how a client for that service can interpret
   the contents of the SVCB SvcParams.  This document provides the
   mapping for the "dns" service type, allowing DNS servers to offer
   alternative endpoints and transports, including encrypted transports
   like DNS over TLS and DNS over HTTPS.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Name form

   Names are formed using Port-Prefix Naming ([SVCB] Section 2.3).  For
   example, a DNS server with the name "dns1.example.com", listening
   (unusually) on non-default port number 5353, would be represented as
   "_5353._dns.dns1.example.com.".

4.  Applicable existing SvcParamKeys

4.1.  port

   This key is used to indicate the target port for connection.  If
   omitted, the client SHALL use the default port for each transport
   protocol: 853 for DNS over TLS and 443 for DNS over HTTPS.

   This key is automatically mandatory if present.

4.2.  alpn and no-default-alpn

   These keys indicate the set of supported protocols.  The default
   protocol is "dot", indicating support for DNS over TLS [DOT].

   If the protocol set contains any HTTP versions (e.g. "h2", "h3"),
   then the record indicates support for DNS over HTTPS [DOH], and the
   "dohpath" key MUST be present (Section 5.1).  All keys specified for
   use with the HTTPS record are also permissible, and apply to the
   resulting HTTP connection.

   If the protocol set contains protocols with different default ports,
   and no port key is specified, then protocols are contacted separately
   on their default ports.  Note that in this configuration, ALPN
   negotiation does not defend against cross-protocol downgrade attacks.




Schwartz                Expires 11 February 2021                [Page 3]


Internet-Draft                SVCB for DNS                   August 2020


   These keys are automatically mandatory if present.

4.3.  Other applicable SvcParamKeys

   These SvcParamKeys apply to the "dns" scheme without modification:

   *  echconfig

   *  ipv4hint

   *  ipv6hint

5.  New SvcParamKeys

5.1.  dohpath

   "dohpath" is a single-valued SvcParamKey whose value (both in
   presentation and wire format) is a relative URI Template [RFC6570],
   normally starting with "/".  If the "alpn" SvcParamKey indicates
   support for HTTP, clients MAY construct a DNS over HTTPS URI Template
   by combining the prefix "https://", the server's hostname, the port
   from the "port" key if present, and the "dohpath" value.  (The
   server's original port number MUST NOT be used.)

   Clients SHOULD NOT query for any "HTTPS" RRs when using the
   constructed URI Template.  Instead, the SvcParams and address records
   associated with this SVCB record SHOULD be used for the HTTPS
   connection, with the same semantics as an HTTPS RR.  However, for
   consistency, server operators SHOULD publish an equivalent HTTPS RR,
   especially if clients might learn this URI Template through a
   different channel.

6.  Limitations

   This document is concerned exclusively with the DNS transport, and
   does not affect or inform the construction or interpretation of DNS
   messages.  For example, nothing in this document indicates whether
   the server is intended for use as a recursive or authoritative DNS
   server.  Clients must know the intended use in their context.

7.  Relationship to DNS URIs

   The "dns:" URI scheme [DNSURI] describes a way to represent DNS
   queries as URIs.  This scheme optionally includes an authority,
   comprised of a host and port number (with a default of 53).  DNS URIs
   normally omit the authority, or specify an IP address, but a hostname
   is allowed, in which case it is suitable for use with this mapping.




Schwartz                Expires 11 February 2021                [Page 4]


Internet-Draft                SVCB for DNS                   August 2020


8.  Examples

   *  A resolver at "resolver.example" that supports

      -  DNS over TLS on "resolver.example", port 853 and 8530, with
         "resolver.example" as the Authentication Domain Name,

      -  DNS over HTTPS at "https://resolver.example/dns-query{?dns}",
         and

      -  an experimental protocol on "fooexp.resolver.example:5353":

         $ORIGIN example.
         _dns.resolver 7200 IN SVCB 1 resolver (
           alpn=h2,h3 echconfig=... dohpath=/dns-query{?dns} )
         _dns.resolver 7200 IN SVCB 2 resolver (
           port=8530 echconfig=... )
         _dns.resolver 7200 IN SVCB 3 fooexp.resolver ( port=5353
           echconfig=... alpn=foo no-default-alpn foo-info=... )

   *  A nameserver at "ns.example" whose service configuration is
      published on a different domain:

      $ORIGIN example.
      _dns.ns 7200 IN SVCB 0 _dns.ns.nic

9.  Security Considerations

9.1.  Adversary on the query path

   This section considers an adversary who can add or remove responses
   to the SVCB query.

   Clients MUST authenticate the server to its name during secure
   transport establishment.  This name is the hostname used to construct
   the original SVCB query, and cannot be influenced by the SVCB record
   contents.  Accordingly, this draft does not mandate the use of
   DNSSEC.  This draft also does not specify how clients authenticate
   the name (e.g. selection of roots of trust), which might vary
   according to the context.

   Although this adversary cannot alter the authentication name of the
   server, it does have control of the port number and "dohpath" value.
   As a result, the adversary can direct DNS queries for $HOSTNAME to
   any port on $HOSTNAME, and any path on "https://$HOSTNAME", even if
   $HOSTNAME is not actually a DNS server.  If the DNS client uses
   shared TLS or HTTP state, the client could be correctly authenticated
   (e.g. using a TLS client certificate or HTTP cookie).



Schwartz                Expires 11 February 2021                [Page 5]


Internet-Draft                SVCB for DNS                   August 2020


   This behavior creates a number of possible attacks for certain server
   configurations.  For example, if "https://$HOSTNAME/upload" accepts
   any POST request as a file upload, the adversary could forge a SVCB
   record containing "dohpath=/upload", causing the client to upload
   every query, resulting in unexpected storage costs.

   As a mitigation, a client of this SVCB mapping MUST NOT provide
   client authentication for DNS queries, except to servers that it
   specifically knows are not vulnerable to such attacks.  Also, if an
   alternative service endpoint sends an invalid response to a DNS
   query, the client SHOULD NOT send more queries to that endpoint.

9.2.  Adversary on the transport path

   This section considers an adversary who can modify network traffic
   between the client and the SvcDomainName (i.e. the destination
   server).

   A client that attempts a connection using an encrypted DNS transport
   from a SVCB record SHOULD NOT fall back to unencrypted DNS if
   connection fails.  (This is different from the advice in Section 3 of
   [SVCB], which assumes the default transport is secured.)
   Specifications making using of this mapping MAY adjust this fallback
   behavior to suit their requirements.

10.  IANA Considerations

   Per [SVCB] IANA would be directed to add the following entry to the
   SVCB Service Parameters registry.

   +========+=========+==============================+=================+
   | Number | Name    | Meaning                      | Reference       |
   +========+=========+==============================+=================+
   | TBD    | dohpath | DNS over HTTPS path template | (This           |
   |        |         |                              | document)       |
   +--------+---------+------------------------------+-----------------+

                                  Table 1

   Per [Attrleaf], IANA would be directed to add the following entry to
   the DNS Underscore Global Scoped Entry Registry:










Schwartz                Expires 11 February 2021                [Page 6]


Internet-Draft                SVCB for DNS                   August 2020


        +=========+============+===============+=================+
        | RR TYPE | _NODE NAME | Meaning       | Reference       |
        +=========+============+===============+=================+
        | SVCB    | _dns       | DNS SVCB info | (This document) |
        +---------+------------+---------------+-----------------+

                                 Table 2

11.  References

11.1.  Normative References

   [DOH]      Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [DOT]      Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC6570]  Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
              and D. Orchard, "URI Template", RFC 6570,
              DOI 10.17487/RFC6570, March 2012,
              <https://www.rfc-editor.org/info/rfc6570>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [SVCB]     Schwartz, B., Bishop, M., and E. Nygren, "Service binding
              and parameter specification via the DNS (DNS SVCB and
              HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
              dnsop-svcb-https-01, 13 July 2020, <http://www.ietf.org/
              internet-drafts/draft-ietf-dnsop-svcb-https-01.txt>.

11.2.  Informative References

   [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource
              Records through "Underscored" Naming of Attribute Leaves",
              BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019,
              <https://www.rfc-editor.org/info/rfc8552>.




Schwartz                Expires 11 February 2021                [Page 7]


Internet-Draft                SVCB for DNS                   August 2020


   [DNSURI]   Josefsson, S., "Domain Name System Uniform Resource
              Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006,
              <https://www.rfc-editor.org/info/rfc4501>.

Acknowledgments

   TODO acknowledge.

Author's Address

   Benjamin Schwartz
   Google LLC

   Email: bemasc@google.com





































Schwartz                Expires 11 February 2021                [Page 8]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/