opsawg                                                      M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                                T. Reddy
Expires: 16 June 2022                                             McAfee
                                                        13 December 2021


                   RADIUS Extensions for Encrypted DNS
              draft-boucadair-opsawg-add-encrypted-dns-04

Abstract

   This document specifies new Remote Authentication Dial-In User
   Service (RADIUS) attributes that carry an authentication domain name,
   a list of IP addresses, and a set of service parameters of encrypted
   DNS resolvers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 16 June 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Encrypted DNS RADIUS Attributes
     3.1.  IPv6-Encrypted-DNS Attribute
     3.2.  IPv4-Encrypted-DNS Attribute
     3.3.  RADIUS TLVs for Encrypted DNS
       3.3.1.  Encrypted-DNS-ADN TLV
       3.3.2.  Encrypted-DNS-IPv6-Address TLV
       3.3.3.  Encrypted-DNS-IPv4-Address TLV
       3.3.4.  Encrypted-DNS-SvcParams TLV
       3.3.5.  Encrypted-DNS-SvcPriority TLV
   4.  Security Considerations
   5.  Table of Attributes
   6.  IANA Considerations
     6.1.  New RADIUS Attributes
     6.2.  New RADIUS TLVs
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   In the context of broadband services, ISPs traditionally provide DNS
   resolvers to their customers.  To that aim, ISPs deploy dedicated
   mechanisms to advertise a list of recursive DNS server(s) to their
   customers (e.g., DHCP, IPv6 Router Advertisement).  The information
   used to populate DHCP messages and/or IPv6 Router Advertisements
   relies upon specific Remote Authentication Dial-In User Service
   (RADIUS) [RFC2865] attributes such as the DNS-Server-IPv6-Address
   Attribute specified in [RFC6911].
   With the advent of Encrypted DNS (e.g., DNS-over-HTTPS (DoH)
   [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ)
   [I-D.ietf-dprive-dnsoquic]), additional means are required to
   provision hosts with network-designated Encrypted DNS.  To fill that
   void, [I-D.ietf-add-dnr] leverages existing protocols such as DHCP
   and IPv6 Router Advertisement to provide hosts with the required
   information to connect to an Encrypted DNS server.  However, there
   are no RADIUS attributes that can be used to populate the discovery
   messages discussed in [I-D.ietf-add-dnr].

   This document specifies two new RADIUS attributes: the IPv6-Encrypted-
   DNS (Section 3.1) and IPv4-Encrypted-DNS (Section 3.2) Attributes.
   Note that two attributes are specified in order to accommodate both
   IPv4 and IPv6 deployment contexts while taking into account the
   constraints in Section 3.4 of [RFC6158].

   Typical deployment scenarios are similar to those described, for
   instance, in Section 2 of [RFC6911].  Some of these deployments may
   rely upon the mechanisms defined in [RFC4014] or [RFC7037], which
   allow a Network Access Server (NAS) to pass attributes obtained from
   a RADIUS server to a DHCP server.  For illustration purposes,
   Figure 1 shows an example where a Customer Premises Equipment (CPE)
   is provided with an Encrypted DNS server.  This example assumes that
   the NAS embeds both RADIUS client and DHCPv6 server capabilities.
   +-------------+          +-------------+          +-------+
   |     CPE     |          |     NAS     |          |  AAA  |
   |DHCPv6 client|          |DHCPv6 server|          |Server |
   +------+------+          +------+------+          +---+---+
          |                        |                     |
          o----DHCPv6 Solicit----->|                     |
          |                        o----Access-Request-->|
          |                        |                     |
          |                        |<----Access-Accept---o
          |                        |  IPv6-Encrypted-DNS |
          |<--DHCPv6 Advertisement-o                     |
          |    (OPTION_V6_DNR)     |                     |
          |                        |                     |
          o----DHCPv6 Request----->|                     |
          |                        |                     |
          |<-----DHCPv6 Reply------o                     |
          |    (OPTION_V6_DNR)     |                     |
          |                        |                     |
                    DHCPv6                  RADIUS

             Figure 1: Example of RADIUS IPv6 Encrypted DNS

   Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
   a RADIUS Access-Request message to the AAA server.  Once the AAA
   server receives the request, it replies with an Access-Accept message
   (possibly after having sent a RADIUS Access-Challenge message and
   assuming the CPE is entitled to connect to the network) that carries
   a list of parameters to be used for this session, which includes the
   Encrypted DNS information.  The content of the IPv6-Encrypted-DNS
   Attribute is then used by the NAS to complete the DHCPv6 procedure
   that the CPE initiated to retrieve information about the encrypted
   DNS service to use.  The procedure defined in [I-D.ietf-add-dnr] is
   thus followed between the DHCPv6 client and the DHCPv6 server.  The
   same procedure is followed between the DHCPv6 client on endpoints
   serviced by the CPE and the DHCPv6 server on the CPE.

   Upon change of any Encrypted DNS-related information (e.g., ADN,
   IPv6 address), the RADIUS server sends a RADIUS CoA message [RFC5176]
   that carries the RADIUS IPv6-Encrypted-DNS Attribute to the NAS.
   Once that message is accepted by the NAS, it replies with a RADIUS
   CoA ACK message.
   The NAS replaces the old Encrypted DNS server information with the
   new one and sends a DHCPv6 Reconfigure message to cause the DHCPv6
   client to initiate a Renew/Reply message exchange with the DHCPv6
   server.

   Figure 2 shows another example where a CPE is provided with an
   Encrypted DNS server, but the CPE uses DHCPv4 to retrieve its
   encrypted DNS server.

   +-------------+          +-------------+          +-------+
   |     CPE     |          |     NAS     |          |  AAA  |
   |DHCPv4 client|          |DHCPv4 server|          |Server |
   +------+------+          +------+------+          +---+---+
          |                        |                     |
          o-----DHCPDISCOVER------>|                     |
          |                        o----Access-Request-->|
          |                        |                     |
          |                        |<----Access-Accept---o
          |                        |  IPv4-Encrypted-DNS |
          |<-----DHCPOFFER---------o                     |
          |    (OPTION_V4_DNR)     |                     |
          |                        |                     |
          o-----DHCPREQUEST------->|                     |
          |    (OPTION_V4_DNR)     |                     |
          |                        |                     |
          |<-------DHCPACK---------o                     |
          |    (OPTION_V4_DNR)     |                     |
          |                        |                     |
                    DHCPv4                  RADIUS

             Figure 2: Example of RADIUS IPv4 Encrypted DNS

   Other deployment scenarios can be envisaged, such as returning
   customized service parameters (e.g., a different DoH URI) as a
   function of the service/policies/preferences that are set by a home
   network administrator.  How an administrator indicates its service/
   policies/preferences to an AAA server is out of scope.

   This document adheres to [RFC8044] for defining the new attributes.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document makes use of the terms defined in [RFC8499].  The
   following additional terms are used:

   Encrypted DNS:  refers to a scheme where DNS exchanges are
      transported over an encrypted channel.
      Examples of encrypted DNS are DNS-over-TLS (DoT) [RFC7858],
      DNS-over-HTTPS (DoH) [RFC8484], or DNS-over-QUIC (DoQ)
      [I-D.ietf-dprive-dnsoquic].

   *-Encrypted-DNS:  refers to the IPv6-Encrypted-DNS and IPv4-
      Encrypted-DNS Attributes.

   Encrypted-DNS-*:  refers to any of these attributes: Encrypted-DNS-
      ADN, Encrypted-DNS-IPv6-Address, Encrypted-DNS-IPv4-Address,
      Encrypted-DNS-SvcParams, and Encrypted-DNS-SvcPriority.

3.  Encrypted DNS RADIUS Attributes

   Both IPv6-Encrypted-DNS and IPv4-Encrypted-DNS have the same format,
   shown in Figure 3.  The description of the fields is provided in
   Sections 3.1 and 3.2.

   These attributes and their embedded TLVs (Section 3.3) are defined
   with globally unique names and follow the guidelines in Section 2.7.1
   of [RFC6929].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Extended-Type |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     Figure 3: Format of IPv6-Encrypted-DNS and IPv4-Encrypted-DNS
                               Attributes

   The value fields of the *-Encrypted-DNS and Encrypted-DNS-*
   Attributes are encoded in the clear; they are not encrypted as is
   done, for example, for the Tunnel-Password Attribute [RFC2868].

3.1.  IPv6-Encrypted-DNS Attribute

   This attribute is of type "tlv" as defined in Section 2.3 of
   [RFC6929].

   The IPv6-Encrypted-DNS Attribute includes the authentication domain
   name, a list of IPv6 addresses, and a set of service parameters of an
   encrypted DNS resolver [I-D.ietf-add-dnr].

   Because multiple IPv6-Encrypted-DNS Attributes may be provisioned to
   a requesting host, multiple instances of the IPv6-Encrypted-DNS
   Attribute MAY be included; each instance of the attribute carries a
   distinct Encrypted DNS server.
   These instances SHOULD be processed following their service priority
   (i.e., a smaller service priority indicates a higher preference).

   The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
   packet.  It MAY also appear in a RADIUS Access-Request packet as a
   hint to the RADIUS server to indicate a preference.  However, the
   server is not required to honor such a preference.

   The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
   packet.

   The IPv6-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-
   Request packet.

   The IPv6-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
   packet.

   The IPv6-Encrypted-DNS Attribute is structured as follows:

   Type

      241

   Length

      This field indicates the total length, in octets, of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBA1 (see Section 6.1).

   Value

      This field contains a set of TLVs as follows:

      Encrypted-DNS-ADN TLV:  The IPv6-Encrypted-DNS Attribute MUST
         include exactly one instance of the Encrypted-DNS-ADN TLV
         (Section 3.3.1).

      Encrypted-DNS-IPv6-Address TLV:  The IPv6-Encrypted-DNS Attribute
         MUST include one or more instances of the Encrypted-DNS-
         IPv6-Address TLV (Section 3.3.2).

      Encrypted-DNS-SvcParams TLV:  The IPv6-Encrypted-DNS Attribute
         SHOULD include one instance of the Encrypted-DNS-SvcParams TLV
         (Section 3.3.4).

      Encrypted-DNS-SvcPriority TLV:  The IPv6-Encrypted-DNS Attribute
         SHOULD include one instance of the Encrypted-DNS-SvcPriority
         TLV (Section 3.3.5).

   The IPv6-Encrypted-DNS Attribute is associated with the following
   identifier: 241.TBA1.

3.2.  IPv4-Encrypted-DNS Attribute

   This attribute is of type "tlv" as defined in Section 2.3 of
   [RFC6929].
   The IPv4-Encrypted-DNS Attribute includes the authentication domain
   name, a list of IPv4 addresses, and a set of service parameters of an
   encrypted DNS resolver [I-D.ietf-add-dnr].

   Because multiple IPv4-Encrypted-DNS Attributes may be provisioned to
   a requesting host, multiple instances of the IPv4-Encrypted-DNS
   Attribute MAY be included; each instance of the attribute carries a
   distinct Encrypted DNS server.  These instances SHOULD be processed
   following their service priority (i.e., a smaller service priority
   indicates a higher preference).

   The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Access-Accept
   packet.  It MAY also appear in a RADIUS Access-Request packet as a
   hint to the RADIUS server to indicate a preference.  However, the
   server is not required to honor such a preference.

   The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS CoA-Request
   packet.

   The IPv4-Encrypted-DNS Attribute MAY appear in a RADIUS Accounting-
   Request packet.

   The IPv4-Encrypted-DNS Attribute MUST NOT appear in any other RADIUS
   packet.

   The IPv4-Encrypted-DNS Attribute is structured as follows:

   Type

      241

   Length

      This field indicates the total length, in octets, of all fields of
      this attribute, including the Type, Length, Extended-Type, and the
      entire length of the embedded TLVs.

   Extended-Type

      TBA2 (see Section 6.1).

   Value

      This field contains a set of TLVs as follows:

      Encrypted-DNS-ADN TLV:  The IPv4-Encrypted-DNS Attribute MUST
         include exactly one instance of the Encrypted-DNS-ADN TLV
         (Section 3.3.1).

      Encrypted-DNS-IPv4-Address TLV:  The IPv4-Encrypted-DNS Attribute
         MUST include one or more instances of the Encrypted-DNS-
         IPv4-Address TLV (Section 3.3.3).

      Encrypted-DNS-SvcParams TLV:  The IPv4-Encrypted-DNS Attribute
         SHOULD include one instance of the Encrypted-DNS-SvcParams TLV
         (Section 3.3.4).
      Encrypted-DNS-SvcPriority TLV:  The IPv4-Encrypted-DNS Attribute
         SHOULD include one instance of the Encrypted-DNS-SvcPriority
         TLV (Section 3.3.5).

   The IPv4-Encrypted-DNS Attribute is associated with the following
   identifier: 241.TBA2.

3.3.  RADIUS TLVs for Encrypted DNS

   The TLVs defined in the following subsections use the format defined
   in [RFC6929].  These TLVs have the same name and number when
   encapsulated in any of the parent attributes defined in Sections 3.1
   and 3.2.

   The encoding of the "Value" field of these TLVs follows the
   recommendation of [RFC6158].

3.3.1.  Encrypted-DNS-ADN TLV

   TLV-Type

      TBA3 (see Section 6.2).

   TLV-Length

      Length of the included ADN + 2 octets.

   Data Type

      The Encrypted-DNS-ADN TLV is of type text (Section 3.4 of
      [RFC8044]).

   TLV-Value

      This field includes a fully qualified domain name of the Encrypted
      DNS server.  This field is formatted as specified in Section 10 of
      [RFC8415].

   This TLV is identified as 241.TBA1.TBA3 when included in the IPv6-
   Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA3 when
   included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

3.3.2.  Encrypted-DNS-IPv6-Address TLV

   TLV-Type

      TBA4 (see Section 6.2).

   TLV-Length

      18

   Data Type

      The Encrypted-DNS-IPv6-Address TLV is of type ip6addr (Section 3.9
      of [RFC8044]).

   TLV-Value

      This field includes an IPv6 address (128 bits) of the Encrypted
      DNS server.

      The Encrypted-DNS-IPv6-Address TLV MUST NOT include multicast and
      host loopback addresses [RFC6890].

   This TLV is identified as 241.TBA1.TBA4 as part of the IPv6-
   Encrypted-DNS Attribute (Section 3.1).

3.3.3.  Encrypted-DNS-IPv4-Address TLV

   TLV-Type

      TBA5 (see Section 6.2).

   TLV-Length

      6

   Data Type

      The Encrypted-DNS-IPv4-Address TLV is of type ip4addr (Section 3.8
      of [RFC8044]).
   TLV-Value

      This field includes an IPv4 address (32 bits) of the Encrypted DNS
      server.

      The Encrypted-DNS-IPv4-Address TLV MUST NOT include multicast and
      host loopback addresses.

   This TLV is identified as 241.TBA1.TBA5 as part of the IPv4-
   Encrypted-DNS Attribute (Section 3.2).

3.3.4.  Encrypted-DNS-SvcParams TLV

   TLV-Type

      TBA6 (see Section 6.2).

   TLV-Length

      Length of the included service parameters + 2 octets.

   Data Type

      The Encrypted-DNS-SvcParams TLV is of type string (Section 3.5 of
      [RFC8044]).

   TLV-Value

      Specifies a set of service parameters that are encoded following
      the rules in [I-D.ietf-dnsop-svcb-https].  Service parameters may
      include, for example, a list of ALPN protocol identifiers or
      alternate port numbers.

      The service parameters MUST NOT include "ipv4hint" or "ipv6hint"
      SvcParams, as they are superseded by the included IP addresses.

   This TLV is identified as 241.TBA1.TBA6 when included in the IPv6-
   Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA6 when
   included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

3.3.5.  Encrypted-DNS-SvcPriority TLV

   TLV-Type

      TBA7 (see Section 6.2).

   TLV-Length

      Six octets.

   Data Type

      The Encrypted-DNS-SvcPriority TLV is of type integer (Section 3.1
      of [RFC8044]).

   TLV-Value

      Specifies the priority (unsigned16) of this *-Encrypted-DNS
      instance compared to other instances.  The value is right
      justified, and the unused bits in this field MUST be set to zero.

   This TLV is identified as 241.TBA1.TBA7 when included in the IPv6-
   Encrypted-DNS Attribute (Section 3.1) and as 241.TBA2.TBA7 when
   included in the IPv4-Encrypted-DNS Attribute (Section 3.2).

4.  Security Considerations

   RADIUS-related security considerations are discussed in [RFC2865].
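   The following Python program is an added example; it is neither part
   of this draft nor code from its authors.  It encodes, decodes and
   validates an IPv6-Encrypted-DNS Attribute (Section 3.1) with the
   TLVs of Section 3.3, applying the checks a NAS would want to make on
   an attribute received in an Access-Accept or CoA-Request before
   handing its content to the DHCPv6 server: exactly one ADN, at least
   one address that is neither multicast nor loopback, no "ipv4hint" or
   "ipv6hint" SvcParams, and a SvcPriority whose unused upper bits are
   zero.  TLV-Type codes are the initial registry values of Section 6.2;
   EXT_TYPE_TBA1 is a placeholder because TBA1 is not yet assigned; the
   SvcParamKey numbers are those of [I-D.ietf-dnsop-svcb-https]; and
   ranking an instance with no SvcPriority TLV last is this example's
   assumption, not a rule of the draft.

```python
# Added example, not code from draft-boucadair-opsawg-add-encrypted-dns-04 or its
# authors: encode, decode and validate an IPv6-Encrypted-DNS Attribute (Section 3.1).
import ipaddress
import struct

RADIUS_TYPE = 241      # "Extended Type" attribute format of RFC 6929
EXT_TYPE_TBA1 = 0xFF   # placeholder: Extended-Type TBA1 is not yet assigned by IANA
# TLV-Type codes from the initial "RADIUS Encrypted DNS TLVs" registry (Section 6.2)
TLV_ADN, TLV_IPV6, TLV_IPV4, TLV_SVCPARAMS, TLV_SVCPRIORITY = 1, 2, 3, 4, 5
SVCB_ALPN, SVCB_PORT, SVCB_IPV4HINT, SVCB_IPV6HINT = 1, 3, 4, 6  # SVCB SvcParamKeys


def encode_adn(name):
    """FQDN as RFC 8415 Section 10 labels: length-prefixed, zero-terminated."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_adn(data):
    labels, pos = [], 0
    while True:
        if pos >= len(data):
            raise ValueError("ADN not terminated")
        n, pos = data[pos], pos + 1
        if n == 0:
            return ".".join(labels)
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n


def encode_svcparams(params):
    """SVCB wire format: SvcParamKey(2) SvcParamLength(2) value, keys ascending."""
    return b"".join(struct.pack("!HH", k, len(v)) + v for k, v in sorted(params.items()))


def decode_svcparams(data):
    params, pos = {}, 0
    while pos < len(data):
        key, length = struct.unpack_from("!HH", data, pos)
        params[key] = data[pos + 4:pos + 4 + length]
        pos += 4 + length
    return params


def tlv(tlv_type, value):
    # TLV-Length counts the TLV-Type and TLV-Length octets themselves (+2)
    return bytes([tlv_type, len(value) + 2]) + value


def encode_attribute(adn, addrs, svcparams=None, priority=None):
    """Build one IPv6-Encrypted-DNS Attribute (Type 241, Extended-Type TBA1)."""
    body = tlv(TLV_ADN, encode_adn(adn))
    for a in addrs:
        body += tlv(TLV_IPV6, ipaddress.IPv6Address(a).packed)
    if svcparams is not None:
        body += tlv(TLV_SVCPARAMS, encode_svcparams(svcparams))
    if priority is not None:
        # unsigned16 right-justified in the 4-octet integer, unused bits zero
        body += tlv(TLV_SVCPRIORITY, struct.pack("!I", priority & 0xFFFF))
    # Length covers Type, Length, Extended-Type and every embedded TLV
    return bytes([RADIUS_TYPE, len(body) + 3, EXT_TYPE_TBA1]) + body


def decode_attribute(raw):
    """Parse one attribute; raise ValueError for anything the draft forbids."""
    if len(raw) < 3 or raw[0] != RADIUS_TYPE or raw[1] != len(raw) or raw[2] != EXT_TYPE_TBA1:
        raise ValueError("bad attribute header")
    out = {"adn": None, "addrs": [], "svcparams": None, "priority": None}
    pos = 3
    while pos < len(raw):  # TLV-Types this example does not know are skipped
        if pos + 1 >= len(raw) or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
            raise ValueError("bad TLV-Length")
        t, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + length]
        pos += length
        if t == TLV_ADN:
            if out["adn"] is not None:
                raise ValueError("exactly one Encrypted-DNS-ADN TLV is allowed")
            out["adn"] = decode_adn(value)
        elif t == TLV_IPV6:
            addr = ipaddress.IPv6Address(value)  # raises ValueError unless 16 octets
            if addr.is_multicast or addr.is_loopback:
                raise ValueError("multicast or loopback address not allowed: %s" % addr)
            out["addrs"].append(addr)
        elif t == TLV_SVCPARAMS:
            params = decode_svcparams(value)
            if SVCB_IPV4HINT in params or SVCB_IPV6HINT in params:
                raise ValueError("ipv4hint/ipv6hint are superseded by the address TLVs")
            out["svcparams"] = params
        elif t == TLV_SVCPRIORITY:
            if length != 6:
                raise ValueError("Encrypted-DNS-SvcPriority TLV-Length must be 6")
            (prio,) = struct.unpack("!I", value)
            if prio > 0xFFFF:
                raise ValueError("unused SvcPriority bits must be zero")
            out["priority"] = prio
    if out["adn"] is None or not out["addrs"]:
        raise ValueError("one ADN and at least one IPv6 address are required")
    return out


def order_by_preference(decoded):
    """Smaller SvcPriority means higher preference (Section 3.1); ranking a
    missing priority last is this example's assumption, not the draft's rule."""
    return sorted(decoded, key=lambda d: 0x10000 if d["priority"] is None else d["priority"])
```

   A constructed call such as encode_attribute("dns.example.net",
   ["2001:db8::1"], {SVCB_ALPN: b"\x03dot", SVCB_PORT: b"\x03\x55"},
   10) yields a 62-octet attribute (19 octets of ADN TLV, 18 of address
   TLV, 16 of SvcParams TLV, 6 of SvcPriority TLV, plus the 3-octet
   header) that decode_attribute() accepts, whereas the same call with
   "::1" as the address, or with an "ipv6hint" key in the SvcParams, is
   rejected with a ValueError.  Rejecting the whole attribute rather
   than dropping the offending TLV keeps the NAS from provisioning a
   resolver that the draft says must never be advertised.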
   This document targets deployments where a trusted relationship is in
   place between the RADIUS client and server, with communication
   optionally secured by IPsec or Transport Layer Security (TLS)
   [RFC6614].

   Security considerations (including traffic theft) are discussed in
   [I-D.ietf-add-dnr].

5.  Table of Attributes

   The following table provides a guide as to what types of RADIUS
   packets may contain these attributes, and in what quantity.

   Access- Access- Access- Challenge Acct.   #     Attribute
   Request Accept  Reject            Request
    0+      0+      0       0         0+     TBA1  IPv6-Encrypted-DNS
    0+      0+      0       0         0+     TBA2  IPv4-Encrypted-DNS

   CoA-Request CoA-ACK CoA-NACK  #     Attribute
    0+          0       0        TBA1  IPv6-Encrypted-DNS
    0+          0       0        TBA1  IPv4-Encrypted-DNS

   The following table defines the meaning of the above table entries:

   0   This attribute MUST NOT be present in the packet.
   0+  Zero or more instances of this attribute MAY be present in the
       packet.

6.  IANA Considerations

6.1.  New RADIUS Attributes

   IANA is requested to assign two new RADIUS attribute types from the
   IANA registry "Radius Attribute Types" located at
   http://www.iana.org/assignments/radius-types:

      IPv6-Encrypted-DNS (241.TBA1)

      IPv4-Encrypted-DNS (241.TBA2)

   Type      Description         Data Type  Reference
   --------  ------------------  ---------  -------------
   241.TBA1  IPv6-Encrypted-DNS  tlv        This-Document
   241.TBA2  IPv4-Encrypted-DNS  tlv        This-Document

6.2.  New RADIUS TLVs

   IANA is requested to create a new registry called "RADIUS Encrypted
   DNS TLVs".
   The registry is initially populated as follows:

   Value  Description                 Data Type  Reference
   -----  --------------------------  ---------  -------------
   0      Reserved
   1      Encrypted-DNS-ADN           text       Section 3.3.1
   2      Encrypted-DNS-IPv6-Address  ipv6addr   Section 3.3.2
   3      Encrypted-DNS-IPv4-Address  ipv4addr   Section 3.3.3
   4      Encrypted-DNS-SvcParams     string     Section 3.3.4
   5      Encrypted-DNS-SvcPriority   integer    Section 3.3.5
   6-255  Unassigned

7.  Acknowledgements

   Thanks to Christian Jacquenet, Neil Cook, and Alan DeKok for the
   review and suggestions.

   Thanks to Ben Schwartz for the comment.

8.  References

8.1.  Normative References

   [I-D.ietf-add-dnr]
              Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
              Jensen, "DHCP and Router Advertisement Options for the
              Discovery of Network-designated Resolvers (DNR)", Work in
              Progress, Internet-Draft, draft-ietf-add-dnr-04, 8
              December 2021.

   [I-D.ietf-dnsop-svcb-https]
              Schwartz, B., Bishop, M., and E. Nygren, "Service binding
              and parameter specification via the DNS (DNS SVCB and
              HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
              dnsop-svcb-https-08, 12 October 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC8044]  DeKok, A., "Data Types in RADIUS", RFC 8044,
              DOI 10.17487/RFC8044, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
              Richardson, M., Jiang, S., Lemon, T., and T. Winters,
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 8415, DOI 10.17487/RFC8415, November 2018.

8.2.  Informative References

   [I-D.ietf-dprive-dnsoquic]
              Huitema, C., Dickinson, S., and A. Mankin, "DNS over
              Dedicated QUIC Connections", Work in Progress, Internet-
              Draft, draft-ietf-dprive-dnsoquic-07, 1 December 2021.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, DOI 10.17487/RFC2868, June 2000.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication Dial-
              In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, DOI 10.17487/RFC4014,
              February 2005.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6614]  Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
              "Transport Layer Security (TLS) Encryption for RADIUS",
              RFC 6614, DOI 10.17487/RFC6614, May 2012.

   [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
              B. Lourdelet, "RADIUS Attributes for IPv6 Access
              Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.

   [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
              Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
              2013.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019.

Authors' Addresses

   Mohamed Boucadair
   Orange
   35000 Rennes
   France

   Email: mohamed.boucadair@orange.com


   Tirumaleswar Reddy
   McAfee, Inc.
   Embassy Golf Link Business Park
   Bangalore 560071
   Karnataka
   India

   Email: kondtir@gmail.com