idnits 2.17.00 (12 Aug 2021) /tmp/idnits41005/draft-ietf-add-svcb-dns-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document date (22 April 2022) is 22 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Duplicate reference: RFC8484, mentioned in 'RFC8484', was also mentioned in 'DOH'. == Outdated reference: A later version (-09) exists of draft-ietf-dnsop-svcb-https-08 Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 add B. Schwartz 3 Internet-Draft Google LLC 4 Intended status: Standards Track 22 April 2022 5 Expires: 24 October 2022 7 Service Binding Mapping for DNS Servers 8 draft-ietf-add-svcb-dns-03 10 Abstract 12 The SVCB DNS record type expresses a bound collection of endpoint 13 metadata, for use when establishing a connection to a named service. 14 DNS itself can be such a service, when the server is identified by a 15 domain name. This document provides the SVCB mapping for named DNS 16 servers, allowing them to indicate support for new transport 17 protocols. 19 Discussion Venues 21 This note is to be removed before publishing as an RFC. 23 Discussion of this document takes place on the ADD Working Group 24 mailing list (add@ietf.org), which is archived at 25 https://mailarchive.ietf.org/arch/browse/add/. 27 Source for this draft and an issue tracker can be found at 28 https://github.com/bemasc/svcb-dns. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on 24 October 2022. 47 Copyright Notice 49 Copyright (c) 2022 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 54 license-info) in effect on the date of publication of this document. 55 Please review these documents carefully, as they describe your rights 56 and restrictions with respect to this document. Code Components 57 extracted from this document must include Revised BSD License text as 58 described in Section 4.e of the Trust Legal Provisions and are 59 provided without warranty as described in the Revised BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 64 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 65 3. Identities and Names . . . . . . . . . . . . . . . . . . . . 3 66 3.1. Special case: non-default ports . . . . . . . . . . . . . 4 67 4. Applicable existing SvcParamKeys . . . . . . . . . . . . . . 4 68 4.1. alpn . . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 4.2. port . . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 4.3. Other applicable SvcParamKeys . . . . . . . . . . . . . . 5 71 5. New SvcParamKeys . . . . . . . . . . . . . . . . . . . . . . 5 72 5.1. dohpath . . . . . . . . . . . . . . . . . . . . . . . . . 5 73 6. Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 6 74 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6 75 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 76 8.1. Adversary on the query path . . . . . . . . . . . . . . . 7 77 8.1.1. Downgrade attacks . . . . . . . . . . . . . . . . . . 7 78 8.1.2. Redirection attacks . . . . . . . . . . . . . . . . . 7 79 8.2. Adversary on the transport path . . . . . . . . . . . . . 8 80 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 81 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 82 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 83 10.2. Informative References . . . . . . . . . . . . . . . . . 10 84 Appendix A. Mapping Summary . . . . . . . . . . . . . . . . . . 10 85 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 86 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 88 1. Introduction 90 The SVCB record type [SVCB] provides clients with information about 91 how to reach alternative endpoints for a service, which may have 92 improved performance or privacy properties. The service is 93 identified by a "scheme" indicating the service type, a hostname, and 94 optionally other information such as a port number. A DNS server is 95 often identified only by its IP address (e.g. in DHCP), but in some 96 contexts it can also be identified by a hostname (e.g. "NS" records, 97 manual resolver configuration) and sometimes also a non-default port 98 number. 100 Use of the SVCB record type requires a mapping document for each 101 service type, indicating how a client for that service can interpret 102 the contents of the SVCB SvcParams. This document provides the 103 mapping for the "dns" service type, allowing DNS servers to offer 104 alternative endpoints and transports, including encrypted transports 105 like DNS over TLS (DoT) and DNS over HTTPS (DoH). 107 2. Conventions and Definitions 109 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 110 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 111 "OPTIONAL" in this document are to be interpreted as described in BCP 112 14 [RFC2119] [RFC8174] when, and only when, they appear in all 113 capitals, as shown here. 115 3. Identities and Names 117 SVCB record names (i.e. QNAMEs) for DNS services are formed using 118 Port-Prefix Naming (Section 2.3 of [SVCB]), with a scheme of "dns". 119 For example, SVCB records for a DNS service identified as 120 "dns1.example.com" would be queried at "_dns.dns1.example.com". 122 In some use cases, the name used for retrieving these DNS records is 123 different from the server identity used to authenticate the secure 124 transport. To distinguish between these, this document uses the 125 following terms: 127 * Binding authority - The service name (Section 1.4 of [SVCB]) and 128 optional port number used as input to Port-Prefix Naming. 130 * Authentication name - The name used for secure transport 131 authentication. This MUST be a DNS hostname or a literal IP 132 address. Unless otherwise specified, this is the service name 133 from the binding authority. 135 3.1. Special case: non-default ports 137 Normally, a DNS service is identified by an IP address or a domain 138 name. When connecting to the service using unencrypted DNS over UDP 139 or TCP, clients use the default port number for DNS (53). However, 140 in rare cases, a DNS service might be identified by both a name and a 141 port number. For example, the dns: URI scheme [DNSURI] optionally 142 includes an authority, comprised of a host and a port number (with a 143 default of 53). DNS URIs normally omit the authority, or specify an 144 IP address, but a hostname and non-default port number are allowed. 146 When the binding authority specifies a non-default port number, Port- 147 Prefix Naming places the port number in an additional a prefix on the 148 name. For example, if the binding authority is 149 "dns1.example.com:9953", the client would query for SVCB records at 150 "_9953._dns.dns1.example.com". If two DNS services operating on 151 different port numbers provide different behaviors, this arrangement 152 allows them to preserve the distinction when specifying alternative 153 endpoints. 155 4. Applicable existing SvcParamKeys 157 4.1. alpn 159 This key indicates the set of supported protocols (Section 6.1 of 160 [SVCB]). There is no default protocol, so the no-default-alpn key 161 does not apply, and the alpn key MUST be present. 163 If the protocol set contains any HTTP versions (e.g. "h2", "h3"), 164 then the record indicates support for DNS over HTTPS [DOH], and the 165 "dohpath" key MUST be present (Section 5.1). All keys specified for 166 use with the HTTPS record are also permissible, and apply to the 167 resulting HTTP connection. 169 If the protocol set contains protocols with different default ports, 170 and no port key is specified, then protocols are contacted separately 171 on their default ports. Note that in this configuration, ALPN 172 negotiation does not defend against cross-protocol downgrade attacks. 174 4.2. port 176 This key is used to indicate the target port for connection 177 (Section 6.2 of [SVCB]). If omitted, the client SHALL use the 178 default port for each transport protocol (853 for DNS over TLS [DOT], 179 443 for DNS over HTTPS). 181 This key is automatically mandatory if present. (See Section 7 of 182 [SVCB] for the definition of "automatically mandatory".) 183 Support for the port key can be unsafe if the client has implicit 184 elevated access to some network service (e.g. a local service that is 185 inaccessible to remote parties) and that service uses a TCP-based 186 protocol other than TLS. A hostile DNS server might be able to 187 manipulate this service by causing the client to send a specially 188 crafted TLS SNI or session ticket that can be misparsed as a command 189 or exploit. To avoid such attacks, clients SHOULD NOT support the 190 port key unless one of the following conditions applies: 192 * The client is being used with a DNS server that it trusts not 193 attempt this attack. 195 * The client is being used in a context where implicit elevated 196 access cannot apply. 198 * The client restricts the set of allowed TCP port values to exclude 199 any ports where a confusion attack is likely to be possible (e.g. 200 the "bad ports" list from the "Port blocking" section of [FETCH]). 202 4.3. Other applicable SvcParamKeys 204 These SvcParamKeys from [SVCB] apply to the "dns" scheme without 205 modification: 207 * mandatory 209 * ech 211 * ipv4hint 213 * ipv6hint 215 Future SvcParamKeys may also be applicable. 217 5. New SvcParamKeys 219 5.1. dohpath 221 "dohpath" is a single-valued SvcParamKey whose value (both in 222 presentation and wire format) MUST be a URI Template [RFC6570] 223 encoded in UTF-8 [RFC3629]. If the "alpn" SvcParam indicates support 224 for HTTP, "dohpath" MUST be present. The URI Template MUST contain a 225 "dns" variable, and MUST be chosen such that the result after DoH 226 template expansion (Section 6 of [RFC8484]) is always a valid and 227 functional ":path" value ([RFC7540], Section 8.1.2.3). 229 When using this SVCB record, the client MUST send any DoH requests to 230 the HTTP origin identified by the "https" scheme, the authentication 231 name, and the port from the "port" SvcParam (if present). HTTP 232 requests MUST be directed to the resource resulting from DoH template 233 expansion of the "dohpath" value. 235 Clients SHOULD NOT query for any "HTTPS" RRs when using "dohpath". 236 Instead, the SvcParams and address records associated with this SVCB 237 record SHOULD be used for the HTTPS connection, with the same 238 semantics as an HTTPS RR. However, for consistency, service 239 operators SHOULD publish an equivalent HTTPS RR, especially if 240 clients might learn about this DoH service through a different 241 channel. 243 6. Limitations 245 This document is concerned exclusively with the DNS transport, and 246 does not affect or inform the construction or interpretation of DNS 247 messages. For example, nothing in this document indicates whether 248 the service is intended for use as a recursive or authoritative DNS 249 server. Clients need to know the intended use of services based on 250 their context. 252 7. Examples 254 * A resolver at "simple.example" that supports DNS over TLS on port 255 853 (implicitly, as this is its default port): 257 _dns.simple.example. 7200 IN SVCB 1 simple.example. alpn=dot 259 * A DoH-only resolver at https://doh.example/dns-query{?dns}. (DNS 260 over TLS is not supported.): 262 _dns.doh.example. 7200 IN SVCB 1 doh.example. ( 263 alpn=h2 dohpath=/dns-query{?dns} ) 265 * A resolver at "resolver.example" that supports: 267 - DoT on "resolver.example" ports 853 (implicit in record 1) and 268 8530 (explicit in record 2), with "resolver.example" as the 269 Authentication Domain Name, 271 - DoH at https://resolver.example/dns-query{?dns} (record 1), and 273 - an experimental protocol on fooexp.resolver.example:5353 274 (record 3): 276 _dns.resolver.example. 7200 IN SVCB 1 resolver.example. ( 277 alpn=dot,h2,h3 dohpath=/dns-query{?dns} ) 278 _dns.resolver.example. 7200 IN SVCB 2 resolver.example. ( 279 alpn=dot port=8530 ) 280 _dns.resolver.example. 7200 IN SVCB 3 fooexp ( 281 port=5353 alpn=foo foo-info=... ) 283 * A nameserver at "ns.example" whose service configuration is 284 published on a different domain: 286 _dns.ns.example. 7200 IN SVCB 0 _dns.ns.nic.example. 288 8. Security Considerations 290 8.1. Adversary on the query path 292 This section considers an adversary who can add or remove responses 293 to the SVCB query. 295 During secure transport establishment, clients MUST authenticate the 296 server to its authentication name, which is not influenced by the 297 SVCB record contents. Accordingly, this draft does not mandate the 298 use of DNSSEC. This draft also does not specify how clients 299 authenticate the name (e.g. selection of roots of trust), which might 300 vary according to the context. 302 8.1.1. Downgrade attacks 304 This attacker cannot impersonate the secure endpoint, but it can 305 forge a response indicating that the requested SVCB records do not 306 exist. For a SVCB-reliant client ([SVCB], Section 3) this only 307 results in a denial of service. However, SVCB-optional clients will 308 generally fall back to insecure DNS in this case, exposing all DNS 309 traffic to attacks. 311 8.1.2. Redirection attacks 313 SVCB-reliant clients always enforce the authentication domain name, 314 but they are still subject to attacks using the transport, port 315 number, and "dohpath" value, which are controlled by this adversary. 316 By changing these values in the SVCB answers, the adversary can 317 direct DNS queries for $HOSTNAME to any port on $HOSTNAME, and any 318 path on "https://$HOSTNAME". If the DNS client uses shared TLS or 319 HTTP state, the client could be correctly authenticated (e.g. using a 320 TLS client certificate or HTTP cookie). 322 This behavior creates a number of possible attacks for certain server 323 configurations. For example, if "https://$HOSTNAME/upload" accepts 324 any POST request as a public file upload, the adversary could forge a 325 SVCB record containing dohpath=/upload{?dns}. This would cause the 326 client to upload and publish every query, resulting in unexpected 327 storage costs for the server and privacy loss for the client. 328 Similarly, if two DoH endpoints are available on the same origin, and 329 the service has designated one of them for use with this 330 specification, this adversary can cause clients to use the other 331 endpoint instead. 333 To mitigate redirection attacks, a client of this SVCB mapping MUST 334 NOT identify or authenticate itself when performing DNS queries, 335 except to servers that it specifically knows are not vulnerable to 336 such attacks. If an endpoint sends an invalid response to a DNS 337 query, the client SHOULD NOT send more queries to that endpoint. 338 Multiple DNS services MUST NOT share a hostname identifier 339 (Section 3) unless they are so similar that it is safe to allow an 340 attacker to choose which one is used. 342 8.2. Adversary on the transport path 344 This section considers an adversary who can modify network traffic 345 between the client and the alternative service (identified by the 346 TargetName). 348 For a SVCB-reliant client, this adversary can only cause a denial of 349 service. However, because DNS is unencrypted by default, this 350 adversary can execute a downgrade attack against SVCB-optional 351 clients. Accordingly, when use of this specification is optional, 352 clients SHOULD switch to SVCB-reliant behavior if SVCB resolution 353 succeeds. Specifications making using of this mapping MAY adjust 354 this fallback behavior to suit their requirements. 356 9. IANA Considerations 358 Per [SVCB] IANA is directed to add the following entry to the SVCB 359 Service Parameters registry. 361 +========+=========+==============================+=================+ 362 | Number | Name | Meaning | Reference | 363 +========+=========+==============================+=================+ 364 | 7 | dohpath | DNS over HTTPS path template | (This | 365 | | | | document) | 366 +--------+---------+------------------------------+-----------------+ 368 Table 1 370 Per [Attrleaf], IANA is directed to add the following entry to the 371 DNS Underscore Global Scoped Entry Registry: 373 +=========+============+===============+=================+ 374 | RR TYPE | _NODE NAME | Meaning | Reference | 375 +=========+============+===============+=================+ 376 | SVCB | _dns | DNS SVCB info | (This document) | 377 +---------+------------+---------------+-----------------+ 379 Table 2 381 10. References 383 10.1. Normative References 385 [DOH] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 386 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 387 . 389 [DOT] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., 390 and P. Hoffman, "Specification for DNS over Transport 391 Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 392 2016, . 394 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 395 Requirement Levels", BCP 14, RFC 2119, 396 DOI 10.17487/RFC2119, March 1997, 397 . 399 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 400 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 401 2003, . 403 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., 404 and D. Orchard, "URI Template", RFC 6570, 405 DOI 10.17487/RFC6570, March 2012, 406 . 408 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 409 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 410 DOI 10.17487/RFC7540, May 2015, 411 . 413 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 414 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 415 May 2017, . 417 [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS 418 (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, 419 . 421 [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service binding 422 and parameter specification via the DNS (DNS SVCB and 423 HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf- 424 dnsop-svcb-https-08, 12 October 2021, 425 . 428 10.2. Informative References 430 [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource 431 Records through "Underscored" Naming of Attribute Leaves", 432 BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, 433 . 435 [DNSURI] Josefsson, S., "Domain Name System Uniform Resource 436 Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, 437 . 439 [FETCH] "Fetch Living Standard", February 2022, 440 . 442 Appendix A. Mapping Summary 444 This table serves as a non-normative summary of the DNS mapping for 445 SVCB. 447 +=================+====================================+ 448 +=================+====================================+ 449 | *Mapped scheme* | "dns" | 450 +-----------------+------------------------------------+ 451 | *RR type* | SVCB (64) | 452 +-----------------+------------------------------------+ 453 | *Name prefix* | _dns for port 53, else _$PORT._dns | 454 +-----------------+------------------------------------+ 455 | *Required keys* | alpn | 456 +-----------------+------------------------------------+ 457 | *Automatically | port | 458 | Mandatory Keys* | | 459 +-----------------+------------------------------------+ 460 | *Special | Supports all HTTPS RR SvcParamKeys | 461 | behaviors* | | 462 +-----------------+------------------------------------+ 463 | | Overrides the HTTPS RR for DoH | 464 +-----------------+------------------------------------+ 465 | | Default port is per-transport | 466 +-----------------+------------------------------------+ 467 | | No encrypted -> cleartext fallback | 468 +-----------------+------------------------------------+ 470 Table 3 472 Acknowledgments 474 Thanks to the many reviewers and contributors, including Daniel 475 Migault, Paul Hoffman, Matt Norhoff, Peter van Dijk, Eric Rescorla, 476 and Andreas Schulze. 478 Author's Address 480 Benjamin Schwartz 481 Google LLC 482 Email: bemasc@google.com