idnits 2.17.00 (12 Aug 2021) /tmp/idnits20483/draft-ietf-ipsecme-split-dns-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (July 18, 2018) is 1403 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network T. Pauly 3 Internet-Draft Apple Inc. 4 Intended status: Standards Track P. Wouters 5 Expires: January 19, 2019 Red Hat 6 July 18, 2018 8 Split DNS Configuration for IKEv2 9 draft-ietf-ipsecme-split-dns-09 11 Abstract 13 This document defines two Configuration Payload Attribute Types for 14 the IKEv2 protocol that add support for private DNS domains. These 15 domains are intended to be resolved using DNS servers reachable 16 through an IPsec connection, while leaving all other DNS resolution 17 unchanged. This approach of resolving a subset of domains using non- 18 public DNS servers is referred to as "Split DNS". 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on January 19, 2019. 37 Copyright Notice 39 Copyright (c) 2018 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 56 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 58 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 59 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 60 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 61 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 62 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 63 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 64 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 65 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 66 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 67 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 68 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 69 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 70 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 71 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 72 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 73 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 74 9.2. Informative References . . . . . . . . . . . . . . . . . 13 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 77 1. Introduction 79 Split DNS is a common configuration for secure tunnels, such as 80 Virtual Private Networks in which host machines private to an 81 organization can only be resolved using internal DNS resolvers 82 [RFC2775]. In such configurations, it is often desirable to only 83 resolve hosts within a set of private domains using the tunnel, while 84 letting resolutions for public hosts be handled by a device's default 85 DNS configuration. 87 The Internet Key Exchange protocol version 2 [RFC7296] negotiates 88 configuration parameters using Configuration Payload Attribute Types. 89 This document defines two Configuration Payload Attribute Types that 90 add support for trusted Split DNS domains. 92 The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more 93 DNS domains that SHOULD be resolved only using the provided DNS 94 nameserver IP addresses, causing these requests to use the IPsec 95 connection. 97 The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust 98 anchors for those domains. 100 When only a subset of traffic is routed into a private network using 101 an IPsec SA, these Configuration Payload options can be used to 102 define which private domains are intended to be resolved through the 103 IPsec connection without affecting the client's global DNS 104 resolution. 106 For the purposes of this document, DNS resolution servers accessible 107 through an IPsec connection will be referred to as "internal DNS 108 servers", and other DNS servers will be referred to as "external DNS 109 servers". 111 A client using these configuration payloads will be able to request 112 and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN 113 and INTERNAL_DNSSEC_TA configuration attributes. The client device 114 can use the internal DNS server(s) for any DNS queries within the 115 assigned domains. DNS queries for other domains SHOULD be sent to 116 the regular external DNS server. 118 1.1. Requirements Language 120 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 121 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 122 "OPTIONAL" in this document are to be interpreted as described in BCP 123 14 [RFC2119] [RFC8174] when, and only when, they appear in all 124 captials, as shown here. 126 2. Background 128 Split DNS is a common configuration for enterprise VPN deployments, 129 in which only one or a few private DNS domains are accessible and 130 resolvable via an IPsec based VPN connection. 132 Other tunnel-establishment protocols already support the assignment 133 of Split DNS domains. For example, there are proprietary extensions 134 to IKEv1 that allow a server to assign Split DNS domains to a client. 135 However, the IKEv2 standard does not include a method to configure 136 this option. This document defines a standard way to negotiate this 137 option for IKEv2. 139 3. Protocol Exchange 141 In order to negotiate which domains are considered internal to an 142 IKEv2 tunnel, initiators indicate support for Split DNS in their 143 CFG_REQUEST payloads, and responders assign internal domains (and 144 DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS 145 has been negotiated, the existing DNS server configuration attributes 146 will be interpreted as internal DNS servers that can resolve 147 hostnames within the internal domains. 149 3.1. Configuration Request 151 To indicate support for Split DNS, an initiator includes one more 152 INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part of the 153 CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is included 154 in the CFG_REQUEST, the initiator SHOULD also include one or more 155 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the CFG_REQUEST. 157 The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually 158 empty but MAY contain a suggested domain name. 160 The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST 161 payload indicates that the initiator does not support or is unwilling 162 to accept Split DNS configuration. 164 To indicate support for DNSSEC, an initiator includes one or more 165 INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the 166 CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attribute is included 167 in the CFG_REQUEST, the initiator SHOULD also include one or more 168 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator 169 includes an INTERNAL_DNSSEC_TA attribute, but does not inclue an 170 INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with 171 both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes. 173 An initiator MAY convey its current DNSSEC trust anchors for the 174 domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does 175 not wish to convey this information, it MUST use a length of 0. 177 The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST 178 payload indicates that the initiator does not support or is unwilling 179 to accept DNSSEC trust anchor configuration. 181 3.2. Configuration Reply 183 Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in 184 their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is 185 included in the CFG_REPLY, the responder MUST also include one or 186 both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the 187 CFG_REPLY. These DNS server configurations are necessary to define 188 which servers can receive queries for hostnames in internal domains. 189 If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the 190 CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the 191 initiator SHOULD behave as if Split DNS configurations are not 192 supported by the server. 194 Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers 195 address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. 197 If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- 198 zero lengths, the content MAY be ignored or be interpreted as a 199 suggestion by the responder. 201 For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, 202 one or more INTERNAL_DNSSEC_TA attributes MAY be included by the 203 responder. This attribute lists the corresponding internal DNSSEC 204 trust anchor in the DNS presentation format of a DS record as 205 specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST 206 immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies 207 to. 209 3.3. Mapping DNS Servers to Domains 211 All DNS servers provided in the CFG_REPLY MUST support resolving 212 hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, 213 the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a 214 single list of Split DNS domains that applies to the entire list of 215 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 217 3.4. Example Exchanges 219 3.4.1. Simple Case 221 In this example exchange, the initiator requests INTERNAL_IP4_DNS and 222 INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not 223 specify any value for either. This indicates that it supports Split 224 DNS, but has no preference for which DNS requests will be routed 225 through the tunnel. 227 The responder replies with two DNS server addresses, and two internal 228 domains, "example.com" and "city.other.com". 230 Any subsequent DNS queries from the initiator for domains such as 231 "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve. 233 CP(CFG_REQUEST) = 234 INTERNAL_IP4_ADDRESS() 235 INTERNAL_IP4_DNS() 236 INTERNAL_DNS_DOMAIN() 238 CP(CFG_REPLY) = 239 INTERNAL_IP4_ADDRESS(198.51.100.234) 240 INTERNAL_IP4_DNS(198.51.100.2) 241 INTERNAL_IP4_DNS(198.51.100.4) 242 INTERNAL_DNS_DOMAIN(example.com) 243 INTERNAL_DNS_DOMAIN(city.other.com) 245 3.4.2. Requesting Domains and DNSSEC trust anchors 247 In this example exchange, the initiator requests INTERNAL_IP4_DNS, 248 INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes in the 249 CFG_REQUEST. 251 Any subsequent DNS queries from the initiator for domains such as 252 "www.example.com" or "city.other.com" would be DNSSEC validated using 253 the DNSSEC trust anchor received in the CFG_REPLY. 255 In this example, the initiator has no existing DNSSEC trust anchors 256 would the requested domain. the "example.com" dommain has DNSSEC 257 trust anchors that are returned, while the "other.com" domain has no 258 DNSSEC trust anchors. 260 CP(CFG_REQUEST) = 261 INTERNAL_IP4_ADDRESS() 262 INTERNAL_IP4_DNS() 263 INTERNAL_DNS_DOMAIN() 264 INTERNAL_DNSSEC_TA() 266 CP(CFG_REPLY) = 267 INTERNAL_IP4_ADDRESS(198.51.100.234) 268 INTERNAL_IP4_DNS(198.51.100.2) 269 INTERNAL_IP4_DNS(198.51.100.4) 270 INTERNAL_DNS_DOMAIN(example.com) 271 INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...) 272 INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...) 273 INTERNAL_DNS_DOMAIN(city.other.com) 275 4. Payload Formats 277 All multi-octet fields representing integers are laid out in big 278 endian order (also known as "most significant byte first", or 279 "network byte order"). 281 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply 283 1 2 3 284 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 285 +-+-----------------------------+-------------------------------+ 286 |R| Attribute Type | Length | 287 +-+-----------------------------+-------------------------------+ 288 | | 289 ~ Domain Name in DNS presentation format ~ 290 | | 291 +---------------------------------------------------------------+ 293 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 295 o Attribute Type (15 bits) set to value 25 for INTERNAL_DNS_DOMAIN. 297 o Length (2 octets) - Length of domain name. 299 o Domain Name (0 or more octets) - A Fully Qualified Domain Name 300 used for Split DNS rules, such as "example.com", in DNS 301 presentation format and optionally using IDNA [RFC5890] for 302 Internationalized Domain Names. Implementors need to be careful 303 that this value is not null-terminated. 305 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 307 An INTERNAL_DNSSEC_TA Configuration Attribute can either be empty, or 308 it can contain one Trust Anchor by containing a non-zero Length with 309 a DNSKEY Key Tag, DNSKEY Algorithm, Digest Type and Digest Data 310 fields. 312 An empty INTERNAL_DNSSEC_TA CFG attribute: 314 1 2 3 315 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 316 +-+-----------------------------+-------------------------------+ 317 |R| Attribute Type | Length (set to 0) | 318 +-+-----------------------------+-------------------------------+ 320 A non-empty INTERNAL_DNSSEC_TA CFG attribute: 322 1 2 3 323 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 324 +-+-----------------------------+-------------------------------+ 325 |R| Attribute Type | Length | 326 +-+-----------------------------+---------------+---------------+ 327 | DNSKEY Key Tag | DNSKEY Alg | Digest Type | 328 +-------------------------------+---------------+---------------+ 329 | | 330 ~ Digest Data ~ 331 | | 332 +---------------------------------------------------------------+ 334 o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. 336 o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. 338 o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 339 octets plus the length of the Digest Data). 341 o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key 342 Tag as specified in [RFC4034] Section 5.1. 344 o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the 345 IANA DNS Security Algorithm Numbers Registry. 347 o Digest Type (0 or 1 octet) - DS algorithm value from the IANA 348 Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms 349 Registry. 351 o Digest Data (0 or more octets) - The DNSKEY digest as specified in 352 [RFC4034] Section 5.1 in presentation format. 354 INTERNAL_DNSSEC_TA payloads MUST immediately follow an 355 INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself 356 does not contain the domain name, it relies on the preceding 357 INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the 358 trust anchor. 360 5. INTERNAL_DNS_DOMAIN Usage Guidelines 362 If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, 363 the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS 364 servers as the default DNS server(s) for all queries. 366 If a client is configured by local policy to only accept a limited 367 number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any 368 other INTERNAL_DNS_DOMAIN values. 370 For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not 371 prohibited by local policy, the client MUST use the provided 372 INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only 373 resolvers for the listed domains and its sub-domains and it MUST NOT 374 attempt to resolve the provided DNS domains using its external DNS 375 servers. 377 If the initiator host is configured to block DNS answers containing 378 IP addresses from special IP address ranges such as those of 379 [RFC1918], the initiator SHOULD allow the DNS domains listed in the 380 INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. 382 If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes 383 and its local policy does not forbid these values, the client MUST 384 configure its DNS resolver to resolve those domains and all their 385 subdomains using only the DNS resolver(s) listed in that CFG_REPLY 386 message. If those resolvers fail, those names MUST NOT be resolved 387 using any other DNS resolvers. Other domain names SHOULD be resolved 388 using some other external DNS resolver(s), configured independently 389 from IKE. Queries for these other domains MAY be sent to the 390 internal DNS resolver(s) listed in that CFG_REPLY message, but have 391 no guarantee of being answered. For example, if the 392 INTERNAL_DNS_DOMAIN attribute specifies "example.com", then 393 "example.com", "www.example.com" and "mail.eng.example.com" MUST be 394 resolved using the internal DNS resolver(s), but "anotherexample.com" 395 and "ample.com" SHOULD NOT be resolved using the internal resolver 396 and SHOULD use the system's external DNS resolver(s). 398 When an IKE SA is terminated, the DNS forwarding MUST be 399 unconfigured. This includes deleting the DNS forwarding rules; 400 flushing all cached data for DNS domains provided by the 401 INTERNAL_DNS_DOMAIN attribute, including negative cache entries; 402 removing any obtained DNSSEC trust anchors from the list of trust 403 anchors; and clearing the outstanding DNS request queue. 405 INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel 406 configurations where only a subset of traffic is routed into a 407 private remote network using the IPsec connection. If all traffic is 408 routed over the IPsec connection, the existing global 409 INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating 410 specific DNS exemptions. 412 6. INTERNAL_DNSSEC_TA Usage Guidelines 414 DNS records can be used to publish specific records containing trust 415 anchors for applications. The most common record type is the TLSA 416 record specified in [RFC6698]. This DNS record type publishes which 417 CA certificate or EE certificate to expect for a certain host name. 418 These records are protected by DNSSEC and thus can be trusted by the 419 application. Whether to trust TLSA records instead of the 420 traditional WebPKI depends on the local policy of the client. By 421 accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote 422 IKE server, the IPsec client might be allowing the remote IKE server 423 to override the trusted certificates for TLS. Similar override 424 concerns apply to other public key or fingerprint based DNS records, 425 such as OPENPGPKEY, SMIMEA or IPSECKEY records. 427 Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as 428 the equivalent of installing an Enterprise Certificate Agency (CA) 429 certificate. It allows the remote IKE/IPsec server to modify DNS 430 answers including its DNSSEC cryptographic signatures by overriding 431 existing DNS information with trust anchor conveyed via IKE and 432 (temporarilly) installed on the IKE client. Of specific concern is 433 the overriding of [RFC6698] based TLSA records, which represent a 434 confirmation or override of an existing WebPKI TLS certificate. 435 Other DNS record types that convey cryptographic materials (public 436 keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY 437 records. 439 IKE clients MUST use a preconfigured whitelist of domain names for 440 which it will allow INTERNAL_DNSSEC_TA updates. 442 The DNS root zone (".") MUST NOT be whitelisted. 444 Any updates to this whitelist of domain names MUST happen via 445 explicit human interaction to prevent invisible installation of trust 446 anchors. 448 IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for 449 subdomain names of the whitelisted domain names. For example, if 450 "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for 451 "antartica.example.net" SHOULD be accepted. 453 IKE clients MAY interpret an INTERNAL_DNSSEC_TA for domain that was 454 not preconfigured as an indication that it needs to update its IKE 455 configuration (out of band). The client MUST NOT use such a 456 INTERNAL_DNSSEC_TA to reconfigure its local DNS settings. 458 IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for 459 a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN 460 Configuration Payload. 462 In most deployment scenario's, the IKE client has an expectation that 463 it is connecting, using a split-network setup, to a specific 464 organisation or enterprise. A recommended policy would be to only 465 accept INTERNAL_DNSSEC_TA directives from that organization's DNS 466 names. However, this might not be possible in all deployment 467 scenarios, such as one where the IKE server is handing out a number 468 of domains that are not within one parent domain. 470 7. Security Considerations 472 The use of Split DNS configurations assigned by an IKEv2 responder is 473 predicated on the trust established during IKE SA authentication. 474 However, if IKEv2 is being negotiated with an anonymous or unknown 475 endpoint (such as for Opportunistic Security [RFC7435]), the 476 initiator MUST ignore Split DNS configurations assigned by the 477 responder. 479 If a host connected to an authenticated IKE peer is connecting to 480 another IKE peer that attempts to claim the same domain via the 481 INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process 482 the DNS information if the two connections are part of the same 483 logical entity. Otherwise, the client SHOULD refuse the DNS 484 information and potentially warn the end-user. 486 If the initiator is using DNSSEC validation for a domain in its 487 public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN 488 attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure 489 its DNS resolver to allow for an insecure delegation. It SHOULD NOT 490 accept insecure delegations for domains that are DNSSEC signed in the 491 public DNS view, for which it has not explicitely requested such 492 deletation by specifying the domain specifically using a 493 INTERNAL_DNS_DOMAIN(domain) request. 495 Deployments that configure INTERNAL_DNS_DOMAIN domains should pay 496 close attention to their use of indirect reference RRtypes such as 497 CNAME, DNAME, MX or SRV records so that resolving works as intended 498 when all, some, or none of the IPsec connections are established. 500 The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be 501 passed to another (DNS) program for processing. As with any network 502 input, the content SHOULD be considered untrusted and handled 503 accordingly. 505 8. IANA Considerations 507 This document defines two new IKEv2 Configuration Payload Attribute 508 Types, which are allocated from the "IKEv2 Configuration Payload 509 Attribute Types" namespace. 511 Multi- 512 Value Attribute Type Valued Length Reference 513 ------ ------------------- ------ ---------- --------------- 514 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document] 515 26 INTERNAL_DNSSEC_TA YES 0 or more [this document] 517 Figure 1 519 9. References 521 9.1. Normative References 523 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 524 and E. Lear, "Address Allocation for Private Internets", 525 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 526 . 528 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 529 Requirement Levels", BCP 14, RFC 2119, 530 DOI 10.17487/RFC2119, March 1997, . 533 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 534 Rose, "Resource Records for the DNS Security Extensions", 535 RFC 4034, DOI 10.17487/RFC4034, March 2005, 536 . 538 [RFC5890] Klensin, J., "Internationalized Domain Names for 539 Applications (IDNA): Definitions and Document Framework", 540 RFC 5890, DOI 10.17487/RFC5890, August 2010, 541 . 543 [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication 544 of Named Entities (DANE) Transport Layer Security (TLS) 545 Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 546 2012, . 548 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 549 Kivinen, "Internet Key Exchange Protocol Version 2 550 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 551 2014, . 553 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 554 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 555 May 2017, . 557 9.2. Informative References 559 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 560 DOI 10.17487/RFC2775, February 2000, . 563 [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection 564 Most of the Time", RFC 7435, DOI 10.17487/RFC7435, 565 December 2014, . 567 Authors' Addresses 569 Tommy Pauly 570 Apple Inc. 571 One Apple Park Way 572 Cupertino, California 95014 573 US 575 Email: tpauly@apple.com 577 Paul Wouters 578 Red Hat 580 Email: pwouters@redhat.com