DPRIVE WG | T. Reddy |
Internet-Draft | McAfee |
Intended status: Standards Track | D. Wing |
Expires: November 8, 2019 | Citrix |
M. Richardson | |
Sandelman Software Works | |
M. Boucadair | |
Orange | |
May 7, 2019 |
A Bootstrapping Procedure to Discover and Authenticate DNS-over-(D)TLS and DNS-over-HTTPS Servers
draft-reddy-dprive-bootstrap-dns-server-03
This document specifies mechanisms to automatically bootstrap endpoints (e.g., hosts, Customer Equipment) to discover and authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by a local network.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 8, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Traditionally a caching DNS server has been provided by local networks. This provides benefits such as low latency to reach that DNS server (owing to its network proximity to the endpoint). However, if an endpoint is configured to use Internet-hosted or public DNS-over-(D)TLS [RFC7858] [RFC8094] or DNS-over-HTTPS [RFC8484] servers, any available local DNS server cannot serve DNS requests from local endpoints. If public DNS servers are used instead of using local DNS servers, some operational problems can occur such as those listed below:
If public DNS servers are used instead of using local DNS servers, the following discusses the impact on network-based security:
If the network security service fails to block DNS-over-(D)TLS or DNS-over-HTTPS traffic, this can compromise the endpoint security; some of the potential security threats are listed below:
If the network security service sucessfully blocks DNS-over-(D)TLS and DNS-over-HTTPS traffic, this can still compromise the endpoint security and privacy; some of the potential security threats are listed below:
To overcome the above threats, this document specifies a mechanism to automatically bootstrap endpoints to discover and authenticate the DNS-over-(D)TLS and DNS-over-HTTPS servers provided by their local network. The overall procedure can be structured into the following steps:
Note: The strict and opportunistic privacy profiles as defined in [RFC8310] only applies to DNS-over-(D)TLS protocols, there has been no such distinction made for DNS-over-HTTPS protocol.
The problems discussed in Section 1 will be encountered in Enterprise networks. Typically Enterprise networks do not assume that all devices in their network are managed by the IT team or Mobile Device Management (MDM) devices, especially in the quite common BYOD ("Bring Your Own Device") scenario. The mechanisms specified in this document can be used by BYOD devices to discover and authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by the Enterprise network. This mechanism can also be used by IoT devices (managed by IT team) after onboarding to discover and authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by the Enterprise network.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.
(D)TLS is used for statements that apply to both Transport Layer Security [RFC8446] and Datagram Transport Layer Security [RFC6347]. Specific terms are used for any statement that applies to either protocol alone.
This document uses the terms defined in [RFC8499].
The following steps detail the mechanism to automatically bootstrap an endpoint with the local network's DNS server certificate:
Figure 1 illustrates a sequence diagram for bootstrapping an endpoint with the local network's DNS server certificate.
+----------+ +--------+ +--------+ | Endpoint | | EST | | DNS | | | | Server | | Server | +----------+ +--------+ +--------+ | DNS-SD query to discover the EST server | | |-------------------------------------------------------->| | | | | optional: mDNS query to | | | discover the EST server | | |--------------------------------------------->| | | | | | Establish provisional TLS connection | | |<-------------------------------------------->| | | | | | PAKE scheme to authenticate the EST server | | |<-------------------------------------------->| | | | | [Generate reference identifier for the EST server | | to compare with the EST server certificate | | in subsequent TLS connections] | | | | | | Get EE certificates | | |--------------------------------------------->| | | | | [Identify the DNS server certificate in EE | | certificates to match with the certificate | | by the DNS server in (D)TLS handshake] | | | | [Configure ADN and associate DNS server certificate] | | | | |
Figure 1: Bootstrapping Endpoint Devices
The following steps explain the mechanism to automatically bootstrap IoT devices with local network's CA certificates and DNS server certificate:
This specification defines "DPRIVE" as the application service tag (Section 12.1.1) and "dns.tls" (Section 12.1.2), "dns.dtls" (Section 12.1.3), and "dns.https" (Section 12.1.4) as application protocol tags. A DNS client discovers the DNS server in the local network supporting DNS-over-TLS, DNS-over-DTLS and DNS-over-HTTPS protocols by using the following discovery mechanism:
example.net. IN NAPTR 100 10 "" DPRIVE:dns.tls "" dns1.example.net. IN NAPTR 200 10 "" DPRIVE:dns.dtls "" dns2.example.net. dns1.example.net. IN NAPTR 100 10 S DPRIVE:dns.tls "" _domain-s._tcp.example.net. dns2.example.net. IN NAPTR 100 10 S DPRIVE:dns.dtls "" _domain-s._udp.example.net. _domain-s._tcp.example.net. IN SRV 0 0 853 a.example.net. _domain-s._udp.example.net. IN SRV 0 0 853 a.example.net. a.example.net. IN A 192.0.2.1 IN AAAA 2001:db8:8:4::2
Figure 2
The DNS client initiates (D)TLS handshake with the DNS server, the DNS server presents its certificate in ServerHello message, and the DNS client MUST match the DNS server certificate downloaded in Step 4 in Section 4 or Section 5 with the certificate provided by the DNS server in (D)TLS handshake. If the match is successful, the DNS client MUST validate the server certificate using the Implicit Trust Anchor database (i.e., the DNS server certificate must pass PKIX certification path validation).
If the match is successful and server certificate is successfully validated, the client continues with the connection as normal. Otherwise, the client MUST treat the server certificate validation failure as a non-recoverable error. If the DNS client cannot reach or establish an authenticated and encrypted connection with the privacy-enabling DNS server provided by the local network, the DNS client can fallback to the privacy-enabling public DNS server.
DNS-based Service Discovery (DNS-SD) [RFC6763] and Multicast DNS (mDNS) [RFC6762] provide generic solutions for discovering services available in a local network. DNS-SD/mDNS define a set of naming rules for certain DNS record types that they use for advertising and discovering services.
Section 4.1 of [RFC6763] specifies that a service instance name in DNS-SD has the following structure:
<Instance> . <Service> . <Domain>
The <Domain> portion specifies the DNS sub-domain where the service instance is registered. It may be "local.", indicating the mDNS local domain, or it may be a conventional domain name such as "example.com.". The <Service> portion of the EST service instance name MUST be "_est._tcp".
A EST client application can proactively discover EST server being advertised in the site by multicasting a PTR query to the following:
A EST server can send out gratuitous multicast DNS answer packets whenever it starts up, wakes from sleep, or detects a change in EST server configuration. EST client application receive these gratuitous packets and cache information contained in it.
On subsequent attachments to the network, the endpoint discovers the privacy-enabling DNS server using the authentication domain name (configured in Step 5 of Section 4 or Section 5), initiates (D)TLS handshake with the DNS server and follows the mechanism discussed in Section 7 to validate the DNS server certificate.
If the DNS server certificate invalid (e.g., revoked or expired) or the procedure to discover the privacy-enabling DNS server fails (e.g. the domain name of the privacy-enabling DNS server has changed because the Enterprise network has switched to a public privacy-enabling DNS server capable of blocking access to malicious domains), the endpoint discovers and initiates TLS handshake with the EST server, and uses the validation techniques described in [RFC6125] to compare the reference identifier (created in Step 2 of Section 4 in this document) to the EST server certificate and verifies the entire certification path as per [RFC5280]. The endpoint then gets the DNS server certificate from the EST server. If the DNS-ID identifier type within subjectAltName entry in the DNS server certificate does not match the configured ADN, the ADN is replaced with the DNS-ID identifier type. The DNS server certificate associated with the ADN is replaced with the one provided by the EST server. If the ADN has changed, the endpoint discovers the privacy-enabling DNS server, initiates (D)TLS handshake with the DNS server and follows the mechanism discussed in Section 7 to validate the DNS server certificate.
Figure 3 illustrates a sequence diagram for re-configuring an endpoint with ADN and local network's DNS server certificate on subsequent attachments to the network.
+----------+ +--------+ +--------+ | Endpoint | | EST | | DNS | | | | Server | | Server | +----------+ +--------+ +--------+ | DNS-SD query to discover the EST server | | |-------------------------------------------------------->| | | | | optional: mDNS query to | | | discover the EST server | | |--------------------------------------------->| | | | | | Establish TLS connection | | | and validate EST server certificate | | |<-------------------------------------------->| | | | | | Get EE certificates | | |<-------------------------------------------->| | | | | [Identify the DNS server certificate in EE | | certificates to match with the certificate | | by the DNS server in (D)TLS handshake] | | | | [Re-configure ADN and associate DNS server certificate]| | | | |
Figure 3: Bootstrapping Endpoint Devices on subsequent attachments to the network
[RFC7626] discusses DNS privacy considerations in both "on the wire" (Section 2.4 of [RFC7626]) and "in the server" (Section 2.5 of [RFC7626] contexts. The endpoint may not know if the DNS-over-(D)TLS or DNS-over-HTTPS server in the local network has a privacy preserving data policy. A new privacy certificate extension is defined that identifies the privacy preserving data policy of the DNS server.
Like all X.509 certificate extensions, the privacy certificate extension is defined using ASN.1 [ASN1-88]. The non-critical privacy extension is identified by id-pe-privacy.
PKIX Object Identifier Registry id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) } PKIX Arcs id-mod OBJECT IDENTIFIER ::= { id-pkix 0 } -- modules id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } -- private certificate extensions PKIX modules id-mod-privacy-extn OBJECT IDENTIFIER ::= { id-mod TBD2 } id-pe-privacy OBJECT IDENTIFIER ::= { id-pe TBD1 }
A non-null privacy always includes a base privacy. The privacy extension includes the following information:
The syntax for the privacy extension is as follows:
Privacy ::= CHOICE { none NULL, -- No privacy policy provided pPolicy PrivacyPolicy -- Privacy preserving data policy } PrivacyPolicy ::= SEQUENCE { base PrivacyInfo, pURL [0] PrivacyURL OPTIONAL, aURL [1] AuditURL OPTIONAL } PrivacyInfo ::= SEQUENCE { ipaddresspii BOOLEAN, -- TRUE means client IP address is PII log [0] Logging, retention [1] DataRetention, sdata [2] ShareData, transferdata [3] BOOLEAN, -- TRUE means share or sell data to third parties blockdomains [4] BOOLEAN -- TRUE means domains will be blocked } Logging ::= SEQUENCE { logip BOOLEAN, -- TRUE means client IP address logging temporary BOOLEAN OPTIONAL -- TRUE means temporary logs } DataRetention ::= SEQUENCE { cleardata BOOLEAN, -- TRUE means the server clears -- the stored transaction data period INTEGER OPTIONAL -- Number of Hours the -- transaction data is stored } ShareData ::= SEQUENCE { sharepartners BOOLEAN, -- TRUE means data is shared with partners partners [1] SEQUENCE SIZE (1..MAX) OF UTF8String OPTIONAL, -- Names of the partners anonymizeddata [0] BOOLEAN OPTIONAL -- TRUE means anonymized data -- is shared with partners } PrivacyURL ::= IA5String -- MUST use https scheme AuditURL ::= IA5String -- MUST use https scheme
The bootstrapping procedure to obtain the certificate of the local networks DNS server uses a client identity and password to authenticate the EST server using PAKE schemes. Security considerations such as those discussed in [I-D.barnes-tls-pake] or [RFC8120] and [RFC8121] need to be taken into consideration.
Users cannot be expected to enable or disable the bootstrapping or the discovery procedure as they switch networks. Thus, it is RECOMMENDED that users indicate to their system in some way that they desire bootstrapping to be performed when connecting to a specific network, similar to the way users disable VPN connection in specific network (e.g., Enterprise network) and enable VPN connection by default in other networks.
If an endpoint has enabled strict privacy profile, and the network security service blocks the traffic to the privacy-enabling public DNS server, a hard failure occurs and the user is notified. The user has a choice to switch to another network or if the user trusts the network, the user can enable strict privacy profile with the DNS-over-(D)TLS or DNS-over-HTTPS server discovered in the network instead of downgrading to opportunistic privacy profile.
The primary attacks against the methods described in Section 6 are the ones that would lead to impersonation of a DNS server and spoofing the DNS response to indicate that the DNS server does not support any privacy-enabling protocols. To protect against DNS-vectored attacks, secured DNS (DNSSEC) can be used to ensure the validity of the DNS records received. Impersonation of the DNS server is prevented by validating the certificate presented by the DNS server. If the EST server conveys the DNS server certificate, but the S-NAPTR lookup indicates that the DNS server does not support any privacy-enabling protocols, the client can detect the DNS response is spoofed.
Security considerations in [I-D.ietf-anima-bootstrapping-keyinfra] need to be taken into consideration for IoT devices.
IANA is requested to allocate the SRV service name of "est".
IANA is requested to add the following entry in the "SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1) registry:
Decimal Description References ------- ------------------------------ --------------------- TBD1 id-pe-privacy this document
IANA is requested to add the following entry in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry:
Decimal Description References ------- ------------------------------ --------------------- TBD2 id-mod-privacy-extn this document
This document requests IANA to make the following allocations from the registry available at: https://www.iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml.
Thanks to Joe Hildebrand, Harsha Joshi, Shashank Jain, Patrick McManus, Eliot Lear and Sara Dickinson for the discussion and comments.