Internet DRAFT - draft-deccio-dbound-name-relationships
draft-deccio-dbound-name-relationships
Internet Engineering Task Force C. Deccio
Internet-Draft Verisign Labs
Intended status: Informational J. Levine
Expires: January 7, 2016 Taughannock Networks
July 6, 2015
Concepts for Domain Name Relationships
draft-deccio-dbound-name-relationships-00
Abstract
Various Internet protocols and applications require some mechanism
for identifying relationships between Domain Name System (DNS) names.
In this document we provide examples of protocols and applications
for which knowledge of these relationships is useful, if not
required. Further we discuss the various types of domain name
relationships, review current needs and solutions, and identify
considerations for solution sets.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 7, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Deccio & Levine Expires January 7, 2016 [Page 1]
Internet-Draft Concepts for Domain Name Relationships July 2015
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Domain Name Concepts . . . . . . . . . . . . . . . . . . . . . 3
2.1. Domain Names . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Domain Name Scope . . . . . . . . . . . . . . . . . . . . 4
2.2.1. Public/private Boundaries . . . . . . . . . . . . . . 4
2.3. Domain Name Relationships . . . . . . . . . . . . . . . . 4
3. Policy-based Domain Name Relationships . . . . . . . . . . . . 5
3.1. Cross-Scope Policy Relationships . . . . . . . . . . . . . 5
3.2. Intra-Scope Policy Relationships . . . . . . . . . . . . . 5
3.2.1. Public-public Policy Relationships . . . . . . . . . . 6
3.2.2. Private-private Policy Relationships . . . . . . . . . 6
4. Known Applications Requiring Identification of
Policy-based Domain Relationships . . . . . . . . . . . . . . 6
4.1. HTTP Cookies . . . . . . . . . . . . . . . . . . . . . . . 6
4.2. Email sender verification . . . . . . . . . . . . . . . . 7
4.3. SSL certificate requests . . . . . . . . . . . . . . . . . 7
5. Public Suffix List . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Known Application Usage . . . . . . . . . . . . . . . . . 9
6. Solution Considerations . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. Informative References . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
Deccio & Levine Expires January 7, 2016 [Page 2]
Internet-Draft Concepts for Domain Name Relationships July 2015
1. Introduction
The use of various Internet protocols and applications has introduced
the desire and need for designated relationships between Domain Name
System (DNS) names, beyond the lineal relationship inherent in the
names themselves. While protocols, such as that used by HTTP
Cookies, have traditionally used ancestral relationships to determine
allowable scope of information sharing and authorization, there is an
increasing need to identify relationships between arbitrary domains.
We begin by establishing terminology and concepts, after which we
discuss known applications for which the identification of domain
name relationships are desirable or required. We then discuss the
Public Suffix List, the primary solution for domain relationships
currently available. Finally, we recommend considerations for
solutions in this problem space.
2. Domain Name Concepts
For consistency in language we define terms and concepts surrounding
domain names.
2.1. Domain Names
A DNS domain name is represented as sequence of dot-separated labels,
such as www.example.com (i.e., comprised of labels "www", "example",
and "com"). This sequence corresponds to the list of the labels
formed by traversing the tree representing the domain name space,
from the node representing the name itself to the root (top) of the
tree ([RFC1034]). In this tree context, we thus refer to domain
name's parent as the domain name formed by removing the leftmost
label (i.e., the domain name corresponding to the node directly above
it in the tree). The parent of www.example.com is example.com.
As there are no requirements or inferences surrounding delegation
(i.e., zone cut) at any point in the DNS tree, there are no
assumptions in this document about administrative boundaries drawn by
delegations, unless explicitly stated otherwise. That is to say that
this document considers DNS names independently from their
administration, as defined by the DNS.
As noted in [RFC1034], the term "domain name" is used in contexts
outside the DNS. The scope of this document is limited to domain
names as defined by the DNS.
Deccio & Levine Expires January 7, 2016 [Page 3]
Internet-Draft Concepts for Domain Name Relationships July 2015
2.2. Domain Name Scope
The use of domain names in various applications over time has
produced a notion of scope, which we use to refer to the general
ability of arbitrary entities to register children of a domain name
(i.e., create child nodes in the domain name tree). In some contexts
these are called "public suffixes" or "registry controlled domains"
([RFC6265]). For example, children of the top-level domain (TLD)
com, are generally registrable by arbitrary entities, which puts the
com domain name in the public scope. However, com's children are
typically not used in the same fashion (though certainly there are
exceptions), which puts them largely in the private scope.
The children of public domain names may either be in public or
private scope; likewise the children of private domain names may
either be in public or private scope.
While zone cuts often exist along public/private scope boundaries
(e.g., between com and example.com), they are not required at these
boundaries, nor are scope boundaries required at zone cuts. In this
document public/private scope is considered independent of
administrative boundaries defined by the DNS (i.e., zone cuts).
The most well-known delineator of public/private scope is the Public
Suffix List (PSL) [PSL], which is described later in this document.
2.2.1. Public/private Boundaries
If we consider the root domain name itself to be public, then between
the root domain name and any private domain name (below), there must
exist at least one boundary going from some public parent to private
child. The first such boundary encountered upon downward traversal
from the root is the first-level public boundary. Subsequent public-
to-private boundaries are referred to as lower-level public
boundaries. For example, because the com domain name is considered
public, if we assume that example.com is private, then the first-
level public boundary is between com and example.com. If the
public.example.com domain name is considered public (i.e., children
domain names can be registered by arbitrary third parties) and
foo.public.example.com is a private domain name, then a lower-level
public boundary exists between public.example.com and
foo.public.example.com.
2.3. Domain Name Relationships
In this document two types of domain name relationships are
identified: ancestry and policy. An ancestral relationship exists
between two domains if one domain name is an ancestor of the other.
Deccio & Levine Expires January 7, 2016 [Page 4]
Internet-Draft Concepts for Domain Name Relationships July 2015
A policy relationship exists between two domain names if their
relationship is such that application policy should treat them as
equivalent. For example, the two names might be administered by the
operating organization, or there might business or other
relationships between the two operating entities.
In the simplest case, two domain names might be policy-related for
all applications or purposes. However, it is possible that two
domains are related only for explicitly defined purposes.
An ancestral relationship between two names can be identified merely
by comparing the names themselves to determine whether one is a
substring of the other. However, there is no inherent way to
determine policy relationships neither by examination of the names
themselves, nor by examining the administrative boundaries (i.e.,
zone cuts) defined in the DNS. This is the problem being considered
in this document.
3. Policy-based Domain Name Relationships
Because policy-based domain name relationships are not inherently
apparent based on the names themselves or DNS protocol, mechanisms
outside the DNS namespace and base protocol are necessary to
advertise and detect those relationships.
In this section we enumerate the different types of ancestral and
scope relationships upon which policy-based relationships can be
overlaid.
3.1. Cross-Scope Policy Relationships
If scope of one domain name is public and another is private, then it
can be inferred, by the definition of their respective scopes, that
there exists no policy-based relationship between the two. That is,
a public domain name cannot be related, for policy purposes, to a
private domain name.
Note that this doesn't prohibit policy relationships between two
domain names of the same scope but having (an even number) of scope
boundaries in between.
3.2. Intra-Scope Policy Relationships
We now consider the existence of a policy relationship between two
domains names of the same scope.
Deccio & Levine Expires January 7, 2016 [Page 5]
Internet-Draft Concepts for Domain Name Relationships July 2015
3.2.1. Public-public Policy Relationships
The connotation of a public domain name in the context of policy is
that it should not be used for purposes normally associated with
private domain names. For example, it would be unreasonable to
expect legitimate mail to come from an email address having the exact
suffix of org.au (a domain name currently identified by [PSL] as
being public). This is especially true of domain names above the
first-level public boundary.
Because of this connotation, one consideration for policy amongst two
domain names, both public, is that no effective relationship exists
because they are ineligible by definition. Other than that, there is
insufficient information from only domain names and scope alone to
confirm or deny a policy relationship.
3.2.2. Private-private Policy Relationships
There are two classes of potential private-private policy
relationships: ancestral and cross-domain (non-ancestral). In
neither case can the presence or absence of a policy relationship be
confirmed using only the names and scope information.
4. Known Applications Requiring Identification of Policy-based Domain
Relationships
In this section we discuss the current state of known applications
requiring identification of policy-based domain name relationships.
4.1. HTTP Cookies
Domain names are used extensively in conjunction with the Hypertext
Transfer Protocol (HTTP) ([RFC7230], [RFC7231]). The domain names
used in Uniform Resource Identifiers (URIs) [RFC3986] are used by
HTTP clients not only for resolution to an HTTP server Internet
Protocol (IP) address, but also for enforcing policy.
HTTP clients maintain local state in the form of key/value pairs
known as cookies ([RFC6265]). While most often cookies are initially
set by HTTP servers, HTTP clients send all cookies in HTTP requests
for which the domain name in the URI is within the cookies' scope.
The scope of a cookie is defined using a domain name in the "domain"
attribute of the cookie. When a cookie's "domain" attribute is
specified as a domain name (as opposed to an IP address), the domain
name in the URL is considered within scope if it is a descendant of
the "domain" attribute.
Deccio & Levine Expires January 7, 2016 [Page 6]
Internet-Draft Concepts for Domain Name Relationships July 2015
RFC 2965 [RFC2965] (now obsolete) required that the value of the
"domain" field carry at least one embedded dot. This was to prohibit
TLDs--which were almost exclusively public--from being associated, by
policy, with other domains. Cookies having public scope would enable
the association of HTTP requests across different, independently
operated domains, which policy association raises concerns of user
privacy and security.
In the current specification ([RFC6265]), the semantic requirements
were modified to match "public suffixes" because it was recognized
that TLDs are not the only domain names with public scope--and that
not all TLDs are public suffixes. The notion that all TLDs are
inherently public has been challenged by the many and diverse domain
names that have been delegated since 2013 as part of the new generic
top-level domain (gTLD) program ([NewgTLDs]).
4.2. Email sender verification
An emerging sender verification called Domain-based Message
Authentication, Reporting and Conformance (DMARC)
[I-D.kucherawy-dmarc-base] attempts to validate the domain name of
the author's address on the message's "From:" header using the
DomainKeys Identified Email (DKIM) [RFC5585] and Sender Policy
Framework (SPF) [RFC7208] authentication schemes. A DKIM signature
and SPF check each validate a specific domain name. For DKIM it is
the domain name corresponding the DKIM signature. For SPF the domain
name of the message's bounce address is validated. DMARC allows
approximate matching between the author's domain and the validated
domain name, where one can be an ancestor or descendant of the other.
DMARC validators are supposed to ensure that the two domain names are
under the same management, the specifics of which are deliberately
left out of the spec.
4.3. SSL certificate requests
Secure Socket Layer (SSL) certificate authorities typically validate
certificate signing requests by sending a confirmation message to one
of the WHOIS contacts for the (private scope) domain name (CA/B
Ballot 74 [CA/B-Ballot-74]). In cases where there are multiple
levels of delegation (i.e., crossing public/private scopes), the
WHOIS contact needs to be the one for the registrant of the domain,
not a higher level registration.
When an SSL certificate is for a wildcard domain name, the entire
range of names covered by the wildcard needs to be under the same
control. Authorities do not (knowingly) issue certificates for
public domain names such as *.org.au.
Deccio & Levine Expires January 7, 2016 [Page 7]
Internet-Draft Concepts for Domain Name Relationships July 2015
5. Public Suffix List
The most well-known resource currently available for identifying
public domain names is the Public Suffix List (PSL) [PSL]. The PSL
is explicitly referenced as an example of an up-to-date public suffix
list in [RFC6265]. The PSL was developed by Mozilla Firefox
developers to further address HTTP security and privacy concerns
surrounding cookie scope when the "no embedded dot" rule of [RFC2965]
was the upper limit.
The PSL contains a list of known public suffixes, and includes
placeholder public domains designated by "wildcard" notation in the
file. A wildcard implies that all children of the wildcard's parent
are in fact public domain names themselves--except where otherwise
noted as a wildcard exception. For example, we use the contrived
entries in Table 1 to demonstrate this use of the PSL.
+--------------+------------------------------------+
| Entry | Meaning |
+--------------+------------------------------------+
| example | example is public |
| *.example | All children of example are public |
| !foo.example | foo.example is private |
+--------------+------------------------------------+
Table 1: Contrived PSL Entries
These entries result in the scopes shown in Table 2:
+---------------------+---------+
| Name | Scope |
+---------------------+---------+
| example | Public |
| foo.example | Private |
| baz.foo.example | Private |
| bar.example | Public |
| baz.bar.example | Private |
| www.baz.bar.example | Private |
+---------------------+---------+
Domain name scope based on the PSL entries from Table 1.
Table 2: Contrived PSL Entries
The PSL effectively identifies scope, insomuch as the list is
accurate. Of the 6,823 entries in the PSL at the time of this
writing, all but 50 are used to designate first-level public
boundaries; the remainder designate lower-level boundaries. The
Deccio & Levine Expires January 7, 2016 [Page 8]
Internet-Draft Concepts for Domain Name Relationships July 2015
primary function of the PSL, therefore, is to delineate first-level
public boundaries.
Matters of policy that can be settled simply by identifying the scope
of the names in question are thus addressed by the PSL. However, the
question of determining whether a policy-based relationship between
intra-scope names (with the possible exception of those of public
scope) are unaddressed.
5.1. Known Application Usage
The PSL is used by several browsers, including Mozilla Firefox, to
identify domain names as public or private. This is used for
validating the domain attribute of cookies. Additionally, it
provides visual and organizational convenience for readily
identifying the highest intra-scope private ancestor for a given
private domain name (i.e., the child of the domain name's nearest
public ancestor). This is useful for organizing names and URIs by
domain name, as in bookmarks, and for highlighting key parts of URIs
or certificates in the address bar or other parts of the browser
interface.
Existing DMARC implementations are known to use the PSL to assert
policy-based relationships between SPF- or DKIM-authenticated
validated domain names and domain name corresponding to the address
in the "From:" header. Such a relationship is identified if two
domain names are both of private scope and share an ancestral
relationship.
DMARC implementations also use the PSL to identify the highest intra-
scope ancestor of a (private) domain name for the purpose of looking
up the DMARC DNS record. The the appropriate ancestor name is
identified it is appended to the label "_dmarc" to find the
appropriate information in the DNS.
SSL certificate authorities use the PSL to ensure that wildcards are
not issued for domain names having public scope.
6. Solution Considerations
The problem discussed in this document is the association of domain
names for policy purposes. The PSL has been the de-facto
supplementary resource utilized for identifying such relationships.
The shortcomings of only having domain names and their scope (e.g.,
via the PSL) have been treated in Section Section 5.
An alternate paradigm for addressing the problem involves a system
Deccio & Levine Expires January 7, 2016 [Page 9]
Internet-Draft Concepts for Domain Name Relationships July 2015
wherein policy-based relationships are explicitly defined on a per-
domain name (pair) basis. For scalability and dynamic response this
is most effectively achieved through defining these relationships in
the DNS itself, e.g., through special records included in the DNS at
(or near) the domain names themselves, such as the mechanism proposed
in [I-D.sullivan-domain-origin-assert]. One benefit to this paradigm
is that it allows the definition of policy-based relationships
between arbitrary names at any locations in the DNS domain name tree,
and the notion of scope becomes moot. Another benefit is that it
puts the definition of those relationships in the hands of the
administrators and operators of the domain names themselves, rather
than a third party.
There are several challenges with the domain name-centric paradigm as
well. One challenge is that it requires correct, consistent, and
coordinated efforts by affected domain name operators. The number of
involved parties, moving parts, and dependencies introduces more
chance for error. Additionally, having the information available
online (e.g., in the DNS) means that consumption by local
applications is dependent on real-time Internet connectivity, which
is not always possible nor desirable.
Another solution set is that which includes both a scope definition
resource (e.g., the PSL) and a mechanism for explicit definition of
policy-based relationships on a per-domain name basis. In this case
the scope definitions are consulted first to determine whether a
policy-based relationship is possible, after which (if necessary)
special domain name-specific lookups are issued to further determine
whether such a relationship exists. This addresses what might be the
most common issues using a central, relatively simple, and
established mechanism, leaving the flexibility for additional
extensibility with domain name-specific relationship definitions.
We recommend that the cost and the value of the different solution
paradigms be considered when developing solutions for the problem of
defining policy-based relationships between domain names. As part of
this, the model of domain name relationships outlined in Section
Section 2.3 should be analyzed to consider which types of
relationships are most in demand, and which solutions are sufficient
for the circumstances in highest demand. Such will enable an
appropriate and usable balance of efficiency, robustness,
flexibility, and autonomy.
7. IANA Considerations
This document includes no requests for IANA.
Deccio & Levine Expires January 7, 2016 [Page 10]
Internet-Draft Concepts for Domain Name Relationships July 2015
8. Security Considerations
This document does not specify a protocol or usage and, therefore,
there are no new security considerations for it. There are security
considerations for major cases in which domain boundaries are used,
such as HTTP Cookies and DMARC, both discussed here. See the
Security Considerations of RFC 6265 [RFC6265] and
[I-D.kucherawy-dmarc-base].
9. Informative References
[CA/B-Ballot-74]
Certificate Authority(CA)/Browser Forum, "Ballot 74",
2015, <https://cabforum.org/2012/05/31/
ballot-74-updates-to-domain-and-ip-validation-high-risk-
requests-and-data-source-in-the-baseline-requirements/>.
[I-D.kucherawy-dmarc-base]
Kucherawy, M. and E. Zwicky, "Domain-based Message
Authentication, Reporting and Conformance (DMARC)",
draft-kucherawy-dmarc-base-13 (work in progress),
February 2015.
[I-D.sullivan-domain-origin-assert]
Sullivan, A., "Asserting DNS Administrative Boundaries
Within DNS Zones", draft-sullivan-domain-origin-assert-02
(work in progress), October 2012.
[NewgTLDs]
ICANN, "New Generic Top-Level Domains", 2015,
<http://newgtlds.icann.org/>.
[PSL] Mozilla Foundation, "Public Suffix List", 2015,
<https://publicsuffix.org/>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
Mechanism", RFC 2965, October 2000.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC5585] Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
Identified Mail (DKIM) Service Overview", RFC 5585,
Deccio & Levine Expires January 7, 2016 [Page 11]
Internet-Draft Concepts for Domain Name Relationships July 2015
July 2009.
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
April 2011.
[RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for
Authorizing Use of Domains in Email, Version 1", RFC 7208,
April 2014.
[RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Message Syntax and Routing", RFC 7230,
June 2014.
[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Semantics and Content", RFC 7231, June 2014.
Authors' Addresses
Casey Deccio
Verisign Labs
12061 Bluemont Way
Reston, VA 20190
USA
Phone: +1 703-948-3200
Email: cdeccio@verisign.com
John Levine
Taughannock Networks
PO Box 727
Trumansburg, NY 14886
Phone: +1 831 480 2300
Email: standards@taugh.com
URI: http://jl.ly
Deccio & Levine Expires January 7, 2016 [Page 12]