Internet DRAFT - draft-hildebrand-deth

draft-hildebrand-deth







Network Working Group                                      J. Hildebrand
Internet-Draft                                             Cisco Systems
Intended status: Informational                                P. Hoffman
Expires: September 22, 2016                                        ICANN
                                                          March 21, 2016


                    DNS Editing Through HTTPS (DETH)
                        draft-hildebrand-deth-00

Abstract

   There is a strong desire in many communities for service operators to
   be able to dynamically update DNS records in an easy-to-deploy,
   standardized method.  For example, operating SIP requires DNS records
   to be added and updated as the SIP service starts and is moved among
   different servers.  This document describes an HTTPS-based mechanism
   for service operators who are authorized by their DNS administrator
   to add, change, and delete DNS records.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 22, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Hildebrand & Hoffman   Expires September 22, 2016               [Page 1]

Internet-Draft                     I-D                        March 2016


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   This document describes a standardized mechanism called DNS Editing
   Through HTTPS (DETH) for developer-friendly dynamic DNS updates over
   HTTPS [RFC7230].  Such a mechanism allows a DNS administrator to
   authorize particular users to update the records in their zones
   without any manual intervention on the part of the DNS administrator.

   All transactions described here are authorized.  Two types of
   authorization are specified: authenticated by HTTP Digest [RFC7235]
   and OAUTH [RFC6749].  The DNS administrator can create policies to
   allow different users different capabilities for updating zones; such
   policies are outside the scope of this document.

   A client determines the DETH server for a zone using a DNS lookup.
   It then sends HTTPS queries to that server to get information about
   what the client can change, as well as requests for changes.

   The DETH protocol is meant for users who do not currently have a way
   to update a zone using the DNS protocol itself.  Although there
   already is a protocol for dynamic update of DNS records, [RFC3007],
   it is rarely used in practice for more anything more complicated than
   inserting a single A or AAAA record.  In many scenarios, using DETH
   is a simpler way to allow users to update a zone than provisioning
   DNS dynamic update.

   Some large DNS operators have implemented their own non-standard
   mechanisms for allowing users to update their DNS records, often
   using HTTP.  This indicates that HTTP-based update is desired in the
   industry, and a standardized mechanism could be valuable in many
   environments.

1.1.  Goals of this Protocol

   o  Authorized additions of a new record to a zone

   o  Authorized changes to the RDATA and TTL of a record in a zone

   o  Authorized deletions of a record from a zone

   o  Discovery of a URI used for editing a zone, such that the client
      doing the editing can tell that the server they are contacting is
      authorized for the record being edited




Hildebrand & Hoffman   Expires September 22, 2016               [Page 2]

Internet-Draft                     I-D                        March 2016


   o  Discovery of what actions can be taken by an authorized user

   o  Responses can give useful information about why a request was
      rejected

   o  Ease of writing an implementation for a wide variety of languages
      and platforms is of paramount importance

1.2.  Non-Goals for this Protocol

   o  Updating the contents of any type of configuration other than DNS
      zones

   o  Managing DNS servers for anything other than the contents of zones
      for which they are authoritative, such as causing them to reload a
      zone after update or to clear cache entries

   o  Pluggable authorization modules

   o  Editing records in DNS Classes other than IN

1.3.  Possible Deployment Architectures

   There are many ways that the DETH protocol could be deployed.  This
   section gives some sample architectures.

   Native:  An authoritative DNS server system also speaks DETH and uses
      the results of updates directly in the zones it serves.  The DETH
      protocol could be built into DNS server software.

   Bridge:  A DETH server is deployed in front of the management
      interface for an authoritative DNS server.  The DETH server
      receives authorized updates from users, and uses DNS dynamic
      update [RFC3007] to update the zones on the authoritative DNS
      server.

   Data store front end:  A DETH server receives authorized updates from
      users, modifies a DNS data store, tells DNS server to reload.

1.4.  Actors

   The following actors are used in this document:

   DETH Server:  A server that speaks HTTPS, and provides an
      implementation of the server side of the DETH API, rooted at a
      discoverable HTTPS URI.  The DETH Server is authorized by the
      associated DNS infrastructure for a set of domains to make policy




Hildebrand & Hoffman   Expires September 22, 2016               [Page 3]

Internet-Draft                     I-D                        March 2016


      decisions about DNS edits.  The DETH server is responsible for
      enforcing authorization in conformance with this policy.

   DETH Client:  A piece of authorized software that would like to make
      changes to one or more DNS records.  In order to make man-in-the-
      middle attacks more difficult, the DETH client is responsible for
      ensuring that it is communicating with the correct DETH Server for
      the domain it wants to modify.

   Parent Domain:  The thing that you want to add records to.  (Paul:
      need DNS terminology here)

1.5.  Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

2.  Protocol

   The DETH protocol uses a simple client-server interactions.  The
   client determines the location of the server either through a DNS
   lookup or local configuration.  After that, all protocol interactions
   are over HTTPS.

   In the following sections, the client wants to edit records in the
   "example.com" zone.  The HTTPS examples use the "dig" program [dig]
   and "curl" program [curl] to get URLs, but clients will most likely
   use internal calls to get this information.

2.1.  Determining the DETH Server for a Zone

   A client uses a DNS query with the TXT RTYPE using the name of the
   parent zone, prefixed with the "_deth" label, for the QNAME.  The
   answer is the base URI for the HTTPS server running the DETH
   protocol.  This URI returned MUST use the HTTPS scheme.

   For example, to find the DETH server for the "example.com" zone, the
   query would have a QNAME of "_deth.example.com" and a QTYPE of TXT.
   A command-line equivalent would be:

   $ dig +short TXT _deth.example.com
   https://example.com/deth/v1/

   If no TXT record is found for a name, the client can assume that the
   parent does not implement the DETH protocol.  However, explicit
   configuration might still allow a client to find a DETH server.



Hildebrand & Hoffman   Expires September 22, 2016               [Page 4]

Internet-Draft                     I-D                        March 2016


   If the DETH server is found using the DNS lookup described here, the
   client MUST perform the following checks before using the result:

   o  Ensure that the string is a valid HTTPS URI (see [RFC7230],
      section 2.7.2).

   o  Ensure that the TXT record has a valid DNSSEC [RFC4035] signature
      OR that the host portion of the URI matches the parent domain,
      with no port specified.

   o  Ensure that the certificate offered when the URI is accessed using
      HTTPS matches the domain name using the rules in [RFC6125].

   o  Ensure that the DETH server's certificate is signed by a trusted
      Certificate Authority.

2.2.  Determining Authorized Edits

   The DETH client does an HTTPS GET request to the DETH server go get a
   list of edits that the client is authorized to perform.  For example:

   curl -X GET https://example.com/deth/v1/

   Might return:

   {
     "A": {
       "URI": "https://example.com/deth/v1/A/",
       "methods": ["PUT", "DELETE"]
     },
     "AAAA": {
       "URI": "https://example.com/deth/v1/AAAA/",
       "methods": ["PUT"]
     },
     "SRV": {
       "URI": "https://example.com/deth/v1/example.com/SRV/",
       "methods": ["PUT", "DELETE"]
     },
     "TYPE255": {
       "URI": "https://example.com/deth/v1/example.com/TYPE255/",
       "methods": ["PUT", "DELETE"]
     }
   }

                        Figure 1: Directory Example

   The valid keys for the top level JSON object are a popular subset of
   [IANA-rrtypes], plus a mechanism for supporting all other RDATA.  The



Hildebrand & Hoffman   Expires September 22, 2016               [Page 5]

Internet-Draft                     I-D                        March 2016


   response is formally described in CDDL
   [I-D.greevenbosch-appsawg-cbor-cddl] as:

   directory = {
     * rrtype => edit_details
   }

   rrtype =  "A" / "AAAA" / "CNAME" / "NS" / "PTR" / "MX" /
             "TXT" / "SPF" / "SRV" /
             rrtype_num

   rrtype_num = tstr .regexp "TYPE\\d+"

   edit_details = {
     URI: tstr,
     methods: [+ method_name]
   }

   method_name = "GET" / "PUT" / "DELETE"

                       Figure 2: DETH Directory CDDL

3.  Authentication and Authorization

   All requests are authenticated either by by HTTP Digest [RFC7235] and
   OAUTH [RFC6749].  Parameters supported for either of these mechanisms
   are determined by the DETH Server.  This document makes no
   recommendations for best authentication practices beyond what have
   already been described in other documents published by the IETF.

   After the DETH server authenticates a user, it determines which
   actions that user is authorized to make.  If using HTTP Digest, the
   authorization policy probably comes from a database.  If using OAUTH,
   that determination might be part of the OAUTH interaction.

4.  Forming Request URIs

   When a client wants to edit a particular DNS record, it appends the
   full name of the record to the URI for the RTYPE found in the
   directory JSON (see Section 2.2).  For example, if the directory JSON
   was that specified in Figure 1, and the client wanted to edit a
   "AAAA" record for "foo.example.com", the URL would be

   https://example.com/deth/v1/AAAA/foo.example.com

   TODO: specify more rules about URL combination to avoid attacks.





Hildebrand & Hoffman   Expires September 22, 2016               [Page 6]

Internet-Draft                     I-D                        March 2016


5.  Record Editing

   This section describes the semantics of requests to edit DNS records.
   The specification covers how to specify which edits are desired, but
   does not yet cover how the DNS server deals with updating SOA
   records, nor how any DNSSEC records would need to be updated.

5.1.  Encoding in JSON

   The JSON sent to the URIs formed according to the rules in Section 4
   looks like:

   {
     "RTYPE": "AAAA",
     "v6address": "::1",
     "TTL": 3600,
     "comment": "This is my home"
   }

                         Figure 3: Update Example

   All of the potential updates are specified by the following CDDL:

   update = A_update / AAAA_update / CNAME_update / NS_update /
            PTR_update / MX_update / SRV_update / TXT_update /
            rrtype_update

   A_update = {
     RTYPE: "A",
     v4address: tstr,
     common
   }

   AAAA_update = {
     RTYPE: "AAAA",
     v6address: tstr,
     common
   }

   CNAME_update = {
     RTYPE: "CNAME",
     cname: tstr,
     common
   }

   NS_update = {
     RTYPE: "NS",
     nsdname: tstr,



Hildebrand & Hoffman   Expires September 22, 2016               [Page 7]

Internet-Draft                     I-D                        March 2016


     common
   }

   PTR_update = {
     RTYPE: "PTR",
     ptrdname: tstr,
     common
   }

   MX_update = {
     RTYPE: "MX",
     preference: uint,
     exchange: tstr,
     common
   }

   SRV_update = {
     RTYPE: "SRV",
     priority: uint,
     weight: uint,
     target: tstr,
     common
   }

   TXT_update = {
     RTYPE: "TXT",
     data: tstr,
     common
   }

   rrtype_update = {
     RTYPE: tstr .regexp "TYPE\\d+",
     RDATA: tstr,
     common
   }

   common = (
     ? TTL: uint,
     ? comment: tstr
   )

                        Figure 4: DETH Update CDDL

   For updates that match the rrtype_update syntax, the rules for
   encoding RDATA from [RFC3597] are used.






Hildebrand & Hoffman   Expires September 22, 2016               [Page 8]

Internet-Draft                     I-D                        March 2016


5.2.  Getting Records

   Sending "GET" requests to the URIs formed in Section 4 is supported
   in order to allow clients more easily edit records.

   TODO: The response types for "GET" responses will be specified in a
   future version of this document.

5.3.  Creating Records

   A new record is created by sending the desired JSON document that
   matches Figure 4 to the URI formed by the rules in Section 4, using
   the "POST" HTTP verb.

   If a TTL is not sent with the request, a system default will be used.
   The response from this "PUT" will be the JSON form of the record, as
   inserted.  This response MUST have the TTL included.

5.4.  Deleting Records

   A new record is created by sending the desired JSON document that
   matches Figure 4 to the URI formed by the rules in Section 4, using
   the "DELETE" HTTP verb.

   Currently, this will delete all matching records.  TODO: Once
   matching rules have been defined in a later version of this document,
   individual record deleting may be allowed.

5.5.  Updating Records

   Updating records in place is not yet specified.  A prerequisite for
   this feature will be a way to match existing records, so that only
   one of several existing records with the same name and RTYPE will be
   modified.

   For now, a combination of request as specified in Section 5.4 and
   Section 5.3 may be used.

   TODO: Add matching feature or change this section.

5.6.  Return Codes and Errors

   Errors use the approach from [I-D.ietf-appsawg-http-problem].

   TODO: Error information will be specified in a future revision of
   this document.





Hildebrand & Hoffman   Expires September 22, 2016               [Page 9]

Internet-Draft                     I-D                        March 2016


6.  IANA Considerations

   No new IANA registries are expected.

7.  Security Considerations

   Careful authorization of all edits is very important.  All changes
   that are allowed by this specification MUST be authorized using the
   model described.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
              (RR) Types", RFC 3597, DOI 10.17487/RFC3597, September
              2003, <http://www.rfc-editor.org/info/rfc3597>.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
              <http://www.rfc-editor.org/info/rfc4035>.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
              2011, <http://www.rfc-editor.org/info/rfc6125>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <http://www.rfc-editor.org/info/rfc6749>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7235]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Authentication", RFC 7235,
              DOI 10.17487/RFC7235, June 2014,
              <http://www.rfc-editor.org/info/rfc7235>.



Hildebrand & Hoffman   Expires September 22, 2016              [Page 10]

Internet-Draft                     I-D                        March 2016


8.2.  Informative References

   [I-D.greevenbosch-appsawg-cbor-cddl]
              Vigano, C. and H. Birkholz, "CBOR data definition language
              (CDDL): a notational convention to express CBOR data
              structures", draft-greevenbosch-appsawg-cbor-cddl-08 (work
              in progress), March 2016.

   [I-D.ietf-appsawg-http-problem]
              mnot, m. and E. Wilde, "Problem Details for HTTP APIs",
              draft-ietf-appsawg-http-problem-03 (work in progress),
              January 2016.

   [draft-jennings-app-dns-update]
              Jennings, C., Daly, T., and J. Hitchcock, "HTTP API for
              Updating DNS Records", 2009, <https://tools.ietf.org/html/
              draft-jennings-app-dns-update>.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
              <http://www.rfc-editor.org/info/rfc3007>.

   [dig]      ISC, "dig utility", 2016, <https://www.isc.org/downloads/
              bind/>.

   [curl]     Stenberg, D., "curl program", 2016,
              <https://curl.haxx.se/>.

   [IANA-rrtypes]
              IANA, "Resource Record TYPEs", February 2016,
              <http://www.iana.org/assignments/dns-parameters/
              dns-parameters.xhtml#dns-parameters-4>.

Appendix A.  Acknowledgements

   This document borrows heavily from many earlier protocols.  Some of
   the text of this document is liberally lifted from the long-expired
   [draft-jennings-app-dns-update].

Authors' Addresses

   Joe Hildebrand
   Cisco Systems

   Email: jhildebr@cisco.com






Hildebrand & Hoffman   Expires September 22, 2016              [Page 11]

Internet-Draft                     I-D                        March 2016


   Paul Hoffman
   ICANN

   Email: paul.hoffman@icann.org















































Hildebrand & Hoffman   Expires September 22, 2016              [Page 12]