HOMENET W. Cloetens
Internet-Draft SoftAtHome
Intended status: Standards Track P. Lemordant
Expires: January 4, 2013 D. Migault (Ed)
Francetelecom - Orange
July 3, 2012
Home Network Front End Naming Delegation
draft-mglt-front-end-naming-delegation-00.txt
Abstract
This document proposes a Naming Delegation Architecture that makes it
possible for End Users to reach the hosts or services of their Home
Network using Names instead of IP addresses.
This document shows how the Naming Delegation between the CPE and the
ISP can be set so that the CPE is not exposed on the Internet. This
document describes a Naming Architecture where ISPs provide Front
End Delegating DNS Servers whereas the CPEs constitute a Back End
Network of Delegated DNS Servers. All DNS queries for any Home
Network are addressed to the Front End Delegating Server. The
response is expected to be stored on a CPE, and the Front End
Delegating DNS Server sends a DNS Query to that CPE before answering
the initial DNS query.
The negotiation between the CPE and the ISP uses DHCP Options.
This document provides options so that the Front End Delegating and
the Delegated DNS Servers can configure their respective Zone files
and so that CPEs restrict access and protect themselves from
unauthorized DNS Queries.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Cloetens, et al. Expires January 4, 2013 [Page 1]
Internet-Draft Home Network Front End Naming Delegation July 2012
This Internet-Draft will expire on January 4, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Front End Naming Delegation Architecture Overview . . . . . . 5
4.1. Home Network Naming Architecture Requirements . . . . . . 5
4.2. Front End Naming Delegation Architecture Description . . . 7
4.3. Front End Naming Delegation Configuration . . . . . . . . 8
4.4. Difference between the Front End Delegating DNS Server
and traditional DNS Recursive DNS Server . . . . . . . . . 10
4.5. How the Front End Configuration impacts the CPE . . . . . 11
5. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 11
5.1. CPE Request Creation and Transmission for the Front
End Naming Delegation Architecture . . . . . . . . . . . . 11
5.2. ISP DHCP Server Responding to the CPE Request for the
Front End Naming Delegation Architecture . . . . . . . . . 12
5.3. CPE Receiving the ISP DHCP Response for the Front End
Naming Delegation Architecture . . . . . . . . . . . . . . 12
6. DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.1. Delegated DNS Architecture Option . . . . . . . . . . . . 13
6.2. Front End Delegating Information Option . . . . . . . . . 14
6.3. Delegating Authorized Resolvers Option . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 15
9. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 16
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.1. Normative References . . . . . . . . . . . . . . . . . . . 16
10.2. Informational References . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Introduction
[I-D.mglt-naming-delegation] describes the Naming Delegation
Architecture that makes it possible for Services and Objects of a Home
Network to be globally reachable with Names on the Internet. For
that purpose, the Customer Premises Equipment (CPE) hosts the
authoritative DNS Server of the Home Network. The zone associated with
the Home Network ("my-homenet") is a subzone of a zone managed by the
ISP ("example."). This zone is attached to the global DNS
Architecture. Because the ISP delegates the Naming service to the
CPE, we call the DNS server responsible for "example." the Delegating
DNS Server, and the DNS server responsible for "my-homenet.example."
the Delegated DNS Server. The Delegated DNS Server runs on the CPE,
and [I-D.mglt-naming-delegation] describes how the CPE can
automatically set the Naming Delegation between the Delegated and the
Delegating DNS Server. The pieces of information necessary to
configure the respective DNS Zones are exchanged between the DHCP
client of the CPE and the ISP DHCP Server through DHCP Options.
The Naming Delegation Architecture of [I-D.mglt-naming-delegation]
results in a CPE hosting a Service on the Internet. CPEs have not
been designed for heavy load, and, as a result, the delegation exposes
the Home Network to potential Denial of Service attacks. The Front
End Naming Delegation Architecture proposed in this document is an
alternative to the Naming Delegation Architecture
[I-D.mglt-naming-delegation] where the ISP provides Front End
Delegating Servers that handle all DNS traffic. The CPE remains
responsible for the zone "my-homenet.example.", but only responds to
DNS queries sent by the Front End Delegating Servers. For this
reason we call the CPE Delegated DNS Server the Back End Delegated
DNS Server.
The Front End Naming Delegation Architecture can be seen as providing
an Authoritative DNS Server for all the Home Networks: the Front End
Delegating DNS Server. However, this Authoritative Server distributes
the Zone between multiple nodes (the CPEs). The CPEs constitute the
Back End Network. The Front End Delegating DNS Server receives DNS
queries from the Internet and, to respond, must retrieve the requested
information from the CPE hosting it. In this document, the Front End
Delegating DNS Server uses the DNS protocol to retrieve this
information from the CPE. Other protocols could have been chosen.
The Front End Naming Delegation Architecture is based on the Naming
Delegation Architecture [I-D.mglt-naming-delegation] and addresses
the same requirements. It addresses the Denial of Service security
issue. On the other hand, it requires the ISP to provide an adapted
infrastructure, and all DNS traffic is (partly) handled by the
ISP. The document shows how the CPE can be configured automatically
to be part of the Front End Naming Delegation Architecture.
In this document we only consider IPv6 and DHCP. As such, DHCP MUST
be understood as DHCPv6. We also assume the reader has read
[I-D.mglt-naming-delegation].
3. Terminology
This document uses the terminology defined in
[I-D.mglt-naming-delegation], and introduces the following
terminology:
- Front End Delegating DNS Server or Delegating DNS Server: The DNS
Server of the ISP that handles the DNS queries addressed to the
Home Network.
- Back End Delegated DNS Server or Delegated DNS Server: The DNS
Service hosted on the CPE.
- Front End Delegating Information: Information such as the FQDNs and
IP addresses of the Front End Delegating DNS Servers. These pieces
of information are provided by the ISP DHCP Server to the CPE so
it can properly configure its DNS zone file.
- Delegating Authorized Resolvers: The hosts that are authorized to
send DNS queries to the CPE. These Resolvers can be the Front End
Delegating DNS Servers, but we keep these functions independent
since some ISPs may use dedicated Interfaces for the Front End
Delegating DNS Servers and for the Delegating Authorized
Resolvers.
4. Front End Naming Delegation Architecture Overview
4.1. Home Network Naming Architecture Requirements
The Home Network Naming Requirements for the Naming Delegation listed
in [I-D.mglt-naming-delegation] are:
- 1: Centralized Naming Configuration: The CPE is responsible for
binding Names and IP addresses for the whole Home Network.
- 2: Automatic Configuration: The CPE MUST be able to set the Naming
architecture when plugged in, with minimum configuration from the
End User.
- 3: Advanced Configuration Enabled: The CPE enables advanced
specific configurations.
- 4: Privacy Protection By Design: The Names and the Home Network IP
address plan are administered by the CPE and are not
communicated to the ISP. This prevents the ISP from being aware of
the hosts, Services and Objects that compose the Home Network.
- 5: Make the Home Network Naming Architecture Scalable: The Naming
Architecture MUST be scalable and designed to handle a large
increase of Objects, Services and hosts in each Home Network.
The Naming Delegation Architecture fulfills these requirements, and
we consider this architecture as the base architecture. However,
this architecture's major drawback is that the CPE hosts the Delegated
DNS Server. CPEs are usually not designed to handle heavy traffic,
and thus are vulnerable to DoS attacks. The Front End Naming
Delegation Architecture adds one requirement to the currently
designed Naming Delegation Architecture [I-D.mglt-naming-delegation]:
- 6: The Naming Architecture MUST be protected by the ISP
Infrastructure: The CPE MUST NOT expose the Home Network Naming
service to DoS attacks. The ISP MUST be able to provide the
necessary infrastructure that handles DoS attacks or heavy
loads.
In order to meet Requirement 6, the Front End Naming Delegation
Architecture introduces Front End DNS Delegating Servers that handle
all DNS traffic. This means that all DNS queries that concern
the Home Network are addressed to the Front End DNS Delegating Server
of the ISP and are not addressed to the CPE. CPEs belong to the Back
End DNS Network.
The Front End DNS Naming Delegation Architecture fulfills all the
above Requirements. However, Requirement 4 needs to be balanced
against Requirement 6. Requirement 6 requires the ISP to handle all
DNS queries that concern the Home Network. This makes the ISP aware
of all queried Services, Objects and hosts in the Home Network. This
may, in that sense, reduce the Privacy of the Home Network compared
to the Naming Delegation Architecture. In fact, with the Naming
Delegation Architecture, the DNS query is directly sent to the CPE
when the DNS client has the IP address of the CPE in its cache. In
that case, the ISP is not aware of the existence of the queried FQDN.
However, if the DNS client does not have the IP address of the CPE,
then the DNS query is sent first to the ISP Delegating Server. In
this latter case, the Front End DNS Naming Delegation Architecture
does not provide less privacy than the Naming Delegation Architecture.
4.2. Front End Naming Delegation Architecture Description
Figure 1 shows how the Resolution is performed. In [1], the Resolver
sends a DNS query to the Front End Delegating Server for the host
"host1.my-homenet.example.". The Front End Delegating Server does not
have the response in its cache or in its zone file. The Front End
Delegating DNS Server MUST send a query to the Back End Delegated DNS
Server. The IP address of the Back End Delegated DNS Server MUST NOT
be revealed to the Resolver, for example by publishing it in the NS
records of the DNS Zone File. Figure 1 shows the Delegated Server
Information Database where this IP address is stored. The Front End
Delegating Server sends the DNS(SEC) query to the Back End Delegated
Server hosting the zone "my-homenet.example.". The source IP address
used is one of the Delegating Authorized Resolvers' IP addresses. This
query is represented in [2]. The Back End Delegated Server responds
in [3] with the DNS(SEC) Response. Note that the "AUTHORITY" and
"ADDITIONAL SECTION" of the DNS response MUST indicate the FQDN and
the IP addresses of the Front End Delegating DNS Server. These pieces
of information have been provided by the ISP DHCP Server with the
Front End Delegating Information DHCP Option. The CPE can also be
configured to respond without these fields. Finally, in [4], the
Front End Delegating Server forwards the DNS(SEC) response to the
Resolver. The "AUTHORITY" and "ADDITIONAL SECTION" fields MUST be
filled in appropriately.
+-----------------------------------+  [1] DNS Query                      +---+
| ZONE "example.":                  |  host1.my-homenet.example. AAAA     | R |
| Front End Delegating Servers      | <---------------------------------- | E |
|                                   |                                     | S |
| +-------------------------+       |  [4] DNS Response:                  | O |
| | Delegated Server Info   |       |  my-homenet.example. AAAA IP6       | L |
| | Database                |       |  [my-homenet.example. RRSIG [...] ] | V |
| +-------------------------+       | ----------------------------------> | E |
+-----------------------------------+                                     | R |
       |                          ^                                       +---+
  [2] DNS Query                   | [3] DNS Response:
  host1.my-homenet.example. AAAA  | my-homenet.example. AAAA IP6
       |                          | [my-homenet.example. RRSIG [...] ]
       v                          |
+-----------------------------------+
| CPE                               |
| Back End Delegated Server         |
| ZONE "my-homenet.example."        |
| IP6 DELEGATED_DNS_ADDR_INFO       |
+-----------------------------------+
        |                   |
  +------------+      +------------+
  |   Host 1   |      |   Host n   |
  +------------+      +------------+
Figure 1: DNS Resolution with the Home Network Delegating Architecture
4.3. Front End Naming Delegation Configuration
Figure 2 describes the interactions between the CPE and the ISP DHCP
Server.
Similarly to [I-D.mglt-naming-delegation], the CPE hosts a DHCP
Server (DHCP_SRV) that is used to assign IP addresses and FQDNs to
the Hosts of the Home Network. In this document we consider DHCP,
but other protocols can also be used in combination with DHCP or
instead of DHCP. The CPE also has a DHCP Client (DHCP_CLT) that is
used to exchange information with the ISP DHCP Server. This document
describes how these exchanges properly configure the Front End Naming
Delegation Architecture. The CPE also hosts an Authoritative DNS
Server (DNS_SRV) that is responsible for the subzone associated with
the Home Network. This Authoritative DNS Server is called the Back
End Delegated Server. Finally, the CPE also has a Firewall
(FIREWALL) that can be configured with security Policies. In this
document, the CPE is not expected to receive DNS queries from any
peer other than the Front End Delegating DNS Servers, which are in
the ISP Network.
In Figure 2, the CPE sends a DHCP Request for a Front End Naming
Delegation Architecture (DELEGATED_DNS_ARCHITECTURE). Similarly to
the Naming Delegation Architecture, the CPE provides the necessary
information so the ISP can derive the IP address of the Back End
Delegated DNS Server (DELEGATED_DNS_ADDR_INFO). If the CPE wants a
DNSSEC Delegation to be set, it also provides the Delegation of
Signing Information (DS). In our case, the CPE also sends a request
for a Prefix Delegation (IA_PD).
Unlike [I-D.mglt-naming-delegation], the IP address of the Back End
Delegated DNS Server is not mentioned in the Zone file of the Front
End Delegating DNS Server. In this document, the Back End Delegated
DNS Server is not expected to receive any DNS query from anyone but
the Front End Delegating DNS Server. For DNS Resolvers, the only
Authoritative DNS Server they are aware of is the Front End
Delegating DNS Server.
Similarly to [I-D.mglt-naming-delegation], the ISP DHCP Server
provides the CPE with the IP Prefix so the CPE can configure its
Prefix Delegation. To set the DNS(SEC) Naming Delegation, the ISP
DHCP Server indicates the type of Naming Delegation Architecture
agreed between the CPE and the ISP DHCP Server
(DELEGATED_DNS_ARCHITECTURE). In addition, the ISP DHCP Server
provides the Delegated Domain (DELEGATED_DOMAIN) as well as the IP
addresses and FQDNs of the Front End Delegating DNS Servers
(FRONT_END_DELEGATING_INFO). These pieces of information are
necessary to configure the zone file of the Home Network. In fact,
the zone file MUST be configured with the Front End Delegating
Servers as the authoritative servers. In addition, the ISP DHCP
Server may also provide the IP addresses or subnet prefixes of the
Delegating Authorized Resolvers (DELEGATING_AUTH_RESOLVERS). These
Resolvers are the only hosts expected to send DNS queries to the
CPE. DNS queries from any other IP address MUST be discarded.
Upon receiving these pieces of information, the Front End Delegating
Server and the Back End Delegated Server configure their Zones. In
addition, the CPE also configures its Firewall so as to discard any
DNS queries but those emitted from the Delegating Authorized
Resolvers.
<--------- Home Network ----------->   <--------- ISP ---------->
+--------+   +---------------------+   +-------------------------+
| Host 1 +---+ CPE                 |   | ISP DHCP                |
+--------+   +----------+----------+   +-------------------------+
    .        | DHCP_SRV | DHCP_CLT |   |                         |
    .        |    v     |          |   |                         |
    .        |    v     | DHCP Request ------------------------> |
    .        |    v     |          | DELEGATED_DNS_ARCHITECTURE, |
    .        +----------+          | DELEGATED_DNS_ADDR_INFO,    |
    .        | DNS_SRV  |          | ORO(IA_PD) [DS]             |
    .        +----------+          |   |                         |
    .        |    ^     | <------------------------ DHCP Reply   |
    .        |    ^     |          | DELEGATED_DNS_ARCHITECTURE, |
    .        |  < < < < < DHCP_CLT | DELEGATED_DOMAIN, IA_PD,    |
    .        |    v     |          | FRONT_END_DELEGATING_INFO,  |
+--------+   +----------+          | DELEGATING_AUTH_RESOLVERS   |
| Host n +---+ FIREWALL |          |   |                         |
+--------+   +----------+----------+   +-------------------------+
Figure 2: Front End Naming Delegation Architecture
4.4. Difference between the Front End Delegating DNS Server and
traditional DNS Recursive DNS Server
From Figure 1, one may mistake the Front End Delegating DNS Server
for a Recursive DNS Resolver. The main differences are:
- 1. The Front End Delegating DNS Server only performs Resolution
for the FQDNs that are hosted in one of the Back End Delegated
DNS Servers.
- 2. The Back End Delegated DNS Servers are not Public DNS servers.
More specifically, a Delegated DNS Server may have a public IP
address, but its DNS Service is provided only to the authorized
Resolvers.
As a result, the Front End Delegating DNS Server is a hybrid of an
Authoritative and a Recursive DNS Server. As an Authoritative
Server, the Response [4] in Figure 1 MUST have the Authoritative
Answer (AA) bit set, which indicates the Response is from an
Authoritative Server. Furthermore, the Resolution steps [2] and [3]
in Figure 1 MUST be performed even if the Recursion Desired (RD) bit
is not set in the DNS query [1].
It is also recommended that the Front End Delegating DNS Server
provides the Authority and Additional Sections of the Response in
[4] without considering the sections of [3]. In other words, it is
recommended not to forward these sections from [3], and the CPE should
be configured not to provide these sections in [3].
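As an added example (not code from the draft), the following Python model walks through the exchange of Figure 1 together with the rules of Sections 4.3 and 4.4: the Front End answers only for names held in its Delegated Server Information Database, resolves through the Back End even when RD is clear, sets AA and rebuilds the AUTHORITY and ADDITIONAL sections itself, while the CPE drops any query whose source is not a Delegating Authorized Resolver. Messages are Python objects rather than DNS wire format, the database is a plain dict, and every name, address and prefix is constructed for the example.

```python
# Model of the Figure 1 exchange (added example, not the draft's code).
# Messages are Python objects, not DNS wire format; all names, addresses
# and prefixes are constructed for the example.
from dataclasses import dataclass, field
import ipaddress

@dataclass
class DnsMessage:
    qname: str
    qtype: str = "AAAA"
    rd: bool = False        # Recursion Desired, set by the client
    aa: bool = False        # Authoritative Answer, set by the server
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

class BackEndDelegatedServer:   # authoritative for the Home Network zone, on the CPE
    def __init__(self, zone, records, front_ends, auth_resolvers):
        self.zone = zone                  # e.g. "my-homenet.example."
        self.records = records            # {(owner, type): rdata}
        self.front_ends = front_ends      # from OPTION_FRONT_END_DELEGATING_INFO
        # Firewall allow-list built from OPTION_DELEGATING_AUTH_RESOLVERS
        self.allowed = [ipaddress.ip_network(p) for p in auth_resolvers]

    def firewall_accepts(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.allowed)

    def handle(self, src_ip, query):
        if not self.firewall_accepts(src_ip):
            return None               # dropped on the WAN interface, no reply
        resp = DnsMessage(query.qname, query.qtype, rd=query.rd, aa=True)
        rdata = self.records.get((query.qname, query.qtype))
        if rdata is None:
            resp.rcode = "NXDOMAIN"
        else:
            resp.answer.append((query.qname, query.qtype, rdata))
        # AUTHORITY/ADDITIONAL name the Front End servers, never the CPE (4.2)
        for fqdn, addr in self.front_ends:
            resp.authority.append((self.zone, "NS", fqdn))
            resp.additional.append((fqdn, "AAAA", addr))
        return resp

class FrontEndDelegatingServer:   # what the public sees as authoritative
    def __init__(self, fqdn, addr, resolver_src_ip, delegated_db):
        self.fqdn, self.addr = fqdn, addr
        self.src_ip = resolver_src_ip     # a Delegating Authorized Resolver address
        self.db = delegated_db            # Delegated Server Info Database: zone -> CPE

    def lookup_zone(self, qname):
        # Longest-suffix match against the zones held by Back End servers
        for zone in sorted(self.db, key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                return zone
        return None

    def handle(self, query):
        zone = self.lookup_zone(query.qname)
        if zone is None:
            # Not a Home Network name: no general recursion is offered (4.4)
            return DnsMessage(query.qname, query.qtype, rd=query.rd, rcode="REFUSED")
        # Steps [2]/[3]: ask the Back End even when RD is clear (4.4)
        back = self.db[zone].handle(self.src_ip, DnsMessage(query.qname, query.qtype))
        if back is None:
            return DnsMessage(query.qname, query.qtype, rd=query.rd, rcode="SERVFAIL")
        # Step [4]: authoritative answer; sections of [3] are not forwarded (4.4)
        resp = DnsMessage(query.qname, query.qtype, rd=query.rd, aa=True,
                          rcode=back.rcode, answer=list(back.answer))
        resp.authority = [(zone, "NS", self.fqdn)]
        resp.additional = [(self.fqdn, "AAAA", self.addr)]
        return resp

# Constructed deployment: one Front End, one CPE zone, one resolver prefix
FRONT_ENDS = [("ns1.example.", "2001:db8:1::53")]
AUTH_RESOLVERS = ["2001:db8:1:ff::/64"]
cpe = BackEndDelegatedServer(
    "my-homenet.example.",
    {("host1.my-homenet.example.", "AAAA"): "2001:db8:cafe::1"},
    FRONT_ENDS, AUTH_RESOLVERS)
front = FrontEndDelegatingServer("ns1.example.", "2001:db8:1::53",
                                 "2001:db8:1:ff::1", {"my-homenet.example.": cpe})

def resolve(qname, rd=False):
    """Step [1]: a public Resolver asks the Front End."""
    return front.handle(DnsMessage(qname, rd=rd))

def direct_query(src_ip, qname):
    """A query aimed straight at the CPE WAN interface, bypassing the Front End."""
    return cpe.handle(src_ip, DnsMessage(qname))
```

direct_query() returns None when the source is outside the authorized prefix, which is the Firewall drop of Section 4.5, and a normal authoritative answer when the source is one of the Delegating Authorized Resolvers.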
4.5. How the Front End Configuration impacts the CPE
Figure 2 shows that the ISP DHCP Server provides the IP addresses of
the Front End Delegating DNS Servers as well as their Names. This is
the information the Back End Delegated DNS Server MUST put in its
Zone file, more specifically in the NS records.
Figure 2 also shows that the ISP DHCP Server provides the CPE with
the IP addresses or subnet prefixes of the Delegating Authorized
Resolvers. These are the IP addresses authorized to send DNS queries
that should not be discarded on the WAN Interface. Any other DNS
query on the WAN should be discarded. These rules are set by the
Firewall as represented in Figure 2.
The Firewall rules do not prevent the CPE from being a DNS forwarder
or a DNS Resolver for the hosts of the Home Network. In fact, the
CPE can still receive DNS queries from the LAN Interface. The issue
is that the CPE may provide multiple DNS Services. In this document,
we consider that the CPE provides at least an Authoritative DNS
Server on its WAN Interface for the Delegating Authorized Resolvers.
For the LAN Interface, the CPE may be configured in various ways,
depending on the ISP DNS Infrastructure. A first configuration
consists of configuring the CPE LAN DNS Service as a DNS forwarder.
In that case, the CPE DHCP server of the Home Network provides an IP
address of the CPE as the DNS Resolver. DNS queries for the Home
Network are answered by the CPE; others are forwarded to the Resolver
of the ISP. This resolver is provided via DHCP. Another alternative
consists of configuring the CPE as a Recursive DNS Server. Without
any specific configuration, DNS queries for the Home Network are
sent to the Front End Delegating DNS Server. Optimizations that
bypass the Front End Delegating DNS Server for the Home Network Zone
are CPE or software implementation specific.
5. Protocol Exchange
5.1. CPE Request Creation and Transmission for the Front End Naming
Delegation Architecture
When the CPE wants to set up a Front End Naming Delegation
Architecture, it requests this setup from the ISP DHCP Server. For
that purpose, we consider two new naming-delegation-actions:
SET_FRONT_END_NAMING_DELEGATION_WITH_DNS when the delegation is only
performed with DNS, or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC if
the CPE wants a DNSSEC delegation. These naming-delegation-actions
are defined as values of the Delegated DNS Architecture DHCP Option
(OPTION_DELEGATED_DNS_ARCHITECTURE). Then, the CPE proceeds as
described in [I-D.mglt-naming-delegation].
5.2. ISP DHCP Server Responding to the CPE Request for the Front End
Naming Delegation Architecture
When the DHCP Server receives a Delegated DNS Architecture DHCP
Option (OPTION_DELEGATED_DNS_ARCHITECTURE), a Delegated DNS Address
Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO) or a
Delegation of Signing DHCP Option (OPTION_DS), the DHCP Server
proceeds as described in [I-D.mglt-naming-delegation].
In addition, when the naming-delegation-action is set to
SET_FRONT_END_NAMING_DELEGATION_WITH_DNS or
SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC, the DHCP Server MUST
include two additional DHCP Options in the Response. The first is
the Front End Delegating Information DHCP Option
(OPTION_FRONT_END_DELEGATING_INFO), which indicates the FQDNs of the
Front End Delegating Servers and their associated IP addresses. The
DHCP Server MUST also include the Delegating Authorized Resolvers
DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS), which indicates the
IP addresses or subnet prefixes of the Delegating Authorized
Resolvers.
Note that the Naming Delegation is set differently for the Front End
Naming Delegation Architecture and for the Naming Delegation
Architecture. More specifically, in the Front End Naming Delegation
Architecture, the ISP DHCP Server MUST NOT make the IP address of the
Delegated DNS Server public in its zone file.
5.3. CPE Receiving the ISP DHCP Response for the Front End Naming
Delegation Architecture
Similarly to [I-D.mglt-naming-delegation], if the CPE has not
received all expected DHCP Options, or cannot proceed to the
configuration of the Naming Delegation Architecture, it MUST either
clear the Naming Delegation settings or proceed to the appropriate
settings.
When the CPE receives the Delegating Authorized Resolvers DHCP Option
(OPTION_DELEGATING_AUTH_RESOLVERS), the CPE may update its Firewall
rules. The Front End Delegating Information DHCP Option
(OPTION_FRONT_END_DELEGATING_INFO) is used to configure the DNS zone
of the Home Network.
The CPE may receive a Delegating Authorized Resolvers or a Front End
Delegating Information DHCP Option from the ISP DHCP Server that is
not a response to a Delegated DNS Architecture DHCP Option.
This may happen if the ISP DHCP Server is updating or modifying its
Front End Delegating DNS Servers or the associated Delegating
Authorized Resolvers. In that case, the CPE MUST make sure the
message comes from the ISP DHCP Server, and then update its Firewall
rules as well as its DNS zone file.
6. DHCP Options
The options detailed in this section are:
- Delegated DNS Architecture (OPTION_DELEGATED_DNS_ARCHITECTURE): is
used by the DHCP Client on the CPE to indicate how the Naming
Delegation Architecture should be configured. In return, it is
used by the ISP DHCP Server to report the Status Code.
- Front End Delegating Information DHCP Option
(OPTION_FRONT_END_DELEGATING_INFO): is used by the ISP DHCP Server
to provide the CPE with the FQDNs and IP addresses of the
Authoritative DNS Servers of the Home Network Zone. These
Authoritative DNS Servers are the Front End Delegating DNS Servers.
- Delegating Authorized Resolvers DHCP Option
(OPTION_DELEGATING_AUTH_RESOLVERS): is used by the ISP DHCP Server
to provide the CPE with the IP addresses or subnet prefixes of the
Delegating Authorized Resolvers. These are the resolvers
authorized to send DNS(SEC) queries to the CPE.
6.1. Delegated DNS Architecture Option
The Delegated DNS Architecture DHCP Option is defined in
[I-D.mglt-naming-delegation]. This document adds the two new
naming-delegation-actions defined below:
- SET_FRONT_END_NAMING_DELEGATION_WITH_DNS (2): Indicates that the
DHCP Server MUST set the Front End Naming Delegation Architecture
with DNS only, and MUST NOT consider DNSSEC Delegation.
- SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC (3): Indicates that
the DHCP Server MUST set the Front End Naming Delegation
Architecture with DNSSEC.
6.2. Front End Delegating Information Option
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPT_FRONT_END_DELEGATING_INFO |          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       front-end-length        |     front-end-fqdn-length     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                   front-end-delegating-fqdn                   /
|                                                               |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
|                         ipv6-address                          |
|                                                               |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
|                         ipv6-address                          |
|                                                               |
|                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- option-code: OPT_FRONT_END_DELEGATING_INFO (16 bits)
- option-len: Length (16 bits) of the Front End Delegating
Information Option in octets.
- front-end-length: Length (16 bits) of the Front End Delegating
Server.
- front-end-fqdn-length: Length (16 bits) of the Front End
Delegating Server FQDN.
- ipv6-address: IPv6 Address (128 bits).
6.3. Delegating Authorized Resolvers Option
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|OPTION_DELEGATED_AUTH_RESOLVERS|          option-len           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| prefix-length |                                               |
+-+-+-+-+-+-+-+-+                                               |
|                                                               |
|                          ipv6-prefix                          |
|                                                               |
|               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               | prefix-length |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
/                          ipv6-prefix                          /
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- option-code: OPTION_DELEGATED_AUTH_RESOLVERS (16 bits)
- option-len: Length (16 bits) of the Delegating Authorized
Resolvers Option in octets.
- prefix-length: Length (8 bits) for this prefix in bits.
- ipv6-prefix: IPv6 address or IPv6 prefix used by the authoritative
DNS server to send DNS queries to the delegated domain name.
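An added Python encoder and decoder (not from the draft) for the two options of Sections 6.2 and 6.3, with the length checks a CPE should apply before feeding the values into its zone file and Firewall rules. The draft leaves several details open, so the following are assumptions: the option codes are placeholders (the IANA values are TBD), FQDNs are carried as DNS wire-format labels, front-end-length counts the octets of one Front End entry after the field itself, ipv6-prefix is carried in ceil(prefix-length/8) octets, and an entry is repeated for each Front End server or prefix.

```python
# Encoder/decoder for OPTION_FRONT_END_DELEGATING_INFO (6.2) and
# OPTION_DELEGATING_AUTH_RESOLVERS (6.3). Added example, not the draft's code.
# Assumptions (the draft does not fix them): placeholder option codes, DNS
# wire-format FQDNs, front-end-length = octets of the entry after the field,
# ipv6-prefix carried in ceil(prefix-length/8) octets, entries repeat.
import ipaddress
import struct

OPTION_FRONT_END_DELEGATING_INFO = 0xFFF0   # placeholder, IANA value is TBD
OPTION_DELEGATING_AUTH_RESOLVERS = 0xFFF1   # placeholder, IANA value is TBD

def encode_fqdn(fqdn):
    labels = [lab for lab in fqdn.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_fqdn(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def encode_front_end_info(entries):
    """entries: [(fqdn, [ipv6 address, ...]), ...] for the Front End servers."""
    body = b""
    for fqdn, addrs in entries:
        name = encode_fqdn(fqdn)
        entry = struct.pack("!H", len(name)) + name          # front-end-fqdn-length
        entry += b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
        body += struct.pack("!H", len(entry)) + entry        # front-end-length
    return struct.pack("!HH", OPTION_FRONT_END_DELEGATING_INFO, len(body)) + body

def _check_header(opt, code):
    """Return the option body after validating option-code and option-len."""
    if len(opt) < 4:
        raise ValueError("option too short")
    got, olen = struct.unpack("!HH", opt[:4])
    if got != code or len(opt) != 4 + olen:
        raise ValueError("bad option-code or option-len")
    return opt[4:]

def decode_front_end_info(opt):
    body, off, entries = _check_header(opt, OPTION_FRONT_END_DELEGATING_INFO), 0, []
    try:
        while off < len(body):
            (elen,) = struct.unpack("!H", body[off:off + 2])
            entry = body[off + 2:off + 2 + elen]
            off += 2 + elen
            if len(entry) != elen:
                raise ValueError("front-end-length exceeds option-len")
            (flen,) = struct.unpack("!H", entry[:2])
            fqdn, end = decode_fqdn(entry, 2)
            if end != 2 + flen or (len(entry) - end) % 16:
                raise ValueError("malformed front-end entry")
            addrs = [str(ipaddress.IPv6Address(entry[i:i + 16]))
                     for i in range(end, len(entry), 16)]
            entries.append((fqdn, addrs))
    except (struct.error, IndexError) as exc:      # a field ran past the end
        raise ValueError("truncated option") from exc
    return entries

def encode_auth_resolvers(prefixes):
    """prefixes: ["2001:db8::/32", ...]; a bare address is sent as a /128."""
    body = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        nbytes = (net.prefixlen + 7) // 8
        body += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return struct.pack("!HH", OPTION_DELEGATING_AUTH_RESOLVERS, len(body)) + body

def decode_auth_resolvers(opt):
    body, off, nets = _check_header(opt, OPTION_DELEGATING_AUTH_RESOLVERS), 0, []
    while off < len(body):
        plen = body[off]
        off += 1
        if plen > 128:
            raise ValueError("prefix-length > 128")
        nbytes = (plen + 7) // 8
        raw = body[off:off + nbytes]
        off += nbytes
        if len(raw) != nbytes:
            raise ValueError("ipv6-prefix truncated")
        nets.append(ipaddress.IPv6Network((raw.ljust(16, b"\x00"), plen), strict=False))
    return nets
```

The decoded networks are what the CPE loads into its Firewall allow-list, and the decoded (fqdn, addresses) pairs are what it writes as NS records for the Home Network zone.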
7. IANA Considerations
This document adds two new DHCP Options:
- OPTION_FRONT_END_DELEGATING_INFO: TBD
- OPTION_DELEGATING_AUTH_RESOLVERS: TBD
8. Security Considerations
This document addresses the DoS security issue of
[I-D.mglt-naming-delegation]. Other security considerations remain
as described in [I-D.mglt-naming-delegation].
9. Acknowledgment
The authors wish to thank Ole Troan for pointing out issues with the
IPv6 routed home concept and placing the scope of this document in a
wider picture, Mark Townsley for encouragement and injecting a
healthy debate on the merits of the idea, Ulrik de Bie for providing
alternative solutions, Paul Mockapetris for pointing out issues of
the trustworthiness of a reverse lookup, and Christian Jacquenet for
seeing the value from a Service Provider point of view.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
10.2. Informational References
[I-D.mglt-naming-delegation]
Cloetens, W., Lemordant, P., and D. Migault, "IPv6 Home
Network Naming Delegation Architecture",
draft-mglt-naming-delegation-00 (work in progress),
July 2012.
Authors' Addresses
Wouter Cloetens
SoftAtHome
vaartdijk 3 701
3018 Wijgmaal
Belgium
Phone:
Email: wouter.cloetens@softathome.com
Philippe Lemordant
Francetelecom - Orange
2 avenue Pierre Marzin
22300 Lannion
France
Phone: +33 2 96 05 35 11
Email: philippe.lemordant@orange.com
Daniel Migault
Francetelecom - Orange
38 rue du General Leclerc
92794 Issy-les-Moulineaux Cedex 9
France
Phone: +33 1 45 29 60 52
Email: mglt.ietf@gmail.com