Internet DRAFT - draft-pp-add-stub-upgrade
draft-pp-add-stub-upgrade
Network Working Group P. Sood
Internet-Draft Google
Intended status: Standards Track P. Hoffman
Expires: January 1, 2021 ICANN
June 30, 2020
Upgrading Communication from Stub Resolvers to DoT or DoH
draft-pp-add-stub-upgrade-02
Abstract
This document describes methods for a DNS stub resolver to upgrade
its communications with a known recursive resolver to include
encrytion using DoT or DoH. This protocol is designed for the
scenario where the stub resolver already has the IP address of the
recursive resolver.
Other protocols under develpment address scenarios where the stub
resolver wants to discover recursive resolvers that use DoT or DoH.
This document does not cover such discovery.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 1, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Sood & Hoffman Expires January 1, 2021 [Page 1]
Internet-Draft Stub upgrade to DoT or DoH June 2020
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
2. Using RESINFO Responses for Upgrade . . . . . . . . . . . . . 3
2.1. Contacting This Resolver Using DoH . . . . . . . . . . . 3
2.2. Contacting This Resolver Using DoT . . . . . . . . . . . 3
2.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Method Overview . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Order of Desired Protocols . . . . . . . . . . . . . . . 6
4. Method Details . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Inputs to the Process . . . . . . . . . . . . . . . . . . 6
4.2. TLS Authentication . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5.1. Registration for doh-templates in the IANA DNS Resolver
Information Registry . . . . . . . . . . . . . . . . . . 7
5.2. Registration for dot-ports in the IANA DNS Resolver
Information Registry . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
A stub resolver (hereafter called "a stub") using traditional DNS
over port 53 may wish to use encrypted communication with the
recursive resolver (hereafter called "a resolver"). In such a
scenario, the stub needs to know how to probe the resolver to find
out if it can use encrypted communication. This document describes a
mechanism for a stub that knows the IP address of the resolver to do
so. It is assumed that the IP address was received insecurely, such
as through DHCP.
The method in this document assumes that a stub wants to attempt to
upgrade its communication with the resolver to either DNS-over-TLS
(DoT, [RFC7858]) or DNS-over-HTTPS (DoH, [RFC8484]). The method is
basically to use a DNS request as defined in [I-D.pp-add-resinfo] to
get information about whether the resolver supports DoT or DoH. The
method can later be extended to other secure transports for stub-to-
resolver communication transports.
Sood & Hoffman Expires January 1, 2021 [Page 2]
Internet-Draft Stub upgrade to DoT or DoH June 2020
1.1. Definitions
In the rest of this document, the term "resolver" without
qualification means "recursive resolver" as defined in [RFC8499].
Also, the term "stub" is used to mean "stub resolver".
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Using RESINFO Responses for Upgrade
This document defines two entries for the IANA DNS Resolver
Information Registry that is defined in [I-D.pp-add-resinfo].
2.1. Contacting This Resolver Using DoH
The "doh-templates" name is used to specify the URI template or
templates that can be used by the stub resolver for DoH queries. The
value MUST be an array of URI templates. Each element of the array
in the value is a JSON string. The host part of the URI template
MUST be an IP address.
[[ For future: maybe drop the "MUST be an IP address" restriction and
say that it can be either an IP address or host name. ]]
The array in the value can be empty, which indicates that the
resolver does not offer DoH service. An empty array and the absence
of a name/value pair for "doh-templates" have identical meanings.
The value of "doh-templates" is an array of strings instead of just
one string because a resolver might have more than one IP address or
URL paths. The order of the elements in the array has no meaning;
that is, the array could instead be considered a set.
[[ This section needs to be updated to handle DoH over HTTP/3. These
updates then need to be reflected in Section 3. ]]
2.2. Contacting This Resolver Using DoT
The "dot-ports" name is used to specify the port(s) that can be used
by the stub resolver for DoT queries. The value MUST be an array of
port numbers. Each element of the array in the value is a JSON
number.
Sood & Hoffman Expires January 1, 2021 [Page 3]
Internet-Draft Stub upgrade to DoT or DoH June 2020
The value of "dot-ports" is an array of numbers instead of just one
number because a resolver might support DoT on more than one port.
The order of the elements in the array has no meaning; that is, the
array could instead be considered a set.
The array in the value can be empty, which indicates that the
resolver does not offer DoT service. An empty array and the absence
of a name/value pair for "dot-ports" have identical meanings.
[[ For future: maybe add "dot-hostnames" to enable authentication.
]]
2.3. Examples
A resolver has two IP addresses, 192.0.2.222 and 203.0.113.77. It
offers DoH service, and offers DoT service on the default port. It's
response to the RESINFO query might be either one of:
{ "dot-ports": [ 853 ], "doh-templates":
[ "https://203.0.113.77//dns-query{?dns}",
"https://192.0.2.222//dns-query{?dns}" ] }
A resolver does not offer DoH service, but does offer DoT service on
the default port. It's response to the RESINFO query might be either
one of:
{ "dot-ports": [ 853 ], "doh-templates": [] }
or
{ "dot-ports": [ 853 ] }
3. Method Overview
The pseudocode for the method is:
# Things the stub resolver knows
# dohCapable Does the stub know how to do DoH
# dotCapable Does the stub know how to do DoT
# resIP IP address of resolver
# upgradeNoAuth Does the stub want to upgrade even if it can't
authenticate the TLS session
# insecureOK Does the stub want to use unauthenticated classic
DNS if DoH/DoT upgrades fail
[[ Need to fix dohCapable to deal with DoH templates that point to
resolvers other than the one queried. ]]
Sood & Hoffman Expires January 1, 2021 [Page 4]
Internet-Draft Stub upgrade to DoT or DoH June 2020
if dohCapable:
send a DNS query of resolver-info.arpa/IN/RESINFO
if there is a non-empty "doh-templates" name in the response:
for each template in the name/value pair:
start TLS session on resIP, port from DoH template
if it succeeds
if it authenticates correctly
resolve the URI template
if 200-level response
use result to do DoH; finished
else if 300-level response
follow redirect, act appropriately
else if 400-level response
continue
else if upgradeNoAuth:
resolve the URI template
if 200-level response
use result to do DoH; finished
else if 300-level response
follow redirect, act appropriately
else if 400-level response
continue
else
continue
else
continue
# no DoH template worked
if dotCapable:
send a DNS query of resolver-info.arpa/IN/RESINFO
if there is a non-empty "dot-ports" name in the response:
for each port in the name/value pair:
start TLS session on resIP and the port number
if it succeeds
if it authenticates correctly
start doing DoT; finished
else if upgradeNoAuth:
start doing DoT; finished
else
continue
else
continue
# no DoT port worked
if insecureOK:
Use unencrypted DNS on port 53
else
DNS transport setup failed
Sood & Hoffman Expires January 1, 2021 [Page 5]
Internet-Draft Stub upgrade to DoT or DoH June 2020
3.1. Order of Desired Protocols
The pseudocode in the previous section attempts to use DoH, DoT, and
unencrypted DNS, in that order. This is done to keep the pseudocode
simple while demonstrating one possible order of transport selection.
A stub implementation could attempt some or all of the available DNS
transports in an implementation-specific or user-defined order. For
example, possible lists of transports to attempt might be:
o DoH, DoT, classic DNS
o DoT, DoH
o DoT, classic DNS
o Classic DNS
4. Method Details
4.1. Inputs to the Process
The method described here requires the following information. It is
listed with variable names from the pseudocode in Section 3.
resIP The IP address of resolver. This can be either an IPv4 or
IPv6 address.
dohCapable Set to true if the stub knows how to be a DoH client
dotCapable Set to true if the stub knows how to be a DoT client
upgradeNoAuth Set to true the stub wants to use unauthenticated DoT
or DoH if it is available. Note that using unauthenticated DoT or
DoH is inherently insecure because an on-path attacker can
impersonate the resolver.
insecureOK Set to true if the stub wants to keep using classic
(unencrypted) DNS on port 53 if the attempt to upgrade fails.
Note that setting this to false will cause further DNS queries to
fail if upgrade fails.
[[ Add some possible implementation examples. Here's one. ]]
For example, if an OS implementation's design is "just try TLS on
port 853 of the current resolver", resIP is the resolver address,
dohCapable is false, dotCapable is true, and upgradeNoAuth is set to
true.
Sood & Hoffman Expires January 1, 2021 [Page 6]
Internet-Draft Stub upgrade to DoT or DoH June 2020
4.2. TLS Authentication
In this mechanism, the stub has an IP address of the resolver. It
does not necessarily have a domain name associated with that IP
address.
In order to authenticate TLS sessions, the stub resolver must have a
set of TLS trust anchors, such as those maintained by some operating
systems.
If the stub has a domain name associated with the resolver's IP
address, and if the resolver uses that domain name in one of the
subject identifiers in its certificate during the TLS exchange, the
stub can use the domain name for authentication of the TLS session.
The stub always has an IP address for the resolver. If the resolver
uses the same IP address used by the stub in one of the subject
identifiers in its certificate during the TLS exchange, the stub can
use the IP address for authentication of the TLS session.
A resolver that uses this method to publish its information SHOULD,
if possible, have a TLS certificate whose subject identifiers contain
any of the IP addresses that stubs might be using for the resolver.
At the time that this document is published, getting IP addresses in
TLS certificates is possible, but there are only a few widely-trusted
CAs that issue such certificates. [RFC8738] describes a protocol
that may cause IP address certificates to become more common.
5. IANA Considerations
This document defines two entries for the IANA DNS Resolver
Information Registry that is defined in [I-D.pp-add-resinfo].
5.1. Registration for doh-templates in the IANA DNS Resolver
Information Registry
Name: doh-templates
Value type: Array of strings
Specification: This document, Section 2.1
5.2. Registration for dot-ports in the IANA DNS Resolver Information
Registry
Name: dot-ports
Value type: Array of numbers
Sood & Hoffman Expires January 1, 2021 [Page 7]
Internet-Draft Stub upgrade to DoT or DoH June 2020
Specification: This document, Section 2.2
6. Security Considerations
The method described in this document explicitly allows a stub to
perform DNS communications over traditional unencrypted,
unauthenticated DNS on port 53.
The method described in this document explicitly allows a stub to
choose to allow unauthenticated TLS. In this case, the resulting
communication will be susceptible to obvious and well-understood
attacks from an attacker in the path of the communications.
7. References
7.1. Normative References
[I-D.pp-add-resinfo]
Sood, P. and P. Hoffman, "DNS Resolver Information Self-
publication", draft-pp-add-resinfo-01 (work in progress),
May 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>.
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>.
Sood & Hoffman Expires January 1, 2021 [Page 8]
Internet-Draft Stub upgrade to DoT or DoH June 2020
7.2. Informative References
[RFC8738] Shoemaker, R., "Automated Certificate Management
Environment (ACME) IP Identifier Validation Extension",
RFC 8738, DOI 10.17487/RFC8738, February 2020,
<https://www.rfc-editor.org/info/rfc8738>.
Authors' Addresses
Puneet Sood
Google
Email: puneets@google.com
Paul Hoffman
ICANN
Email: paul.hoffman@icann.org
Sood & Hoffman Expires January 1, 2021 [Page 9]