-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathdraft-btw-add-home-08.txt
1624 lines (1100 loc) · 65.2 KB
/
draft-btw-add-home-08.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
ADD M. Boucadair
Internet-Draft Orange
Intended status: Standards Track T. Reddy
Expires: February 14, 2021 McAfee
D. Wing
Citrix
N. Cook
Open-Xchange
August 13, 2020
Encrypted DNS Discovery and Deployment Considerations for Home Networks
draft-btw-add-home-08
Abstract
This document discusses encrypted DNS (e.g., DoH, DoT, DoQ)
deployment considerations for home networks. It particularly
sketches the required steps to use of encrypted DNS capabilities
provided by local networks.
The document specifies new DHCP and Router Advertisement Options to
convey a DNS Authentication Domain Name.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 14, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Boucadair, et al. Expires February 14, 2021 [Page 1]
Internet-Draft Encrypted DNS in Home Networks August 2020
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Sample Deployment Scenarios . . . . . . . . . . . . . . . . . 5
3.1. Managed CPEs . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Unmanaged CPEs . . . . . . . . . . . . . . . . . . . . . 6
4. DNS Reference Identifier Option . . . . . . . . . . . . . . . 8
4.1. DHCPv6 Reference Identifier Option . . . . . . . . . . . 8
4.2. DHCP DNS Reference Identifier Option . . . . . . . . . . 10
4.3. RA DNS Reference Identifier Option . . . . . . . . . . . 12
5. Locating Encrypted DNS Servers . . . . . . . . . . . . . . . 13
6. DoH URI Templates . . . . . . . . . . . . . . . . . . . . . . 14
7. Make Use of Discovered Encrypted DNS Server . . . . . . . . . 15
7.1. Encrypted DNS Auto-Upgrade . . . . . . . . . . . . . . . 15
7.2. DNS Server Identity Assertion . . . . . . . . . . . . . . 15
7.3. Other Deployment Options . . . . . . . . . . . . . . . . 16
8. Hosting Encrypted DNS Forwarder in the CPE . . . . . . . . . 16
8.1. Managed CPEs . . . . . . . . . . . . . . . . . . . . . . 16
8.1.1. ACME . . . . . . . . . . . . . . . . . . . . . . . . 16
8.1.2. Auto-Upgrade Based on Domains and their Subdomains . 17
8.2. Unmanaged CPEs . . . . . . . . . . . . . . . . . . . . . 18
9. Legacy CPEs . . . . . . . . . . . . . . . . . . . . . . . . . 19
10. Security Considerations . . . . . . . . . . . . . . . . . . . 19
10.1. Spoofing Attacks . . . . . . . . . . . . . . . . . . . . 19
10.2. Deletion Attacks . . . . . . . . . . . . . . . . . . . . 21
10.3. Passive Attacks . . . . . . . . . . . . . . . . . . . . 21
10.4. Security Capabilities of CPEs . . . . . . . . . . . . . 21
10.5. Wireless Security - Authentication Attacks . . . . . . . 21
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
11.1. DHCPv6 Option . . . . . . . . . . . . . . . . . . . . . 22
11.2. DHCP Option . . . . . . . . . . . . . . . . . . . . . . 22
11.3. RA Option . . . . . . . . . . . . . . . . . . . . . . . 23
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
13.1. Normative References . . . . . . . . . . . . . . . . . . 23
13.2. Informative References . . . . . . . . . . . . . . . . . 24
Appendix A. Customized Port Numbers and IP Addresses . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
Boucadair, et al. Expires February 14, 2021 [Page 2]
Internet-Draft Encrypted DNS in Home Networks August 2020
1. Introduction
Internet Service Providers (ISPs) traditionally provide DNS resolvers
to their customers. Typically, ISPs deploy the following mechanisms
to advertise a list of DNS Recursive DNS server(s) to their
customers:
o Protocol Configuration Options in cellular networks [TS.24008].
o DHCP [RFC2132] (Domain Name Server Option) or DHCPv6
[RFC8415][RFC3646] (OPTION_DNS_SERVERS).
o IPv6 Router Advertisement [RFC4861][RFC8106] (Type 25 (Recursive
DNS Server Option)).
The communication between a customer's device (possibly via Customer
Premises Equipment (CPE)) and an ISP-supplied DNS resolver takes
place by using cleartext DNS messages (Do53)
[I-D.ietf-dnsop-terminology-ter]. Some examples are depicted in
Figure 1. In the case of cellular networks, the cellular network
will provide connectivity directly to a host (e.g., smartphone,
tablet) or via a CPE. Do53 mechanisms used within the Local Area
Network (LAN) are similar in both fixed and cellular CPE-based
broadband service offerings.
(a) Fixed Networks
,--,--,--. ,--,--,--.
,-' +--+ `-. ,-' ISP `-.
( LAN |H | CPE----( )
`-. +--+ ,-' `-. ,-'
`--'|-'--' `--'--'--'
| |
|<=======Do53========>|
(b) Cellular Networks
|<===========Do53=========>|
,--,-|,--. |
,-' +--+ `-. ,--,--,--.
( LAN |H | CPE------------+ \
`-. +--+ ,-' ,' ISP `-.
`--'--'--' ( )
+-----+-. ,-'
+--+ | `--'--'--'
|H +------------+
+--+
Legend:
* H: refers to a host.
Figure 1: Sample Legacy Deployments
Boucadair, et al. Expires February 14, 2021 [Page 3]
Internet-Draft Encrypted DNS in Home Networks August 2020
This document focuses on the support of encrypted DNS such as DNS-
over-HTTPS (DoH) [RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-
over-QUIC (DoQ) [I-D.ietf-dprive-dnsoquic] in local networks. In
particular, the document describes how a local encrypted DNS server
can be discovered and used by connected hosts. This document
specifies options that allow DNS clients to discover local encrypted
DNS servers. Section 4 describes DHCP, DHCPv6, and RA options to
convey the DNS Authentication Domain Name (ADN) [RFC8310].
Some ISPs rely upon external resolvers (e.g., outsourced service or
public resolvers); these ISPs provide their customers with the IP
addresses of these resolvers. These addresses are typically
configured on CPEs using the same mechanisms listed above. Likewise,
users can modify the default DNS configuration of their CPEs (e.g.,
supplied by their ISP) to configure their favorite DNS servers. This
document permits such deployments.
Both managed and unmanaged CPEs are discussed in the document
(Section 3). Also, considerations related to hosting a DNS forwarder
in the CPE are described (Section 8).
Hosts and/or CPEs may be connected to multiple networks; each
providing their own DNS configuration using the discovery mechanisms
specified in this document. Nevertheless, it is out of the scope of
this specification to discuss DNS selection of multi-interface
devices. The reader may refer to [RFC6731] for a discussion of
issues and an example of DNS server selection for multi-interfaced
devices.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document makes use of the terms defined in [RFC8499] and
[I-D.ietf-dnsop-terminology-ter].
Do53 refers to unencrypted DNS.
'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS.
Boucadair, et al. Expires February 14, 2021 [Page 4]
Internet-Draft Encrypted DNS in Home Networks August 2020
3. Sample Deployment Scenarios
3.1. Managed CPEs
ISPs have developed an expertise in managing service-specific
configuration information (e.g., CPE WAN Management Protocol
[TR-069]). For example, these tools may be used to provision the ADN
to managed CPEs if an encrypted DNS is supported by a local network
similar to what is depicted in Figure 2.
For example, DoH-capable (or DoT) clients establish the DoH (or DoT)
session with the discovered DoH (or DoT) server.
The DNS client discovers whether the DNS server in the local network
supports DoH/DoT/DoQ by using a dedicated field in the discovery
message: Encrypted DNS Types (Section 4).
(a) Fixed Networks
,--,--,--. ,--,--,--.
,-' +--+ `-. ,-' ISP `-.
( LAN |H | CPE----( DNS Server )
`-. +--+ ,-' `-. ,-'
`--'|-'--' `--'--'--'
| |
|<===Encrypted DNS===>|
(b) Cellular Networks
|<=====Encrypted DNS======>|
,--,-|,--. |
,-' +--+ `-. ,--,--,--.
( LAN |H | CPE------------+ \
`-. +--+ ,-' ,' ISP `-.
`--'--'--' ( DNS Server )
+-----+-. ,-'
+--+ | `--'--'--'
|H +-----------+
+--+
Figure 2: Encrypted DNS in the WAN
Figure 2 shows the scenario where the CPE relays the list of
encrypted DNS servers it learns for the network by using mechanisms
like DHCP or a specific Router Advertisement message. In such
context, direct encrypted DNS sessions will be established between a
host serviced by a CPE and an ISP-supplied encrypted DNS server (see
the example depicted in Figure 3 for a DoH/DoT-capable host).
Boucadair, et al. Expires February 14, 2021 [Page 5]
Internet-Draft Encrypted DNS in Home Networks August 2020
,--,--,--. ,--,--,--.
,-' `-. ,-' ISP `-.
Host---( LAN CPE----( DNS Server )
| `-. ,-' `-. ,-'
| `--'--'--' `--'--'--'
| |
|<=========Encrypted DNS===========>|
Figure 3: Direct Encrypted DNS Sessions
Figure 4 shows a deployment where the CPE embeds a caching DNS
forwarder. The CPE advertises itself as the default DNS server to
the hosts it serves. The CPE relies upon DHCP or RA to advertise
itself to internal hosts as the default DoT/DoH/Do53 server. When
receiving a DNS request it cannot handle locally, the CPE forwards
the request to an upstream DoH/DoT/Do53 resolver. Such deployment is
required for IPv4 service continuity purposes (e.g.,
[I-D.ietf-v6ops-rfc7084-bis]) or for supporting advanced services
within the home (e.g., malware filtering, parental control,
Manufacturer Usage Description (MUD) [RFC8520] to only allow intended
communications to and from an IoT device). When the CPE behaves as a
DNS forwarder, DNS communications can be decomposed into two legs:
o The leg between an internal host and the CPE.
o The leg between the CPE and an upstream DNS resolver.
An ISP that offers encrypted DNS to its customers may enable
encrypted DNS in both legs as shown in Figure 4. Additional
considerations related to this deployment are discussed in Section 8.
,--,--,--. ,--,--,--.
,-' `-. ,-' ISP `-.
Host---( LAN CPE----( DNS Server )
| `-. ,-'| `-. ,-'
| `--'--'--' | `--'--'--'
| | |
|<=====Encrypted=====>|<=Encrypted=>|
DNS DNS
Figure 4: Proxied Encrypted DNS Sessions
3.2. Unmanaged CPEs
Customers may decide to deploy unmanaged CPEs (assuming the CPE is
compliant with the network access technical specification that is
usually published by ISPs). Upon attachment to the network, an
unmanaged CPE receives from the network its service configuration
Boucadair, et al. Expires February 14, 2021 [Page 6]
Internet-Draft Encrypted DNS in Home Networks August 2020
(including the DNS information) by means of, e.g., DHCP. That DNS
information is shared within the LAN following the same mechanisms as
those discussed in Section 3.1. A host can thus, for example,
establish DoH/DoT session with a DoH/DoT server similar to what is
depicted in Figure 3.
Customers may also decide to deploy internal home routers (called
hereafter, Internal CPEs) for a variety of reasons that are not
detailed here. Absent any explicit configuration on the internal CPE
to override the DNS configuration it receives from the ISP-supplied
CPE, an Internal CPE relays the DNS information it receives via DHCP/
RA from the ISP-supplied CPE to connected hosts. Encrypted DNS
sessions can be established by a host with the DNS servers of the ISP
(see Figure 5).
,--,--,--. ,--,--,--.
,-' Internal ,-' ISP `-.
Host--( Network#A CPE----CPE---( DNS Server )
| `-. ,-' `-. ,-'
| `--'--'--' `--'--'--'
| |
|<==============Encrypted DNS=============>|
Figure 5: Direct Encrypted DNS Sessions with the ISP DNS Resolver
(Internal CPE)
Similar to managed CPEs, a user may modify the default DNS
configuration of an unmanaged CPE to use his/her favorite DNS servers
instead. Encrypted DNS sessions can be established directly between
a host and a 3rd Party DNS server (see Figure 6).
,--,--,--. ,--,
,' Internal ,-' '- 3rd Party
Host--( Network#A CPE----CPE---( ISP )--- DNS Server
| `. ,-' `-. -' |
| `-'--'--' `--' |
| |
|<=================Encrypted DNS==================>|
Figure 6: Direct Encrypted DNS Sessions with a Third Party DNS
Resolver
Section 8.2 discusses considerations related to hosting a forwarder
in the Internal CPE.
Boucadair, et al. Expires February 14, 2021 [Page 7]
Internet-Draft Encrypted DNS in Home Networks August 2020
4. DNS Reference Identifier Option
This section describes how a DNS client can discover the ADN of local
encrypted DNS server(s) using DHCP (Sections 4.1 and 4.2) and
Neighbor Discovery protocol (Section 4.3).
As reported in Section 1.7.2 of [RFC6125]:
"few certification authorities issue server certificates based on
IP addresses, but preliminary evidence indicates that such
certificates are a very small percentage (less than 1%) of issued
certificates".
In order to allow for PKIX-based authentication between a DNS client
and an encrypted DNS server while accommodating the current best
practices for issuing certificates, this document allows for
configuring an authentication domain name to be presented as a
reference identifier for DNS authentication purposes.
The DNS client establishes an encrypted DNS session with the
discovered DNS IP address(es) (Section 5) and uses the mechanism
discussed in Section 8 of [RFC8310] to authenticate the DNS server
certificate using the authentication domain name conveyed in the DNS
Reference Identifier. This assumes that default port numbers are
used to establish an encrypted DNS session (e.g., 853 for DoT, 443
for DoH). A discussion on the use of customized port numbers is
included in Appendix A.
If the DNS Reference Identifier is discovered by a host using both RA
and DHCP, the rules discussed in Section 5.3.1 of [RFC8106] MUST be
followed.
4.1. DHCPv6 Reference Identifier Option
The DHCPv6 Reference Identifier option is used to configure an
authentication domain name of the encrypted DNS server. The format
of this option is shown in Figure 7.
Boucadair, et al. Expires February 14, 2021 [Page 8]
Internet-Draft Encrypted DNS in Home Networks August 2020
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_V6_DNS_RI | Option-length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encr DNS Types| |
+---------------+ |
| |
~ Authentication Domain Name ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: DHCPv6 DNS Reference Identifier Option
The fields of the option shown in Figure 7 are as follows:
o Option-code: OPTION_V6_DNS_RI (TBA1, see Section 11.1)
o Option-length: Length of the enclosed data in octets.
o Encr DNS Types (Encrypted DNS Types): Indicates the type(s) of the
encrypted DNS server conveyed in this attribute. The format of
this 8-bit field is shown in Figure 8.
+-+-+-+-+-+-+-+-+
|U|U|U|U|U|Q|H|T|
+-+-+-+-+-+-+-+-+
Figure 8: Encrypted DNS Types
T: If set, this bit indicates that the server supports DoT
[RFC7858].
H: If set, this bit indicates that the server supports DoH
[RFC8484].
Q: If set, this bit indicates that the server supports DoQ
[I-D.ietf-dprive-dnsoquic].
U: Unassigned bits. These bits MUST be unset by the sender.
Associating a meaning with an unassigned bit can be done via
Standards Action [RFC8126].
In a request, these bits are assigned to indicate the requested
encrypted DNS server type(s) by the client. In a response, these
bits are set as a function of the encrypted DNS supported by the
server and the requested encrypted DNS server type(s).
To keep the packet small, if more than one encrypted DNS type
(e.g., both DoH and DoT) are to be returned to a requesting client
and the same ADN is used for these types, the corresponding bits
MUST be set in the 'Encrypted DNS Types' field of the same option
instance in a response. For example, if the client requested DoH
Boucadair, et al. Expires February 14, 2021 [Page 9]
Internet-Draft Encrypted DNS in Home Networks August 2020
and DoTand the server supports both, then both T and H bits must
be set.
o Authentication Domain Name: A fully qualified domain name of the
encrypted DNS server. This field is formatted as specified in
Section 10 of [RFC8415].
An example of the Authentication Domain Name encoding is shown in
Figure 9. This example conveys the FQDN "doh1.example.com.".
+------+------+------+------+------+------+------+------+------+
| 0x04 | d | o | h | 1 | 0x07 | e | x | a |
+------+------+------+------+------+------+------+------+------+
| m | p | l | e | 0x03 | c | o | m | 0x00 |
+------+------+------+------+------+------+------+------+------+
Figure 9: An example of the authentication-domain-name Encoding
Multiple instances of OPTION_V6_DNS_RI may be returned to a DHCPv6
client; each pointing to a distinct encrypted DNS server type.
To discover an encrypted DNS server, the DHCPv6 client including
OPTION_V6_DNS_RI in an Option Request Option (ORO), as in Sections
18.2.1, 18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7 of [RFC8415]. The
DHCPv6 client sets the Encrypted DNS Types field to the requested
encrypted DNS server type(s).
If the DHCPv6 client requested more than one encrypted DNS server
type, the DHCP client MUST be prepared to receive multiple DHCP
OPTION_V6_DNS_RI options; each option is to be treated as a separate
encrypted DNS server.
4.2. DHCP DNS Reference Identifier Option
The DHCP DNS Reference Identifier option is used to configure an
authentication domain name of the encrypted DNS server. The format
of this option is illustrated in Figure 10.
Boucadair, et al. Expires February 14, 2021 [Page 10]
Internet-Draft Encrypted DNS in Home Networks August 2020
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TBA2 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encr DNS Types| |
+-+-+-+-+-+-+-+-+ |
| |
~ Authentication Domain Name ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
with:
Authentication Domain Name
+-----+-----+-----+-----+-----+--
| s1 | s2 | s3 | s4 | s5 | ...
+-----+-----+-----+-----+-----+--
The values s1, s2, s3, etc. represent the domain name labels in the
domain name encoding.
Figure 10: DHCP DNS Reference Identifier Option
The fields of the option shown in Figure 10 are as follows:
o Code: OPTION_V4_DNS_RI (TBA2, see Section 11.2).
o Length: Length of the enclosed data in octets.
o Encr DNS Types (Encrypted DNS Types): Indicates the type(s) of the
encrypted DNS server conveyed in this attribute. The format of
this field is shown in Figure 8.
o Authentication Domain Name: The domain name of the DoH/DoT server.
This field is formatted as specified in Section 10 of [RFC8415].
OPTION_V4_DNS_RI is a concatenation-requiring option. As such, the
mechanism specified in [RFC3396] MUST be used if OPTION_V4_DNS_RI
exceeds the maximum DHCP option size of 255 octets.
To discover an encrypted DNS server, the DHCP client requests the
Encrypted DNS Reference Identifier by including OPTION_V4_DNS_RI in a
Parameter Request List option [RFC2132]. The DHCP client sets the
Encrypted DNS Types field to the requested encrypted DNS server.
If the DHCP client requested more than one encrypted DNS server type,
the DHCP client MUST be prepared to receive multiple DHCP
OPTION_V4_DNS_RI options; each option is to be treated as a separate
encrypted DNS server.
Boucadair, et al. Expires February 14, 2021 [Page 11]
Internet-Draft Encrypted DNS in Home Networks August 2020
4.3. RA DNS Reference Identifier Option
The IPv6 Router Advertisement (RA) DNS Reference Identifier option is
used to configure an authentication domain name of the DoH/DoT
server. The format of this option is illustrated in Figure 11.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Encr DNS Types| Unassigned |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
: Authentication Domain Name :
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: RA DNS Reference Identifier Option
The fields of the option shown in Figure 11 are as follows:
o Type: 8-bit identifier of the DNS Reference Identifier Option as
assigned by IANA (TBA3, see Section 11.3).
o Length: 8-bit unsigned integer. The length of the option
(including the Type and Length fields) is in units of 8 octets.
o Encr DNS Types (Encrypted DNS Types): Indicates the type(s) of the
encrypted DNS server conveyed in this attribute. The format of
this field is shown in Figure 8.
o Unassigned: This field is unused. It MUST be initialized to zero
by the sender and MUST be ignored by the receiver.
o Lifetime: 32-bit unsigned integer. The maximum time in seconds
(relative to the time the packet is received) over which the
authentication domain name MAY be used as a DNS Reference
Identifier.
The value of Lifetime SHOULD by default be at least 3 *
MaxRtrAdvInterval, where MaxRtrAdvInterval is the maximum RA
interval as defined in [RFC4861].
A value of all one bits (0xffffffff) represents infinity.
A value of zero means that the DNS Reference Identifier MUST no
longer be used.
o Authentication Domain Name: The domain name of the encrypted DNS
server. This field is formatted as specified in Section 10 of
[RFC8415].
Boucadair, et al. Expires February 14, 2021 [Page 12]
Internet-Draft Encrypted DNS in Home Networks August 2020
This field MUST be padded with zeros so that its size is a
multiple of 8 octets.
5. Locating Encrypted DNS Servers
From an IP reachability standpoint, encrypted DNS servers SHOULD be
located by their address literals rather than passing the discovered
names (ADN) to a resolution library. This avoids adding a dependency
on another server to resolve the ADN.
In the various scenarios sketched in Section 3, encrypted DNS servers
may terminate on the same IP address or distinct IP addresses.
Terminating encrypted DNS servers on the same or distinct IP
addresses is deployment-specific.
In order to optimize the size of discovery messages when all servers
terminate on the same IP address, a CPE or a host relies upon the
discovery mechanisms specified in [RFC2132][RFC3646][RFC8106] to
retrieve a list of IP addresses to reach their DNS servers.
In deployments where encrypted DNS servers are not co-located, a list
of servers that is composed of encrypted DNS servers can be returned
using in [RFC2132][RFC3646][RFC8106]. For example, a host that is
also DoH-capable (and/or DoT-capable), will try to establish a DoH
(and/or DoT) session to that list. DoT and/or DoH are supported if
the client succeeds to establish a session.
Let's consider that the DoH server is reachable at
2001:db8:122:300::2 while the Do53 server is reachable at
2001:db8:122:300::1. The DHCP server will then return a list that
includes both 2001:db8:122:300::1 and 2001:db8:122:300::2 to a
requesting DNS client. That list is passed to the DNS client. The
DNS clients will try connecting to the DNS servers using both IP
addresses and the standard ports for DoH and Do53 protocols in a
fashion similar to the Happy Eyeballs mechanism defined in [RFC8305].
The DoH client selects the IP address 2001:db8:122:300::2 with which
the TLS session is established, whereas the legacy Do53 client
selects the IP address 2001:db8:122:300::1 with which cleartext DNS
messages are exchanged over UDP or TCP.
Boucadair, et al. Expires February 14, 2021 [Page 13]
Internet-Draft Encrypted DNS in Home Networks August 2020
Legacy Do53
client
|<===RA======|
| {RI,@1,@2} | |
| | |
|========Do53 Query=======>|
| | --,--,-
,+-,--,--. | ,/ S1 (@1)\.
,-' `-. | ,-' ISP `-.
DoH/DoT --( LAN CPE----( )
capable client `-. ,-'| `-. S2 (@2) ,-'
| `--'--'--' | `--'--'--'
|<=========RA==========| |
| {RI,@1,@2} | |
| |
|<===============DoT/DoH============>|
Legend:
* S1: Do53 server
* S2: DoH/DoT server
* @1: IP address of S1
* @1: IP address of S2
* RI: DNS Reference Identifier
The DHCP server may return a customized DNS configuration ([RFC7969])
as a function of the requested DHCP options. For example, if the
DHCP client does not include a DNS Reference Identifier option in its
request, the DHCP server will return the IP address of the Do53
server (2001:db8:122:300::1). If a DNS Reference Identifier option
is present in the request, the DHCP server returns the IP address(es)
of the DoH server (2001:db8:122:300::2) (or 2001:db8:122:300::2 and
2001:db8:122:300::1 in this order).
An alternate design where a list of IP addresses is also included in
the same option conveying ADN is discussed in Appendix A.
6. DoH URI Templates
DoH servers may support more than one URI Template [RFC8484]. Also,
if the resolver hosts several DoH services (e.g., no-filtering,
blocking adult content, blocking malware), these services can be
discovered as templates. The following discusses a mechanism for a
DoH client to retrieve the list of supported templates by a DoH
server.
Upon discovery of a DoH resolver (Section 4), the DoH client contacts
that DoH resolver to retrieve the list of supported DoH services
using the well-known URI defined in
Boucadair, et al. Expires February 14, 2021 [Page 14]
Internet-Draft Encrypted DNS in Home Networks August 2020
[I-D.btw-add-rfc8484-clarification]. DoH clients re-iterates that
request regularly to retrieve an updated list of supported DoH
services. Note that a "push" mode can be considered using the
mechanism defined in [I-D.ietf-dnssd-push].
How a DoH client makes use of the configured DoH services is out of
scope of this document.
7. Make Use of Discovered Encrypted DNS Server
Even if the use of a discovered encrypted DNS server is beyond the
discovery process and falls under encrypted server selection, the
following subsections discuss conditions under which discovered
encrypted DNS server can be used.
7.1. Encrypted DNS Auto-Upgrade
Additional considerations are discussed below for the use of DoH and
DoT servers provided by local networks:
o If the DNS server's IP address discovered by using DHCP/RA is pre-
configured in the OS or Browser as a verified resolver (e.g., part
of an auto-upgrade program such as [Auto-upgrade]), the DNS client
auto-upgrades to use the pre-configured encrypted DNS server tied
to the discovered DNS server IP address. In such a case the DNS
client will perform additional checks out of band, such as
confirming that the Do53 IP address and the encrypted DNS server
are owned and operated by the same organisation.
o Similarly, if the ADN conveyed in DHCP/RA (Section 4) is pre-
configured in the OS or browser as a verified resolver, the DNS
client auto-upgrades to establish an encrypted a DoH/DoT/DoQ
session with the ADN.
In such case, the DNS client matches the domain name in the DNS
Reference Identifier DHCP/RA option with the 'DNS-ID' identifier
type within subjectAltName entry in the server certificate
conveyed in the TLS handshake.
7.2. DNS Server Identity Assertion
If the discovered encrypted DNS server information is not pre-
configured in the OS or the browser, the DNS client needs evidence
about the encrypted server to assess its trustworthiness and a way to
appraise such evidence. The DNS client can validate the Policy
Assertion Token signature (Section 7 of
[I-D.reddy-add-server-policy-selection]) to cryptographically assert
Boucadair, et al. Expires February 14, 2021 [Page 15]
Internet-Draft Encrypted DNS in Home Networks August 2020
the DNS server identity to identify it is connecting to an encrypted
DNS server hosted by a specific organization (e.g., ISP).
7.3. Other Deployment Options
Some deployment options to securely configure hosts are discussed
below. These options are provided for the sake of completeness.
o If Device Provisioning Protocol (DPP) [DPP] is used, the
configurator can securely configure devices in the home network
with the local DoT/DoH server using DPP. If the DoT/DoH servers
use raw public keys [RFC7250], the Subject Public Key Info (SPKI)
pin set [RFC7250] of raw public keys may be encoded in a QR code.
The configurator (e.g., mobile device) can scan the QR code and
provision SPKI pin set in OS/Browser. The configurator can in-
turn securely configure devices (e.g., thermostat) in the home
network with the SPKI pin set using DPP.
o If a CPE is co-located with security services within the home
network, the CPE can use WPA-PSK but with unique pre-shared keys
for different endpoints to deal with security issues. In such
networks, [I-D.reddy-add-iot-byod-bootstrap] may be used to
securely bootstrap endpoint devices with the authentication domain
name and DNS server certificate of the local network's DoH/DoT
server.
The OS would not know if the WPA pre-shared-key is the same for
all clients or a unique pre-shared key is assigned to the host.
Hence, the user has to indicate to the system that a unique pre-
shared key is assigned to trigger the bootstrapping procedure.
If the device joins a home network using a single shared password
among all the attached devices, a compromised device can host a
fake access point, and the device cannot be securely bootstrapped
with the home network's DoH/DoT server.
8. Hosting Encrypted DNS Forwarder in the CPE
8.1. Managed CPEs
The following mechanisms can be used to host a DoH/DoT forwarder in a
managed CPE (Section 3.1).
8.1.1. ACME
The ISP can assign a unique FQDN (e.g., cpe1.example.com) and a
domain-validated public certificate to the encrypted DNS forwarder
hosted on the CPE. Automatic Certificate Management Environment
Boucadair, et al. Expires February 14, 2021 [Page 16]
Internet-Draft Encrypted DNS in Home Networks August 2020
(ACME) [RFC8555] can be used by the ISP to automate certificate
management functions such as domain validation procedure, certificate
issuance and certificate revocation.
The managed CPE should support a configuration parameter to instruct
the CPE whether it has to relay the encrypted DNS server received
from the ISP's network or has to announce itself as a forwarder
within the local network. The default behavior of the CPE is to
supply the encrypted DNS server received from the ISP's network.
8.1.2. Auto-Upgrade Based on Domains and their Subdomains
If the ADN conveyed in DHCP/RA (Section 4) is pre-configured in
popular OSes or browsers as a verified resolver and the auto-upgrade
(Section 7.1) is allowed for both the pre-configured ADN and its sub-
domains, the DoH/DoT client will learn the local encrypted DNS
forwarder using DHCP/RA and auto-upgrade because the left-most label
of the pre-configured ADN would match the subjectAltName value in the
server certificate. Concretely, the CPE can communicate the ADN of
the local DoH forwarder (Section 8.1.1) to internal hosts using DHCP/
RA (Section 4).
Let's suppose that "example.net" is pre-configured as a verified
resolved in the browser or OS. If the DoH/DoT client discovers a
local forwarder "cpe1-internal.example.net", the encrypted DNS client
will auto-upgrade because the pre-configured ADN would match
subjectAltName value "cpe1-internal.example.net" of type dNSName. As
shown in Figure 12, the auto-upgrade to a rogue server advertising
"rs.example.org" will fail.
Boucadair, et al. Expires February 14, 2021 [Page 17]
Internet-Draft Encrypted DNS in Home Networks August 2020
Rogue Server
| |
X<==DHCP=======|
| {ADN= |
| rs.example.org, @rs}
| | --,--,-
| ,+-,--+--. ,/ ISP \.
| ,-' `-. ,-' `-.
DoH/DoT --( LAN CPE----( S (@1) )
capable client `-. ,-'| `-. ,-'
| `--'--'--' | `--'--'--'
|<========DHCP========>|
|{ADN= |
| cpe1-internal.example.net, @i}
|
|<========DoH=========>|
| |
Legend:
* S: DoH/DoT server
* @1: IP address of S
* @i: internal IP address of the CPE
* @rs: IP address of a rogue server
Figure 12: A Simplified Example of Auto-upgrade based on Sub-domains
8.2. Unmanaged CPEs
The approach specified in Section 8.1 does not apply for hosting a
DNS forwarder in an unmanaged CPE.
The unmanaged CPE administrator (referred to as administrator) can
host a DoH/DoT forwarder on the unmanaged CPE. This assumes the
following:
o The encrypted DNS server certificate is managed by the entity in-
charge of hosting the encrypted DNS forwarder.
Alternatively, a security service provider can assign a unique
FQDN to the CPE. The encrypted DNS forwarder will act like a
private encrypted DNS server only be accessible from within the
home network.
o The encrypted DNS forwarder will either be configured to use the
ISP's or a 3rd party encrypted DNS server.