-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathdraft-ietf-dprive-dnsoquic-07.txt
1736 lines (1157 loc) · 69.4 KB
/
draft-ietf-dprive-dnsoquic-07.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group C. Huitema
Internet-Draft Private Octopus Inc.
Intended status: Standards Track S. Dickinson
Expires: 4 June 2022 Sinodun IT
A. Mankin
Salesforce
1 December 2021
DNS over Dedicated QUIC Connections
draft-ietf-dprive-dnsoquic-07
Abstract
This document describes the use of QUIC to provide transport privacy
for DNS. The encryption provided by QUIC has similar properties to
that provided by TLS, while QUIC transport eliminates the head-of-
line blocking issues inherent with TCP and provides more efficient
packet loss recovery than UDP. DNS over QUIC (DoQ) has privacy
properties similar to DNS over TLS (DoT) specified in RFC7858, and
latency characteristics similar to classic DNS over UDP.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 4 June 2022.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
Huitema, et al. Expires 4 June 2022 [Page 1]
Internet-Draft DNS over Dedicated QUIC December 2021
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Document work via GitHub . . . . . . . . . . . . . . . . . . 5
4. Design Considerations . . . . . . . . . . . . . . . . . . . . 5
4.1. Provide DNS Privacy . . . . . . . . . . . . . . . . . . . 5
4.2. Design for Minimum Latency . . . . . . . . . . . . . . . 5
4.3. Middlebox Considerations . . . . . . . . . . . . . . . . 6
4.4. No Server Initiated Transactions . . . . . . . . . . . . 6
5. Specifications . . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Connection Establishment . . . . . . . . . . . . . . . . 6
5.1.1. Draft Version Identification . . . . . . . . . . . . 7
5.1.2. Port Selection . . . . . . . . . . . . . . . . . . . 7
5.2. Stream Mapping and Usage . . . . . . . . . . . . . . . . 7
5.2.1. DNS Message IDs . . . . . . . . . . . . . . . . . . . 8
5.3. DoQ Error Codes . . . . . . . . . . . . . . . . . . . . . 9
5.3.1. Transaction Cancellation . . . . . . . . . . . . . . 9
5.3.2. Transaction Errors . . . . . . . . . . . . . . . . . 10
5.3.3. Protocol Errors . . . . . . . . . . . . . . . . . . . 10
5.3.4. Alternative error codes . . . . . . . . . . . . . . . 11
5.4. Connection Management . . . . . . . . . . . . . . . . . . 11
5.5. Session Resumption and 0-RTT . . . . . . . . . . . . . . 12
5.6. Message Sizes . . . . . . . . . . . . . . . . . . . . . . 13
6. Implementation Requirements . . . . . . . . . . . . . . . . . 13
6.1. Authentication . . . . . . . . . . . . . . . . . . . . . 13
6.2. Fallback to Other Protocols on Connection Failure . . . . 14
6.3. Address Validation . . . . . . . . . . . . . . . . . . . 14
6.4. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.5. Connection Handling . . . . . . . . . . . . . . . . . . . 15
6.5.1. Connection Reuse . . . . . . . . . . . . . . . . . . 15
6.5.2. Resource Management . . . . . . . . . . . . . . . . . 15
6.5.3. Using 0-RTT and Session Resumption . . . . . . . . . 16
6.5.4. Controlling Connection Migration For Privacy . . . . 17
6.6. Processing Queries in Parallel . . . . . . . . . . . . . 17
6.7. Zone transfer . . . . . . . . . . . . . . . . . . . . . . 17
6.8. Flow Control Mechanisms . . . . . . . . . . . . . . . . . 18
7. Implementation Status . . . . . . . . . . . . . . . . . . . . 18
7.1. Performance Measurements . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20
9.1. Privacy Issues With 0-RTT data . . . . . . . . . . . . . 20
9.2. Privacy Issues With Session Resumption . . . . . . . . . 21
Huitema, et al. Expires 4 June 2022 [Page 2]
Internet-Draft DNS over Dedicated QUIC December 2021
9.3. Privacy Issues With Address Validation Tokens . . . . . . 22
9.4. Privacy Issues With Long Duration Sessions . . . . . . . 22
9.5. Traffic Analysis . . . . . . . . . . . . . . . . . . . . 23
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
10.1. Registration of DoQ Identification String . . . . . . . 23
10.2. Reservation of Dedicated Port . . . . . . . . . . . . . 23
10.2.1. Port number 784 for experimentations . . . . . . . . 24
10.3. Reservation of Extended DNS Error Code Too Early . . . . 24
10.4. DNS over QUIC Error Codes Registry . . . . . . . . . . . 24
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
12.1. Normative References . . . . . . . . . . . . . . . . . . 26
12.2. Informative References . . . . . . . . . . . . . . . . . 29
Appendix A. The NOTIFY Service . . . . . . . . . . . . . . . . . 30
Appendix B. Notable Changes From Previous Versions . . . . . . . 30
B.1. Stream Mapping Incompatibility With Draft-02 . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction
Domain Name System (DNS) concepts are specified in "Domain names -
concepts and facilities" [RFC1034]. The transmission of DNS queries
and responses over UDP and TCP is specified in "Domain names -
implementation and specification" [RFC1035].
This document presents a mapping of the DNS protocol over the QUIC
transport [RFC9000] [RFC9001]. DNS over QUIC is referred here as
DoQ, in line with "DNS Terminology" [I-D.ietf-dnsop-rfc8499bis].
The goals of the DoQ mapping are:
1. Provide the same DNS privacy protection as DNS over TLS (DoT)
[RFC7858]. This includes an option for the client to
authenticate the server by means of an authentication domain name
as specified in "Usage Profiles for DNS over TLS and DNS over
DTLS" [RFC8310].
2. Provide an improved level of source address validation for DNS
servers compared to classic DNS over UDP.
3. Provide a transport that is not constrained by path MTU
limitations on the size of DNS responses it can send.
In order to achieve these goals, and to support ongoing work on
encryption of DNS, the scope of this document includes
* the "stub to recursive resolver" scenario
Huitema, et al. Expires 4 June 2022 [Page 3]
Internet-Draft DNS over Dedicated QUIC December 2021
* the "recursive resolver to authoritative nameserver" scenario and
* the "nameserver to nameserver" scenario (mainly used for zone
transfers (XFR) [RFC1995], [RFC5936]).
In other words, this document is intended to specify QUIC as a
general purpose transport for DNS.
The specific non-goals of this document are:
1. No attempt is made to evade potential blocking of DNS over QUIC
traffic by middleboxes.
2. No attempt to support server initiated transactions, which are
used only in DNS Stateful Operations (DSO) [RFC8490].
Specifying the transmission of an application over QUIC requires
specifying how the application's messages are mapped to QUIC streams,
and generally how the application will use QUIC. This is done for
HTTP in "Hypertext Transfer Protocol Version 3
(HTTP/3)"[I-D.ietf-quic-http]. The purpose of this document is to
define the way DNS messages can be transmitted over QUIC.
DNS over HTTP [RFC8484] can be used with HTTP/3 to get some of the
benefits of QUIC. However, a lightweight direct mapping for DNS over
QUIC can be regarded as a more natural fit for both the recursive to
authoritative and zone transfer scenarios which rarely involve
intermediaries. In these scenarios, the additional overhead of HTTP
is not offset by, e.g., benefits of HTTP proxying and caching
behavior.
In this document, Section 4 presents the reasoning that guided the
proposed design. Section 5 specifies the actual mapping of DoQ.
Section 6 presents guidelines on the implementation, usage and
deployment of DoQ.
2. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC8174].
Huitema, et al. Expires 4 June 2022 [Page 4]
Internet-Draft DNS over Dedicated QUIC December 2021
3. Document work via GitHub
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION)The
Github repository for this document is at https://github.com/huitema/
dnsoquic. Proposed text and editorial changes are very much welcomed
there, but any functional changes should always first be discussed on
the IETF DPRIVE WG (dns-privacy) mailing list.
4. Design Considerations
This section and its subsections present the design guidelines that
were used for DoQ. This section is informative in nature.
4.1. Provide DNS Privacy
DoT [RFC7858] defines how to mitigate some of the issues described in
"DNS Privacy Considerations" [RFC9076] by specifying how to transmit
DNS messages over TLS. The "Usage Profiles for DNS over TLS and DNS
over DTLS" [RFC8310] specify Strict and Opportunistic Usage Profiles
for DoT including how stub resolvers can authenticate recursive
resolvers.
QUIC connection setup includes the negotiation of security parameters
using TLS, as specified in "Using TLS to Secure QUIC" [RFC9001],
enabling encryption of the QUIC transport. Transmitting DNS messages
over QUIC will provide essentially the same privacy protections as
DoT [RFC7858] including Strict and Opportunistic Usage Profiles
[RFC8310]. Further discussion on this is provided in Section 9.
4.2. Design for Minimum Latency
QUIC is specifically designed to reduce protocol-induced delays, with
features such as:
1. Support for 0-RTT data during session resumption.
2. Support for advanced packet loss recovery procedures as specified
in "QUIC Loss Detection and Congestion Control" [RFC9002].
3. Mitigation of head-of-line blocking by allowing parallel delivery
of data on multiple streams.
This mapping of DNS to QUIC will take advantage of these features in
three ways:
1. Optional support for sending 0-RTT data during session resumption
(the security and privacy implications of this are discussed in
later sections).
Huitema, et al. Expires 4 June 2022 [Page 5]
Internet-Draft DNS over Dedicated QUIC December 2021
2. Long-lived QUIC connections over which multiple DNS transactions
are performed, generating the sustained traffic required to
benefit from advanced recovery features.
3. Mapping of each DNS Query/Response transaction to a separate
stream, to mitigate head-of-line blocking. This enables servers
to respond to queries "out of order". It also enables clients to
process responses as soon as they arrive, without having to wait
for in order delivery of responses previously posted by the
server.
These considerations are reflected in the mapping of DNS traffic to
QUIC streams in Section 5.2.
4.3. Middlebox Considerations
Using QUIC might allow a protocol to disguise its purpose from
devices on the network path using encryption and traffic analysis
resistance techniques like padding. This specification does not
include any measures that are designed to avoid such classification.
Consequently, firewalls and other middleboxes might be able to
distinguish DoQ from other protocols that use QUIC, like HTTP, and
apply different treatment.
The lack of measures in this specification to avoid protocol
classification is not an endorsement of such practices.
4.4. No Server Initiated Transactions
As stated in Section 1, this document does not specify support for
server initiated transactions within established DoQ connections.
That is, only the initiator of the DoQ connection may send queries
over the connection.
DSO does support server-initiated transactions within existing
connections. However DoQ as defined here does not meet the criteria
for an applicable transport for DSO because it does not guarantee in-
order delivery of messages, see Section 4.2 of [RFC8490].
5. Specifications
5.1. Connection Establishment
DoQ connections are established as described in the QUIC transport
specification [RFC9000]. During connection establishment, DoQ
support is indicated by selecting the ALPN token "doq" in the crypto
handshake.
Huitema, et al. Expires 4 June 2022 [Page 6]
Internet-Draft DNS over Dedicated QUIC December 2021
5.1.1. Draft Version Identification
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION) Only
implementations of the final, published RFC can identify themselves
as "doq". Until such an RFC exists, implementations MUST NOT
identify themselves using this string.
Implementations of draft versions of the protocol MUST add the string
"-" and the corresponding draft number to the identifier. For
example, draft-ietf-dprive-dnsoquic-00 is identified using the string
"doq-i00".
5.1.2. Port Selection
By default, a DNS server that supports DoQ MUST listen for and accept
QUIC connections on the dedicated UDP port TBD (number to be defined
in Section 10), unless there is a mutual agreement to use another
port.
By default, a DNS client desiring to use DoQ with a particular server
MUST establish a QUIC connection to UDP port TBD on the server,
unless there is a mutual agreement to use another port.
In order to use a port other than TBD, both clients and servers would
need a configuration option in their software.
DoQ connections MUST NOT use UDP port 53. This recommendation
against use of port 53 for DoQ is to avoid confusion between DoQ and
the use of DNS over UDP [RFC1035].
In the stub to recursive scenario, the use of port 443 as a mutually
agreed alternative port can be operationally beneficial, since port
443 is less likely to be blocked than other ports. Several
mechanisms for stubs to discover recursives offering encrypted
transports, including the use of custom ports, are the subject of
ongoing work.
5.2. Stream Mapping and Usage
The mapping of DNS traffic over QUIC streams takes advantage of the
QUIC stream features detailed in Section 2 of [RFC9000], the QUIC
transport specification.
DNS traffic follows a simple pattern in which the client sends a
query, and the server provides one or more responses (multiple
responses can occur in zone transfers).
Huitema, et al. Expires 4 June 2022 [Page 7]
Internet-Draft DNS over Dedicated QUIC December 2021
The mapping specified here requires that the client selects a
separate QUIC stream for each query. The server then uses the same
stream to provide all the response messages for that query. In order
that multiple responses can be parsed, a 2-octet length field is used
in exactly the same way as the 2-octet length field defined for DNS
over TCP [RFC1035]. The practical result of this is that the content
of each QUIC stream is exactly the same as the content of a TCP
connection that would manage exactly one query.
All DNS messages (queries and responses) sent over DoQ connections
MUST be encoded as a 2-octet length field followed by the message
content as specified in [RFC1035].
The client MUST select the next available client-initiated
bidirectional stream for each subsequent query on a QUIC connection,
in conformance with the QUIC transport specification [RFC9000].
The client MUST send the DNS query over the selected stream, and MUST
indicate through the STREAM FIN mechanism that no further data will
be sent on that stream.
The server MUST send the response(s) on the same stream and MUST
indicate, after the last response, through the STREAM FIN mechanism
that no further data will be sent on that stream.
Therefore, a single client initiated DNS transaction consumes a
single stream. This means that the client's first query occurs on
QUIC stream 0, the second on 4, and so on.
Servers MAY defer processing of a query until the STREAM FIN has been
indicated on the stream selected by the client. Servers and clients
MAY monitor the number of "dangling" streams for which the expected
queries or responses have been received but not the STREAM FIN.
Implementations MAY impose a limit on the number of such dangling
streams. If limits are encountered, implementations MAY close the
connection.
5.2.1. DNS Message IDs
When sending queries over a QUIC connection, the DNS Message ID MUST
be set to zero. The stream mapping for DoQ allows for unambiguous
correlation of queries and responses and so the Message ID field is
not required.
Huitema, et al. Expires 4 June 2022 [Page 8]
Internet-Draft DNS over Dedicated QUIC December 2021
This has implications for proxying DoQ message to and from other
transports. For example, proxies may have to manage the fact that
DoQ can support a larger number of outstanding queries on a single
connection than e.g., DNS over TCP because DoQ is not limited by the
Message ID space. This issue already exists for DoH, where a Message
ID of 0 is recommended.
When forwarding a DNS message from DoQ over another transport, a DNS
Message ID MUST be generated according to the rules of the protocol
that is in use. When forwarding a DNS message from another transport
over DoQ, the Message ID MUST be set to zero.
5.3. DoQ Error Codes
The following error codes are defined for use when abruptly
terminating streams, aborting reading of streams, or immediately
closing connections:
DOQ_NO_ERROR (0x0): No error. This is used when the connection or
stream needs to be closed, but there is no error to signal.
DOQ_INTERNAL_ERROR (0x1): The DoQ implementation encountered an
internal error and is incapable of pursuing the transaction or the
connection.
DOQ_PROTOCOL_ERROR (0x2): The DoQ implementation encountered an
protocol error and is forcibly aborting the connection.
DOQ_REQUEST_CANCELLED (0x3): A DoQ client uses this to signal that
it wants to cancel an outstanding transaction.
DOQ_EXCESSIVE_LOAD (0x4): A DoQ implementation uses this to signal
when closing a connection due to excessive load.
DOQ_ERROR_RESERVED (0xd098ea5e): Alternative error code used for
tests.
See Section 10.4 for details on registering new error codes.
5.3.1. Transaction Cancellation
In QUIC, sending STOP_SENDING requests that a peer cease transmission
on a stream. If a DoQ client wishes to cancel an outstanding
request, it MUST issue a QUIC Stop Sending with error code
DOQ_REQUEST_CANCELLED. This may be sent at any time but will be
ignored if the server has already sent the response. The
corresponding DNS transaction MUST be abandoned.
Huitema, et al. Expires 4 June 2022 [Page 9]
Internet-Draft DNS over Dedicated QUIC December 2021
Servers that receive STOP_SENDING act in accordance with Section 3.5
of [RFC9000]. Servers MAY impose implementation limits on the total
number or rate of request cancellations. If limits are encountered,
servers MAY close the connection. In this case, servers wanting to
help client debugging MAY use the error code DOQ_EXCESSIVE_LOAD.
There is always a trade-off between helping good faith clients debug
issues and allowing denial-of-service attackers to test server
defenses, so depending on circumstances servers might very well chose
to send different error codes.
Note that this mechanism provides a way for secondaries to cancel a
single zone transfer occurring on a given stream without having to
close the QUIC connection.
5.3.2. Transaction Errors
Servers normally complete transactions by sending a DNS response (or
responses) on the transaction's stream, including cases where the DNS
response indicates a DNS error. For example, a Server Failure
(SERVFAIL, [RFC1035]) SHOULD be notified to the client by sending
back a response with the Response Code set to SERVFAIL.
If a server is incapable of sending a DNS response due to an internal
error, it SHOULD issue a QUIC Stream Reset. The error code SHOULD be
set to DOQ_INTERNAL_ERROR. The corresponding DNS transaction MUST be
abandoned. Clients MAY limit the number of unsolicited QUIC Stream
Resets received on a connection before choosing to close the
connection.
Note that this mechanism provides a way for primaries to abort a
single zone transfer occurring on a given stream without having to
close the QUIC connection.
5.3.3. Protocol Errors
Other error scenarios can occur due to malformed, incomplete or
unexpected messages during a transaction. These include (but are not
limited to)
* a client or server receives a message with a non-zero Message ID
* a client or server receives a STREAM FIN before receiving all the
bytes for a message indicated in the 2-octet length field
* a client receives a STREAM FIN before receiving all the expected
responses
* a server receives more than one query on a stream
Huitema, et al. Expires 4 June 2022 [Page 10]
Internet-Draft DNS over Dedicated QUIC December 2021
* a client receives a different number of responses on a stream than
expected (e.g. multiple responses to a query for an A record)
* a client receives a STOP_SENDING request
* the client or server does not indicate the expected STREAM FIN
after sending requests or responses (see Section 5.2).
* an implementation receives a message containing the edns-tcp-
keepalive EDNS(0) Option [RFC7828] (see Section 6.5.2)
* a client or a server attempts to open an unidirectional QUIC
stream
* a server attempts to open a server-initiated bidirectional QUIC
stream
If a peer encounters such an error condition it is considered a fatal
error. It SHOULD forcibly abort the connection using QUIC's
CONNECTION_CLOSE mechanism, and SHOULD use the DoQ error code
DOQ_PROTOCOL_ERROR.
It is noted that the restrictions on use of the above EDNS(0) options
has implications for proxying message from TCP/DoT/DoH over DoQ.
5.3.4. Alternative error codes
This specification suggests specific error codes Section 5.3.1,
Section 5.3.2, and Section 5.3.3. These error codes are meant to
facilitate investigation of failures and other incidents. New error
codes may be defined in future versions of DoQ, or registered as
specified in Section 10.4.
Because new error codes can be defined without negotiation, use of an
error code in an unexpected context or receipt of an unknown error
code MUST be treated as equivalent to DOQ_NO_ERROR.
Implementations MAY wish to test the support for the error code
extension mechanism by using error codes not listed in this document,
or they MAY use DOQ_ERROR_RESERVED.
5.4. Connection Management
Section 10 of [RFC9000], the QUIC transport specification, specifies
that connections can be closed in three ways:
* idle timeout
Huitema, et al. Expires 4 June 2022 [Page 11]
Internet-Draft DNS over Dedicated QUIC December 2021
* immediate close
* stateless reset
Clients and servers implementing DoQ SHOULD negotiate use of the idle
timeout. Closing on idle timeout is done without any packet
exchange, which minimizes protocol overhead. Per Section 10.1 of
[RFC9000], the QUIC transport specification, the effective value of
the idle timeout is computed as the minimum of the values advertised
by the two endpoints. Practical considerations on setting the idle
timeout are discussed in Section 6.5.2.
Clients SHOULD monitor the idle time incurred on their connection to
the server, defined by the time spent since the last packet from the
server has been received. When a client prepares to send a new DNS
query to the server, it will check whether the idle time is
sufficient lower than the idle timer. If it is, the client will send
the DNS query over the existing connection. If not, the client will
establish a new connection and send the query over that connection.
Clients MAY discard their connections to the server before the idle
timeout expires. A client that has outstanding queries SHOULD close
the connection explicitly using QUIC's CONNECTION_CLOSE mechanism and
the DoQ error code DOQ_NO_ERROR.
Clients and servers MAY close the connection for a variety of other
reasons, indicated using QUIC's CONNECTION_CLOSE. Client and servers
that send packets over a connection discarded by their peer MAY
receive a stateless reset indication. If a connection fails, all the
in progress transaction on that connection MUST be abandoned.
5.5. Session Resumption and 0-RTT
A client MAY take advantage of the session resumption mechanisms
supported by QUIC transport [RFC9000] and QUIC TLS [RFC9001].
Clients SHOULD consider potential privacy issues associated with
session resumption before deciding to use this mechanism. These
privacy issues are detailed in Section 9.2 and Section 9.1, and the
implementation considerations are discussed in Section 6.5.3.
The 0-RTT mechanism SHOULD NOT be used to send DNS requests that are
not "replayable" transactions. In this specification, only
transactions that have an OPCODE of QUERY or NOTIFY are considered
replayable and MAY be sent in 0-RTT data. See Appendix A for a
detailed discussion of why NOTIFY is included here.
Servers MUST NOT execute non replayable transactions received in
0-RTT data. Servers MUST adopt one of the following behaviors:
Huitema, et al. Expires 4 June 2022 [Page 12]
Internet-Draft DNS over Dedicated QUIC December 2021
* Queue the offending transaction and only execute it after the QUIC
handshake has been completed, as defined in Section 4.1.1 of
[RFC9001].
* Reply to the offending transaction with a response code REFUSED
and an Extended DNS Error Code (EDE) "Too Early", see
Section 10.3.
* Close the connection with the error code DOQ_PROTOCOL_ERROR.
5.6. Message Sizes
DoQ Queries and Responses are sent on QUIC streams, which in theory
can carry up to 2^62 bytes. However, DNS messages are restricted in
practice to a maximum size of 65535 bytes. This maximum size is
enforced by the use of a two-octet message length field in DNS over
TCP [RFC1035] and DNS over TLS [RFC7858], and by the definition of
the "application/dns-message" for DNS over HTTP [RFC8484]. DoQ
enforces the same restriction.
The Extension Mechanisms for DNS (EDNS) [RFC6891] allow peers to
specify the UDP message size. This parameter is ignored by DoQ. DoQ
implementations always assume that the maximum message size is 65535
bytes.
6. Implementation Requirements
6.1. Authentication
For the stub to recursive resolver scenario, the authentication
requirements are the same as described in DoT [RFC7858] and "Usage
Profiles for DNS over TLS and DNS over DTLS" [RFC8310]. [RFC8932]
states that DNS privacy services SHOULD provide credentials that
clients can use to authenticate the server. Given this, and to align
with the authentication model for DoH, DoQ stubs SHOULD use a Strict
authentication profile. Client authentication for the encrypted stub
to recursive scenario is not described in any DNS RFC.
For zone transfer, the requirements are the same as described in
[RFC9103].
For the recursive resolver to authoritative nameserver scenario,
authentication requirements are unspecified at the time of writing
and are the subject on ongoing work in the DPRIVE WG.
Huitema, et al. Expires 4 June 2022 [Page 13]
Internet-Draft DNS over Dedicated QUIC December 2021
6.2. Fallback to Other Protocols on Connection Failure
If the establishment of the DoQ connection fails, clients MAY attempt
to fall back to DoT and then potentially clear text, as specified in
DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS"
[RFC8310], depending on their privacy profile.
DNS clients SHOULD remember server IP addresses that don't support
DoQ. Timeouts, connection refusals, and QUIC handshake failures are
valid indicators that a server does not support DoQ. Clients SHOULD
NOT attempt DoQ queries to a server that does not support DoQ for a
reasonable period (such as one hour per server). DNS clients
following an out-of-band key-pinned privacy profile ([RFC7858]) MAY
be more aggressive about retrying DoQ connection failures.
6.3. Address Validation
Section 8 of [RFC9000], the QUIC transport specification, defines
Address Validation procedures to avoid servers being used in address
amplification attacks. DoQ implementations MUST conform to this
specification, which limits the worst case amplification to a factor
3.
DoQ implementations SHOULD consider configuring servers to use the
Address Validation using Retry Packets procedure defined in
Section 8.1.2 of [RFC9000], the QUIC transport specification. This
procedure imposes a 1-RTT delay for verifying the return routability
of the source address of a client, similar to the DNS Cookies
mechanism [RFC7873].
DoQ implementations that configure Address Validation using Retry
Packets SHOULD implement the Address Validation for Future
Connections procedure defined in Section 8.1.3 of [RFC9000], the QUIC
transport specification. This defines how servers can send NEW_TOKEN
frames to clients after the client address is validated, in order to
avoid the 1-RTT penalty during subsequent connections by the client
from the same address.
6.4. Padding
Implementations SHOULD protect against the traffic analysis attacks
described in Section 9.5 by the judicious injection of padding. This
could be done either by padding individual DNS messages using the
EDNS(0) Padding Option [RFC7830] and by padding QUIC packets (see
Section 8.6 of [RFC9000], the QUIC transport specification.
Huitema, et al. Expires 4 June 2022 [Page 14]
Internet-Draft DNS over Dedicated QUIC December 2021
In theory, padding at the QUIC level could result in better
performance for the equivalent protection, because the amount of
padding can take into account non-DNS frames such as acknowledgeemnts
or flow control updates, and also because QUIC packets can carry
multiple DNS messages. However, applications can only control the
amount of padding in QUIC packets if the implementation of QUIC
exposes adequate APIs. This leads to the following recommendation:
* if the implementation of QUIC exposes APIs to set a padding
policy, DNS over QUIC SHOULD use that API to align the packet
length to a small set of fixed sizes, aligned with the
recommendations of the "Padding Policies for Extension Mechanisms
for DNS (EDNS(0))" [RFC8467].
* if padding at the QUIC level is not available or not used, DNS
over QUIC MUST ensure that all DNS queries and responses are
padded to a small set of fixed sizes, using the EDNS padding
extension as specified in "Padding Policies for Extension
Mechanisms for DNS (EDNS(0))" [RFC8467].
6.5. Connection Handling
"DNS Transport over TCP - Implementation Requirements" [RFC7766]
provides updated guidance on DNS over TCP, some of which is
applicable to DoQ. This section provides similar advice on
connection handling for DoQ.
6.5.1. Connection Reuse
Historic implementations of DNS clients are known to open and close
TCP connections for each DNS query. To amortise connection setup
costs, both clients and servers SHOULD support connection reuse by
sending multiple queries and responses over a single persistent QUIC
connection.
In order to achieve performance on par with UDP, DNS clients SHOULD
send their queries concurrently over the QUIC streams on a QUIC
connection. That is, when a DNS client sends multiple queries to a
server over a QUIC connection, it SHOULD NOT wait for an outstanding
reply before sending the next query.
6.5.2. Resource Management
Proper management of established and idle connections is important to
the healthy operation of a DNS server.
Huitema, et al. Expires 4 June 2022 [Page 15]
Internet-Draft DNS over Dedicated QUIC December 2021
An implementation of DoQ SHOULD follow best practices similar to
those specified for DNS over TCP [RFC7766], in particular with regard
to:
* Concurrent Connections (Section 6.2.2 of [RFC7766], updated by
Section 6.4 of [RFC9103])
* Security Considerations (Section 10 of [RFC7766])
Failure to do so may lead to resource exhaustion and denial of
service.
Clients that want to maintain long duration DoQ connections SHOULD
use the idle timeout mechanisms defined in Section 10.1 of [RFC9000],
the QUIC transport specification. Clients and servers MUST NOT send
the edns-tcp-keepalive EDNS(0) Option [RFC7828] in any messages sent
on a DoQ connection (because it is specific to the use of TCP/TLS as
a transport).
This document does not make specific recommendations for timeout
values on idle connections. Clients and servers should reuse and/or
close connections depending on the level of available resources.
Timeouts may be longer during periods of low activity and shorter
during periods of high activity.
6.5.3. Using 0-RTT and Session Resumption
Using 0-RTT for DNS over QUIC has many compelling advantages.
Clients can establish connections and send queries without incurring
a connection delay. Servers can thus negotiate low values of the
connection timers, which reduces the total number of connections that
they need to manage. They can do that because the clients that use
0-RTT will not incur latency penalties if new connections are
required for a query.
Session resumption and 0-RTT data transmission create privacy risks
detailed in detailed in Section 9.2 and Section 9.1. The following
recommendations are meant to reduce the privacy risks while enjoying
the performance benefits of 0-RTT data, with the restriction
specified in Section 5.5.
Clients SHOULD use resumption tickets only once, as specified in
Appendix C.4 to [RFC8446]. By default, clients SHOULD NOT use
session resumption if the client's connectivity has changed.
Huitema, et al. Expires 4 June 2022 [Page 16]
Internet-Draft DNS over Dedicated QUIC December 2021
Clients could receive address validation tokens from the server using
the NEW_TOKEN mechanism; see Section 8 of [RFC9000]. The associated
tracking risks are mentioned in Section 9.3. Clients SHOULD only use
the address validation tokens when they are also using session
resumption, thus avoiding additional tracking risks.
Servers SHOULD issue session resumption tickets with a sufficiently
long life time (e.g., 6 hours), so that clients are not tempted to
either keep connection alive or frequently poll the server to renew
session resumption tickets. Servers SHOULD implement the anti-replay
mechanisms specified in Section 8 of [RFC8446].
6.5.4. Controlling Connection Migration For Privacy
DoQ implementation might consider using the connection migration
features defined in Section 9 of [RFC9000]. These features enable
connections to continue operating as the client's connectivity
changes. As detailed in Section 9.4, these features trade off
privacy for latency. By default, clients SHOULD be configured to
prioritise privacy and start new sessions if their connectivity
changes.
6.6. Processing Queries in Parallel
As specified in Section 7 of [RFC7766] "DNS Transport over TCP -
Implementation Requirements", resolvers are RECOMMENDED to support
the preparing of responses in parallel and sending them out of order.
In DoQ, they do that by sending responses on their specific stream as
soon as possible, without waiting for availability of responses for
previously opened streams.
6.7. Zone transfer
[RFC9103] specifies zone transfer over TLS (XoT) and includes updates
to [RFC1995] (IXFR), [RFC5936] (AXFR) and [RFC7766]. Considerations
relating to the re-use of XoT connections described there apply
analogously to zone transfers performed using DoQ connections. For
example:
* DoQ servers MUST be able to handle multiple concurrent IXFR
requests on a single QUIC connection
* DoQ servers MUST be able to handle multiple concurrent AXFR
requests on a single QUIC connection
* DoQ implementations SHOULD
Huitema, et al. Expires 4 June 2022 [Page 17]
Internet-Draft DNS over Dedicated QUIC December 2021
- use the same QUIC connection for both AXFR and IXFR requests to
the same primary
- pipeline such requests (if they pipeline XFR requests in
general) and MAY intermingle them
- send the response(s) for each request as soon as they are
available i.e. responses MAY be sent intermingled
6.8. Flow Control Mechanisms
Servers and Clients manage flow control using the mechanisms defined
in Section 4 of [RFC9000]. These mechanisms allow clients and
servers to specify how many streams can be created, how much data can
be sent on a stream, and how much data can be sent on the union of
all streams. For DNS over QUIC, controlling how many streams are
created allows servers to control how many new requests the client
can send on a given connection.
Flow control exists to protect endpoint resources. For servers,
global and per-stream flow control limits control how much data can
be sent by clients. The same mechanisms allow clients to control how
much data can be sent by servers. Values that are too small will
unnecessarily limit performance. Values that are too large might
expose endpoints to overload or memory exhaustion. Implementations
or deployments will need to adjust flow control limits to balance
these concerns. In particular, zone transfer implementations will
need to control these limits carefully to ensure both large and
concurrent zone transfers are well managed.
Initial values of parameters control how many requests and how much
data can be sent by clients and servers at the beginning of the
connection. These values are specified in transport parameters
exchanged during the connection handshake. The parameter values
received in the initial connection also control how many requests and
how much data can be sent by clients using 0-RTT data in a resumed
connection. Using too small values of these initial parameters would
restrict the usefulness of allowing 0-RTT data.
7. Implementation Status
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION) This
section records the status of known implementations of the protocol
defined by this specification at the time of posting of this