-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathdraft-reddy-dprive-bootstrap-dns-server-04.txt
1176 lines (816 loc) · 48.4 KB
/
draft-reddy-dprive-bootstrap-dns-server-04.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
DPRIVE WG T. Reddy
Internet-Draft McAfee
Intended status: Standards Track D. Wing
Expires: November 8, 2019 Citrix
M. Richardson
Sandelman Software Works
M. Boucadair
Orange
May 7, 2019
A Bootstrapping Procedure to Discover and Authenticate DNS-over-(D)TLS
and DNS-over-HTTPS Servers
draft-reddy-dprive-bootstrap-dns-server-04
Abstract
This document specifies mechanisms to automatically bootstrap
endpoints (e.g., hosts, Customer Equipment) to discover and
authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by a
local network.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 8, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Reddy, et al. Expires November 8, 2019 [Page 1]
Internet-Draft DoT/DoH server discovery May 2019
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Bootstrapping Endpoint Devices . . . . . . . . . . . . . . . 5
5. Bootstrapping IoT Devices . . . . . . . . . . . . . . . . . . 7
6. DNS-over-(D)TLS and DNS-over-HTTPS Server Discovery Procedure 8
7. Connection Handshake and Service Invocation . . . . . . . . . 10
8. EST Service Discovery Procedure . . . . . . . . . . . . . . . 10
8.1. mDNS . . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Network Reattachment . . . . . . . . . . . . . . . . . . . . 11
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
10.1. Privacy Extension Format . . . . . . . . . . . . . . . . 12
10.2. Privacy Extension Syntax . . . . . . . . . . . . . . . . 14
11. Security Considerations . . . . . . . . . . . . . . . . . . . 15
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
12.1. Application Service & Application Protocol Tags . . . . 16
12.1.1. DNS Application Service Tag Registration . . . . . . 17
12.1.2. dns.tls Application Protocol Tag Registration . . . 17
12.1.3. dns.dtls Application Protocol Tag Registration . . . 17
12.1.4. dns.https Application Protocol Tag Registration . . 17
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
14.1. Normative References . . . . . . . . . . . . . . . . . . 18
14.2. Informative References . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction
Traditionally a caching DNS server has been provided by local
networks. This provides benefits such as low latency to reach that
DNS server (owing to its network proximity to the endpoint).
However, if an endpoint is configured to use Internet-hosted or
public DNS-over-(D)TLS [RFC7858] [RFC8094] or DNS-over-HTTPS
[RFC8484] servers, any available local DNS server cannot serve DNS
requests from local endpoints. If public DNS servers are used
instead of using local DNS servers, some operational problems can
occur such as those listed below:
o "Split DNS" [RFC2775] to use the special internal-only domain
names (e.g., "internal.example.com") in enterprise networks will
Reddy, et al. Expires November 8, 2019 [Page 2]
Internet-Draft DoT/DoH server discovery May 2019
not work, and ".local" and "home.arpa" names cannot be locally
resolved in home networks.
o Content Delivery Networks (CDNs) that map traffic based on DNS may
lose the ability to direct end-user traffic to a nearby service-
specific cluster in cases where a DNS service is being used that
is not affiliated with the local network and which does not send
"EDNS Client Subnet" (ECS) information [RFC7871] to the CDN's DNS
authorities [CDN].
If public DNS servers are used instead of using local DNS servers,
the following discusses the impact on network-based security:
o Various network security services are provided by Enterprise
networks to protect endpoints (e.g,. Hosts, IoT devices).
[I-D.camwinget-tls-use-cases] discusses some of the network-based
security service use cases. These network security services act
on DNS requests originating from endpoints.
o However, if an endpoint is configured to use public DNS-
over-(D)TLS or DNS-over-HTTPS servers, network security services
cannot act efficiently on DNS requests from these endpoints.
o In order to act on DNS requests from endpoints, network security
services can block DNS-over-(D)TLS traffic by dropping outgoing
packets to destination port 853. Identifying DNS-over-HTTPS
traffic is far more challenging than DNS-over-(D)TLS traffic.
Network security services may try to identify the domains offering
DNS-over-HTTPS servers, and DNS-over-HTTPS traffic can be blocked
by dropping outgoing packets to these domains. If an endpoint has
enabled strict privacy profile (Section 5 of [RFC8310]), and the
network security service blocks the traffic to the public DNS
server, the DNS service won't be available to the endpoint and
ultimately the endpoint cannot access Internet-reachable services.
o If an endpoint has enabled opportunistic privacy profile
(Section 5 of [RFC8310]), and the network security service blocks
traffic to the public DNS server, the endpoint will either
fallback to an encrypted connection without authenticating the DNS
server provided by the local network or fallback to clear text
DNS, and cannot exchange encrypted DNS messages.
If the network security service fails to block DNS-over-(D)TLS or
DNS-over-HTTPS traffic, this can compromise the endpoint security;
some of the potential security threats are listed below:
o The network security service cannot prevent an endpoint from
accessing malicious domains.
Reddy, et al. Expires November 8, 2019 [Page 3]
Internet-Draft DoT/DoH server discovery May 2019
o If the endpoint is an IoT device which is configured to use public
DNS-over-(D)TLS or DNS-over-HTTPS servers, and if a policy
enforcement point in the local network is programmed using, for
example, a Manufacturer Usage Description (MUD) file [RFC8520] by
a MUD manager to only allow intented communications to and from
the IoT device, the policy enforcement point cannot enforce the
network Access Control List (ACL) rules based on domain names
(Section 8 of [RFC8520]).
If the network security service successfully blocks DNS-over-(D)TLS
and DNS-over-HTTPS traffic, this can still compromise the endpoint
security and privacy; some of the potential security threats are
listed below:
o Pervasive monitoring of DNS traffic.
o An internal attacker can modify the DNS responses to re-direct the
client to malicious servers.
To overcome the above threats, this document specifies a mechanism to
automatically bootstrap endpoints to discover and authenticate the
DNS-over-(D)TLS and DNS-over-HTTPS servers provided by their local
network. The overall procedure can be structured into the following
steps:
o Bootstrapping (Section 4) is necessary only when connecting to a
new network or when the network's DNS certificate has changed.
Bootstrapping authenticates the Enrollment over Secure Transport
(EST) [RFC7030] server to the endpoint. After authenticating the
EST server, DNS server certificate used by the local network is
downloaded to the endpoint. This DNS server certificate enables
subsequent authenticated encrypted communication with the local
DNS server (e.g., DNS-over-HTTPS) during in the connection phase.
o Discovery (Section 6) is performed by a previously bootstrapped
endpoint whenever connecting to a network. During discovery, the
endpoint is instructed which privacy-enabling DNS protocol(s),
port number(s), and IP addresses are supported on a local network.
This effectively takes the place of DNS server IP address
traditionally provided by IPv4 or IPv6 DHCP or by IPv6 Router
Advertisement [RFC8106].
o Connection handshake and service invocation (Section 7): The DNS
client initiates a (D)TLS handshake with the DNS server learned in
the discovery phase, and validates the DNS server's identity using
the credentials obtained in the bootstrapping phase.
Reddy, et al. Expires November 8, 2019 [Page 4]
Internet-Draft DoT/DoH server discovery May 2019
Note: The strict and opportunistic privacy profiles as defined in
[RFC8310] only applies to DNS-over-(D)TLS protocols, there has been
no such distinction made for DNS-over-HTTPS protocol.
2. Scope
The problems discussed in Section 1 will be encountered in Enterprise
networks. Typically Enterprise networks do not assume that all
devices in their network are managed by the IT team or Mobile Device
Management (MDM) devices, especially in the quite common BYOD ("Bring
Your Own Device") scenario. The mechanisms specified in this
document can be used by BYOD devices to discover and authenticate
DNS-over-(D)TLS and DNS-over-HTTPS servers provided by the Enterprise
network. This mechanism can also be used by IoT devices (managed by
IT team) after onboarding to discover and authenticate DNS-
over-(D)TLS and DNS-over-HTTPS servers provided by the Enterprise
network.
3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
(D)TLS is used for statements that apply to both Transport Layer
Security [RFC8446] and Datagram Transport Layer Security [RFC6347].
Specific terms are used for any statement that applies to either
protocol alone.
This document uses the terms defined in [RFC8499].
4. Bootstrapping Endpoint Devices
The following steps detail the mechanism to automatically bootstrap
an endpoint with the local network's DNS server certificate:
1. The endpoint authenticates to the local network and discovers the
Enrollment over Secure Transport (EST) [RFC7030] server using the
procedure discussed in Section 8.
2. The endpoint establishes provisional TLS connection with that EST
server, i.e., the endpoint provisionally accepts the unverified
TLS server certificate. However, the endpoint MUST authenticate
the EST server before it accepts the DNS server certificate. The
endpoint either uses password-based authenticated key exchange
(PAKE) with TLS 1.3 [I-D.barnes-tls-pake] as an authentication
Reddy, et al. Expires November 8, 2019 [Page 5]
Internet-Draft DoT/DoH server discovery May 2019
method or uses the mutual authentication protocol for HTTP
[RFC8120] to authenticate the discovered EST server.
As a reminder, PAKE is an authentication method that allows the
use of usernames and passwords over unencrypted channels without
revealing the passwords to an eavesdropper. Similarly, the
mutual authentication for HTTP is based on PAKE and provides
mutual authentication between an HTTP client and an HTTP server
using username and password as credentials. The cryptographic
algorithms to use with the mutual authentication protocol for
HTTP are defined in [RFC8121].
3. The endpoint needs to use PAKE scheme to perform authentication
the first time it connects to an EST server. If the EST server
authentication is successful, the server's identity can be used
to authenticate subsequent TLS connections to that EST server.
The endpoint configures the reference identifier for the EST
server using the DNS-ID identifier type in the EST server
certificate. On subsequent connections to the EST server, the
endpoint MUST validate the EST server certificate using the
Implict Trust Anchor database (i.e, the EST server certificate
must pass PKIX certification path validation) and match the
reference identifier against the EST server's identity according
to the rules specified in Section 6.4 of [RFC6125].
4. The endpoint learns the End-Entity certificates [RFC8295] from
the EST server. The certificate provisioned to the DNS server in
the local network will be treated as a End-Entity certificate.
As a reminder, the End-Entity certificates must be validated by
the endpoint using an authorized trust anchor (Section 3.2 of
[RFC8295]). The endpoint needs to identify the certificate
provisioned to the DNS server. The SRV-ID identifier type
[RFC6125] within subjectAltName entry MUST be used to identify
the DNS server certificate.
For example, DNS server certificate will include SRV-ID "_domain-
s.example.net" along with DNS-ID "example.net". The SRV service
label "domain-s" is defined in Section 6 of [RFC7858]. As a
reminder, the protocol component is not included in the SRV-ID
[RFC4985].
5. The endpoint configures the authentication domain name (ADN)
(defined in [RFC8310]) for the DNS server from the DNS-ID
identifier type within subjectAltName entry in the DNS server
certificate. The DNS server certificate is associated with the
ADN to be matched with the certificate given by the DNS server in
(D)TLS. To some extent, this approach is similar to certificate
usage PKIX-EE(1) defined in [RFC7671].
Reddy, et al. Expires November 8, 2019 [Page 6]
Internet-Draft DoT/DoH server discovery May 2019
Figure 1 illustrates a sequence diagram for bootstrapping an endpoint
with the local network's DNS server certificate.
+----------+ +--------+ +--------+
| Endpoint | | EST | | DNS |
| | | Server | | Server |
+----------+ +--------+ +--------+
| DNS-SD query to discover the EST server | |
|-------------------------------------------------------->|
| | |
| optional: mDNS query to | |
| discover the EST server | |
|--------------------------------------------->| |
| | |
| Establish provisional TLS connection | |
|<-------------------------------------------->| |
| | |
| PAKE scheme to authenticate the EST server | |
|<-------------------------------------------->| |
| | |
[Generate reference identifier for the EST server | |
to compare with the EST server certificate | |
in subsequent TLS connections] | |
| | |
| Get EE certificates | |
|--------------------------------------------->| |
| | |
[Identify the DNS server certificate in EE | |
certificates to match with the certificate | |
by the DNS server in (D)TLS handshake] | |
| |
[Configure ADN and associate DNS server certificate] | |
| | |
Figure 1: Bootstrapping Endpoint Devices
5. Bootstrapping IoT Devices
The following steps explain the mechanism to automatically bootstrap
IoT devices with local network's CA certificates and DNS server
certificate:
o Bootstrapping Remote Secure Key Infrastructures (BRSKI) discussed
in [I-D.ietf-anima-bootstrapping-keyinfra] provides a solution for
secure automated bootstrap of devices. BRSKI specifies means to
provision credentials on devices to be used to operationally
access networks. In addition, BRSKI provides an automated
mechanism for the bootstrap distribution of CA certificates from
Reddy, et al. Expires November 8, 2019 [Page 7]
Internet-Draft DoT/DoH server discovery May 2019
the EST server. The IoT device can use BRSKI to automatically
bootstrap the IoT device using the IoT manufacturer provisioned
X.509 certificate, in combination with a registrar provided by the
local network and IoT device manufacturer's authorizing service
(MASA):
1. The IoT device authenticates to the local network using the
IoT manufacturer provisioned X.509 certificate. The IoT
device can request and get a voucher from the MASA service via
the registrar. The voucher is signed by the MASA service and
includes the local network's CA public key.
2. The IoT device validates the signed voucher using the
manufacturer installed trust anchor associated with the MASA,
stores the CA's public key and validates the provisional TLS
connection to the registrar.
3. The IoT device requests the full EST distribution of current
CA certificates (Section 5.9.1 in
[I-D.ietf-anima-bootstrapping-keyinfra]) from the registrar
operating as a BRSKI-EST server. The IoT devices stores the
CA certificates as Explicit Trust Anchor database entries.
The IoT device uses the Explicit Trust Anchor database to
validate the DNS server certificate.
4. The IoT device learns the End-Entity certificates from the
BRSKI-EST server. The certificate provisioned to the DNS
server in the local network will be treated as an End-Entity
certificate. The IoT device needs to identify the certificate
provisioned to the DNS server. The SRV-ID identifier type
within subjectAltName entry MUST be used to identify the DNS
server certificate.
5. The endpoint configures the ADN for the DNS server from the
DNS-ID identifier type within subjectAltName entry in the DNS
server certificate. The DNS server certificate is associated
with the ADN to be matched with the certificate given by the
DNS server in (D)TLS.
6. DNS-over-(D)TLS and DNS-over-HTTPS Server Discovery Procedure
This specification defines "DPRIVE" as the application service tag
(Section 12.1.1) and "dns.tls" (Section 12.1.2), "dns.dtls"
(Section 12.1.3), and "dns.https" (Section 12.1.4) as application
protocol tags. A DNS client discovers the DNS server in the local
network supporting DNS-over-TLS, DNS-over-DTLS and DNS-over-HTTPS
protocols by using the following discovery mechanism:
Reddy, et al. Expires November 8, 2019 [Page 8]
Internet-Draft DoT/DoH server discovery May 2019
o The DNS client makes an S-NAPTR [RFC3958] lookup with the
authentication domain name and the 'DPRIVE' application service
tag to learn the protocols DNS-over-TLS, DNS-over-DTLS, and DNS-
over-HTTPS supported by the DNS server and the DNS privacy
protocol preferred by the DNS server administrators. The S-NAPTR
lookup is performed using an recursive DNS resolver discovered
from an untrusted source (such as DHCP).
o In the example depicted in Figure 2, for authentication domain
name 'example.net', the resolution algorithm will result in the
privacy-enabling protocols supported by the DNS server and usable
DNS server IP addresses and port numbers.
example.net.
IN NAPTR 100 10 "" DPRIVE:dns.tls "" dns1.example.net.
IN NAPTR 200 10 "" DPRIVE:dns.dtls "" dns2.example.net.
dns1.example.net.
IN NAPTR 100 10 S DPRIVE:dns.tls "" _domain-s._tcp.example.net.
dns2.example.net.
IN NAPTR 100 10 S DPRIVE:dns.dtls "" _domain-s._udp.example.net.
_domain-s._tcp.example.net.
IN SRV 0 0 853 a.example.net.
_domain-s._udp.example.net.
IN SRV 0 0 853 a.example.net.
a.example.net.
IN A 192.0.2.1
IN AAAA 2001:db8:8:4::2
Figure 2
o If DNS-over-HTTPS protocol is supported by the DNS server, the DNS
client finds the URI template of the DNS-over-HTTPS server using
one of the mechanisms discussed in
[I-D.ietf-doh-resolver-associated-doh] to use the https URI scheme
(Section 3 of [RFC8484]).
o If no DNS-specific S-NAPTR records can be retrieved, the discovery
procedure fails for this authentication domain name. However,
before retrying a lookup that has failed, a DNS client MUST wait a
time period that is appropriate for the encountered error (e.g.,
NXDOMAIN, timeout, etc.).
Reddy, et al. Expires November 8, 2019 [Page 9]
Internet-Draft DoT/DoH server discovery May 2019
7. Connection Handshake and Service Invocation
The DNS client initiates (D)TLS handshake with the DNS server, the
DNS server presents its certificate in ServerHello message, and the
DNS client MUST match the DNS server certificate downloaded in Step 4
in Section 4 or Section 5 with the certificate provided by the DNS
server in (D)TLS handshake. If the match is successful, the DNS
client MUST validate the server certificate using the Implicit Trust
Anchor database (i.e., the DNS server certificate must pass PKIX
certification path validation).
If the match is successful and server certificate is successfully
validated, the client continues with the connection as normal.
Otherwise, the client MUST treat the server certificate validation
failure as a non-recoverable error. If the DNS client cannot reach
or establish an authenticated and encrypted connection with the
privacy-enabling DNS server provided by the local network, the DNS
client can fallback to the privacy-enabling public DNS server.
8. EST Service Discovery Procedure
DNS-based Service Discovery (DNS-SD) [RFC6763] and Multicast DNS
(mDNS) [RFC6762] provide generic solutions for discovering services
available in a local network. DNS-SD/mDNS define a set of naming
rules for certain DNS record types that they use for advertising and
discovering services.
Section 4.1 of [RFC6763] specifies that a service instance name in
DNS-SD has the following structure:
<Instance> . <Service> . <Domain>
The <Domain> portion specifies the DNS sub-domain where the service
instance is registered. It may be "local.", indicating the mDNS
local domain, or it may be a conventional domain name such as
"example.com.". The <Service> portion of the EST service instance
name MUST be "_est._tcp".
8.1. mDNS
A EST client application can proactively discover an EST server being
advertised in the site by multicasting a PTR query to the following:
o "_est._tcp.local"
A EST server can send out gratuitous multicast DNS answer packets
whenever it starts up, wakes from sleep, or detects a change in EST
Reddy, et al. Expires November 8, 2019 [Page 10]
Internet-Draft DoT/DoH server discovery May 2019
server configuration. EST client application can receive these
gratuitous packets and cache information contained in them.
9. Network Reattachment
On subsequent attachments to the network, the endpoint discovers the
privacy-enabling DNS server using the authentication domain name
(configured in Step 5 of Section 4 or Section 5), initiates (D)TLS
handshake with the DNS server and follows the mechanism discussed in
Section 7 to validate the DNS server certificate.
If the DNS server certificate is invalid (e.g., revoked or expired)
or the procedure to discover the privacy-enabling DNS server fails
(e.g. the domain name of the privacy-enabling DNS server has changed
because the Enterprise network has switched to a public privacy-
enabling DNS server capable of blocking access to malicious domains),
the endpoint discovers and initiates TLS handshake with the EST
server, and uses the validation techniques described in [RFC6125] to
compare the reference identifier (created in Step 2 of Section 4 in
this document) to the EST server certificate and verifies the entire
certification path as per [RFC5280]. The endpoint then gets the DNS
server certificate from the EST server. If the DNS-ID identifier
type within subjectAltName entry in the DNS server certificate does
not match the configured ADN, the ADN is replaced with the DNS-ID
identifier type. The DNS server certificate associated with the ADN
is replaced with the one provided by the EST server. If the ADN has
changed, the endpoint discovers the privacy-enabling DNS server,
initiates (D)TLS handshake with the DNS server and follows the
mechanism discussed in Section 7 to validate the DNS server
certificate.
Figure 3 illustrates a sequence diagram for re-configuring an
endpoint with ADN and local network's DNS server certificate on
subsequent attachments to the network.
Reddy, et al. Expires November 8, 2019 [Page 11]
Internet-Draft DoT/DoH server discovery May 2019
+----------+ +--------+ +--------+
| Endpoint | | EST | | DNS |
| | | Server | | Server |
+----------+ +--------+ +--------+
| DNS-SD query to discover the EST server | |
|-------------------------------------------------------->|
| | |
| optional: mDNS query to | |
| discover the EST server | |
|--------------------------------------------->| |
| | |
| Establish TLS connection | |
| and validate EST server certificate | |
|<-------------------------------------------->| |
| | |
| Get EE certificates | |
|<-------------------------------------------->| |
| | |
[Identify the DNS server certificate in EE | |
certificates to match with the certificate | |
by the DNS server in (D)TLS handshake] | |
| |
[Re-configure ADN and associate DNS server certificate]| |
| | |
Figure 3: Bootstrapping Endpoint Devices on subsequent attachments to
the network
10. Privacy Considerations
[RFC7626] discusses DNS privacy considerations in both "on the wire"
(Section 2.4 of [RFC7626]) and "in the server" (Section 2.5 of
[RFC7626] contexts. The endpoint may not know if the DNS-over-(D)TLS
or DNS-over-HTTPS server in the local network has a privacy
preserving data policy. A new privacy certificate extension is
defined that identifies the privacy preserving data policy of the DNS
server.
10.1. Privacy Extension Format
Like all X.509 certificate extensions, the privacy certificate
extension is defined using ASN.1 [ASN1-88]. The non-critical privacy
extension is identified by id-pe-privacy.
Reddy, et al. Expires November 8, 2019 [Page 12]
Internet-Draft DoT/DoH server discovery May 2019
PKIX Object Identifier Registry
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
PKIX Arcs
id-mod OBJECT IDENTIFIER ::= { id-pkix 0 } -- modules
id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } -- private
certificate extensions
PKIX modules
id-mod-privacy-extn OBJECT IDENTIFIER ::= { id-mod TBD2 }
id-pe-privacy OBJECT IDENTIFIER ::= { id-pe TBD1 }
A non-null privacy always includes a base privacy. The privacy
extension includes the following information:
o If the client IP address is Personally Identifiable Information
(PII) data or non PII-data.
o If the user identity that sent the DNS query is logged or not, and
if user identity address is indeed logged, the period for which
the user identity is logged. User identity such as username, IP
address, MAC address or personally identifiable data. Logging
duration is represented in hours. A negative one (-1) of logging
duration indicates indefinite duration.
o If the transaction data (e.g., DNS messages) is logged or not, and
if transaction data is logged, the period for which the
transaction data is stored.
o If the transaction data is logged to notify the user access to
certain domains (e.g., malicious domains) is blocked, the period
for which the transaction data is stored. If access to malicious
domains is logged, the period for which the transaction data is
stored. If the transaction data is logged for analytics (e.g. to
detect malicious domains), the period for which the transaction
data is stored.
o If the transaction data is shared with partners or not, and if the
transaction data is shared with partners, the names of the
partners. If anonymized data or client identifiable data is
shared with partners.
o If the transaction data is shared or sold to third parties.
o If the DNS server will block DNS resolution of certain domains
(e.g., malicious domains).
Reddy, et al. Expires November 8, 2019 [Page 13]
Internet-Draft DoT/DoH server discovery May 2019
o A URL that points to the privacy preserving data policy, and a URL
that points to the security assessment report of the DNS server by
a third party auditor.
10.2. Privacy Extension Syntax
The syntax for the privacy extension is as follows:
Privacy ::= CHOICE {
none NULL,
-- No privacy policy provided
pPolicy PrivacyPolicy
-- Privacy preserving data policy }
PrivacyPolicy ::= SEQUENCE {
base PrivacyInfo,
pURL [0] PrivacyURL OPTIONAL,
aURL [1] AuditURL OPTIONAL }
PrivacyInfo ::= SEQUENCE {
ipaddresspii BOOLEAN,
-- TRUE means client IP address is PII
log [0] Logging,
sdata [2] ShareData,
transferdata [3] BOOLEAN,
-- TRUE means share or sell data to third parties
blockdomains [4] BOOLEAN
-- TRUE means domains will be blocked }
LoggingTypes ::= BIT STRING {
none (0),
-- No logging
all (1),
-- Log all transaction data
useridentity (2),
-- Log user identity (e.g., username, IP address)
notifyuser (3),
-- Log to notify user access
-- to certain domains is blocked
knownmalware (4),
-- Log access to malicious domains
analytics (5)
-- Log transaction data for analytics
-- (e.g. to detect malicious domains) }
LoggingDuration ::= SEQUENCE {
all [0] INTEGER OPTIONAL,
Reddy, et al. Expires November 8, 2019 [Page 14]
Internet-Draft DoT/DoH server discovery May 2019
-- Number of Hours the
-- transcation data is stored
useridentity [1] INTEGER OPTIONAL,
notifyuser [2] INTEGER OPTIONAL,
knownmalware [3] INTEGER OPTIONAL,
analytics [4] INTEGER OPTIONAL }
Logging ::= SEQUENCE {
loggingTypes LoggingTypes DEFAULT {none},
loggingDuration LoggingDuration OPTIONAL
-- Transaction data is cleared
-- after logging duration,
-- Negative one (-1) indicates indefinite
-- duration }
ShareData ::= SEQUENCE {
sharepartners BOOLEAN,
-- TRUE means data is shared with partners
partners [1] SEQUENCE SIZE (1..MAX) OF UTF8String OPTIONAL,
-- Names of the partners
anonymizeddata [0] BOOLEAN OPTIONAL
-- TRUE means anonymized data
-- is shared with partners }
PrivacyURL ::= IA5String -- MUST use https scheme
AuditURL ::= IA5String -- MUST use https scheme
11. Security Considerations
The bootstrapping procedure to obtain the certificate of the local
networks DNS server uses a client identity and password to
authenticate the EST server using PAKE schemes. Security
considerations such as those discussed in [I-D.barnes-tls-pake] or
[RFC8120] and [RFC8121] need to be taken into consideration.
Users cannot be expected to enable or disable the bootstrapping or
the discovery procedure as they switch networks. Thus, it is
RECOMMENDED that users indicate to their system in some way that they
desire bootstrapping to be performed when connecting to a specific
network, similar to the way users disable VPN connection in specific
network (e.g., Enterprise network) and enable VPN connection by
default in other networks.
If an endpoint has enabled strict privacy profile, and the network
security service blocks the traffic to the privacy-enabling public
DNS server, a hard failure occurs and the user is notified. The user
has a choice to switch to another network or if the user trusts the
network, the user can enable strict privacy profile with the DNS-
Reddy, et al. Expires November 8, 2019 [Page 15]
Internet-Draft DoT/DoH server discovery May 2019
over-(D)TLS or DNS-over-HTTPS server discovered in the network
instead of downgrading to opportunistic privacy profile.
The primary attacks against the methods described in Section 6 are
the ones that would lead to impersonation of a DNS server and
spoofing the DNS response to indicate that the DNS server does not
support any privacy-enabling protocols. To protect against DNS-
vectored attacks, secured DNS (DNSSEC) can be used to ensure the
validity of the DNS records received. Impersonation of the DNS
server is prevented by validating the certificate presented by the
DNS server. If the EST server conveys the DNS server certificate,
but the S-NAPTR lookup indicates that the DNS server does not support
any privacy-enabling protocols, the client can detect the DNS
response is spoofed.
Security considerations in [I-D.ietf-anima-bootstrapping-keyinfra]
need to be taken into consideration for IoT devices.
12. IANA Considerations
IANA is requested to allocate the SRV service name of "est".
IANA is requested to add the following entry in the "SMI Security for
PKIX Certificate Extension" (1.3.6.1.5.5.7.1) registry:
Decimal Description References
------- ------------------------------ ---------------------
TBD1 id-pe-privacy this document
IANA is requested to add the following entry in the "SMI Security for
PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry:
Decimal Description References
------- ------------------------------ ---------------------
TBD2 id-mod-privacy-extn this document
12.1. Application Service & Application Protocol Tags
This document requests IANA to make the following allocations from
the registry available at: https://www.iana.org/assignments/s-naptr-
parameters/s-naptr-parameters.xhtml.
Reddy, et al. Expires November 8, 2019 [Page 16]
Internet-Draft DoT/DoH server discovery May 2019
12.1.1. DNS Application Service Tag Registration
o Application Protocol Tag: DPRIVE
o Intended Usage: See Section 6
o Security Considerations: See Section 11
o Contact Information: <one of the authors>
12.1.2. dns.tls Application Protocol Tag Registration
o Application Protocol Tag: dns.tls
o Intended Usage: See Section 6
o Security Considerations: See Section 11
o Contact Information: <one of the authors>
12.1.3. dns.dtls Application Protocol Tag Registration
o Application Protocol Tag: dns.dtls
o Intended Usage: See Section 6
o Security Considerations: See Section 11
o Contact Information: <one of the authors>
12.1.4. dns.https Application Protocol Tag Registration
o Application Protocol Tag: dnshttps
o Intended Usage: See Section 6
o Security Considerations: See Section 11
o Contact Information: <one of the authors>
13. Acknowledgments
Thanks to Joe Hildebrand, Harsha Joshi, Shashank Jain, Patrick
McManus, Bob Harold, Livingood Jason, Eliot Lear and Sara Dickinson
for the discussion and comments.
Reddy, et al. Expires November 8, 2019 [Page 17]
Internet-Draft DoT/DoH server discovery May 2019
14. References
14.1. Normative References
[I-D.ietf-doh-resolver-associated-doh]
Hoffman, P., "Associating a DoH Server with a Resolver",
draft-ietf-doh-resolver-associated-doh-03 (work in
progress), March 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3958] Daigle, L. and A. Newton, "Domain-Based Application
Service Location Using SRV RRs and the Dynamic Delegation
Discovery Service (DDDS)", RFC 3958, DOI 10.17487/RFC3958,
January 2005, <https://www.rfc-editor.org/info/rfc3958>.
[RFC4985] Santesson, S., "Internet X.509 Public Key Infrastructure
Subject Alternative Name for Expression of Service Name",
RFC 4985, DOI 10.17487/RFC4985, August 2007,
<https://www.rfc-editor.org/info/rfc4985>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>.