draft-ietf-6man-rdnss-rfc6106bis-03.txt vs. draft-ietf-6man-rdnss-rfc6106bis-04.txt
(rfcdiff output: text common to both drafts is shown once; where the
drafts differ, both readings are given, labelled [-03] and [-04])
Network Working Group                                         J. Jeong
Internet-Draft                        Sungkyunkwan Univ./ETRI [-03]
                                      Sungkyunkwan University [-04]
Obsoletes: 6106 (if approved)                                 S. Park
Intended status: Standards Track                  SAMSUNG Electronics
Expires: April 7, 2016 [-03] / April 10, 2016 [-04]        L. Beloeil
                                                   France Telecom R&D
                                                       S. Madanapalli
                                                     iRam Technologies
                        October 5, 2015 [-03] / October 8, 2015 [-04]

         IPv6 Router Advertisement Options for DNS Configuration
  draft-ietf-6man-rdnss-rfc6106bis-03 [-03] / draft-ietf-6man-rdnss-rfc6106bis-04 [-04]
Abstract

   This document specifies IPv6 Router Advertisement options to allow
   IPv6 routers to advertise a list of DNS recursive server addresses
   and a DNS Search List to IPv6 hosts.

   This document obsoletes RFC 6106 and allows a higher default value of
   the lifetime of the RA DNS options to avoid the frequent expiry of
   the options on links with a relatively high rate of packet loss.
skipping to change at page 1, line 47
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 7, 2016 [-03] / April 10,
   2016 [-04].
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
skipping to change at page 2, line 27
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Applicability Statements . . . . . . . . . . . . . . . . .  3
     1.2.  Coexistence of RA Options and DHCP Options for DNS
           Configuration  . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Requirements Language  . . . . . . . . . . . . . . . . . . . .  4
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
   5.  Neighbor Discovery Extension . . . . . . . . . . . . . . . . .  5
     5.1.  Recursive DNS Server Option  . . . . . .  5 [-03] /  6 [-04]
     5.2.  DNS Search List Option . . . . . . . . . . . . . . . . . .  7
     5.3.  Procedure of DNS Configuration . . . . . . . . . . . . . .  8
       5.3.1.  Procedure in IPv6 Host . . . . . . . . . . . . . . . .  8
       5.3.2.  Warnings for DNS Options Configuration . . . . . . . .  9
   6.  Implementation Considerations  . . . . . . . . . . . . . . . .  9
     6.1.  DNS Repository Management  . . . . . . . . . . . . . . . . 10
     6.2.  Synchronization between DNS Server List and Resolver
           Repository . . . . . . . . . . . . . . . . . . . . . . . . 10
     6.3.  Synchronization between DNS Search List and Resolver
           Repository . . . . . . . . . . . . . . . 11 [-03] / 12 [-04]
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
     7.1.  Security Threats . . . . . . . . . . . . . . . . . . . . . 13
     7.2.  Recommendations  . . . . . . . . . . . . 13 [-03] / 14 [-04]
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 14
   9.  Acknowledgements . . . . . . . . . . . . . . 14 [-03] / 15 [-04]
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 15
     10.2.  Informative References  . . . . . . . . . . . . . . . . . 15
   Appendix A.  Changes from RFC 5006 . . . . . . . 16 [-03] / 17 [-04]
   Appendix B.  Changes from RFC 6106 . . . . . . . . . . . . . . . . 17
1.  Introduction

   [-03]
   The purpose of this document is to standardize an IPv6 Router
   Advertisement (RA) option for DNS Recursive Server Addresses used for
   the DNS name resolution in IPv6 hosts.  This RA option was specified
   in an earlier Experimental specification [RFC5006].  This document is
   also to define a new RA option for Domain Name Search Lists for an
   enhanced DNS configuration.  Thus, this document obsoletes [RFC5006],
   which only defines the RA option for DNS Recursive Server Addresses.

   [-04]
   The purpose of this document is to standardize an IPv6 Router
   Advertisement (RA) option for DNS Recursive Server Addresses used for
   the DNS name resolution in IPv6 hosts.  This RA option was originally
   specified in an earlier Experimental specification [RFC5006].  This
   document obsoletes [RFC6106], allowing a higher default value of the
   lifetime of the RA DNS options to avoid the frequent expiry of the
   options on links with a relatively high rate of packet loss, and also
   making additional clarifications, see Appendix B for details.
   Neighbor Discovery (ND) for IP version 6 and IPv6 stateless address
   autoconfiguration provide ways to configure either fixed or mobile
   nodes with one or more IPv6 addresses, default routers, and some
   other parameters [RFC4861][RFC4862].  Most Internet services are
   identified by using a DNS name.  The two RA options defined in this
   document provide the DNS information needed for an IPv6 host to reach
   Internet services.

   It is infeasible to manually configure nomadic hosts each time they
skipping to change at page 6, line 50 [-03] / page 7, line 9 [-04]
   Addresses of IPv6 Recursive DNS Servers
                 One or more 128-bit IPv6 addresses of the recursive
                 DNS servers.  The number of addresses is determined
                 by the Length field.  That is, the number of
                 addresses is equal to (Length - 1) / 2.
   [-03]
   Note: The addresses for recursive DNS servers in the RDNSS option
   MAY be link-local addresses.  Such link-local addresses SHOULD be
   registered into the resolver repository along with the
   corresponding interfaces (or zones) that received the RDNSS
   option(s) for them.  The interface names (or zone indices) SHOULD
   be represented in the textual format for scoped addresses in
   described in [RFC4007].  When a resolver sends a DNS query message
   to an RDNSS with a link-local address, it MUST use the
   corresponding interface.

   [-04]
   Note: The addresses for recursive DNS servers in the RDNSS option
   MAY be link-local addresses.  Such link-local addresses SHOULD be
   registered into the resolver repository along with the
   corresponding link zone indices of the links that receive the
   RDNSS option(s) for them.  The link zone indices SHOULD be
   represented in the textual format for scoped addresses as
   described in [RFC4007].  When a resolver sends a DNS query message
   to an RDNSS with a link-local address, it MUST use the
   corresponding link.
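As an added illustration (not text or code from the draft), the following Python decodes an RDNSS option the way the section above describes: it validates the Length field, derives the address count as (Length - 1) / 2, and registers link-local servers together with the zone of the receiving link in the RFC 4007 textual form addr%zone. It assumes the RDNSS header layout of RFC 6106 (Type, Length, Reserved, Lifetime), which this excerpt does not reproduce; the zone name "eth0" and the server addresses are constructed sample values.

```python
"""Decode an IPv6 RA RDNSS option (ND option type 25) as a host's
resolver repository would: check the Length field, derive the address
count as (Length - 1) / 2, and record link-local servers with the zone
index of the receiving link in RFC 4007 textual form (addr%zone)."""
import ipaddress
import struct

RDNSS_TYPE = 25  # IANA-assigned ND option type for the RDNSS option


def parse_rdnss(option: bytes, zone: str):
    """Return (lifetime, [server strings]) for one RDNSS option.

    Header layout assumed from RFC 6106: Type(1) Length(1) Reserved(2)
    Lifetime(4), followed by 128-bit addresses.  Length counts 8-octet
    units, so a well-formed option has an odd Length of at least 3 and
    carries (Length - 1) / 2 addresses.  A Lifetime of 0 means the
    servers must no longer be used; all-ones means no expiry.
    """
    if len(option) < 8:
        raise ValueError("RDNSS option shorter than its 8-octet header")
    typ, length, _reserved, lifetime = struct.unpack("!BBHI", option[:8])
    if typ != RDNSS_TYPE:
        raise ValueError(f"not an RDNSS option (type {typ})")
    # Reject Length values that do not match the bytes actually present:
    # a resolver must not read past a truncated option or trust a bogus
    # count derived from the header alone.
    if length < 3 or length % 2 == 0 or len(option) != length * 8:
        raise ValueError(
            f"invalid RDNSS Length {length} for {len(option)} octets")
    count = (length - 1) // 2
    servers = []
    for i in range(count):
        raw = option[8 + 16 * i: 8 + 16 * (i + 1)]
        addr = ipaddress.IPv6Address(raw)
        # A link-local RDNSS address is only meaningful on the link that
        # delivered the RA, so store it as <addr>%<zone> (RFC 4007) and
        # later send queries for it over that link only.
        servers.append(f"{addr}%{zone}" if addr.is_link_local else str(addr))
    return lifetime, servers


def build_rdnss(lifetime: int, addrs) -> bytes:
    """Construct an RDNSS option from a list of addresses (sample input
    for this example; not captured traffic)."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    length = 1 + 2 * len(addrs)  # 8-octet header + 16 octets per address
    return struct.pack("!BBHI", RDNSS_TYPE, length, 0, lifetime) + body


if __name__ == "__main__":
    # Constructed sample: one global and one link-local server, 1800 s.
    opt = build_rdnss(1800, ["2001:db8::53", "fe80::1"])
    print(parse_rdnss(opt, "eth0"))
```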
5.2.  DNS Search List Option

   The DNSSL option contains one or more domain names of DNS suffixes.
   All of the domain names share the same Lifetime value.  If it is
   desirable to have different Lifetime values, multiple DNSSL options
   can be used.  Figure 2 shows the format of the DNSSL option.

   [Figure 2: DNSSL option format; only the bit-position ruler of the
   figure survives in this excerpt]
skipping to change at page 14, line 18 [-03] / page 14, line 30 [-04]
   defines the roles of routers (i.e., routers acting as proxy and
   address owner) and explains the authorization of the roles.  The
   mechanism in this document can be extended to verify which routers
   are authorized to insert RDNSS and DNSSL options.
   It is common for network devices such as switches to include
   mechanisms to block unauthorized ports from running a DHCPv6 server
   to provide protection from rogue DHCP servers.  That means that an
   attacker on other ports cannot insert bogus DNS servers using DHCPv6.
   The corresponding technique for network devices is RECOMMENDED to
   block rogue Router Advertisement messages [RFC6104] ([RFC6104]
   citation in -04 only) including the RDNSS and DNSSL options from
   unauthorized nodes.
   An attacker may provide a bogus DNS Search List option in order to
   cause the victim to send DNS queries to a specific DNS server when
   the victim queries non-FQDNs (fully qualified domain names).  For
   this attack, the DNS resolver in IPv6 hosts can mitigate the
   vulnerability with the recommendations mentioned in [RFC1535],
   [RFC1536], and [RFC3646].
8.  IANA Considerations

   The RDNSS option defined in this document uses the IPv6 Neighbor
   Discovery Option type defined in RFC 5006 [RFC5006], which was
   assigned by the IANA as follows:

        Option Name                          Type
        Recursive DNS Server Option           25
   [-03]
   The IANA has assigned a new IPv6 Neighbor Discovery Option type for
   the DNSSL option defined in this document:

   [-04]
   The DNSSL option defined in this document uses the IPv6 Neighbor
   Discovery Option type defined in RFC 6106 [RFC6106], which was
   assigned by the IANA as follows:

        Option Name                          Type
        DNS Search List Option                31
   These options have been registered in the "Internet Control Message
   Protocol version 6 (ICMPv6) Parameters" registry
   (http://www.iana.org) [-03] /
   (http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-5) [-04].
9.  Acknowledgements

   This document has greatly benefited from inputs by Robert Hinden,
   Pekka Savola, Iljitsch van Beijnum, Brian Haberman, Tim Chown, Erik
   Nordmark, Dan Wing, Jari Arkko, Ben Campbell, Vincent Roca, Tony
   Cheneau, Fernando Gont and Jen Linkova [-03] / Tony Cheneau, Fernando
   Gont, Jen Linkova, Ole Troan, Mark Smith, Tatuya Jinmei, Lorenzo
   Colitti, Tore Anderson, and David Farmer [-04].  The authors sincerely
   appreciate their contributions.
10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H.
              Soliman, "Neighbor Discovery for IP version 6
skipping to change at page 15, line 50 [-03] / page 16, line 17 [-04]
              April 2004.

   [RFC3646]  Droms, R., "DNS Configuration options for Dynamic
              Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 3646, December 2003.

   [RFC5006]  Jeong, J., Park, S., Beloeil, L., and S.
              Madanapalli, "IPv6 Router Advertisement Option for
              DNS Configuration", RFC 5006, September 2007.
   [-04 only]
   [RFC6106]  Jeong, J., Park, S., Beloeil, L., and S.
              Madanapalli, "IPv6 Router Advertisement Options for
              DNS Configuration", RFC 6106, November 2010.
   [RFC4339]  Jeong, J., "IPv6 Host Configuration of DNS Server
              Information Approaches", RFC 4339, February 2006.

   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander,
              "SEcure Neighbor Discovery (SEND)", RFC 3971,
              March 2005.
   [-04 only]
   [RFC6104]  Chown, T. and S. Venaas, "Rogue IPv6 Router
              Advertisement Problem Statement", RFC 6104,
              February 2011.
   [RFC1535]  Gavron, E., "A Security Problem and Proposed
              Correction With Widely Deployed DNS Software",
              RFC 1535, October 1993.

   [RFC1536]  Kumar, A., Postel, J., Neuman, C., Danzig, P., and
              S. Miller, "Common DNS Implementation Errors and
              Suggested Fixes", RFC 1536, October 1993.

   [MIF-PROBLEM]  Blanchet, M. and P. Seite, "Multiple Interfaces
              Problem Statement", Work in Progress, August 2010.
skipping to change at page 17, line 35 [-03] / page 18, line 11 [-04]
   o  The lifetimes of RDNSS and DNSSL options are decoupled from Router
      Lifetime.  An RA router lifetime of zero does not cause the RDNSS
      and DNSSL options to be considered invalid because these options
      have their own lifetime values.  Thus, due to the expiry of the RA
      router lifetime, the lists in the RDNSS and DNSSL options are not
      guaranteed to be reachable at any point in time.
   o  [-03] The addresses for recursive DNS servers in the RDNSS option
      can be not only global addresses, but also link-local addresses.
      The link-local addresses for RDNSSes should be specified in the
      resolver repository along with the corresponding interface names
      (or zone indices).

      [-04] The addresses for recursive DNS servers in the RDNSS option
      can be not only global addresses, but also link-local addresses.
      The link-local addresses for RDNSSes should be registered into the
      resolver repository along with the corresponding link zone
      indices.
   o  The recommendation that at most three RDNSS addresses to maintain
      by RDNSS options should be limited is removed.  By this removal,
      the number of RDNSSes to maintain is up to an implementer's local
      policy.

   o  The recommendation that at most three DNS domains to maintain by
      DNSSL options should be limited is removed.  By this removal, when
      the set of unique DNSSL values are not equivalent, none of them
      are ignored for hostname lookups.
Authors' Addresses

   Jaehoon Paul Jeong
   Sungkyunkwan University/ETRI [-03]
   Department of Software, Sungkyunkwan University [-04]
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 440-746
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 299 7996 [-03] / +82 31 290 7996 [-04]
   EMail: pauljeong@skku.edu
   URI:   http://cpslab.skku.edu/people-jaehoon-jeong.php
   Soohong Daniel Park
   Digital Media & Communications R&D Center
   SAMSUNG Electronics
   416 Maetan-3dong, Yeongtong-Gu
   Suwon, Gyeonggi-Do 443-742
   Republic of Korea
 End of changes. 22 change blocks. 
32 lines changed or deleted, 45 lines changed or added.

This html diff was produced by rfcdiff 1.42.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/