draft-ietf-6man-rdnss-rfc6106bis-12.txt   draft-ietf-6man-rdnss-rfc6106bis-13.txt 
Network Working Group J. Jeong Network Working Group J. Jeong
Internet-Draft Sungkyunkwan University Internet-Draft Sungkyunkwan University
Obsoletes: 6106 (if approved) S. Park Obsoletes: 6106 (if approved) S. Park
Intended status: Standards Track Samsung Electronics Intended status: Standards Track Samsung Electronics
Expires: October 9, 2016 L. Beloeil Expires: November 29, 2016 L. Beloeil
France Telecom R&D France Telecom R&D
S. Madanapalli S. Madanapalli
iRam Technologies iRam Technologies
April 7, 2016 May 28, 2016
IPv6 Router Advertisement Options for DNS Configuration IPv6 Router Advertisement Options for DNS Configuration
draft-ietf-6man-rdnss-rfc6106bis-12 draft-ietf-6man-rdnss-rfc6106bis-13
Abstract Abstract
This document specifies IPv6 Router Advertisement options to allow This document specifies IPv6 Router Advertisement (RA) options
IPv6 routers to advertise a list of DNS recursive server addresses (called DNS RA options) to allow IPv6 routers to advertise a list of
and a DNS Search List to IPv6 hosts. DNS recursive server addresses and a DNS Search List to IPv6 hosts.
This document obsoletes RFC 6106 and allows a higher default value of This document obsoletes RFC 6106 and allows a higher default value of
the lifetime of the RA DNS options to avoid the frequent expiry of the lifetime of the DNS RA options to avoid the frequent expiry of
the options on links with a relatively high rate of packet loss. the options on links with a relatively high rate of packet loss.
Status of This Memo Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
skipping to change at page 1, line 47 skipping to change at page 1, line 47
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 9, 2016. This Internet-Draft will expire on November 29, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
skipping to change at page 2, line 27 skipping to change at page 2, line 27
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Applicability Statements . . . . . . . . . . . . . . . . . 3 1.1. Applicability Statements . . . . . . . . . . . . . . . . . 3
1.2. Coexistence of RA Options and DHCP Options for DNS 1.2. Coexistence of RA Options and DHCP Options for DNS
Configuration . . . . . . . . . . . . . . . . . . . . . . 4 Configuration . . . . . . . . . . . . . . . . . . . . . . 4
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Neighbor Discovery Extension . . . . . . . . . . . . . . . . . 5 5. Neighbor Discovery Extension . . . . . . . . . . . . . . . . . 5
5.1. Recursive DNS Server Option . . . . . . . . . . . . . . . 6 5.1. Recursive DNS Server Option . . . . . . . . . . . . . . . 5
5.2. DNS Search List Option . . . . . . . . . . . . . . . . . . 7 5.2. DNS Search List Option . . . . . . . . . . . . . . . . . . 7
5.3. Procedure of DNS Configuration . . . . . . . . . . . . . . 8 5.3. Procedure of DNS Configuration . . . . . . . . . . . . . . 8
5.3.1. Procedure in IPv6 Host . . . . . . . . . . . . . . . . 8 5.3.1. Procedure in IPv6 Hosts . . . . . . . . . . . . . . . 8
5.3.2. Warnings for DNS Options Configuration . . . . . . . . 9 5.3.2. Warnings for DNS Options Configuration . . . . . . . . 9
6. Implementation Considerations . . . . . . . . . . . . . . . . 9 6. Implementation Considerations . . . . . . . . . . . . . . . . 9
6.1. DNS Repository Management . . . . . . . . . . . . . . . . 10 6.1. DNS Repository Management . . . . . . . . . . . . . . . . 10
6.2. Synchronization between DNS Server List and Resolver 6.2. Synchronization between DNS Server List and Resolver
Repository . . . . . . . . . . . . . . . . . . . . . . . . 10 Repository . . . . . . . . . . . . . . . . . . . . . . . . 10
6.3. Synchronization between DNS Search List and Resolver 6.3. Synchronization between DNS Search List and Resolver
Repository . . . . . . . . . . . . . . . . . . . . . . . . 11 Repository . . . . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7.1. Security Threats . . . . . . . . . . . . . . . . . . . . . 12 7.1. Security Threats . . . . . . . . . . . . . . . . . . . . . 12
7.2. Recommendations . . . . . . . . . . . . . . . . . . . . . 12 7.2. Recommendations . . . . . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
10.1. Normative References . . . . . . . . . . . . . . . . . . . 14 10.1. Normative References . . . . . . . . . . . . . . . . . . . 14
10.2. Informative References . . . . . . . . . . . . . . . . . . 14 10.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Changes from RFC 6106 . . . . . . . . . . . . . . . . 15 Appendix A. Changes from RFC 6106 . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
The purpose of this document is to standardize an IPv6 Router The purpose of this document is to standardize IPv6 Router
Advertisement (RA) option for DNS Recursive Server Addresses used for Advertisement (RA) options (DNS RA options) for DNS Recursive Server
the DNS name resolution in IPv6 hosts. This RA option was originally Addresses used for the DNS name resolution in IPv6 hosts, and also
specified in an earlier Experimental specification [RFC5006] and was for a DNS Search List of domain suffixes.
later published as a Standards Track in [RFC6106]. This document
obsoletes [RFC6106], allowing a higher default value of the lifetime
of the RA DNS options to avoid the frequent expiry of the options on
links with a relatively high rate of packet loss, and also making
additional clarifications, see Appendix A for details.
Neighbor Discovery (ND) for IP version 6 and IPv6 Stateless Address Neighbor Discovery (ND) for IP version 6 and IPv6 Stateless Address
Autoconfiguration (SLAAC) provide ways to configure either fixed or Autoconfiguration (SLAAC) provide ways to configure either fixed or
mobile nodes with one or more IPv6 addresses, default routers, and mobile nodes with one or more IPv6 addresses, default routers, and
some other parameters [RFC4861][RFC4862]. Most Internet names are some other parameters [RFC4861][RFC4862].
identified by using a DNS name. The two RA options defined in this
document provide the DNS information needed for an IPv6 host to reach
Internet names.
It is infeasible to manually configure nomadic hosts each time they It is infeasible to manually configure nomadic hosts each time they
connect to a different network. While a one-time static connect to a different network. While a one-time static
configuration is possible, it is generally not desirable on general- configuration is possible, it is generally not desirable on general-
purpose hosts such as laptops. For instance, locally defined name purpose hosts such as laptops. For instance, locally defined name
spaces would not be available to the host if it were to run its own spaces would not be available to the host if it were to run its own
recursive name server directly connected to the global DNS. recursive name server directly connected to the global DNS.
The DNS information can also be provided through DHCPv6 [RFC3315] The DNS information can also be provided through DHCPv6 [RFC3315]
[RFC3736][RFC3646]. However, the access to DNS is a fundamental [RFC3736][RFC3646]. However, the access to DNS is a fundamental
requirement for almost all hosts, so IPv6 stateless autoconfiguration requirement for almost all hosts, so IPv6 stateless autoconfiguration
cannot stand on its own as an alternative deployment model in any cannot stand on its own as an alternative deployment model in any
practical network without any support for DNS configuration. practical network without any support for DNS configuration.
These issues are not pressing in dual-stack networks as long as a DNS These issues are not pressing in dual-stack networks as long as a DNS
server is available on the IPv4 side, but they become more critical server is available on the IPv4 side, but they become more critical
with the deployment of IPv6-only networks. As a result, this with the deployment of IPv6-only networks. As a result, this
document defines a mechanism based on IPv6 RA options to allow IPv6 document defines a mechanism based on DNS RA options to allow IPv6
hosts to perform the automatic DNS configuration. hosts to perform the automatic DNS configuration.
1.1. Applicability Statements 1.1. Applicability Statements
RA-based DNS configuration is a useful alternative in networks where RA-based DNS configuration is a useful alternative in networks where
an IPv6 host's address is autoconfigured through IPv6 stateless an IPv6 host's address is autoconfigured through IPv6 stateless
address autoconfiguration and where there is either no DHCPv6 address autoconfiguration and where there is either no DHCPv6
infrastructure at all or some hosts do not have a DHCPv6 client. The infrastructure at all or some hosts do not have a DHCPv6 client. The
intention is to enable the full configuration of basic networking intention is to enable the full configuration of basic networking
information for hosts without requiring DHCPv6. However, for information for hosts without requiring DHCPv6. However, for
skipping to change at page 5, line 21 skipping to change at page 5, line 12
first data structure is the DNS Server List for RDNSS addresses first data structure is the DNS Server List for RDNSS addresses
and the second is the DNS Search List for DNS search domain names. and the second is the DNS Search List for DNS search domain names.
o Resolver Repository: Configuration repository with RDNSS addresses o Resolver Repository: Configuration repository with RDNSS addresses
and a DNS Search List that a DNS resolver on the host uses for DNS and a DNS Search List that a DNS resolver on the host uses for DNS
name resolution; for example, the Unix resolver file (i.e., /etc/ name resolution; for example, the Unix resolver file (i.e., /etc/
resolv.conf) and Windows registry. resolv.conf) and Windows registry.
4. Overview 4. Overview
This document standardizes the ND option called the RDNSS option This document standardizes the ND option called the RDNSS option that
defined in [RFC6106] that contains the addresses of recursive DNS contains the addresses of recursive DNS servers. This document also
servers. This document also standardizes the ND option called the standardizes the ND option called the DNSSL option that contains the
DNSSL option defined in [RFC6106] that contains the Domain Search Domain Search List. This is to maintain parity with the DHCPv6
List. This is to maintain parity with the DHCPv6 options and to options and to ensure that there is necessary functionality to
ensure that there is necessary functionality to determine the search determine the search domains.
domains.
The existing ND message (i.e., Router Advertisement) is used to carry The existing ND message (i.e., Router Advertisement) is used to carry
this information. An IPv6 host can configure the IPv6 addresses of this information. An IPv6 host can configure the IPv6 addresses of
one or more RDNSSes via RA messages. Through the RDNSS and DNSSL one or more RDNSSes via RA messages. Through the RDNSS and DNSSL
options, along with the prefix information option based on the ND options, along with the prefix information option based on the ND
protocol ([RFC4861] and [RFC4862]), an IPv6 host can perform the protocol ([RFC4861] and [RFC4862]), an IPv6 host can perform the
network configuration of its IPv6 address and the DNS information network configuration of its IPv6 address and the DNS information
simultaneously without needing DHCPv6 for the DNS configuration. The simultaneously without needing DHCPv6 for the DNS configuration. The
RA options for RDNSS and DNSSL can be used on the network that RA options for RDNSS and DNSSL can be used on networks that support
supports the use of ND. the use of ND.
This approach requires the manual configuration or other automatic This approach requires the manual configuration or other automatic
mechanisms (e.g., DHCPv6 or vendor proprietary configuration mechanisms (e.g., DHCPv6 or vendor proprietary configuration
mechanisms) to configure the DNS information in routers sending the mechanisms) to configure the DNS information in routers sending the
advertisements. The automatic configuration of RDNSS addresses and a advertisements. The automatic configuration of RDNSS addresses and a
DNS Search List in routers is out of scope for this document. DNS Search List in routers is out of scope for this document.
5. Neighbor Discovery Extension 5. Neighbor Discovery Extension
The IPv6 DNS configuration mechanism in this document needs two ND The IPv6 DNS configuration mechanism in this document needs two ND
skipping to change at page 7, line 14 skipping to change at page 7, line 7
addresses is equal to (Length - 1) / 2. addresses is equal to (Length - 1) / 2.
Note: The addresses for recursive DNS servers in the RDNSS option Note: The addresses for recursive DNS servers in the RDNSS option
MAY be link-local addresses. Such link-local addresses SHOULD be MAY be link-local addresses. Such link-local addresses SHOULD be
registered into the resolver repository along with the registered into the resolver repository along with the
corresponding link zone indices of the links that receive the corresponding link zone indices of the links that receive the
RDNSS option(s) for them. The link-local addresses MAY be RDNSS option(s) for them. The link-local addresses MAY be
represented in the resolver repository with their link zone represented in the resolver repository with their link zone
indices in the textual format for scoped addresses as described in indices in the textual format for scoped addresses as described in
[RFC4007]. When a resolver sends a DNS query message to an RDNSS [RFC4007]. When a resolver sends a DNS query message to an RDNSS
with a link-local address, it MUST use the corresponding link. identified by a link-local address, it MUST use the corresponding
link.
5.2. DNS Search List Option 5.2. DNS Search List Option
The DNSSL option contains one or more domain names of DNS suffixes. The DNSSL option contains one or more domain names of DNS suffixes.
All of the domain names share the same Lifetime value. If it is All of the domain names share the same Lifetime value. If it is
desirable to have different Lifetime values, multiple DNSSL options desirable to have different Lifetime values, multiple DNSSL options
can be used. Figure 2 shows the format of the DNSSL option. can be used. Figure 2 shows the format of the DNSSL option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 8, line 35 skipping to change at page 8, line 35
multiple including the domain name representations, multiple including the domain name representations,
the remaining octets other than the encoding parts of the remaining octets other than the encoding parts of
the domain name representations MUST be padded with the domain name representations MUST be padded with
zeros. zeros.
5.3. Procedure of DNS Configuration 5.3. Procedure of DNS Configuration
The procedure of DNS configuration through the RDNSS and DNSSL The procedure of DNS configuration through the RDNSS and DNSSL
options is the same as with any other ND option [RFC4861]. options is the same as with any other ND option [RFC4861].
5.3.1. Procedure in IPv6 Host 5.3.1. Procedure in IPv6 Hosts
When an IPv6 host receives DNS options (i.e., RDNSS option and DNSSL When an IPv6 host receives DNS options (i.e., RDNSS and DNSSL
option) through RA messages, it processes the options as follows: options) through RA messages, it processes the options as follows:
o The validity of DNS options is checked with the Length field; that o The validity of DNS options is checked with the Length field; that
is, the value of the Length field in the RDNSS option is greater is, the value of the Length field in the RDNSS option is greater
than or equal to the minimum value (3), and satisfies that (Length than or equal to the minimum value (3), and satisfies that (Length
- 1) % 2 == 0. The value of the Length field in the DNSSL option - 1) % 2 == 0. The value of the Length field in the DNSSL option
is greater than or equal to the minimum value (2). Also, the is greater than or equal to the minimum value (2). Also, the
validity of the RDNSS option is checked with the "Addresses of validity of the RDNSS option is checked with the "Addresses of
IPv6 Recursive DNS Servers" field; that is, the addresses should IPv6 Recursive DNS Servers" field; that is, the addresses should
be unicast addresses. be unicast addresses.
o If the DNS options are valid, the host SHOULD copy the values of o If the DNS options are valid, the host SHOULD copy the values of
the options into the DNS Repository and the Resolver Repository in the options into the DNS Repository and the Resolver Repository in
order. Otherwise, the host MUST discard the options. Refer to order. Otherwise, the host MUST discard the options. Refer to
Section 6 for the detailed procedure. Section 6 for the detailed procedure.
In the case where the DNS options of RDNSS and DNSSL can be obtained In the case where the DNS information of RDNSS and DNSSL can be
from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep obtained from multiple sources, such as RA and DHCP, the IPv6 host
some DNS options from all sources. Unless explicitly specified for SHOULD keep some DNS options from all sources. Unless explicitly
the discovery mechanism, the exact number of addresses and domain specified for the discovery mechanism, the exact number of addresses
names to keep is a matter of local policy and implementation choice and domain names to keep is a matter of local policy and
as a local configuration option. However, in the case of multiple implementation choice as a local configuration option. However, in
sources, the ability to store a total of at least three RDNSS the case of multiple sources, the ability to store a total of at
addresses (or DNSSL domain names) from the multiple sources is least three RDNSS addresses (or DNSSL domain names) from the multiple
RECOMMENDED. The DNS options from Router Advertisements and DHCP sources is RECOMMENDED. The DNS options from Router Advertisements
SHOULD be stored into the DNS Repository and Resolver Repository so and DHCP SHOULD be stored into the DNS Repository and Resolver
that information from DHCP appears there first and therefore takes Repository so that information from DHCP appears there first and
precedence. Thus, the DNS information from DHCP takes precedence therefore takes precedence. Thus, the DNS information from DHCP
over that from RA for DNS queries. On the other hand, for DNS takes precedence over that from RA for DNS queries. On the other
options announced by RA, if some RAs use the Secure Neighbor hand, for DNS options announced by RA, if some RAs use the Secure
Discovery (SEND) protocol [RFC3971] for RA security, they MUST be Neighbor Discovery (SEND) protocol [RFC3971] for RA security, they
preferred over those that do not use SEND. Refer to Section 7 for MUST be preferred over those that do not use SEND. Also, DNS options
the detailed discussion on SEND for RA DNS options. announced by RA via SEND MUST be preferred over those announced by
un-authenticated DHCP [RFC3118]. Refer to Section 7 for the detailed
discussion on SEND for DNS RA options.
5.3.2. Warnings for DNS Options Configuration 5.3.2. Warnings for DNS Options Configuration
There are two warnings for DNS options configuration: (i) warning for There are two warnings for DNS options configuration: (i) warning for
multiple sources of DNS options and (ii) warning for multiple network multiple sources of DNS options and (ii) warning for multiple network
interfaces. First, in the case of multiple sources for DNS options interfaces. First, in the case of multiple sources for DNS options
(e.g., RA and DHCP), an IPv6 host can configure its IP addresses from (e.g., RA and DHCP), an IPv6 host can configure its IP addresses from
these sources. In this case, it is not possible to control how the these sources. In this case, it is not possible to control how the
host uses DNS information and what source addresses it uses to send host uses DNS information and what source addresses it uses to send
DNS queries. As a result, configurations where different information DNS queries. As a result, configurations where different information
is provided by different sources may lead to problems. Therefore, is provided by different mechanisms for autoconfiguration may lead to
the network administrator needs to configure different DNS options in problems. Therefore, the network administrator needs to carefully
the multiple sources in order to minimize the impact of such problems configure different DNS options in the multiple mechanisms for
autoconfiguration in order to minimize the impact of such problems
[DHCPv6-SLAAC]. [DHCPv6-SLAAC].
Second, if different DNS information is provided on different network Second, if different DNS information is provided on different network
interfaces, this can lead to inconsistent behavior. The IETF worked interfaces, this can lead to inconsistent behavior. The IETF worked
on solving this problem for both DNS and other information obtained on solving this problem for both DNS and other information obtained
by multiple interfaces [RFC6418][RFC6419], and standardized the by multiple interfaces [RFC6418][RFC6419], and standardized the
solution for RDNSS selection for multi-interfaced nodes in [RFC6731], solution for RDNSS selection for multi-interfaced nodes in [RFC6731],
which is based on DHCP. which is based on DHCP.
6. Implementation Considerations 6. Implementation Considerations
The implementation considerations in this document include the The implementation considerations in this document include the
following three: (i) DNS repository management, (ii) synchronization following three: (i) DNS repository management, (ii) synchronization
between DNS server list and resolver repository, and (iii) between DNS server list and resolver repository, and (iii)
synchronization between DNS search list and resolver repository. synchronization between DNS search list and resolver repository.
6.1. DNS Repository Management 6.1. DNS Repository Management
For DNS repository management, the following two data structures For DNS repository management, the following two data structures
SHOULD be synchronized with each other: (i) DNS Server List that SHOULD be synchronized with the resolver repository: (i) DNS Server
keeps the list of RDNSS addresses and (ii) DNS Search List that keeps List that keeps the list of RDNSS addresses and (ii) DNS Search List
the list of DNS search domain names. Each entry in these two lists that keeps the list of DNS search domain names. Each entry in these
consists of a pair of an RDNSS address (or DNSSL domain name) and two lists consists of a pair of an RDNSS address (or DNSSL domain
Expiration-time as follows: name) and Expiration-time as follows:
o RDNSS address for DNS Server List: IPv6 address of the Recursive o RDNSS address for DNS Server List: IPv6 address of the Recursive
DNS Server, which is available for recursive DNS resolution DNS Server which is available for recursive DNS resolution service
service in the network advertising the RDNSS option. in the network advertising the RDNSS option.
o DNSSL domain name for DNS Search List: DNS suffix domain names, o DNSSL domain name for DNS Search List: DNS suffix domain name
which are used to perform DNS query searches for short, which is used to perform DNS query searches for short, unqualified
unqualified domain names for the RDNSS address, which is domain names.
advertised by the same RA message having the DNSSL option, in the
network advertising the DNSSL option.
o Expiration-time for DNS Server List or DNS Search List: The time o Expiration-time for DNS Server List or DNS Search List: The time
when this entry becomes invalid. Expiration-time is set to the when this entry becomes invalid. Expiration-time is set to the
value of the Lifetime field of the RDNSS option or DNSSL option value of the Lifetime field of the RDNSS option or DNSSL option
plus the current time. Whenever a new RDNSS option with the same plus the current time. Whenever a new RDNSS option with the same
address (or DNSSL option with the same domain name) is received on address (or DNSSL option with the same domain name) is received on
the same interface as a previous RDNSS option (or DNSSL option), the same interface as a previous RDNSS option (or DNSSL option),
this field is updated to have a new Expiration-time. When the this field is updated to have a new Expiration-time. When the
current time becomes larger than Expiration-time, this entry is current time becomes larger than Expiration-time, this entry is
regarded as expired. Note that the DNS information for the RDNSS regarded as expired. Note that the DNS information for the RDNSS
skipping to change at page 12, line 45 skipping to change at page 12, line 47
DNS information via the RA options cannot be worse than learning bad DNS information via the RA options cannot be worse than learning bad
router information via the RA options. Therefore, the vulnerability router information via the RA options. Therefore, the vulnerability
of ND is not worse and is a subset of the attacks that any node of ND is not worse and is a subset of the attacks that any node
attached to a LAN can do. attached to a LAN can do.
7.2. Recommendations 7.2. Recommendations
The Secure Neighbor Discovery (SEND) protocol [RFC3971] is designed The Secure Neighbor Discovery (SEND) protocol [RFC3971] is designed
as a security mechanism for ND. In this case, ND can use SEND to as a security mechanism for ND. In this case, ND can use SEND to
allow all the ND options including the RDNSS and DNSSL options to be allow all the ND options including the RDNSS and DNSSL options to be
automatically included in the signatures. Other approaches specified automatically signed with digital signatures.
in [RFC4861] can be used for securing the RA options for DNS
configuration.
It is common for network devices such as switches to include It is common for network devices such as switches to include
mechanisms to block unauthorized ports from running a DHCPv6 server mechanisms to block unauthorized ports from running a DHCPv6 server
to provide protection from rogue DHCPv6 servers [RFC7610]. That to provide protection from rogue DHCPv6 servers [RFC7610]. That
means that an attacker on other ports cannot insert bogus DNS servers means that an attacker on other ports cannot insert bogus DNS servers
using DHCPv6. The corresponding technique for network devices is using DHCPv6. The corresponding technique for network devices is
RECOMMENDED to block rogue Router Advertisement messages [RFC6104] RECOMMENDED to block rogue Router Advertisement messages [RFC6104]
including the RDNSS and DNSSL options from unauthorized nodes. including the RDNSS and DNSSL options from unauthorized nodes.
An attacker may provide a bogus DNS Search List option in order to An attacker may provide a bogus DNS Search List option in order to
skipping to change at page 13, line 33 skipping to change at page 13, line 33
Recursive DNS Server Option 25 Recursive DNS Server Option 25
The DNSSL option defined in this document uses the IPv6 Neighbor The DNSSL option defined in this document uses the IPv6 Neighbor
Discovery Option type defined in RFC 6106 [RFC6106], which was Discovery Option type defined in RFC 6106 [RFC6106], which was
assigned by the IANA as follows: assigned by the IANA as follows:
Option Name Type Option Name Type
DNS Search List Option 31 DNS Search List Option 31
These options have been registered in the "Internet Control Message These options have been registered in the "Internet Control Message
Protocol version 6 (ICMPv6) Parameters" registry (http:// Protocol version 6 (ICMPv6) Parameters" registry [ICMPv6].
www.iana.org/assignments/icmpv6-parameters/
icmpv6-parameters.xhtml#icmpv6-parameters-5).
9. Acknowledgements 9. Acknowledgements
This document has greatly benefited from inputs by Robert Hinden, This document has greatly benefited from inputs by Robert Hinden,
Pekka Savola, Iljitsch van Beijnum, Brian Haberman, Tim Chown, Erik Pekka Savola, Iljitsch van Beijnum, Brian Haberman, Tim Chown, Erik
Nordmark, Dan Wing, Jari Arkko, Ben Campbell, Vincent Roca, Tony Nordmark, Dan Wing, Jari Arkko, Ben Campbell, Vincent Roca, Tony
Cheneau, Fernando Gont, Jen Linkova, Ole Troan, Mark Smith, Tatuya Cheneau, Fernando Gont, Jen Linkova, Ole Troan, Mark Smith, Tatuya
Jinmei, Lorenzo Colitti, Tore Anderson, David Farmer, Bing Liu, and Jinmei, Lorenzo Colitti, Tore Anderson, David Farmer, Bing Liu, and
Tassos Chatzithomaoglou. The authors sincerely appreciate their Tassos Chatzithomaoglou. The authors sincerely appreciate their
contributions. contributions.
skipping to change at page 14, line 41 skipping to change at page 14, line 41
Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3736] Droms, R., "Stateless Dynamic Host Configuration [RFC3736] Droms, R., "Stateless Dynamic Host Configuration
Protocol (DHCP) Service for IPv6", RFC 3736, Protocol (DHCP) Service for IPv6", RFC 3736,
April 2004. April 2004.
[RFC3646] Droms, R., "DNS Configuration options for Dynamic [RFC3646] Droms, R., "DNS Configuration options for Dynamic
Host Configuration Protocol for IPv6 (DHCPv6)", Host Configuration Protocol for IPv6 (DHCPv6)",
RFC 3646, December 2003. RFC 3646, December 2003.
[RFC5006] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Option for DNS
Configuration", RFC 5006, September 2007.
[RFC6106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, [RFC6106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS "IPv6 Router Advertisement Options for DNS
Configuration", RFC 6106, November 2010. Configuration", RFC 6106, November 2010.
[RFC4339] Jeong, J., "IPv6 Host Configuration of DNS Server [RFC4339] Jeong, J., "IPv6 Host Configuration of DNS Server
Information Approaches", RFC 4339, February 2006. Information Approaches", RFC 4339, February 2006.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", RFC 3971, "SEcure Neighbor Discovery (SEND)", RFC 3971,
March 2005. March 2005.
[RFC3118] Droms, R. and W. Arbaugh, "", RFC 3118, June 2001.
[RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router
Advertisement Problem Statement", RFC 6104, Advertisement Problem Statement", RFC 6104,
February 2011. February 2011.
[RFC7610] Gont, F., Liu, W., and G. Van de Velde, "DHCPv6- [RFC7610] Gont, F., Liu, W., and G. Van de Velde, "DHCPv6-
Shield: Protecting against Rogue DHCPv6 Servers", Shield: Protecting against Rogue DHCPv6 Servers",
RFC 7610, August 2015. RFC 7610, August 2015.
[RFC1535] Gavron, E., "A Security Problem and Proposed [RFC1535] Gavron, E., "A Security Problem and Proposed
Correction With Widely Deployed DNS Software", Correction With Widely Deployed DNS Software",
skipping to change at page 15, line 40 skipping to change at page 15, line 38
Provisioning Domains Problem Statement", RFC 6418, Provisioning Domains Problem Statement", RFC 6418,
November 2011. November 2011.
[RFC6419] Wasserman, M. and P. Seite, "Current Practices for [RFC6419] Wasserman, M. and P. Seite, "Current Practices for
Multiple-Interface Hosts", RFC 6419, November 2011. Multiple-Interface Hosts", RFC 6419, November 2011.
[RFC6731] Savolainen, T., Kato, J., and T. Lemon, "Improved [RFC6731] Savolainen, T., Kato, J., and T. Lemon, "Improved
Recursive DNS Server Selection for Multi-Interfaced Recursive DNS Server Selection for Multi-Interfaced
Nodes", RFC 6731, December 2012. Nodes", RFC 6731, December 2012.
[ICMPv6] ICMPv6 Parameters Registry, http://www.iana.org/
assignments/icmpv6-parameters/icmpv6-parameters.
xhtml#icmpv6-parameters-5
Appendix A. Changes from RFC 6106 Appendix A. Changes from RFC 6106
The following changes were made from RFC 6106 "IPv6 Router The following changes were made from RFC 6106 "IPv6 Router
Advertisement Options for DNS Configuration": Advertisement Options for DNS Configuration":
o This document allows a higher default value of the lifetime of the
DNS RA options than RFC 6106 in order to avoid the frequent expiry
of the options on links with a relatively high rate of packet
loss, and also making additional clarifications. The lifetime's
lower bound of 2 * MaxRtrAdvInterval was shown to lead to the
expiry of these options on links with a relatively high rate of
packet loss. This revision relaxes the lower bound and sets a
higher default value of 3 * MaxRtrAdvInterval to avoid this
problem.
o The generation of Router Solicitation to ensure that the RDNSS o The generation of Router Solicitation to ensure that the RDNSS
information is fresh before the expiry of the RDNSS option is information is fresh before the expiry of the RDNSS option is
removed in order to prevent multicast traffic on the link from removed in order to prevent multicast traffic on the link from
increasing. increasing.
o The lifetime's upper bound of 2 * MaxRtrAdvInterval was shown to
lead to the expiry of these options on links with a relatively
high rate of packet loss. This revision relaxes the upper bound
and sets a higher default value to avoid this problem.
o The addresses for recursive DNS servers in the RDNSS option can be o The addresses for recursive DNS servers in the RDNSS option can be
not only global addresses, but also link-local addresses. The not only global addresses, but also link-local addresses. The
link-local addresses for RDNSSes should be registered into the link-local addresses for RDNSSes should be registered into the
resolver repository along with the corresponding link zone resolver repository along with the corresponding link zone
indices. indices.
o The recommendation that at most three RDNSS addresses to maintain o The recommendation that at most three RDNSS addresses to maintain
by RDNSS options should be limited is removed. By this removal, by RDNSS options should be limited is removed. By this removal,
the number of RDNSSes to maintain is up to an implementer's local the number of RDNSSes to maintain is up to an implementer's local
policy. policy.
 End of changes. 28 change blocks. 
84 lines changed or deleted 80 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/