draft-ietf-dprive-unauth-to-authoritative-01.txt   draft-ietf-dprive-unauth-to-authoritative-02.txt 
Network Working Group                                         P. Hoffman
Internet-Draft                                                     ICANN
Intended status: Experimental                                P. van Dijk
Expires: 20 November 2021 (-01) / 18 December 2021 (-02)        PowerDNS
                                     19 May 2021 (-01) / 16 June 2021 (-02)

     Recursive to Authoritative DNS with Unauthenticated Encryption
              draft-ietf-dprive-unauth-to-authoritative-01 (-01)
              draft-ietf-dprive-unauth-to-authoritative-02 (-02)
Abstract

   This document describes a use case and a method for a DNS recursive
   resolver to use unauthenticated encryption when communicating with
   authoritative servers.  The motivating use case for this method is
   that more encryption on the Internet is better, and some resolver
   operators believe that unauthenticated encryption is better than no
   encryption at all.  The method described here is optional for both
   the recursive resolver and the authoritative server.  This method

   [skipping to change at page 1, line 39]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 November 2021 (-01) /
   18 December 2021 (-02).
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

   [skipping to change at page 2, line 19]
Table of Contents

   1.  Introduction
     1.1.  Use Case for Unauthenticated Encryption
     1.2.  Summary of Protocol
     1.3.  Definitions
   2.  Discovering Whether an Authoritative Server Uses Encryption
   3.  Resolving with Encryption
     3.1.  Resolver Session Failures
   4.  Serving with Encryption
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses
1.  Introduction

   A recursive resolver using traditional DNS over port 53 may wish

   [skipping to change at page 4, line 41]
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [MUSTSHOULD1] [MUSTSHOULD2] when, and only when, they appear in
   all capitals, as shown here.
2.  Discovering Whether an Authoritative Server Uses Encryption

   -01:
   A recursive resolver discovers whether an authoritative server
   supports DNS with encryption by using the discovery mechanism
   described in [COMMON].  A resolver MAY also use port probing,
   although the mechanism for that is not described here.

   -02:
   A recursive resolver discovers whether an authoritative server
   supports DNS with encryption by using the discovery mechanism
   described in Section 2.1 of [COMMON].  A resolver MAY also use port
   probing, although the mechanism for that is not described here.

   -01:
   If the cache has no positive or negative answers for any SVCB record
   for any of a zone's authoritative servers, the resolver MAY send
   queries for the SVCB records for some or all of the zone's
   authoritative servers and wait for a positive response so that the
   resolver can use DNS with encryption for the original query.  In this
   situation, the resolver MAY instead just use classic DNS for the
   original query but simultaneously queue queries for the SVCB records
   for some or all of the zone's authoritative servers so that future
   queries might be able to use DNS with encryption.

   -02:
   If the cache has no positive or negative answers for any SVCB record
   for any of a zone's authoritative servers, the resolver MAY send
   queries for the SVCB records (and for the A/AAAA records of names
   mentioned in those SVCB records) for some or all of the zone's
   authoritative servers and wait for a positive response so that the
   resolver can use DNS with encryption for the original query.  In this
   situation, the resolver MAY instead just use classic DNS for the
   original query but simultaneously queue queries for the SVCB (and
   subsequent A/AAAA) records for some or all of the zone's
   authoritative servers so that future queries might be able to use DNS
   with encryption.

   DNSSEC validation of SVCB RRsets used strictly for this discovery
   mechanism is not mandated.
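As an added illustration that is not part of the draft or of any implementation it cites, the Python below models the Section 2 cache decision for a resolver: a cached positive SVCB answer lets the query use encryption, only cached negative answers mean classic DNS, and with nothing cached the resolver either waits for the SVCB answers (plus, per the -02 text, the A/AAAA of the names they mention) or answers over classic DNS now and queues those queries for later. The `_dns` owner label follows [DNS-SVCB]; the cache layout and the dict form of an SVCB record are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Cached(Enum):
    POSITIVE = "positive"   # SVCB RRset is in the cache
    NEGATIVE = "negative"   # NODATA/NXDOMAIN for the SVCB query is in the cache
    ABSENT = "absent"       # nothing cached either way

@dataclass
class Cache:
    # Constructed cache: (owner name, RR type) -> RRset; negative answer = None.
    entries: dict = field(default_factory=dict)

    def lookup(self, name, rrtype):
        if (name, rrtype) not in self.entries:
            return Cached.ABSENT, None
        data = self.entries[(name, rrtype)]
        return (Cached.NEGATIVE, None) if data is None else (Cached.POSITIVE, data)

def svcb_owner(ns):
    # [DNS-SVCB] publishes a DNS server's SVCB record under the "_dns" label.
    return "_dns." + ns

def plan_query(cache, nameservers, wait_for_discovery):
    """Decide how to send one query to a zone served by `nameservers`.
    Returns (transport, target, follow_ups); follow_ups are the SVCB queries
    that Section 2 lets the resolver wait for or queue."""
    states = {ns: cache.lookup(svcb_owner(ns), "SVCB") for ns in nameservers}
    for ns, (state, _rrset) in states.items():
        if state is Cached.POSITIVE:       # SVCB known: use encrypted transport
            return "encrypted", ns, []     # (RRset itself is processed per [COMMON])
    if all(state is Cached.NEGATIVE for state, _ in states.values()):
        return "classic", nameservers[0], []   # nothing left to discover
    # Servers with neither a positive nor a negative answer get SVCB queries.
    # The draft text covers a fully empty cache; a partly populated cache is
    # treated the same way here (modelling choice, not from the draft).
    follow_ups = [(svcb_owner(ns), "SVCB")
                  for ns, (state, _) in states.items() if state is Cached.ABSENT]
    if wait_for_discovery:                 # first MAY: wait for a positive SVCB
        return "pending", None, follow_ups
    return "classic", nameservers[0], follow_ups   # second MAY: answer now, queue

def on_svcb_answer(cache, owner, rrset):
    """Cache an SVCB answer (None = negative) and return the A/AAAA queries for
    each TargetName, which the -02 text adds to the discovery step."""
    cache.entries[(owner, "SVCB")] = rrset
    return [(rr["target"], t) for rr in rrset or [] for t in ("A", "AAAA")]
```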
3.  Resolving with Encryption

   A resolver following this protocol processes the discovery response
   using the processing mechanism described in [COMMON].

   A resolver following this protocol does not need to authenticate TLS

   [skipping to change at page 6, line 30 (-01) / line 39 (-02)]
   The DPRIVE Working Group has contributed many ideas that keep
   shifting the focus and content of this document.

8.  References

8.1.  Normative References

   [COMMON]   Dijk, P. V. and P. Hoffman, "Common Features for Encrypted
              Recursive to Authoritative DNS", Work in Progress,
              Internet-Draft,
              -01: draft-pp-dprive-common-features-00, 2 May 2021,
              <https://www.ietf.org/archive/id/draft-pp-dprive-common-features-00.txt>;
              -02: draft-pp-dprive-common-features-01, 19 May 2021,
              <https://www.ietf.org/archive/id/draft-pp-dprive-common-features-01.txt>.

   [DNS-SVCB] Schwartz, B., "Service Binding Mapping for DNS Servers",
              Work in Progress, Internet-Draft, draft-schwartz-svcb-dns-03,
              19 April 2021,
              <https://www.ietf.org/archive/id/draft-schwartz-svcb-dns-03.txt>.

   [DNS-TERM] Hoffman, P. and K. Fujiwara, "DNS Terminology", Work in
              Progress, Internet-Draft, draft-ietf-dnsop-rfc8499bis-01,
              20 November 2020,
              <https://www.ietf.org/archive/id/draft-ietf-dnsop-rfc8499bis-01.txt>.
   [skipping to change at page 7, line 23 (-01) / line 31 (-02)]
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [OPPORTUN] Dukhovni, V., "Opportunistic Security: Some Protection
              Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
              December 2014, <https://www.rfc-editor.org/info/rfc7435>.

   [SVCB]     Schwartz, B., Bishop, M., and E. Nygren, "Service binding
              and parameter specification via the DNS (DNS SVCB and
              HTTPS RRs)", Work in Progress, Internet-Draft,
              -01: draft-ietf-dnsop-svcb-https-05, 21 April 2021,
              <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-05.txt>;
              -02: draft-ietf-dnsop-svcb-https-06, 16 June 2021,
              <https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-06.txt>.

8.2.  Informative References

   [DNSOHTTPS]
              Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [DNSOQUIC] Huitema, C., Mankin, A., and S. Dickinson, "Specification
              of DNS over Dedicated QUIC Connections", Work in Progress,
End of changes.  11 change blocks.  16 lines changed or deleted, 18 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/