--- 1/draft-ietf-ipsecme-split-dns-00.txt 2017-07-19 07:13:17.798848145 -0700 +++ 2/draft-ietf-ipsecme-split-dns-01.txt 2017-07-19 07:13:17.834849000 -0700 @@ -1,19 +1,19 @@ Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track P. Wouters -Expires: September 14, 2017 Red Hat - March 13, 2017 +Expires: January 20, 2018 Red Hat + July 19, 2017 Split DNS Configuration for IKEv2 - draft-ietf-ipsecme-split-dns-00 + draft-ietf-ipsecme-split-dns-01 Abstract This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains should be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non-public DNS servers is referred to as "Split DNS". @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 14, 2017. + This Internet-Draft will expire on January 20, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -53,21 +53,21 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 - 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 5 + 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 @@ -103,21 +103,21 @@ For the purposes of this document, DNS resolution servers accessible through an IPsec connection will be referred to as "internal DNS servers", and other DNS servers will be referred to as "external DNS servers". A client using these configuration payloads will be able to request and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA configuration attributes. The client device can use the internal DNS server(s) for any DNS queries within the assigned domains. DNS queries for other domains should be send to - its regular external DNS server. + regular external DNS server. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Background Split DNS is a common configuration for enterprise VPN deployments, @@ -136,88 +136,89 @@ In order to negotiate which domains are considered internal to an IKEv2 tunnel, initiators indicate support for Split DNS in their CFG_REQUEST payloads, and responders assign internal domains (and DNSSEC trust anchors) in their CFG_REPLY payloads. When Split DNS has been negotiated, the existing DNS server configuration attributes will be interpreted as internal DNS servers that can resolve hostnames within the internal domains. 3.1. Configuration Request - To indicate support for Split DNS, an initiator sends a CFG_REQUEST - payload MAY with one INTERNAL_DNS_DOMAIN attributes as defined in - Section 4. If an INTERNAL_DNS_DOMAIN attribute is included in the - CFG_REQUEST, the initiator SHOULD also include one or more - INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in its CFG_REQUEST. + To indicate support for Split DNS, an initiator includes one more + more INTERNAL_DNS_DOMAIN attributes as defined in Section 4 as part + of the CFG_REQUEST payload. If an INTERNAL_DNS_DOMAIN attribute is + included in the CFG_REQUEST, the initiator SHOULD also include one or + more INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the + CFG_REQUEST. - The length of the INTERNAL_DNS_DOMAIN attribute sent by the initiator - is zero. + The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually + empty but MAY contain a suggested domain name. The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST payload indicates that the initiator does not support or is unwilling to accept Split DNS configuration. - To indicate support for DNSSEC, an initiator sending a CFG_REQUEST - payload MAY include one INTERNAL_DNS_TA attributes as defined in - Section 4. + To indicate support for DNSSEC, an initiator includes one or more + INTERNAL_DNS_TA attributes as defined in Section 4 as part of the + CFG_REQUEST payload. If an INTERNAL_DNS_TA attriute is included in + the CFG_REQUEST, the initiator SHOULD also include one or more + INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. An initiator MAY convey its current DNSSEC trust anchors for the domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does not wish to convey this information, it MUST use a length of 0. The absence of INTERNAL_DNS_TA attributes in the CFG_REQUEST payload indicates that the initiator does not support or is unwilling to accept DNSSEC trust anchor configuration. 3.2. Configuration Reply Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in - their CFG_REPLY payload if the CFG_REQUEST contained at least one - INTERNAL_DNS_DOMAIN attribute. If the CFG_REQUEST did not contain an - INTERNAL_DNS_DOMAIN attribute, the responder MUST NOT include an - INTERNAL_DNS_DOMAIN attribute in the CFG_REPLY. If an - INTERNAL_DNS_DOMAIN attribute is included in the CFG_REPLY, the - responder SHOULD also include one or both of the INTERNAL_IP4_DNS and - INTERNAL_IP6_DNS attributes in its CFG_REPLY. These DNS server - configurations are necessary to define which servers should receive - queries for hostnames in internal domains. If the CFG_REQUEST - included an INTERNAL_DNS_DOMAIN attribute, but the CFG_REPLY does not - include an INTERNAL_DNS_DOMAIN attribute, the initiator should behave - as if Split DNS configurations are not supported by the server. + their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is + included in the CFG_REPLY, the responder MUST also include one or + both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the + CFG_REPLY. These DNS server configurations are necessary to define + which servers should receive queries for hostnames in internal + domains. If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN + attribute, but the CFG_REPLY does not include an INTERNAL_DNS_DOMAIN + attribute, the initiator should behave as if Split DNS configurations + are not supported by the server. Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- - zero lengths, the content MUST be ignored. + zero lengths, the content MAY be ignored or be interpreted as a + suggestion by the responder. For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, one or more INTERNAL_DNSSEC_TA attributes MAY be included by the - responder. This attribute lists the corresponding DSSNEC trust - anchor in the DNS wire format of a DS record as specified in + responder. This attribute lists the corresponding internal DNSSEC + trust anchor in the DNS wire format of a DS record as specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies to. 3.3. Mapping DNS Servers to Domains All DNS servers provided in the CFG_REPLY MUST support resolving hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a single list of Split DNS domains that applies to the entire list of INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 3.4. Example Exchanges 3.4.1. Simple Case In this example exchange, the initiator requests INTERNAL_IP4_DNS and - INTERNAL_DNS_DOMAIN attributes in its CFG_REQUEST, but does not + INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not specify any value for either. This indicates that it supports Split DNS, but has no preference for which DNS requests should be routed through the tunnel. The responder replies with two DNS server addresses, and two internal domains, "example.com" and "city.other.com". Any subsequent DNS queries from the initiator for domains such as "www.example.com" should use 198.51.100.2 or 198.51.100.4 to resolve. @@ -229,22 +230,23 @@ CP(CFG_REPLY) = INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(city.other.com) 3.4.2. Requesting Domains and DNSSEC trust anchors In this example exchange, the initiator requests INTERNAL_IP4_DNS, - INTERNAL_DNS_DOMAIN and INTERNAL_DNS_TA attributess in its + INTERNAL_DNS_DOMAIN and INTERNAL_DNS_TA attributess in the CFG_REQUEST + Any subsequent DNS queries from the initiator for domains such as "www.example.com" or "city.other.com" would be DNSSEC validated using the DNSSEC trust anchor received in the CFG_REPLY In this example, the initiator has no existing DNSSEC trust anchors would the requested domain. the "example.com" dommain has DNSSEC trust anchors that are returned, while the "other.com" domain has no DNSSEC trust anchors CP(CFG_REQUEST) = @@ -276,24 +278,21 @@ | | +---------------------------------------------------------------+ o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. o Length (2 octets, unsigned integer) - Length of domain name. o Domain Name (0 or more octets) - A domain or subdomain used for - Split DNS rules, such as example.com. This is a string of ASCII - characters with labels separated by dots, with no trailing dot, - using IDNA [RFC5890] for non-ASCII DNS domains. The value is NOT - null-terminated. + Split DNS rules, such as example.com in DNS wire format. 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+---------------+---------------+ | Key Tag | Algorithm | Digest Type | +-------------------------------+---------------+---------------+ @@ -311,22 +310,22 @@ o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as specified in [RFC4034] Section 5.1 o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security Algorithm Numbers Registry o DS algorithm (0 or 1 octet) - Value from the IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Registry - o Digest (0 or more octets) - The raw digest as specified in - [RFC4034] Section 5.1 + o Digest (0 or more octets) - The digest as specified in [RFC4034] + Section 5.1 in wire format. 5. Split DNS Usage Guidelines If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS servers as the default DNS server(s) for all queries. If a client is configured by local policy to only accept a limited number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other INTERNAL_DNS_DOMAIN values. @@ -334,22 +333,21 @@ For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not prohibited by local policy, the client MUST use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only resolvers for the listed domains and its sub-domains and it MUST NOT attempt to resolve the provided DNS domains using its external DNS servers. If the initiator host is configured to block DNS answers containing IP addresses from special IP address ranges such as those of [RFC1918], the initiator SHOULD allow the DNS domains listed in the - INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses - that are covered by the Child SA's. + INTERNAL_DNS_DOMAIN attributes to contain those Special IP addresses. If a CFG_REPLY contains one or more INTERNAL_DNS_DOMAIN attributes and its local policy does not forbid these values, the client MUST configure its DNS resolver to resolve those domains and all their subdomains using only the DNS resolver(s) listed in that CFG_REPLY message. If those resolvers fail, those names MUST NOT be resolved using any other DNS resolvers. Other domain names SHOULD be resolved using some other external DNS resolver(s), configured independently from IKE. Queries for these other domains MAY be sent to the internal DNS resolver(s) listed in that CFG_REPLY message, but have @@ -358,21 +356,21 @@ "example.com", "www.example.com" and "mail.eng.example.com" MUST be resolved using the internal DNS resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be resolved using the internal resolver and SHOULD use the system's external DNS resolver(s). An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing domains that are designated Special Use Domain Names in [RFC6761], such as "local", "localhost", "invalid", etc. Although it may explicitly wish to support some Special Use Domain Names. - When an IPsec connection is terminated, the DNS forwarding must be + When an IKE SA is terminated, the DNS forwarding must be unconfigured. The DNS forwarding itself MUST be be deleted. All cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be flushed. This includes negative cache entries. Obtained DNSSEC trust anchors MUST be removed from the list of trust anchors. The outstanding DNS request queue MUST be cleared. INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be used on split tunnel configurations where only a subset of traffic is routed into a private remote network using the IPsec connection. If all traffic is routed over the IPsec connection, the existing global