RFC 9462 | DDR | November 2023
Pauly, et al. | Standards Track
This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known.
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9462.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
When DNS clients wish to use encrypted DNS protocols such as DNS over TLS (DoT) [RFC7858], DNS over QUIC (DoQ) [RFC9250], or DNS over HTTPS (DoH) [RFC8484], they can require additional information beyond the IP address of the DNS server, such as the resolver's hostname, alternate IP addresses, non-standard ports, or URI Templates. However, common configuration mechanisms only provide the resolver's IP address during configuration. Such mechanisms include network provisioning protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) options [RFC8106], as well as manual configuration.
This document defines two mechanisms for clients to discover Designated Resolvers that support these encrypted protocols using DNS server Service Binding (SVCB) records [RFC9460]:
Both of these approaches allow clients to confirm that a discovered Encrypted DNS Resolver is designated by the originally provisioned resolver. "Designated" in this context means that the resolvers are operated by the same entity or cooperating entities; for example, the resolvers are accessible on the same IP address, or there is a certificate that contains the IP address for the original designating resolver.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This document defines the following terms:
DDR: Discovery of Designated Resolvers. "DDR" refers to the mechanisms defined in this document.
Designated Resolver: A resolver, presumably an Encrypted DNS Resolver, designated by another resolver for use in its own place. This designation can be verified with TLS certificates.
Encrypted DNS Resolver: A DNS resolver using any encrypted DNS transport. This includes current mechanisms such as DoH, DoT, and DoQ, as well as future mechanisms.
Unencrypted DNS Resolver: A DNS resolver using a transport without encryption, historically TCP or UDP port 53.
DNS resolvers can advertise one or more Designated Resolvers that may offer support over encrypted channels and are controlled by the same entity.
When a client discovers Designated Resolvers, it learns information such as the supported protocols and ports. This information is provided in ServiceMode SVCB records for DNS servers, although AliasMode SVCB records can be used to direct clients to the needed ServiceMode SVCB record per [RFC9460]. The formatting of these records, including the DNS-unique parameters such as "dohpath", are defined by [RFC9461].
The following is an example of a SVCB record describing a DoH server discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 example.net. ( alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of a SVCB record describing a DoT server discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 dot.example.net ( alpn=dot port=8530 )
The following is an example of a SVCB record describing a DoQ server discovered by querying for _dns.example.net:
_dns.example.net. 7200 IN SVCB 1 doq.example.net ( alpn=doq port=8530 )
If multiple Designated Resolvers are available, using one or more encrypted DNS protocols, the resolver deployment can indicate a preference using the priority fields in each SVCB record [RFC9460].
If the client encounters a mandatory parameter in a SVCB record it does not understand, it MUST NOT use that record to discover a Designated Resolver, in accordance with Section 8 of [RFC9460]. The client can still use other records in the same response if the client can understand all of their mandatory parameters. This allows future encrypted deployments to simultaneously support protocols even if a given client is not aware of all those protocols. For example, if the Unencrypted DNS Resolver returns three SVCB records -- one for DoH, one for DoT, and one for a yet-to-exist protocol -- a client that only supports DoH and DoT should be able to use those records while safely ignoring the third record.
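As an added example (not part of the RFC), the following Python sketches the client-side handling that this paragraph and the priority rule above describe: parse the SVCB answers, drop any record whose "mandatory" list names a SvcParamKey the client does not implement or whose ALPN set it cannot speak, and order the rest by SvcPriority. The UNDERSTOOD_KEYS and SUPPORTED_ALPNS sets, the sample answers and the private-use key65444 are constructed for illustration.

```python
"""Client-side selection of DDR SVCB records.

Added example (not RFC text): parses SVCB records in presentation format,
drops any record whose "mandatory" list names a SvcParamKey this client does
not implement (Section 8 of RFC 9460) or whose ALPN set it cannot speak, and
orders the remaining records by SvcPriority. UNDERSTOOD_KEYS and SUPPORTED_ALPNS
describe a hypothetical client; AliasMode records (priority 0) are not chased.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# SvcParamKeys this hypothetical client implements (RFC 9460 / RFC 9461 names).
UNDERSTOOD_KEYS = {"mandatory", "alpn", "port", "dohpath", "ipv4hint", "ipv6hint"}
# Encrypted transports this hypothetical client can speak.
SUPPORTED_ALPNS = {"h2", "dot", "doq"}


@dataclass
class SvcbRecord:
    owner: str
    ttl: int
    priority: int           # 0 = AliasMode, >0 = ServiceMode
    target: str
    params: dict[str, str] = field(default_factory=dict)


def parse_svcb(line: str) -> SvcbRecord:
    """Parse one SVCB RR in presentation format; the ( ) grouping is optional."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 6 or tokens[2:4] != ["IN", "SVCB"]:
        raise ValueError(f"not a SVCB record: {line!r}")
    owner, ttl, _cls, _type, prio, target, *svcparams = tokens
    params: dict[str, str] = {}
    for token in svcparams:
        key, _, value = token.partition("=")   # value is "" for flag-only keys
        params[key] = value
    return SvcbRecord(owner, int(ttl), int(prio), target, params)


def reject_reason(rr: SvcbRecord) -> Optional[str]:
    """Return why this client must ignore the record, or None if it is usable."""
    if rr.priority == 0:
        return "AliasMode record; this client does not follow aliases"
    mandatory = [k for k in rr.params.get("mandatory", "").split(",") if k]
    for key in mandatory:
        if key not in UNDERSTOOD_KEYS:
            # Section 8 of RFC 9460: an unknown mandatory key makes this record
            # unusable, but the other records in the response stay usable.
            return f"mandatory key {key!r} not understood"
        if key not in rr.params:
            return f"mandatory key {key!r} missing from record"
    alpns = {a for a in rr.params.get("alpn", "").split(",") if a}
    if not alpns & SUPPORTED_ALPNS:
        return f"no supported protocol in alpn={sorted(alpns)}"
    return None


def select_designated(answers: list[str]) -> list[SvcbRecord]:
    """Usable ServiceMode records, most preferred (lowest SvcPriority) first."""
    usable = [rr for rr in map(parse_svcb, answers) if reject_reason(rr) is None]
    return sorted(usable, key=lambda rr: rr.priority)


# Constructed response to a _dns.resolver.arpa SVCB query: DoH, DoT, and a
# record for a protocol this client does not know (the three-record case in
# the text). "key65444" is a hypothetical private-use SvcParamKey.
SAMPLE_ANSWERS = [
    "_dns.resolver.arpa. 7200 IN SVCB 2 dot.example.net ( alpn=dot port=8530 )",
    "_dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net ( alpn=h2 dohpath=/dns-query{?dns} )",
    "_dns.resolver.arpa. 7200 IN SVCB 3 new.example.net ( mandatory=alpn,key65444 alpn=newproto key65444=1 )",
]

if __name__ == "__main__":
    for rr in map(parse_svcb, SAMPLE_ANSWERS):
        print(rr.target, reject_reason(rr) or "usable")
    print([rr.target for rr in select_designated(SAMPLE_ANSWERS)])
```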
To avoid name lookup deadlock, clients that use Designated Resolvers need to ensure that a specific Encrypted DNS Resolver is not used for any queries that are needed to resolve the name of the resolver itself or to perform certificate revocation checks for the resolver, as described in Section 10 of [RFC8484]. Designated Resolvers need to ensure that this deadlock is avoidable, as also described in Section 10 of [RFC8484].
This document focuses on discovering DoH, DoT, and DoQ Designated Resolvers. Other protocols can also use the format defined by [RFC9461]. However, if any such protocol does not involve some form of certificate validation, new validation mechanisms will need to be defined to support validating designation as defined in Section 4.2.
When a DNS client is configured with an Unencrypted DNS Resolver IP address, it SHOULD query the resolver for SVCB records of a service with a scheme of "dns" and an authority of "resolver.arpa" before making other queries. This allows the client to switch to using encrypted DNS for all other queries, if possible. Specifically, the client issues a query for _dns.resolver.arpa. with the SVCB resource record type (64) [RFC9460].
Responses to the SVCB query for the "resolver.arpa" SUDN describe Designated Resolvers. To ensure that different Designated Resolver configurations can be correctly distinguished and associated with A and AAAA records for the resolver, ServiceMode SVCB responses to these queries MUST NOT use the "." or "resolver.arpa" value for the TargetName. Similarly, clients MUST NOT perform A or AAAA queries for "resolver.arpa".
The following is an example of a SVCB record describing a DoH server discovered by querying for _dns.resolver.arpa.:
_dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net ( alpn=h2 dohpath=/dns-query{?dns} )
The following is an example of a SVCB record describing a DoT server discovered by querying for _dns.resolver.arpa.:
_dns.resolver.arpa. 7200 IN SVCB 1 dot.example.net ( alpn=dot port=8530 )
The following is an example of a SVCB record describing a DoQ server discovered by querying for _dns.resolver.arpa.:
_dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( alpn=doq port=8530 )
If the recursive resolver that receives this query has one or more Designated Resolvers, it will return the corresponding SVCB records. When responding to these special queries for "resolver.arpa", the recursive resolver SHOULD include the A and AAAA records for the name of the Designated Resolver in the Additional Answers section. This will save the DNS client an additional round trip to retrieve the address of the Designated Resolver; see Section 5 of [RFC9460].
Designated Resolvers SHOULD be accessible using the IP address families that are supported by their associated Unencrypted DNS Resolvers. If an Unencrypted DNS Resolver is accessible using an IPv4 address, it ought to provide an A record for an IPv4 address of the Designated Resolver; similarly, if it is accessible using an IPv6 address, it ought to provide a AAAA record for an IPv6 address of the Designated Resolver. The Designated Resolver MAY support more address families than the Unencrypted DNS Resolver, but it SHOULD NOT support fewer. If this is not done, clients that only have connectivity over one address family might not be able to access the Designated Resolver.
If the recursive resolver that receives this query has no Designated Resolvers, it SHOULD return NODATA for queries to the "resolver.arpa" zone, to provide a consistent and accurate signal to clients that it does not have a Designated Resolver.
When a client discovers Designated Resolvers from an Unencrypted DNS Resolver IP address, it can choose to use these Designated Resolvers either (1) automatically or (2) based on some other policy, heuristic, or user choice.
This document defines two preferred methods for automatically using Designated Resolvers:
A client MAY additionally use a discovered Designated Resolver without either of these methods, based on implementation-specific policy or user input. Details of such policy are out of scope for this document. Clients MUST NOT automatically use a Designated Resolver without some sort of validation, such as the two methods defined in this document or a future mechanism. Use without validation can allow an attacker to direct traffic to an Encrypted DNS Resolver that is unrelated to the original Unencrypted DNS Resolver, as described in Section 7.
A client MUST NOT reuse a designation discovered using the IP address of one Unencrypted DNS Resolver in place of any other Unencrypted DNS Resolver. Instead, the client needs to repeat the discovery process to discover the Designated Resolver of the other Unencrypted DNS Resolver. In other words, designations are per-resolver and MUST NOT be used to configure the client's universal DNS behavior. This ensures in all cases that queries are being sent to a party designated by the resolver originally being used.
If a client is configured with the same Unencrypted DNS Resolver IP address on multiple different networks, a Designated Resolver that has been discovered on one network SHOULD NOT be reused on any of the other networks without repeating the discovery process for each network, since the same IP address may be used for different servers on the different networks.
Verified Discovery is a mechanism that allows the automatic use of a Designated Resolver that supports DNS encryption that performs a TLS handshake.
In order to be considered a verified Designated Resolver, the TLS certificate presented by the Designated Resolver needs to pass the following checks made by the client:
If these checks pass, the client SHOULD use the discovered Designated Resolver for any cases in which it would have otherwise used the Unencrypted DNS Resolver, so as to prefer encrypted DNS whenever possible.
If these checks fail, the client MUST NOT automatically use the discovered Designated Resolver if this designation was only discovered via a _dns.resolver.arpa. query (if the designation was advertised directly by the network as described in Section 6.5, the server can still be used). Additionally, the client SHOULD suppress any further queries for Designated Resolvers using this Unencrypted DNS Resolver for the length of time indicated by the SVCB record's Time to Live (TTL) in order to avoid excessive queries that will lead to further failed validations. The client MAY issue new queries if the SVCB record's TTL is excessively long (as determined by client policy) to minimize the length of time an intermittent attacker can prevent the use of encrypted DNS.
If the Designated Resolver and the Unencrypted DNS Resolver share an IP address, clients MAY choose to opportunistically use the Designated Resolver even without this certificate check (Section 4.3). If the IP address is not shared, opportunistic use allows for attackers to redirect queries to an unrelated Encrypted DNS Resolver, as described in Section 7.
Connections to a Designated Resolver can use a different IP address than the IP address of the Unencrypted DNS Resolver -- for example, if the process of resolving the SVCB service yields additional addresses. Even when a different IP address is used for the connection, the TLS certificate checks described in this section still apply for the original IP address of the Unencrypted DNS Resolver.
There are situations where Verified Discovery of encrypted DNS configuration over unencrypted DNS is not possible. For example, the identities of Unencrypted DNS Resolvers on private IP addresses [RFC1918], Unique Local Addresses (ULAs) [RFC4193], and Link-Local addresses [RFC3927] [RFC4291] cannot be safely confirmed using TLS certificates under most conditions.
An opportunistic privacy profile is defined for DoT in Section 4.1 of [RFC7858] as a mode in which clients do not validate the name of the resolver presented in the certificate. This opportunistic privacy profile similarly applies to DoQ [RFC9250]. For this profile, Section 4.1 of [RFC7858] explains that clients might or might not validate the resolver; however, even if clients choose to perform some certificate validation checks, they will not be able to validate the names presented in the SubjectAltName (SAN) field of the certificate for private and local IP addresses.
A client MAY use information from the SVCB record for _dns.resolver.arpa. with this opportunistic privacy profile as long as the IP address of the Encrypted DNS Resolver does not differ from the IP address of the Unencrypted DNS Resolver. Clients SHOULD use this mode only for resolvers using private or local IP addresses, since resolvers that use other addresses are able to provision TLS certificates for their addresses.
A DNS client that already knows the name of an Encrypted DNS Resolver can use DDR to discover details about all supported encrypted DNS protocols. This situation can arise if a client has been configured to use a given Encrypted DNS Resolver, or if a network provisioning protocol (such as DHCP or IPv6 RAs) provides a name for an Encrypted DNS Resolver alongside the resolver IP address, such as by using Discovery of Network-designated Resolvers (DNR) [RFC9463].
For these cases, the client simply sends a DNS SVCB query using the known name of the resolver. This query can be issued to the named Encrypted DNS Resolver itself or to any other resolver. Unlike the case of bootstrapping from an Unencrypted DNS Resolver (Section 4), these records SHOULD be available in the public DNS if the same domain name's A or AAAA records are available in the public DNS to allow using any resolver to discover another resolver's Designated Resolvers. When the name can only be resolved in private namespaces, these records SHOULD be available to the same audience as the A and AAAA records.
For example, if the client already knows about a DoT server resolver.example.com, it can issue a SVCB query for _dns.resolver.example.com to discover if there are other encrypted DNS protocols available. In the following example, the SVCB answers indicate that resolver.example.com supports both DoH and DoT and that the DoH server indicates a higher priority than the DoT server.
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( alpn=h2 dohpath=/dns-query{?dns} )
_dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( alpn=dot )
Clients MUST validate that for any Encrypted DNS Resolver discovered using a known resolver name, the TLS certificate of the resolver contains the known name in a subjectAltName extension. In the example above, this means that both servers need to have certificates that cover the name resolver.example.com. Often, the various supported encrypted DNS protocols will be specified such that the SVCB TargetName matches the known name, as is true in the example above. However, even when the TargetName is different (for example, if the DoH server had a TargetName of doh.example.com), the clients still check for the original known resolver name in the certificate.
Note that this resolver validation is not related to the DNS resolver that provided the SVCB answer.
As another example, being able to discover a Designated Resolver for a known Encrypted DNS Resolver is useful when a client has a DoT configuration for foo.resolver.example.com but is on a network that blocks DoT traffic. The client can still send a query to any other accessible resolver (either the local network resolver or an accessible DoH server) to discover if there is a designated DoH server for foo.resolver.example.com.
Resolver deployments that support DDR are advised to consider the following points.
A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or any subdomains) upstream. This prevents a client from receiving a SVCB record that will fail to authenticate because the forwarder's IP address is not in the SubjectAltName (SAN) field of the upstream resolver's Designated Resolver's TLS certificate. A DNS forwarder that already acts as a completely transparent forwarder MAY choose to forward these queries when the operator expects that this does not apply, because the operator either knows that the upstream resolver does have the forwarder's IP address in its TLS certificate's SAN field or expects clients to validate the connection via some future mechanism.
Operators who choose to forward queries for "resolver.arpa" upstream should note that client behavior is never guaranteed and that the use of DDR by a resolver does not communicate a requirement for clients to use the SVCB record when it cannot be verified.
Resolver owners that support Verified Discovery will need to list valid referring IP addresses in their TLS certificates. This may pose challenges for resolvers with a large number of referring IP addresses.
Clients MUST NOT use "resolver.arpa" as the server name in either (1) the TLS Server Name Indication (SNI) [RFC8446] for DoT, DoQ, or DoH connections or (2) the URI host for DoH requests.
When performing discovery using resolver IP addresses, clients MUST use the original IP address of the Unencrypted DNS Resolver as the URI host for DoH requests.
Note that since IP addresses are not supported by default in the TLS SNI, resolvers that support discovery using IP addresses will need to be configured to present the appropriate TLS certificate when no SNI is present for DoT, DoQ, and DoH.
DNS resolvers that support DDR by responding to queries for _dns.resolver.arpa. MUST treat resolver.arpa as a locally served zone per [RFC6303]. In practice, this means that resolvers SHOULD respond to queries of any type other than SVCB for _dns.resolver.arpa. with NODATA and queries of any type for any domain name under resolver.arpa with NODATA.
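As an added example (not RFC text), this Python models the resolver-side behaviour of Sections 4.1 and 6.5: serve _dns.resolver.arpa SVCB answers from local configuration with A/AAAA glue in the Additional section, answer everything else under resolver.arpa with NODATA, never forward the zone, and refuse "." or "resolver.arpa" as a TargetName. Designated, Response, handle_query and the configuration values are constructed; a real server would build wire-format messages rather than presentation-format strings.

```python
"""Resolver-side handling of the "resolver.arpa" locally served zone.

Added example (not RFC text). Models what Sections 4.1 and 6.5 ask of a
recursive resolver: answer SVCB queries for _dns.resolver.arpa from its own
configuration (with A/AAAA for the TargetName in the Additional section),
answer every other query under resolver.arpa with NODATA, never forward the
zone upstream, and refuse TargetNames of "." or "resolver.arpa". Designated
and Response are constructed stand-ins for a server's config and message types.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

TYPE_SVCB, TYPE_A, TYPE_AAAA = 64, 1, 28   # RR type codes
ZONE = "resolver.arpa"


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


@dataclass
class Designated:
    """One Designated Resolver advertised by this server (constructed config)."""
    priority: int
    target: str
    svcparams: str                 # e.g. "alpn=h2 dohpath=/dns-query{?dns}"
    ipv4: list[str] = field(default_factory=list)
    ipv6: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Section 4.1: ServiceMode TargetName MUST NOT be "." or "resolver.arpa".
        if _norm(self.target) in ("", ZONE):
            raise ValueError(f"invalid TargetName for resolver.arpa response: {self.target!r}")
        if self.priority == 0:
            raise ValueError("ServiceMode record required (SvcPriority > 0)")


@dataclass
class Response:
    answers: list[str] = field(default_factory=list)
    additional: list[str] = field(default_factory=list)

    @property
    def nodata(self) -> bool:
        return not self.answers    # NOERROR with an empty Answer section


def in_zone(qname: str) -> bool:
    n = _norm(qname)
    return n == ZONE or n.endswith("." + ZONE)


def handle_query(qname: str, qtype: int, designated: list[Designated],
                 ttl: int = 7200) -> Optional[Response]:
    """Return the locally served answer, or None if the name is outside
    resolver.arpa and should go through normal resolution instead."""
    if not in_zone(qname):
        return None
    # Everything below is answered locally (RFC 6303 style) and never forwarded,
    # so a forwarder's clients never receive a record they could not authenticate.
    resp = Response()
    if _norm(qname) != "_dns." + ZONE or qtype != TYPE_SVCB:
        return resp                # NODATA for other names or other types
    for d in designated:           # empty list -> NODATA, as Section 4.1 recommends
        target = _norm(d.target) + "."
        resp.answers.append(f"_dns.{ZONE}. {ttl} IN SVCB {d.priority} {target} ( {d.svcparams} )")
        # Section 4.1: glue in the Additional section saves the client a round trip.
        resp.additional += [f"{target} {ttl} IN A {ip}" for ip in d.ipv4]
        resp.additional += [f"{target} {ttl} IN AAAA {ip}" for ip in d.ipv6]
    return resp


# Constructed configuration; addresses are from documentation ranges.
CONFIG = [
    Designated(1, "doh.example.net", "alpn=h2 dohpath=/dns-query{?dns}", ["192.0.2.10"], ["2001:db8::10"]),
    Designated(2, "dot.example.net", "alpn=dot port=8530", ["192.0.2.11"], ["2001:db8::11"]),
]

if __name__ == "__main__":
    r = handle_query("_dns.resolver.arpa.", TYPE_SVCB, CONFIG)
    print("\n".join(r.answers + r.additional))
    print(handle_query("_dns.resolver.arpa.", TYPE_A, CONFIG).nodata)   # True
    print(handle_query("www.example.com.", TYPE_A, CONFIG))              # None
```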
DNR [RFC9463] allows a network to provide designation of resolvers directly through DHCP [RFC2132] [RFC8415] and through IPv6 RA options [RFC8106]. When such indications are present, clients can suppress queries for "resolver.arpa" to the unencrypted DNS server indicated by the network over DHCP or RAs, and the DNR indications SHOULD take precedence over those discovered using "resolver.arpa" for the same resolver if there is a conflict, since DNR is considered a more reliable source.
The Designated Resolver information in DNR might not contain a full set of SvcParams needed to connect to an Encrypted DNS Resolver. In such a case, the client can use a SVCB query using a resolver name, as described in Section 5, to the Authentication Domain Name (ADN).
Since clients can receive DNS SVCB answers over unencrypted DNS, on-path attackers can prevent successful discovery by dropping SVCB queries or answers and thus can prevent clients from switching to using encrypted DNS. Clients should be aware that it might not be possible to distinguish between resolvers that do not have any Designated Resolver and such an active attack. To limit the impact of discovery queries being dropped either maliciously or unintentionally, clients can re-send their SVCB queries periodically.
Section 8.2 of [RFC9461] describes another type of downgrade attack where an attacker can block connections to the encrypted DNS server. For DDR, clients need to validate a Designated Resolver using a connection to the server before trusting it, so attackers that can block these connections can prevent clients from switching to using encrypted DNS.
Encrypted DNS Resolvers that allow discovery using DNS SVCB answers over unencrypted DNS MUST NOT provide differentiated behavior based solely on metadata in the SVCB record, such as the HTTP path or alternate port number, which are parameters that an attacker could modify. For example, if a DoH resolver provides a filtering service for one URI path and a non-filtered service for another URI path, an attacker could select which of these services is used by modifying the "dohpath" parameter. These attacks can be mitigated by providing separate resolver IP addresses or hostnames.
While the IP address of the Unencrypted DNS Resolver is often provisioned over insecure mechanisms, it can also be provisioned securely, such as via manual configuration, on a VPN, or on a network with protections like RA-Guard [RFC6105]. An attacker might try to direct encrypted DNS traffic to itself by causing the client to think that a discovered Designated Resolver uses a different IP address from the Unencrypted DNS Resolver. Such a Designated Resolver might have a valid certificate but might be operated by an attacker that is trying to observe or modify user queries without the knowledge of the client or network.
If the IP address of a Designated Resolver differs from that of an Unencrypted DNS Resolver, clients applying Verified Discovery (Section 4.2) MUST validate that the IP address of the Unencrypted DNS Resolver is covered by the SubjectAltName (SAN) of the Designated Resolver's TLS certificate. If that validation fails, the client MUST NOT automatically use the discovered Designated Resolver.
Clients using Opportunistic Discovery (Section 4.3) MUST be limited to cases where the Unencrypted DNS Resolver and Designated Resolver have the same IP address, which SHOULD be a private or local IP address. Clients that do not follow Opportunistic Discovery (Section 4.3) and instead try to connect without first checking for a designation run the possible risk of being intercepted by an attacker hosting an Encrypted DNS Resolver on an IP address of an Unencrypted DNS Resolver where the attacker has failed to gain control of the Unencrypted DNS Resolver.
The constraints on the use of Designated Resolvers specified here apply specifically to the automatic discovery mechanisms defined in this document, which are referred to as Verified Discovery and Opportunistic Discovery. Clients MAY use some other mechanism to verify and use Designated Resolvers discovered using the DNS SVCB record. However, the use of such an alternate mechanism needs to take into account the attack scenarios detailed here.
IANA has registered "resolver.arpa" in the "Special-Use Domain Names" registry established by [RFC6761].
IANA has added an entry in the "Transport-Independent Locally-Served DNS Zone Registry" for 'resolver.arpa.' with the description "DNS Resolver Special-Use Domain" and listed this document as the reference.
In accordance with Section 5 of [RFC6761], the answers to the following questions are provided relative to this document:
Are human users expected to recognize these names as special and use them differently? In what way?
No. This name is used automatically by DNS stub resolvers running on client devices on behalf of users, and users will never see this name directly.
Are writers of application software expected to make their software recognize these names as special and treat them differently? In what way?
No. There is no use case where a non-DNS application (covered by the next question) would need to use this name.
Are writers of name resolution APIs and libraries expected to make their software recognize these names as special and treat them differently? If so, how?
Yes. DNS client implementors are expected to use this name when querying for a resolver's properties instead of records for the name itself. DNS servers are expected to respond to queries for this name with their own properties instead of checking the matching zone as it would for normal domain names.
Are developers of caching domain name servers expected to make their implementations recognize these names as special and treat them differently? If so, how?
Yes. Caching domain name servers should not forward queries for this name, to avoid causing validation failures due to IP address mismatch.
Are developers of authoritative domain name servers expected to make their implementations recognize these names as special and treat them differently? If so, how?
No. DDR is designed for use by recursive resolvers. Theoretically, an authoritative server could choose to support this name if it wants to advertise support for encrypted DNS protocols over plaintext DNS, but that scenario is covered by other work in the IETF DNSOP Working Group.
Does this reserved Special-Use Domain Name have any potential impact on DNS server operators? If they try to configure their authoritative DNS server as authoritative for this reserved name, will compliant name server software reject it as invalid? Do DNS server operators need to know about that and understand why? Even if the name server software doesn't prevent them from using this reserved name, are there other ways that it may not work as expected, of which the DNS server operator should be aware?
This name is locally served, and any resolver that supports this name should never forward the query. DNS server operators should be aware that records for this name will be used by clients to modify the way they connect to their resolvers.
How should DNS Registries/Registrars treat requests to register this reserved domain name? Should such requests be denied? Should such requests be allowed, but only to a specially designated entity?
IANA holds the registration for this name. Non-IANA requests to register this name should always be denied by DNS Registries/Registrars.
The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the querying client is not interested in an answer from the authoritative "arpa" name servers. The intent of the SUDN is to allow clients to communicate with the Unencrypted DNS Resolver much like "ipv4only.arpa" allows for client-to-middlebox communication. For more context, see [RFC8880] for the rationale behind "ipv4only.arpa".
These mechanisms use SVCB/HTTPS resource records [RFC9460] to communicate that a given domain designates a particular Designated Resolver for clients to use in place of an Unencrypted DNS Resolver (using a SUDN) or another Encrypted DNS Resolver (using its domain name).
There are various other proposals for how to provide similar functionality. There are several reasons that these mechanisms have chosen SVCB records: