draft-reddy-dprive-bootstrap-dns-server-00.xml

<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-reddy-dprive-bootstrap-dns-server-00"
     ipr="trust200902">
  <front>
    <title abbrev="DoT/DoH server discovery">A Bootstrapping Procedure to
    Discover and Authenticate DNS-over-(D)TLS and DNS-over-HTTPS
    Servers</title>

    <author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
      <organization abbrev="McAfee">McAfee, Inc.</organization>

      <address>
        <postal>
          <street>Embassy Golf Link Business Park</street>

          <city>Bangalore</city>

          <region>Karnataka</region>

          <code>560071</code>

          <country>India</country>
        </postal>

        <email>TirumaleswarReddy_Konda@McAfee.com</email>
      </address>
    </author>

    <author fullname="Dan Wing" initials="D." surname="Wing">
      <organization></organization>

      <address>
        <postal>
          <street></street>

          <country>USA</country>
        </postal>

        <email>dan@danwing.org</email>
      </address>
    </author>

    <author fullname="Michael C. Richardson" initials="M."
            surname="Richardson">
      <organization>Sandelman Software Works</organization>

      <address>
        <postal>
          <street></street>

          <country>USA</country>
        </postal>

        <email>mcr+ietf@sandelman.ca</email>
      </address>
    </author>

    <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
      <organization>Orange</organization>

      <address>
        <postal>
          <street></street>

          <city>Rennes</city>

          <region></region>

          <code>35000</code>

          <country>France</country>
        </postal>

        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>

    <date day="21" month="February" year="2019" />

    <workgroup>DPRIVE WG</workgroup>

    <abstract>
      <t>This document specifies mechanisms to automatically bootstrap
      endpoints (e.g., hosts, Customer Equipment) to discover and authenticate
      DNS-over-(D)TLS and DNS-over-HTTPS servers provided by a local
      network.</t>
    </abstract>
  </front>

  <middle>
    <section title="Introduction">
      <t>Various network security services are provided by Enterprise, secure
      home and wall-gardened networks to protect endpoints (e.g,. hosts, IoT
      devices). Some of these security services act on DNS requests from
      endpoints. However, if an endpoint is configured to use public
      DNS-over-(D)TLS <xref target="RFC7858"></xref> <xref
      target="RFC8094"></xref> or DNS-over-HTTPS <xref
      target="RFC8484"></xref> servers, network security services in the local
      network cannot act efficiently on DNS requests from the endpoints. In
      order to act on DNS requests from endpoints, network security services
      can block DNS-over-(D)TLS traffic by dropping outgoing packets to
      destination port 853, and by identifying the domains offering
      DNS-over-HTTPS servers, DNS-over-HTTPS traffic can be blocked by
      dropping outgoing packets to these domains. If the endpoint has enabled
      strict privacy profile (Section 5 of <xref target="RFC8310"></xref>),
      and the network security service blocks the traffic to the public DNS
      server, DNS service is not available to the endpoint and ultimately the
      endpoint cannot access Internet. If the endpoint has enabled
      opportunistic privacy profile (Section 5 of <xref
      target="RFC8310"></xref>), and the network security service blocks
      traffic to the public DNS server, the endpoint will either fallback to
      an encrypted connection without authenticating the DNS-over-(D)TLS and
      DNS-over-HTTPS servers provided by the local network or fallback to
      clear text DNS, and cannot exchange encrypted DNS messages. This can
      compromise the endpoint security and privacy; some of the potential
      security threats are listed below:</t>

      <t><list style="symbols">
          <t>Pervasive monitoring of DNS traffic.</t>

          <t>If the endpoint is an IoT device which is configured to use
          public DNS-over-(D)TLS or DNS-over-HTTPS servers, and if a policy
          enforcement point in the local network is programmed using a
          Manufacturer Usage Description (MUD) file <xref
          target="I-D.ietf-opsawg-mud"></xref> by a MUD manager to only allow
          intented communications to and from the IoT device, the policy
          enforcement point cannot enforce the Network Access Control List
          rules based on domain names (Section 8 of <xref
          target="I-D.ietf-opsawg-mud"></xref>).</t>

          <t>The network security service cannot prevent an endpoint from
          accessing malicious domains. Attacks like DNS cache poisoning can
          lead the user to visit malicious website to inject malware on the
          endpoint. For instance, malwares like DNSChanger can modify the
          endpoint's DNS entries to point toward its own rogue name servers
          which then injected its own advertising into Web pages.</t>
        </list></t>

      <t>The DPRIVE and DoH working groups have not defined an automated
      mechanism to securely bootstrap the endpoints to discover and
      authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers in the local
      network. Some clients have hard-coded specific public DNS servers (such
      as Mozilla using Cloudflare's DNS-over-HTTPS server). If endpoints
      continue to use hard-coded public DNS servers, this has a risk of
      relying on few centralized DNS services. Further, Content Delivery
      Networks (CDNs) that map traffic based on DNS may lose the ability to
      direct end-user traffic to a nearby cluster in cases where a DNS service
      is being used that is not affiliated with the local network and which
      does not send "EDNS Client Subnet" (ECS) information to the CDN's DNS
      authorities <xref target="CDN"></xref>.</t>

      <t>The document proposes a mechanism to automatically bootstrap the
      endpoints to discover and authenticate the DNS-over-(D)TLS and
      DNS-over-HTTPS servers provided by the local network. The overall
      procedure can be structured into the following steps:<list
          style="symbols">
          <t>Bootstrapping phase (<xref target="bootstrap-iot"></xref> and
          <xref target="bootstrap-endpoint"> </xref>) is meant to
          automatically to automatically bootstrap endpoints with local
          network's CA certificates and DNS server certificate.</t>

          <t>Discovery phase (<xref target="discovery"></xref>) is meant to
          discover an authentication domain (defined in <xref
          target="RFC8310"></xref>) to authenticate the privacy-enabling DNS
          server, the privacy-enabling protocols supported by the DNS server
          and usable DNS server IP addresses. </t>

          <t>Connection handshake and service invocation: The DNS client
          initiates (D)TLS handshake with the DNS server learned in the
          discovery phase. Furthermore, DNS client uses the credentials
          discovered during the bootstrapping phase to validate the server
          certificate.</t>
        </list></t>

      <t>This document uses the terms defined in <xref
      target="RFC8499"></xref>.</t>
    </section>

    <section title="Requirements Language">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in BCP 14
      <xref target="RFC2119"></xref><xref target="RFC8174"></xref> when, and
      only when, they appear in all capitals, as shown here.</t>
    </section>

    <section anchor="bootstrap-iot" title="Bootstrapping IoT Devices and CPE">
      <t>The following steps discuss the mechanism to automatically bootstrap
      IoT devices with local network's CA certificates and DNS server
      certificate. The below steps can also be used by CPE acting as DNS
      forwarders to discover and authenticate DNS-over-(D)TLS and
      DNS-over-HTTPS servers provided by the access networks.<list
          style="symbols">
          <t>The IoT device can use Bootstrapping Remote Secure Key
          Infrastructures (BRSKI) discussed in <xref
          target="I-D.ietf-anima-bootstrapping-keyinfra"></xref> to
          automatically bootstrap the IoT device using the IoT manufacturer
          provisioned X.509 certificate, in combination with a registrar
          provided by the local network and IoT device manufacturer's
          authorizing service (MASA). <list style="numbers">
              <t>The IoT device authenticates to the local network using the
              IoT manufacturer provisioned X.509 certificate. The IoT device
              can request and get a voucher from the MASA service via the
              registrar. The voucher is signed by the MASA service and
              includes the local network's CA public key.</t>

              <t>The IoT device validates the signed voucher using the
              manufacturer installed trust anchor associated with the MASA,
              stores the CA's public key and validates the provisional TLS
              connection to the registrar.</t>

              <t>The IoT device requests the full Enrollment over Secure
              Transport (EST) <xref target="RFC7030"></xref> distribution of
              current CA certificates (Section 5.9.1 in <xref
              target="I-D.ietf-anima-bootstrapping-keyinfra"></xref>) from the
              registrar operating as a BRSKI-EST server. The IoT device uses
              the Explicit Trust Anchor database to validate the DNS server
              certificate.</t>

              <t>TBD: The IoT device learns the End-Entity certificates <xref
              target="RFC8295"></xref> from the BRSKI-EST server. The
              certificate provisioned to the DNS server in the local network
              will be treated as a End-Entity certificate. The IoT device
              needs to identify the End-Entity certificate is provisioned to
              the DNS server, the key usage extension <xref
              target="RFC5280"></xref> can be used to restrict the use of the
              End-Entity certificate to authenticate the DNS server, a new bit
              will be added to the KeyUsage type to identify the DNS server
              certificate.</t>
            </list></t>
        </list></t>
    </section>

    <section anchor="bootstrap-endpoint"
             title="Bootstrapping Endpoint Devices">
      <t>The following steps explain the mechanism to automatically bootstrap
      an endpoint with the local network's CA certificates and DNS server
      certificate: <list style="numbers">
          <t>The endpoint authenticates to the local network and establishes
          provisional TLS connection with the registrar operating as the
          BRSKI-EST server. The endpoint discovers registrar using DNS-based
          Service Discovery <xref target="RFC6763"></xref>.</t>

          <t>The endpoint uses Salted Challenge Response Authentication
          Mechanism (SCRAM) <xref target="RFC7804"></xref> to perform mutual
          authentication with the discovered BRSKI-EST server.</t>

          <t>If the BRSKI-EST server authentication is successful, the
          endpoint requests the full EST distribution of current CA
          certificates and validates the provisional TLS connection to the
          BRSKI-EST server. If the BRSKI-EST server certificate cannot be
          verified using the CA certificates downloaded, the TLS connection is
          immediately discarded and the endpoint abandons the attempt to
          bootstrap from the BRSKI-EST server and discards the CA certificates
          conveyed by the BRSKI-EST server. The endpoint uses the Explicit
          Trust Anchor database to validate the DNS server certificate.</t>

          <t>TBD: The endpoint learns the End-Entity certificates <xref
          target="RFC8295"></xref> from the BRSKI-EST server. The certificate
          provisioned to the DNS server in the local network will be treated
          as a End-Entity certificate. The endpoint needs to identify the
          End-Entity certificate is provisioned to the DNS server, the key
          usage extension <xref target="RFC5280"></xref> can be used to
          restrict the use of the End-Entity certificate to authenticate the
          DNS server, a new bit will be added to the KeyUsage type to identify
          the DNS server certificate.</t>
        </list></t>
    </section>

    <section anchor="discovery" title="Discovery Procedure">
      <t>A DNS client discovers the DNS server in the local network supporting
      DNS-over-TLS, DNS-over-DTLS and DNS-over-HTTPS protocols by using the
      following discovery mechanism:</t>

      <t><list style="symbols">
          <t>The DNS client uses DHCP to discover the authentication domain
          name for the DNS server, as specified in <xref
          target="dhcp"></xref>.</t>

          <t>The DNS client then uses S-NAPTR <xref target="RFC3958"></xref>
          lookup to learn the protocols DNS-over-TLS, DNS-over-DTLS, and
          DNS-over-HTTPS supported by the DNS server and the DNS privacy
          protocol preferred by the DNS server administrators, as specified in
          <xref target="srvr"></xref> and <xref target="serviceT"> </xref>. If
          DNS-over-HTTPS protocol is supported by the DNS server, the DNS
          client queries for the URI resource record type <xref
          target="RFC7553"></xref> to use the https URI scheme (Section 3 of
          <xref target="RFC8484"></xref>). </t>

          <t>The DNS client initiates (D)TLS handshake with the DNS server,
          the server presents its certificate and the client validates the
          server certificate using the End-Entity certificate and Explicit
          Trust Anchor database downloaded in steps 3 and 4 in <xref
          target="bootstrap-iot"></xref> and <xref
          target="bootstrap-endpoint"></xref>. The DNS client uses validation
          techniques as described in <xref target="RFC6125"></xref> to compare
          the authentication domain name to the certificate provided by the
          DNS server.</t>

          <t>If the DNS client cannot reach or establish an authenticated and
          encrypted connection with the privacy-enabling DNS server provided
          by the local network, the DNS client can fallback to the
          privacy-enabling public DNS server.</t>
        </list></t>

      <section anchor="dhcp" title="DNS Reference Identifier DHCP Options">
        <t>As reported in Section 1.7.2 of <xref
        target="RFC6125"></xref>:<list style="empty">
            <t>"few certification authorities issue server certificates based
            on IP addresses, but preliminary evidence indicates that such
            certificates are a very small percentage (less than 1%) of issued
            certificates".</t>
          </list></t>

        <t>In order to allow for certificate authentication between a DNS
        client and server while accommodating for the current best practices
        for issuing certificates, this document allows for configuring
        authentication domain name to clients. This name can be used as a
        reference identifier for authentication purposes.</t>

        <section title="DHCPv6 DNS Reference Identifier Option">
          <section title="Option Format ">
            <t>The DHCPv6 DNS Reference Identifier option is used to configure
            an authentication domain name. The format of this option is shown
            in <xref target="ri_option1"></xref>.</t>

            <t><figure anchor="ri_option1"
                title="DHCPv6 DNS Reference Identifier option">
                <artwork><![CDATA[    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     OPTION_V6_AUTH_DOMAIN     |         Option-length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |            authentication-domain-name (FQDN)                  |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

]]></artwork>
              </figure>The fields of the option shown in <xref
            target="ri_option1"></xref> are as follows:<?rfc subcompact="yes" ?></t>

            <t><list style="symbols">
                <t>Option-code: OPTION_V6_AUTH_DOMAIN (TBA1, see <xref
                target="iana6"></xref>)</t>

                <t>Option-length: Length of the authentication-domain-name
                field in octets.</t>

                <t>authentication-domain-name: A fully qualified domain name
                of the DNS server. This field is formatted as specified in
                Section 10 of <xref target="RFC8415"></xref>.</t>
              </list></t>
          </section>

          <section title="DHCPv6 Client Behavior">
            <t>DHCP clients MAY request options OPTION_V6_AUTH_DOMAIN as
            defined in <xref target="RFC8415"></xref>, Sections 18.2.1,
            18.2.2, 18.2.4, 18.2.5, 18.2.6, and 21.7. As a convenience to the
            reader, it is mentioned here that the DHCP client includes the
            requested option code in the Option Request Option.</t>

            <t>If the DHCP client receives more than one instance of
            OPTION_V6_AUTH_DOMAIN option, it MUST use only the first instance
            of that option.</t>
          </section>
        </section>

        <section title="DHCPv4 DNS Reference Identifier Option">
          <section title="Option Format">
            <t>The DHCPv4 DNS Reference Identifier option is used to configure
            an authentication domain name. The format of this option is
            illustrated in <xref target="dhcpri_dots"></xref>.</t>

            <t><figure anchor="dhcpri_dots"
                title="DHCPv4 DNS Reference Identifier option">
                <artwork><![CDATA[
          Code  Length   authentication domain name
         +-----+-----+-----+-----+-----+-----+-----+--
         |TBA2 |  n  |  s1 |  s2 |  s3 |  s4 | s5  |  ...
         +-----+-----+-----+-----+-----+-----+-----+--

   The values s1, s2, s3, etc. represent the domain name labels in the
   domain name encoding.

]]></artwork>
              </figure></t>

            <t>The fields of the option shown in <xref
            target="dhcpri_dots"></xref> are as follows:<?rfc subcompact="yes" ?><list
                style="symbols">
                <t>Code: OPTION_V4_AUTH_DOMAIN (TBA2, see <xref
                target="iana4"></xref>);</t>

                <t>Length: Includes the length of the authentication domain
                name field in octets; the maximum length is 255 octets.</t>

                <t>Authentication domain name: The domain name of the DNS
                server. This field is formatted as specified in Section 10 of
                <xref target="RFC8415"></xref>.</t>
              </list></t>
          </section>

          <section title="DHCPv4 Client Behavior">
            <t>To discover a authentication domain name, the DHCPv4 client
            MUST include OPTION_V4_AUTH_DOMAIN in a Parameter Request List
            Option <xref target="RFC2132"></xref>.</t>

            <t>If the DHCP client receives more than one instance of
            OPTION_V4_AUTH_DOMAIN option, it MUST use only the first instance
            of that option. The content of OPTION_V4_AUTH_DOMAIN is used as
            reference identifier for authentication purposes.</t>
          </section>
        </section>
      </section>

      <section anchor="srvr" title="Resolution">
        <t>Once the DNS client has retrieved the authentication domain name
        for the DNS server, an S-NAPTR lookup with 'DPRIVE' application
        service and the desired protocol tag is made to obtain information
        necessary to securely connect to the DNS server. The S-NAPTR lookup is
        performed using an untrusted recursive DNS resolver from an untrusted
        source (such as DHCP). </t>

        <t>This specification defines "DPRIVE" as an application service tag
        (<xref target="serviceT"></xref>) and "dns.tls" (<xref
        target="dnstls"></xref>), "dns.dtls" (<xref target="dnsdtls"></xref>),
        and "dns.https" (<xref target="dnshttps"></xref>) as application
        protocol tags.</t>

        <t>If no DNS-specific S-NAPTR records can be retrieved, the discovery
        procedure fails for this authentication domain name. However, before
        retrying a lookup that has failed, a DNS client MUST wait a time
        period that is appropriate for the encountered error (e.g., NXDOMAIN,
        timeout, etc.).</t>
      </section>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>The bootstrapping procedure to discover and authenticate
      DNS-over-(D)TLS and DNS-over-HTTPS Servers MUST be enabled by the
      endpoint in a trusted network (e.g. Enterprise, Secure home networks)
      and disabled in a untrusted network (e.g. public WiFi network), similar
      to the way VPN connection from the endpoint to a VPN gateway is
      disconnected in a trusted network and VPN connection is established in a
      untrusted network. </t>

      <t>The primary attack against the methods described in <xref
      target="discovery"></xref> is one that would lead to impersonation of a
      DNS server. An attacker could attempt to compromise the DHCP discovery
      and S-NAPTR resolution. The attack is prevented by validating the
      certificate presented by the DNS server. DHCP-related security
      considerations are discussed in <xref target="RFC2131"></xref> and <xref
      target="RFC8415"></xref>.</t>

      <t>Security considerations in <xref
      target="I-D.ietf-anima-bootstrapping-keyinfra"></xref> and <xref
      target="RFC7804"></xref> need to be taken into consideration.</t>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <section anchor="iana6" title="DHCPv6 Option">
        <t>IANA is requested to assign the following new DHCPv6 Option Code in
        the registry maintained in
        http://www.iana.org/assignments/dhcpv6-parameters:</t>

        <texttable style="headers">
          <ttcol align="right">Option Name</ttcol>

          <ttcol>Value</ttcol>

          <c>OPTION_V6_AUTH_DOMAIN</c>

          <c>TBA1</c>
        </texttable>
      </section>

      <section anchor="iana4" title="DHCPv4 Option">
        <t>IANA is requested to assign the following new DHCPv4 Option Code in
        the registry maintained in
        http://www.iana.org/assignments/bootp-dhcp-parameters/:</t>

        <texttable style="headers">
          <ttcol align="right">Option Name</ttcol>

          <ttcol>Value</ttcol>

          <ttcol>Data length</ttcol>

          <ttcol>Meaning</ttcol>

          <c>OPTION_V4_AUTH_DOMAIN</c>

          <c>TBA2</c>

          <c>Variable; the maximum length is 255 octets.</c>

          <c>Includes the authentication domain name.</c>
        </texttable>
      </section>

      <section title="Application Service &amp; Application Protocol Tags">
        <t>This document requests IANA to make the following allocations from
        the registry available at:
        https://www.iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml.</t>

        <section anchor="serviceT"
                 title="DNS Application Service Tag Registration">
          <t><list style="symbols">
              <t>Application Protocol Tag: DPRIVE</t>

              <t>Intended Usage: See <xref target="srvr"></xref></t>

              <t>Security Considerations: See <xref
              target="Security"></xref></t>

              <t>Contact Information: &lt;one of the authors&gt;</t>
            </list></t>
        </section>

        <section anchor="dnstls"
                 title="dns.tls Application Protocol Tag Registration">
          <t><list style="symbols">
              <t>Application Protocol Tag: dns.tls</t>

              <t>Intended Usage: See <xref target="srvr"></xref></t>

              <t>Security Considerations: See <xref
              target="Security"></xref></t>

              <t>Contact Information: &lt;one of the authors&gt;</t>
            </list></t>
        </section>

        <section anchor="dnsdtls"
                 title="dns.dtls Application Protocol Tag Registration">
          <t><list style="symbols">
              <t>Application Protocol Tag: dns.dtls</t>

              <t>Intended Usage: See <xref target="srvr"></xref></t>

              <t>Security Considerations: See <xref
              target="Security"></xref></t>

              <t>Contact Information: &lt;one of the authors&gt;</t>
            </list></t>
        </section>

        <section anchor="dnshttps"
                 title="dns.https Application Protocol Tag Registration">
          <t><list style="symbols">
              <t>Application Protocol Tag: dnshttps</t>

              <t>Intended Usage: See <xref target="srvr"></xref></t>

              <t>Security Considerations: See <xref
              target="Security"></xref></t>

              <t>Contact Information: &lt;one of the authors&gt;</t>
            </list></t>
        </section>
      </section>
    </section>

    <section anchor="acknowledgments" title="Acknowledgments">
      <t>Thanks to Joe Hildebrand for his comments and suggestions.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.8415"?>

      <?rfc include="reference.RFC.2119"?>

      <?rfc include='reference.RFC.8174'?>

      <?rfc include="reference.RFC.6125"?>

      <?rfc include="reference.RFC.2132"?>

      <?rfc include='reference.RFC.2131'?>

      <?rfc include="reference.RFC.7030"?>

      <?rfc include="reference.RFC.8295"?>

      <?rfc include="reference.RFC.5280"?>

      <?rfc include="reference.RFC.7804"?>

      <?rfc include="reference.RFC.8484"?>

      <?rfc include="reference.RFC.7858"?>

      <?rfc include="reference.RFC.8094"?>

      <?rfc include="reference.RFC.3958"?>

      <?rfc include="reference.RFC.6763"?>

      <?rfc include="reference.RFC.7553"?>

      <?rfc include='reference.I-D.ietf-anima-bootstrapping-keyinfra'?>
    </references>

    <references title="Informative References">
      <?rfc include="reference.RFC.8310"?>

      <?rfc include='reference.I-D.ietf-opsawg-mud'?>

      <?rfc include='reference.RFC.8499'?>

      <reference anchor="CDN"
                 target="https://conferences.sigcomm.org/sigcomm/2015/pdf/papers/p167.pdf">
        <front>
          <title>End-User Mapping: Next Generation Request Routing for Content
          Delivery</title>

          <author>
            <organization></organization>
          </author>

          <date year="2015" />
        </front>
      </reference>
    </references>
  </back>
</rfc>