DNS Privacy (dprive) Working Group S. Bortzmeyer Internet-Draft AFNIC Intended status: Standards Track March 20, 2018 Expires: September 21, 2018 Encryption and authentication of the DNS resolver-to-authoritative communication draft-bortzmeyer-dprive-resolver-to-auth-01 Abstract This document proposes a mechanism for securing (privacy-wise) the communication between the DNS resolver and the authoritative name server. REMOVE BEFORE PUBLICATION: this document should be discussed in the IETF DPRIVE group, through its mailing list. The source of the document, as well as a list of open issues, is currently kept at Github [1]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 21, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Bortzmeyer Expires September 21, 2018 [Page 1] Internet-Draft DPRIVE resolver to authoritative March 2018 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction and background . . . . . . . . . . . . . . . . . 2 2. Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Operational considerations . . . . . . . . . . . . . . . . . 4 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 6.2. Informative References . . . . . . . . . . . . . . . . . 6 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 7 Appendix B. Alternatives . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction and background To improve the privacy of the DNS user ([RFC7626]), the standard solution is to encrypt the requests with TLS ([RFC7858]). We use this DNS-over-TLS solution as well here, since it is standardized, already implemented in many programs, and relies on a well-known security protocol (inventing a new security protocol is quite dangerous). But just encrypting, without authenticating the remote server, leaves the user's privacy vulnerable to active man-in-the- middle attacks. [RFC7858] and [I-D.ietf-dprive-dtls-and-tls-profiles] describe how to authenticate the DNS resolver, in the stub-to-resolver link. We describe here authentication of the authoritative name server, in the resolver-to- authoritative link. A stub DNS resolver has only a few resolvers, and there is typically a pre-existing relationship. But a resolver speaks to many authoritative name servers, without any prior relationship. This means that, for instance, having a static key for the resolver makes sense while it would be clearly unrealistic for the authoritative server. Instead, we rely on DANE ([RFC6698]). Authoritative name servers are known by name (obtained from zone delegation). The manager of the ns1.example.net name server adds a TLSA record under example.net. The client establishes the TLS session, then authenticate in the normal DANE way. Bortzmeyer Expires September 21, 2018 [Page 2] Internet-Draft DPRIVE resolver to authoritative March 2018 The original charter of the DPRIVE working group, in force at the time of this draft, says "The primary focus of this Working Group is to develop mechanisms that provide confidentiality between DNS Clients and Iterative Resolvers" and adds "but it may also later consider mechanisms that provide confidentiality between Iterative Resolvers and Authoritative Servers". This document is here for this second step, "between Iterative Resolvers and Authoritative Servers". It will probably require a rechartering of the group. 2. Rules A DNS full-service resolver who needs to query an authoritative name server establishes a TLS-over-TCP session with this authoritative name server. If the DNS material to perform DANE authentication is sent in the TLS session ([I-D.ietf-tls-dnssec-chain-extension]), it uses it. Otherwise, the resolver queries TLSA records ([RFC6698]) for this name server and authenticates the key or certificate of the server this way. If the name server is ns1.example.net, the TLSA record to query is _853._tcp.ns1.example.net. Note that the server MAY use raw public keys ([RFC7250]) and so there is not always a certificate. If the server uses raw public keys, the TLSA record's Selector field must be 1 (SPKI, SubjectPublicKeyInfo). The recommended order is to try TLS before querying the TLSA records. True, DANE signals if the server is willing to make DNS-over-TLS (and can therefore save a TLS attempt) but cannot guarantee that it will work (for instance if a middlebox blocks port 853). Also, the DANE records may be transferred in the TLS session, not through the DNS. If the TLS session establishement fails, or if the DANE authentication fails, the result depends on whether the resolver runs in strict or opportunistic mode ([I-D.ietf-dprive-dtls-and-tls-profiles]). In strict mode, the resolver MUST stop using this authoritative name server, and MUST try other servers of the DNS zone. In opportunistic mode, the resolver MUST use the authoritative name server despite the failure. It MAY try other name servers of the zone before, in the hope they will accept TLS and be authenticated. To avoid a chicken-and-egg problem, the resolver, even in strict mode, MAY use unsecure servers for the meta-queries (getting the TLSA records). More specifically: (0)The resolver remembers the keys of the authoritative name servers (in the same way it remembers the lowest RTT among an NS RRset), Bortzmeyer Expires September 21, 2018 [Page 3] Internet-Draft DPRIVE resolver to authoritative March 2018 (1)When the resolver needs to talk to a server (say ns2.example.net) for which it does not know the key, it does a TLSA request for _853._tcp.ns2.example.net, (2)If the resolution of this request requires that we talk to the same server for which we're searching for the TLSA record, the resolver connects to this server with TLS to port 853, does not bother to authenticate, and sends the query. This step offers no authentication. (See also [I-D.ietf-dprive-dtls-and-tls-profiles], section 5.) A resolver MAY use the knowledge of TLS authentication it has to choose an authoritative name server among a NS RRset. As of this revision, we do not expect resolvers to use strict mode, since the encryption and authentication modes described in this document are not yet supported in authoritative name servers. 3. Operational considerations DNS-over-TLS depends on TCP, and the resolver and the authoritative name server must therefore support persistent TCP connections ([RFC7766], specially section 6.2.1). A resolver may have a lot of client-side state, when managing hundreds of connections to remote authoritative servers ([tdns]). The latency when connecting to a authoritative name server is certainly an issue. TLS 1.3 and TCP Fast Open ([RFC7413]) may help. Open question: do we require a minimum TLS version of 1.3? ([I-D.ietf-tls-tls13]) Because the resolver cannot know in advance if the TLS connection will work (even if there is a DANE record), using parallel attempts ("happy eyeballs", [RFC8305]) is important. A resolver working in opportunistic mode should try ports 53 and 853 in parallel. An authoritative name server cannot know if the resolver authenticated it, nor how. In the future, it may be interesting to have an EDNS option to signal a successful authentication, or a failure, but this is out of scope currently. If it is a concern that the same authoritative name servers are used for ordinary DNS and for encrypted DNS, there are several ways to address this concern. A server operator may use front-end systems dispatching requests to ports 53 and 853 to different servers. Bortzmeyer Expires September 21, 2018 [Page 4] Internet-Draft DPRIVE resolver to authoritative March 2018 A resolver must be configurable to operate in strict or opportunistic modes. Until the features described herein are widely supported, opportunistic mode should not be the default since strict mode would yield frequent failures. A resolver may have a configuration mechanism to be in strict mode only for some domains. 4. IANA Considerations No action for IANA. This section can be deleted. 5. Security Considerations The state to be kept in both the client and the server may make some denial-of-service attacks easier. Following the advice contained in section 10 of [RFC7766] is recommended. In opportunistic mode, there is no guarantee to have a secure use of the DNS, or even a guarantee to be informed of a problem. Opportunistic mode is a "best effort" privacy service. Even in strict mode, some leaks may occur, through the DANE meta-queries, and through SNI indication ([I-D.ietf-tls-sni-encryption]) in the TLS session. Neither transport encryption nor authentication protect DNS users from authentic servers which nonetheless abuse users' privacy once they've received their queries. These techniques must therefore be combined with data minimization techniques ([RFC7816]). 6. References 6.1. Normative References [I-D.ietf-dprive-dtls-and-tls-profiles] Dickinson, S., Gillmor, D., and T. Reddy, "Usage and (D)TLS Profiles for DNS-over-(D)TLS", draft-ietf-dprive- dtls-and-tls-profiles-11 (work in progress), September 2017. [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012, . [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016, . Bortzmeyer Expires September 21, 2018 [Page 5] Internet-Draft DPRIVE resolver to authoritative March 2018 6.2. Informative References [I-D.bortzmeyer-dprive-step-2] Bortzmeyer, S., "Next step for DPRIVE: resolver-to-auth link", draft-bortzmeyer-dprive-step-2-05 (work in progress), December 2016. [I-D.ietf-tls-dnssec-chain-extension] Shore, M., Barnes, R., Huque, S., and W. Toorop, "A DANE Record and DNSSEC Authentication Chain Extension for TLS", draft-ietf-tls-dnssec-chain-extension-06 (work in progress), January 2018. [I-D.ietf-tls-sni-encryption] Huitema, C. and E. Rescorla, "SNI Encryption in TLS Through Tunneling", draft-ietf-tls-sni-encryption-02 (work in progress), March 2018. [I-D.ietf-tls-tls13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", draft-ietf-tls-tls13-27 (work in progress), March 2018. [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., Weiler, S., and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, June 2014, . [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, . [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, DOI 10.17487/RFC7626, August 2015, . [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and D. Wessels, "DNS Transport over TCP - Implementation Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, . [RFC7816] Bortzmeyer, S., "DNS Query Name Minimisation to Improve Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016, . Bortzmeyer Expires September 21, 2018 [Page 6] Internet-Draft DPRIVE resolver to authoritative March 2018 [RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: Better Connectivity Using Concurrency", RFC 8305, DOI 10.17487/RFC8305, December 2017, . [tdns] Liang, Z., Wessels, D., Zi, H., Heidemann, J., Mankin, A., and N. Somaiya, "T-DNS: Connection-Oriented DNS to Improve Privacy and Security; USC/ISI Technical Report ISI-TR- 706", August 2014, . 6.3. URIs [1] https://github.com/bortzmeyer/ietf-dprive-step-2 Appendix A. Acknowledgments Thanks to Bill Woodcock for a detailed review. Appendix B. Alternatives A number of other possible solutions to this problem may be found in in [I-D.bortzmeyer-dprive-step-2]. Author's Address Stephane Bortzmeyer AFNIC 1, rue Stephenson Montigny-le-Bretonneux 78180 France Phone: +33 1 39 30 83 46 Email: bortzmeyer+ietf@nic.fr URI: http://www.afnic.fr/ Bortzmeyer Expires September 21, 2018 [Page 7]