Internet DRAFT - draft-dickinson-bcp-op

draft-dickinson-bcp-op







dprive                                                      S. Dickinson
Internet-Draft                                                Sinodun IT
Intended status: Best Current Practice              R. van Rijswijk-Deij
Expires: September 6, 2018                                    SURFnet bv
                                                               A. Mankin
                                                              Salesforce
                                                           March 5, 2018


           Recommendations for DNS Privacy Service Operators
                       draft-dickinson-bcp-op-00

Abstract

   This document presents operational, policy and security
   considerations for DNS operators who choose to offer DNS Privacy
   services including, but not limited to, DNS-over-TLS [RFC7858].

   This document also presents a framework to assist writers of DNS
   Privacy Policy and Practices Statements (analogous to DNS Security
   Extensions (DNSSEC) Policies and DNSSEC Practice Statements described
   in [RFC6841]).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Dickinson, et al.       Expires September 6, 2018               [Page 1]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Server capabilities to maximise DNS privacy . . . . . . . . .   5
     3.1.  General capabilities  . . . . . . . . . . . . . . . . . .   5
     3.2.  Client query obfuscation  . . . . . . . . . . . . . . . .   5
     3.3.  Availability  . . . . . . . . . . . . . . . . . . . . . .   6
     3.4.  Authentication of DNS privacy services  . . . . . . . . .   6
       3.4.1.  Generation and publication of certificates  . . . . .   6
       3.4.2.  Management of SPKI pins . . . . . . . . . . . . . . .   6
       3.4.3.  TLSA records  . . . . . . . . . . . . . . . . . . . .   6
   4.  Operational management  . . . . . . . . . . . . . . . . . . .   7
     4.1.  Limitations of using a pure TLS proxy . . . . . . . . . .   7
     4.2.  Anycast deployments . . . . . . . . . . . . . . . . . . .   7
   5.  Server data handling  . . . . . . . . . . . . . . . . . . . .   7
     5.1.  Psuedo-anonymisation and de-identification methods  . . .   8
       5.1.1.  ipcipher  . . . . . . . . . . . . . . . . . . . . . .   8
       5.1.2.  Bloom filters . . . . . . . . . . . . . . . . . . . .   8
   6.  DNS privacy policy and practice statement . . . . . . . . . .   8
     6.1.  Current privacy statements  . . . . . . . . . . . . . . .   8
     6.2.  Recommended contents of a DPPPS . . . . . . . . . . . . .   8
     6.3.  Enforcement/accountability  . . . . . . . . . . . . . . .   9
   7.  IANA considerations . . . . . . . . . . . . . . . . . . . . .   9
   8.  Security considerations . . . . . . . . . . . . . . . . . . .   9
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  10
     11.2.  Informative References . . . . . . . . . . . . . . . . .  11
     11.3.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   [NOTE: This document is submitted to the IETF for initial review and
   for feedback on the best forum for future versions of this document.]

   The Domain Name System (DNS) was not originally designed with strong
   security or privacy mechanisms.  [RFC7626] describes the privacy
   issues associated with the use of the DNS by Internet users including



Dickinson, et al.       Expires September 6, 2018               [Page 2]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   those related to un-encrypted DNS messages on the wire and DNS 'query
   log' data maintained on DNS servers.

   Two documents that provide ways to increase DNS privacy between DNS
   clients and DNS servers are:

   o  Specification for DNS over Transport Layer Security (TLS)
      [RFC7858], referred to here as simply 'DNS-over-TLS'

   o  DNS over Datagram Transport Layer Security (DTLS) [RFC8094],
      referred to here simply as 'DNS-over-DTLS'.  Note that this
      document has the Category of Experimental.

   Both documents are limited in scope to communications between stub
   clients and recursive resolvers and the same scope is applied to this
   document.  Other documents that provide further specifications
   related to DNS privacy include
   [I-D.ietf-dprive-dtls-and-tls-profiles], [RFC7830] and
   [I-D.ietf-dprive-padding-policy].

   Note that [I-D.ietf-dnsop-dns-tcp-requirements] discusses operational
   requirements for DNS-over-TCP but does not provide specific guidance
   on DNS privacy protocols.

   This document includes operational guidance related to [RFC7858] and
   [RFC8094].

   In recent years there has been an increase in the availability of
   "open" resolvers.  Operators of some open resolvers choose to enable
   protocols which encrypt DNS on the wire to cater for users who are
   privacy conscious.  Whilst protocols that encrypt DNS messages on the
   wire provide protection against certain attacks, the resolver
   operator still has (in principle) full visibility of the query data
   for each user and therefore a trust relationship exists.  The ability
   of the operator to provide a transparent, well documented, and secure
   privacy service will likely serve as a major differentiating factor
   for privacy conscious users.

   More recently the global legislative landscape with regard to
   personal data collection, retention, and psuedo-anonymisation has
   seen significant activity with differing requirements active in
   different jurisdictions.  The impact of these changes on data
   pertaining to the users of Internet Service Providers and
   specifically DNS open resolvers is not fully understood at the time
   of writing.  It may be in certain cases that these requirement may
   well conflict with the IETF's end-to-end encryption principles.





Dickinson, et al.       Expires September 6, 2018               [Page 3]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   This document also attempts to outline options for data handling for
   operators of DNS privacy services.

   TODO/QUESTION: Discuss alternative (non-standard) schemes not covered
   by this document e.g.  DNSCrypt, IPsec, VPNs.  For example, should
   the data handling practices be recommended for any service that
   encrypts DNS/makes claims about DNS data privacy or is that outside
   the scope of this document?

   This document also presents a framework to assist writers of DNS
   Privacy Policy and Practice Statements (DPPPS).  These are documents
   an operator can publish outlining their operational practices and
   commitments with regard to privacy providing a means for clients to
   evaluate the privacy properties of a given DNS privacy service.  In
   particular, the framework identifies the elements that should be
   considered in formulating a DPPPS.  It does not, however, define a
   particular Policy or Practice Statement, nor does it seek to provide
   legal advice or recommendations as to the contents.

   Community knowledge about operational practices can change quickly,
   and experience shows that a Best Current Practice (BCP) document
   about privacy and security is a point-in-time statement.  Readers are
   advised to seek out any errata or updates that apply to this
   document.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC8174].

   o  Privacy-enabling DNS server: A DNS server that implements DNS-
      over-TLS [RFC7858] and may optionally implement DNS-over-DTLS
      [RFC8094].  The server should also offer at least one of the
      credentials described in Section 8 of
      [I-D.ietf-dprive-dtls-and-tls-profiles] and implement the (D)TLS
      profile described in Section 9 of
      [I-D.ietf-dprive-dtls-and-tls-profiles].

   o  DPPPS: DNS Privacy Policy and Practice Statement, see Section 6.

   o  DNS privacy service: The service that is offered via a privacy-
      enabling DNS server and is documented either in an informal
      statement of policy and practice with regard to users privacy or a
      formal DPPPS.






Dickinson, et al.       Expires September 6, 2018               [Page 4]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


3.  Server capabilities to maximise DNS privacy

3.1.  General capabilities

   In addition to Sections 9 and 11.1 of
   [I-D.ietf-dprive-dtls-and-tls-profiles] DNS privacy services SHOULD
   offer the following capabilities/options:

   o  QNAME minimisation [RFC7816]

   o  Management of TLS connections to optimise performance for clients
      using either

      *  [RFC7766] and EDNS(0) Keepalive [RFC7828] and/or

      *  DNS Stateful Operations [I-D.ietf-dnsop-session-signal]

   o  No requirement that clients must use TLS session resumption
      [RFC5077] (or Domain Name System (DNS) Cookies [RFC7873])

   DNS privacy services MAY offer the following capabilities:

   o  DNS privacy service on both port 853 and 443 (to circumvent
      blocking of port 853)

   o  A .onion [RFC7686] service endpoint

   o  Aggressive Use of DNSSEC-Validated Cache [RFC8198] to reduce the
      number of queries to authoritative servers to increase privacy.

   o  Run a copy of the root zone on loopback [RFC7706] to avoid making
      queries to the root servers that might leak information.

   QUESTION: Should we say anything here about filtering responses or
   DNSSEC validation e.g. operators SHOULD provide an unfiltered service
   on an alternative IP address if the 'main' DNS privacy address
   filters responses?  Or simply just to say that the DNS privacy
   service should not differ from the 'normal' DNS service in terms of
   such options.

3.2.  Client query obfuscation

   Since queries from recursive resolvers to authoritative servers are
   performed using cleartext (at the time of writing), resolver services
   need to consider the extent to which they may be directly leaking
   information about their client community via these upstream queries
   and what they can do to mitigate this further.  Note, that even when
   all the relevant techniques described above are employed there may



Dickinson, et al.       Expires September 6, 2018               [Page 5]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   still be attacks possible, e.g.  [Pitfalls-of-DNS-Encryption].  For
   example, a resolver with a very small community of users risks
   exposing data in this way and MAY want to obfuscate this traffic by
   mixing it with 'generated' traffic to make client characterisation
   harder.

3.3.  Availability

   As a general model of trust between users and service providers DNS
   privacy services should have high availability.  Denying access to an
   encrypted protocol for DNS queries forces the user to switch
   providers, fallback to cleartext or accept no DNS service for the
   outage.

3.4.  Authentication of DNS privacy services

   To enable users to select a 'Strict Privacy' usage profile
   [I-D.ietf-dprive-dtls-and-tls-profiles] DNS privacy services should
   provide credentials in the form of either X.509 certificates, SPKI
   pinsets or TLSA records.  This in effect commits the DNS privacy
   service to a public identity users will trust.

   Anecdotal evidence to date highlights this requirement as one of the
   more challenging aspects of running a DNS privacy service as
   management of such credentials is new to DNS operators.

3.4.1.  Generation and publication of certificates

   It is RECOMMENDED that operators:

   o  Choose a short, memorable authentication name for their service

   o  Automate the generation and publication of certificates

   o  Monitor certificates to prevent accidental expiration of
      certificates

3.4.2.  Management of SPKI pins

   TODO

3.4.3.  TLSA records

   TODO







Dickinson, et al.       Expires September 6, 2018               [Page 6]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


4.  Operational management

4.1.  Limitations of using a pure TLS proxy

   Some operators may choose to implement DNS-over-TLS using a TLS proxy
   (e.g.  nginx [1] or haproxy [2]) in front of a DNS nameserver because
   of proven robustness and capacity when handling large numbers of
   client connections, load balancing capabilities and good tooling.
   Currently, however, because such proxies typically have no specific
   handling of DNS as a protocol over TLS or DTLS using them can
   restrict traffic management at the proxy layer and at the DNS server.
   For example, all traffic received by a nameserver behind such a proxy
   will appear to originate from the proxy and DNS techniques such as
   ACLs or RRL will be hard or impossible to implement in the
   nameserver.

4.2.  Anycast deployments

   TODO:

5.  Server data handling

   The following are common activities for DNS service operators and in
   all cases should be minimised or completely avoided if possible for
   DNS privacy services.  If data is retained it should be encrypted and
   either aggregated, psuedo-anonymised or de-identified whenever
   possible.

   o  Logging and Monitoring: Only that required to sustain operation of
      the service and meet regulatory requirements.

   o  Data retention: Data SHOULD be retained for the shortest period
      deemed operationally feasible.

   o  User tracking: DNS privacy services SHOULD not track users.  An
      exception may be malicious or anomalous use of the service.

   o  Providing data to third-parties (sharing, selling or renting):
      Operators SHOULD not provide data to third-parties without
      explicit consent from users (simply using the resolution service
      itself does not constitute consent).

   o  Access to stored personal data: Access SHOULD be minimised to only
      those personal who require access to perform operational duties.







Dickinson, et al.       Expires September 6, 2018               [Page 7]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


5.1.  Psuedo-anonymisation and de-identification methods

   There is active discussion in the space of effective psuedo-
   anonymisation of personal data in DNS query logs.  To-date this has
   focussed on psuedo-anonymisation of client IP addresses, however
   there are as yet no standards for this that are unencumbered by
   patents.  This section briefly references some know methods in this
   space at the time of writing.

5.1.1.  ipcipher

   [ipcipher-spec] is a psuedo-anonymisation technique which encrypts
   IPv4 and IPv6 addresses such that any address encrypts to a valid
   address.  At the time of writing the specification is under review
   and may be the subject of a future IETF draft.

5.1.2.  Bloom filters

   There is also on-going work in the area of using Bloom filters as a
   privacy-enhancing technology for DNS monitoring [DNS-bloom-filter].
   The goal of this work is to allow operators to identify so-called
   Indicators of Compromise (IOCs) originating from specific subnets
   without storing information about, or be able to monitor the DNS
   queries of an individual user.

6.  DNS privacy policy and practice statement

6.1.  Current privacy statements

   TODO: Compare main elements of Google vs Quad9 vs OpenDNS policies

6.2.  Recommended contents of a DPPPS

   o  Policy: This section should explain the policy for gathering and
      disseminating information collected by the DNS privacy service.

      *  Specify clearly what data (including whether it is aggregated,
         psuedo-anonymised or de-identified) is

      *  Collected and retained by the operator (and for how long)

      *  Shared with, sold or rented to third-parties

      *  Specify any exceptions to the above, for example malicious or
         anomalous behaviour

      *  Declare any third-party affiliations or funding




Dickinson, et al.       Expires September 6, 2018               [Page 8]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


      *  Whether user DNS data is correlated or combined with any other
         personal information held by the operator

   o  Practice: This section should explain the current operational
      practices of the service.

      *  Specify any temporary or permanent deviations from the policy
         for operational reasons

      *  Provide specific details of which capabilities are provided on
         which address and ports

      *  Specify the authentication name to be used (if any)

      *  Specify the SPKI pinsets to be used (if any) and policy for
         rolling keys

      *  Provide a contact email address for the service

6.3.  Enforcement/accountability

   Transparency reports may help with building user trust that operators
   adhere to their policies and practices.

   Independent monitoring should be performed where possible of:

   o  ECS, QNAME minimisation, EDNS(0) padding, etc.

   o  Filtering

   o  Uptime

7.  IANA considerations

   None

8.  Security considerations

   TODO: e.g.  New issues for DoS defence, server admin policies

9.  Acknowledgements

   Many thanks to John Dickinson for review of and input to the first
   draft of this document.

   Thanks to Benno Overeinder and John Todd for discussions on this
   topic.




Dickinson, et al.       Expires September 6, 2018               [Page 9]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


10.  Changelog

   draft-dickinson-dprive-bcp-op-00

   o  Initial commit

11.  References

11.1.  Normative References

   [I-D.ietf-dnsop-session-signal]
              Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
              Mankin, A., and T. Pusateri, "DNS Stateful Operations",
              draft-ietf-dnsop-session-signal-05 (work in progress),
              January 2018.

   [I-D.ietf-dprive-dtls-and-tls-profiles]
              Dickinson, S., Gillmor, D., and T. Reddy, "Usage and
              (D)TLS Profiles for DNS-over-(D)TLS", draft-ietf-dprive-
              dtls-and-tls-profiles-11 (work in progress), September
              2017.

   [I-D.ietf-dprive-padding-policy]
              Mayrhofer, A., "Padding Policy for EDNS(0)", draft-ietf-
              dprive-padding-policy-04 (work in progress), February
              2018.

   [RFC5077]  Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
              "Transport Layer Security (TLS) Session Resumption without
              Server-Side State", RFC 5077, DOI 10.17487/RFC5077,
              January 2008, <https://www.rfc-editor.org/info/rfc5077>.

   [RFC7626]  Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
              DOI 10.17487/RFC7626, August 2015, <https://www.rfc-
              editor.org/info/rfc7626>.

   [RFC7766]  Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
              D. Wessels, "DNS Transport over TCP - Implementation
              Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016,
              <https://www.rfc-editor.org/info/rfc7766>.

   [RFC7816]  Bortzmeyer, S., "DNS Query Name Minimisation to Improve
              Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016,
              <https://www.rfc-editor.org/info/rfc7816>.







Dickinson, et al.       Expires September 6, 2018              [Page 10]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   [RFC7828]  Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The
              edns-tcp-keepalive EDNS0 Option", RFC 7828,
              DOI 10.17487/RFC7828, April 2016, <https://www.rfc-
              editor.org/info/rfc7828>.

   [RFC7830]  Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830,
              DOI 10.17487/RFC7830, May 2016, <https://www.rfc-
              editor.org/info/rfc7830>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC7873]  Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
              Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
              <https://www.rfc-editor.org/info/rfc7873>.

   [RFC8094]  Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
              Transport Layer Security (DTLS)", RFC 8094,
              DOI 10.17487/RFC8094, February 2017, <https://www.rfc-
              editor.org/info/rfc8094>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

11.2.  Informative References

   [DNS-bloom-filter]
              van Rijswijk-Deij, R., Bomhoff, M., and R. Dolmans, "Let a
              Thousand Filters Bloom. DNS-Based Threat Monitoring That
              Respects User Privacy", 2018, < https://tnc18.geant.org/
              getfile/3823>.

   [I-D.ietf-dnsop-dns-tcp-requirements]
              Kristoff, J. and D. Wessels, "DNS Transport over TCP -
              Operational Requirements", draft-ietf-dnsop-dns-tcp-
              requirements-01 (work in progress), November 2017.

   [ipcipher-spec]
              Hubert, B., "ipcipher: encrypting IP addresses", 2018,
              <https://powerdns.org/ipcipher/>.

   [Pitfalls-of-DNS-Encryption]
              Shulman, H., "Pretty Bad Privacy: Pitfalls of DNS
              Encryption", 2014, <https://www.ietf.org/mail-archive/web/
              dns-privacy/current/pdfWqAIUmEl47.pdf>.



Dickinson, et al.       Expires September 6, 2018              [Page 11]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   [RFC6841]  Ljunggren, F., Eklund Lowinder, AM., and T. Okubo, "A
              Framework for DNSSEC Policies and DNSSEC Practice
              Statements", RFC 6841, DOI 10.17487/RFC6841, January 2013,
              <https://www.rfc-editor.org/info/rfc6841>.

   [RFC7686]  Appelbaum, J. and A. Muffett, "The ".onion" Special-Use
              Domain Name", RFC 7686, DOI 10.17487/RFC7686, October
              2015, <https://www.rfc-editor.org/info/rfc7686>.

   [RFC7706]  Kumari, W. and P. Hoffman, "Decreasing Access Time to Root
              Servers by Running One on Loopback", RFC 7706,
              DOI 10.17487/RFC7706, November 2015, <https://www.rfc-
              editor.org/info/rfc7706>.

   [RFC8198]  Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
              DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198,
              July 2017, <https://www.rfc-editor.org/info/rfc8198>.

11.3.  URIs

   [1] https://nginx.org/

   [2] https://www.haproxy.org/

Authors' Addresses

   Sara Dickinson
   Sinodun IT
   Magdalen Centre
   Oxford Science Park
   Oxford  OX4 4GA
   United Kingdom

   Email: sara@sinodun.com


   Roland M. van Rijswijk-Deij
   SURFnet bv
   PO Box 19035
   Utrecht  3501 DA Utrecht
   The Netherlands

   Email: roland.vanrijswijk@surfnet.nl








Dickinson, et al.       Expires September 6, 2018              [Page 12]

Internet-Draft     DNS Privacy Service Recommendations        March 2018


   Allison Mankin
   Salesforce

   Email: allison.mankin@gmail.com















































Dickinson, et al.       Expires September 6, 2018              [Page 13]