DNS Privacy (dprive) Working Group S. Bortzmeyer
Internet-Draft AFNIC
Intended status: Standards Track March 20, 2018
Expires: September 21, 2018

Encryption and authentication of the DNS resolver-to-authoritative communication
draft-bortzmeyer-dprive-resolver-to-auth-01

Abstract

This document proposes a mechanism for securing (privacy-wise) the communication between the DNS resolver and the authoritative name server.

REMOVE BEFORE PUBLICATION: this document should be discussed in the IETF DPRIVE group, through its mailing list. The source of the document, as well as a list of open issues, is currently kept at Github.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 21, 2018.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction and background

To improve the privacy of the DNS user ([RFC7626]), the standard solution is to encrypt the requests with TLS ([RFC7858]). We use this DNS-over-TLS solution as well here, since it is standardized, already implemented in many programs, and relies on a well-known security protocol (inventing a new security protocol is quite dangerous). But just encrypting, without authenticating the remote server, leaves the user's privacy vulnerable to active man-in-the-middle attacks. [RFC7858] and [I-D.ietf-dprive-dtls-and-tls-profiles] describe how to authenticate the DNS resolver, in the stub-to-resolver link. We describe here authentication of the authoritative name server, in the resolver-to-authoritative link.

A stub DNS resolver has only a few resolvers, and there is typically a pre-existing relationship. But a resolver speaks to many authoritative name servers, without any prior relationship. This means that, for instance, having a static key for the resolver makes sense while it would be clearly unrealistic for the authoritative server.

Instead, we rely on DANE ([RFC6698]). Authoritative name servers are known by name (obtained from zone delegation). The manager of the ns1.example.net name server adds a TLSA record under example.net. The client establishes the TLS session, then authenticate in the normal DANE way.

The original charter of the DPRIVE working group, in force at the time of this draft, says "The primary focus of this Working Group is to develop mechanisms that provide confidentiality between DNS Clients and Iterative Resolvers" and adds "but it may also later consider mechanisms that provide confidentiality between Iterative Resolvers and Authoritative Servers". This document is here for this second step, "between Iterative Resolvers and Authoritative Servers". It will probably require a rechartering of the group.

2. Rules

A DNS full-service resolver who needs to query an authoritative name server establishes a TLS-over-TCP session with this authoritative name server. If the DNS material to perform DANE authentication is sent in the TLS session ([I-D.ietf-tls-dnssec-chain-extension]), it uses it. Otherwise, the resolver queries TLSA records ([RFC6698]) for this name server and authenticates the key or certificate of the server this way. If the name server is ns1.example.net, the TLSA record to query is _853._tcp.ns1.example.net.

Note that the server MAY use raw public keys ([RFC7250]) and so there is not always a certificate. If the server uses raw public keys, the TLSA record's Selector field must be 1 (SPKI, SubjectPublicKeyInfo).

The recommended order is to try TLS before querying the TLSA records. True, DANE signals if the server is willing to make DNS-over-TLS (and can therefore save a TLS attempt) but cannot guarantee that it will work (for instance if a middlebox blocks port 853). Also, the DANE records may be transferred in the TLS session, not through the DNS.

If the TLS session establishement fails, or if the DANE authentication fails, the result depends on whether the resolver runs in strict or opportunistic mode ([I-D.ietf-dprive-dtls-and-tls-profiles]). In strict mode, the resolver MUST stop using this authoritative name server, and MUST try other servers of the DNS zone. In opportunistic mode, the resolver MUST use the authoritative name server despite the failure. It MAY try other name servers of the zone before, in the hope they will accept TLS and be authenticated. To avoid a chicken-and-egg problem, the resolver, even in strict mode, MAY use unsecure servers for the meta-queries (getting the TLSA records). More specifically: [I-D.ietf-dprive-dtls-and-tls-profiles], section 5.) A resolver MAY use the knowledge of TLS authentication it has to choose an authoritative name server among a NS RRset.

(See also

As of this revision, we do not expect resolvers to use strict mode, since the encryption and authentication modes described in this document are not yet supported in authoritative name servers.

3. Operational considerations

DNS-over-TLS depends on TCP, and the resolver and the authoritative name server must therefore support persistent TCP connections ([RFC7766], specially section 6.2.1).

A resolver may have a lot of client-side state, when managing hundreds of connections to remote authoritative servers ([tdns]).

The latency when connecting to a authoritative name server is certainly an issue. TLS 1.3 and TCP Fast Open ([RFC7413]) may help.

Open question: do we require a minimum TLS version of 1.3? ([I-D.ietf-tls-tls13])

Because the resolver cannot know in advance if the TLS connection will work (even if there is a DANE record), using parallel attempts ("happy eyeballs", [RFC8305]) is important. A resolver working in opportunistic mode should try ports 53 and 853 in parallel.

An authoritative name server cannot know if the resolver authenticated it, nor how. In the future, it may be interesting to have an EDNS option to signal a successful authentication, or a failure, but this is out of scope currently.

If it is a concern that the same authoritative name servers are used for ordinary DNS and for encrypted DNS, there are several ways to address this concern. A server operator may use front-end systems dispatching requests to ports 53 and 853 to different servers.

A resolver must be configurable to operate in strict or opportunistic modes. Until the features described herein are widely supported, opportunistic mode should not be the default since strict mode would yield frequent failures. A resolver may have a configuration mechanism to be in strict mode only for some domains.

4. IANA Considerations

No action for IANA. This section can be deleted.

5. Security Considerations

The state to be kept in both the client and the server may make some denial-of-service attacks easier. Following the advice contained in section 10 of [RFC7766] is recommended.

In opportunistic mode, there is no guarantee to have a secure use of the DNS, or even a guarantee to be informed of a problem. Opportunistic mode is a "best effort" privacy service. Even in strict mode, some leaks may occur, through the DANE meta-queries, and through SNI indication ([I-D.ietf-tls-sni-encryption]) in the TLS session.

Neither transport encryption nor authentication protect DNS users from authentic servers which nonetheless abuse users’ privacy once they’ve received their queries. These techniques must therefore be combined with data minimization techniques ([RFC7816]).

6. References

6.1. Normative References

[I-D.ietf-dprive-dtls-and-tls-profiles] Dickinson, S., Gillmor, D. and T. Reddy, "Usage and (D)TLS Profiles for DNS-over-(D)TLS", Internet-Draft draft-ietf-dprive-dtls-and-tls-profiles-11, September 2017.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D. and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016.

6.2. Informative References

[I-D.bortzmeyer-dprive-step-2] Bortzmeyer, S., "Next step for DPRIVE: resolver-to-auth link", Internet-Draft draft-bortzmeyer-dprive-step-2-05, December 2016.
[I-D.ietf-tls-dnssec-chain-extension] Shore, M., Barnes, R., Huque, S. and W. Toorop, "A DANE Record and DNSSEC Authentication Chain Extension for TLS", Internet-Draft draft-ietf-tls-dnssec-chain-extension-06, January 2018.
[I-D.ietf-tls-sni-encryption] Huitema, C. and E. Rescorla, "SNI Encryption in TLS Through Tunneling", Internet-Draft draft-ietf-tls-sni-encryption-02, March 2018.
[I-D.ietf-tls-tls13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-tls13-27, March 2018.
[RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S. and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, June 2014.
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S. and A. Jain, "TCP Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, DOI 10.17487/RFC7626, August 2015.
[RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A. and D. Wessels, "DNS Transport over TCP - Implementation Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016.
[RFC7816] Bortzmeyer, S., "DNS Query Name Minimisation to Improve Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016.
[RFC8305] Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2: Better Connectivity Using Concurrency", RFC 8305, DOI 10.17487/RFC8305, December 2017.
[tdns] Liang, Z., Wessels, D., Zi, H., Heidemann, J., Mankin, A. and N. Somaiya, "T-DNS: Connection-Oriented DNS to Improve Privacy and Security; USC/ISI Technical Report ISI-TR-706", August 2014.

Appendix A. Acknowledgments

Thanks to Bill Woodcock for a detailed review.

Appendix B. Alternatives

A number of other possible solutions to this problem may be found in in [I-D.bortzmeyer-dprive-step-2].

Author's Address

Stephane Bortzmeyer AFNIC 1, rue Stephenson Montigny-le-Bretonneux, 78180 France Phone: +33 1 39 30 83 46 EMail: bortzmeyer+ietf@nic.fr URI: http://www.afnic.fr/