Network Working Group P. Hoffman Internet-Draft ICANN Intended status: Standards Track P. Sood Expires: March 12, 2021 Google September 08, 2020 Reporting Information from DNS Authoritative Servers draft-pp-dnsop-authinfo-00 Abstract This document defines a new DNS RRtype, AUTHINFO, that is used by authoritative servers to publish information about themselves. This information can be useful because a recursive resolver can determine an authoritative server's capabilities, such as whether an authoritative server supports the EDNS(0) client subnet extension. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 12, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Hoffman & Sood Expires March 12, 2021 [Page 1] Internet-Draft DNS AUTHINFO September 2020 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 2 2. Authoritative Server Information . . . . . . . . . . . . . . 2 3. Contents of the Returned I-JSON Object . . . . . . . . . . . 3 3.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Using AUTHINFO Responses for Detecting Client Subnet Support 4 4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 5.1. AUTHINFO RRtype . . . . . . . . . . . . . . . . . . . . . 4 5.2. Registry for DNS Authoritative Server Information . . . . 5 5.3. Registration for ecs-supported in the IANA DNS Authoritative Server Information Registry . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 7.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction It is sometimes useful for a DNS recursive resolver to know the capabilities of an authoritative server before sending queries. Because the record with this information can be signed with DNSSEC, it can be used to help a recursive resolver know whether to expect particular EDNS(0) [RFC6891] options in responses. Other uses for the information may be developed in the future. 1.1. Definitions The term "authoritative server" is defined in [RFC8499]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Authoritative Server Information A recursive resolver that wants to use the DNS to get information about an authoritative server sends a query of /IN/ AUTHINFO to the authoritative server. The name is a placeholder for any zone for which the authoritative server is Hoffman & Sood Expires March 12, 2021 [Page 2] Internet-Draft DNS AUTHINFO September 2020 authoritative. For example, if an authoritative server is authoritative for example.com, the query could be example.com/IN/ AUTHINFO, or the QNAME could be any other name for which the server is authoritative. If the QNAME in the request is for a zone for which the authoritative server is not authoritative, the response MUST be an NXDOMAIN response. The RRtype "AUTHINFO" is defined in this document, and the IANA assignment is given in Section 5.1. The contents of the Rdata in the response to this query is defined in Section 3. If the authoritative server understands the AUTHINFO RRtype, the RRset in the Answer section MUST have exactly one record. Most zone typically have multiple authoritative servers. Thus, the AUTHINFO Rdata returned from different authoritative servers for the same zone might differ. 3. Contents of the Returned I-JSON Object The response from a DNS query for the AUTHINFO RRtype is a JSON object. The JSON object MUST use the I-JSON message format defined in [RFC7493]. Note that [RFC7493] was based on RFC 7159, but RFC 7159 was replaced by [RFC8259]. Requiring the use of I-JSON instead of more general JSON format greatly increases the likelihood of interoperability. The JSON object MAY contain any name/value pairs. All names in the returned object MUST either be defined in the IANA registry or, if for local use only, begin with the substring "temp-". The IANA registry (Section 5.1) will never register names that begin with "temp-". All names MUST consist only of lower-case ASCII characters, digits, and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 through U+0039, and U+002D), and MUST be 63 characters or shorter. As defined in Section 5.1, the IANA registry will not register names that begin with "temp-", so these names can be used freely by any implementer. Note that the message returned by the authoritative server MUST be in I-JSON format. I-JSON requires that the message MUST be encoded in UTF8. Hoffman & Sood Expires March 12, 2021 [Page 3] Internet-Draft DNS AUTHINFO September 2020 3.1. Example The I-JSON object that a authoritative server returns might look like the following: { "temp-field2": 42 } As specified in [RFC7493], the I-JSON object is encoded as UTF8. [RFC7493] explicitly allows the returned objects to be in any order. 4. Using AUTHINFO Responses for Detecting Client Subnet Support This document defines an entry for the IANA DNS Authoritative Server Information Registry that is defined in Section 5.1. The "ecs-supported" name is used to specify whether the authoritative server supports the EDNS(0) client subnet extension defined in [RFC7871]. The value MUST be a boolean. 4.1. Example An authoritative server can be reached at "ns32.example.com" and the IP address 192.0.2.222. It supports EDNS(0) client subnet extension. It's response to the AUTHINFO query might be: { "ecs-supported": true } 5. IANA Considerations 5.1. AUTHINFO RRtype This document defines a new DNS RR type, AUTHINFO, whose value TBD will be allocated by IANA from the "Resource Record (RR) TYPEs" sub- registry of the "Domain Name System (DNS) Parameters" registry: Type: AUTHINFO Value: TBD Meaning: Information self-published by an authoritative server as an I-JSON (RFC 7493) object Reference: This document Hoffman & Sood Expires March 12, 2021 [Page 4] Internet-Draft DNS AUTHINFO September 2020 5.2. Registry for DNS Authoritative Server Information IANA will create a new registry titled "DNS Authoritative Server Information" that will contain definitions of the names that can be used with the protocols defined in this document. The registration procedure is by Expert Review and Specification Required, as defined in [RFC8126]. The specification that is required for registration can be either an Internet-Draft or an RFC. The reviewer for this registry is instructed to generally be liberal in what they accept into the registry: as long as the specification that comes with the registration request is reasonably understandable, the registration should be accepted. The registry has the following fields for each element: Name: The name to be used in the JSON object. This name MUST NOT begin with "temp-". This name MUST conform to the definition of "string" in I-JSON [RFC7493] message format. Value type: The type of data to be used in the JSON object. Specification: The name of the specification for the registered element. 5.3. Registration for ecs-supported in the IANA DNS Authoritative Server Information Registry Name: ecs-supported Value type: Boolean Specification: This document 6. Security Considerations The values in the AUTHINFO response will be protected by DNSSEC signature if the zone in which the record resides is signed. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Hoffman & Sood Expires March 12, 2021 [Page 5] Internet-Draft DNS AUTHINFO September 2020 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, DOI 10.17487/RFC7493, March 2015, . [RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W. Kumari, "Client Subnet in DNS Queries", RFC 7871, DOI 10.17487/RFC7871, May 2016, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, . [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019, . 7.2. Informative References [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms for DNS (EDNS(0))", STD 75, RFC 6891, DOI 10.17487/RFC6891, April 2013, . Authors' Addresses Paul Hoffman ICANN Email: paul.hoffman@icann.org Puneet Sood Google Email: puneets@google.com Hoffman & Sood Expires March 12, 2021 [Page 6]