DNS Resolver Information
ADD Working Group

McAfee, Inc., Embassy Golf Link Business Park, Bangalore, Karnataka 560071, India
kondtir@gmail.com

Orange, Rennes 35000, France
mohamed.boucadair@orange.com

Abstract

This document describes methods for DNS resolvers to publish information about themselves. Applications and operating systems can use the resolver information to identify the capabilities of the resolver.

Introduction

Historically, DNS stub resolvers communicated with recursive resolvers without needing to know anything about the features of those resolvers. More recently, recursive resolvers offer different features, and stub resolvers can discover and authenticate encrypted DNS servers provided by a local network, for example using the techniques proposed in [I-D.ietf-add-dnr] and [I-D.ietf-add-ddr]. Stub resolvers therefore need a way to obtain information from a discovered recursive resolver about its capabilities.

This document specifies a method for stub resolvers to ask recursive resolvers for such information. In short, a new RRtype is defined for stub resolvers to query the recursive resolvers. The information that a resolver might want to give is defined in the section on the resolver information format below.

Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document also makes use of terms defined in the documents it references.

'Encrypted DNS' refers to a DNS protocol that provides an encrypted channel between a DNS client and server (e.g., DoT [RFC7858], DoH [RFC8484], or DoQ [RFC9250]).

Retrieving Resolver Information

A stub resolver that wants to get information about a resolver can
use the RRtype "RESINFO" defined in this document; the IANA assignment is given in the IANA Considerations section. The contents of the RDATA in the response to this query are defined in the section on the resolver information format below. If the resolver understands the RESINFO RRtype, the RRset in the Answer section MUST have exactly one record.

The client can retrieve the resolver information using the RESINFO RRtype and a QNAME of the domain name that is used to authenticate the DNS server (referred to as the ADN in [I-D.ietf-add-dnr]). If the special-use domain name "resolver.arpa" defined in [I-D.ietf-add-ddr] is used to discover the Encrypted DNS server, the client can first retrieve a CNAME that aliases `_dns.resolver.arpa` to `_dns.$HOSTNAME` and then retrieve the resolver information using the RESINFO RRtype and a QNAME of `$HOSTNAME`.

Resolver Information Format

The resolver information is returned as a JSON object. The JSON
object MUST use the I-JSON message format defined in [RFC7493]. Note that [RFC7493] was based on [RFC7159], but [RFC7159] was replaced by [RFC8259].

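As an added example (illustrative code, not part of the draft), the following Python decodes a received resolver information object under the I-JSON requirement of this section and then checks it against the name and attribute rules that follow: names must be 1 to 63 lower-case ASCII letters, digits or hyphens, and must either be registered or start with "temp-". The registered names are the four this document lists in its IANA Considerations; the client-authentication attribute is deliberately not listed because its registry name is not given on this page, so it is an assumption of the example that such a name would be flagged as unregistered. The EDE values 15, 16 and 17 are the RFC 8914 INFO-CODEs for Blocked, Censored and Filtered. The sample object at the end is constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Name rules from this section: lower-case ASCII letters, digits and hyphens
# only, at most 63 characters; names starting with "temp-" are for local use.
NAME_RE = re.compile(r"[a-z0-9-]{1,63}")

# Names the draft registers in the "DNS Resolver Information" registry.
# Assumption: the page does not give the registry name of the
# client-authentication attribute, so it is not listed here and an object
# carrying it would be reported as using an unregistered name.
REGISTERED = {"qnameminimization", "extendeddnserror", "resinfourl", "identityurl"}

# Extended DNS Error INFO-CODEs from RFC 8914 that the draft singles out.
EDE_NAMES = {15: "Blocked", 16: "Censored", 17: "Filtered"}


def parse_resinfo(raw: bytes) -> dict:
    """Decode the resolver information as an I-JSON object.

    I-JSON (RFC 7493) requires UTF-8 without a byte order mark and forbids
    duplicate names; the draft additionally requires a JSON object at the top."""
    if raw.startswith(b"\xef\xbb\xbf"):
        raise ValueError("I-JSON forbids a byte order mark")
    text = raw.decode("utf-8")  # UnicodeDecodeError on malformed UTF-8

    def unique_pairs(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate name {key!r}")
            obj[key] = value
        return obj

    obj = json.loads(text, object_pairs_hook=unique_pairs)
    if not isinstance(obj, dict):
        raise ValueError("resolver information must be a JSON object")
    return obj


def validate_resinfo(obj: dict) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    for name in obj:
        if not NAME_RE.fullmatch(name):
            problems.append(f"{name!r}: must be 1-63 lower-case ASCII letters, digits or hyphens")
        elif name not in REGISTERED and not name.startswith("temp-"):
            problems.append(f"{name!r}: neither registered nor a temp- name")
    if "qnameminimization" not in obj:
        problems.append("qnameminimization is mandatory")
    elif not isinstance(obj["qnameminimization"], bool):
        problems.append("qnameminimization must be a boolean")
    ede = obj.get("extendeddnserror")
    if ede is not None and not (isinstance(ede, list)
                                and all(isinstance(c, int) and 0 <= c <= 0xFFFF for c in ede)):
        problems.append("extendeddnserror must be a list of 16-bit EDE codes")
    for key in ("resinfourl", "identityurl"):
        value = obj.get(key)
        if value is not None:
            parts = urlsplit(value) if isinstance(value, str) else None
            if parts is None or not (parts.scheme and parts.netloc):
                problems.append(f"{key} must be an absolute URL")
    return problems


def blocking_codes(obj: dict) -> set:
    """Which of Blocked/Censored/Filtered the resolver says it may return."""
    return {EDE_NAMES[c] for c in obj.get("extendeddnserror", []) if c in EDE_NAMES}


# Constructed sample object; not an example taken from the draft.
SAMPLE = (b'{"qnameminimization":true,"extendeddnserror":[15,16,17],'
          b'"resinfourl":"https://resolver.example.net/info","temp-site-note":"lab"}')
```

Decoding and validation are separate on purpose: a duplicate name or a BOM is a malformed message and is rejected outright, whereas an unregistered name or a missing mandatory attribute is reported so that the client can decide how much of the object to trust.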
Requiring the use of I-JSON instead of the more general JSON format greatly increases the likelihood of interoperability.

The names in this object are defined in an IANA registry. The JSON object returned by a DNS query MAY contain any name/value pairs. All names in the returned object MUST either be defined in the IANA registry or, if for local use only, begin with the substring "temp-". The IANA registry will never register names that begin with "temp-", so these names can be used freely by any implementer. All names MUST consist only of lower-case ASCII letters, digits, and hyphens (that is, Unicode characters U+0061 through U+007A, U+0030 through U+0039, and U+002D), and MUST be 63 characters or shorter. Note that the message returned by the resolver MUST be in I-JSON format. I-JSON requires that the message MUST
be encoded in UTF-8.

The resolver information includes the following attributes:

qnameminimization: If the DNS server supports QNAME minimisation to improve DNS privacy, the parameter value is set to true. This is a mandatory attribute.

extendeddnserror: If the DNS server supports extended DNS errors (EDE) [RFC8914] to return additional information about the cause of DNS errors, the parameter lists the possible extended DNS error codes that can be returned by the DNS server. This is an optional attribute. Note that the extended error code "Blocked" defined in Section 4.16 of [RFC8914] indicates that access to a domain is blocked due to a policy of the operator of the DNS server, the extended error code "Censored" defined in Section 4.17 of [RFC8914] indicates that access to a domain is blocked based on a requirement from an external entity, and the extended error code "Filtered" defined in Section 4.18 of [RFC8914] indicates that access to a domain is blocked based on a request from the client to block that domain.

Client authentication: If the DNS server requires client authentication, the parameter value is set to true. For example, roaming users who are not on the enterprise network (e.g., at home or in a coffee shop) yet need to reach the enterprise Encrypted DNS server can use client authentication to access it. This is an optional attribute.

resinfourl: A URL that points to generic unstructured resolver information (e.g., DoH APIs supported, possible HTTP status codes returned by the DoH server, how to report a problem, etc.) for troubleshooting purposes. This is an optional attribute.

identityurl: A URL that points to a human-friendly description of the resolver identity to display to the end-user.

An example of resolver information is given in a figure in this section.

As specified in [RFC7493], the I-JSON object is encoded as UTF-8. [RFC7493] explicitly allows the members of the returned objects to be in any order.

Security Considerations

Unless a DNS request to retrieve the resolver information is sent
over DNS-over-TLS (DoT) [RFC7858] or DNS-over-HTTPS (DoH) [RFC8484], the response is susceptible to forgery. The DNS resolver information can be retrieved after the encrypted connection to the DNS server is established. If the client wishes to retrieve the resolver information before the encrypted connection to the DNS resolver is established, the client MUST use local DNSSEC validation.

Note that the attributes are statements the resolver makes about itself. An encrypted transport or DNSSEC validation protects their integrity in transit; it does not let the client verify that the resolver actually behaves as advertised.

IANA Considerations

This document defines a new DNS RR type, RESINFO, whose value TBD
will be allocated by IANA from the "Resource Record (RR) TYPEs" sub-registry of the "Domain Name System (DNS) Parameters" registry.

IANA will create a new registry titled "DNS Resolver Information" that will contain definitions of the names that can be used to provide the resolver information. The registration procedure is Specification Required, as defined in [RFC8126]. Each element in the registry has a defined set of fields.

IANA will add the names "resinfourl", "identityurl", "extendeddnserror", and "qnameminimization" to the DNS Resolver
Information registry.

Acknowledgements

This specification leverages earlier work in this area. Thanks to Tommy Jensen, Vittorio Bertola, Vinny Parla, Chris Box, Ben Schwartz, and Shashank Jain for the discussion and comments.
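As an added end-to-end example of the retrieval procedure described under "Retrieving Resolver Information" (illustrative code, not the draft's), the following Python derives the QNAME from the `_dns.$HOSTNAME` alias in the DDR case, builds the RESINFO query in DNS wire format, and parses a response, rejecting anything other than exactly one RESINFO record in the Answer section. Two assumptions are labelled in the code: the RRtype value is a placeholder because the draft leaves it as TBD, and the RDATA is taken to be the UTF-8 encoded I-JSON object itself. The response is constructed locally by a helper so the example runs offline; transport security (DoT/DoH or DNSSEC, per the Security Considerations) is outside what this code handles.

```python
import json
import struct

# Assumption: the draft leaves the RESINFO RRtype value as TBD; 65535 is a
# placeholder for this example only, not an IANA assignment.
RESINFO_TYPE = 65535
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name in uncompressed DNS wire format (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def qname_from_ddr_cname(target: str) -> str:
    """DDR case: _dns.resolver.arpa is a CNAME to _dns.$HOSTNAME; return $HOSTNAME."""
    labels = target.rstrip(".").split(".")
    if labels[0] != "_dns" or len(labels) < 2:
        raise ValueError("expected a _dns.$HOSTNAME alias target")
    return ".".join(labels[1:]) + "."


def build_resinfo_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard query, RD=1, one question: <qname> IN RESINFO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", RESINFO_TYPE, QCLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_resinfo_response(msg: bytes) -> dict:
    """Return the JSON object from the single RESINFO record in the Answer section.

    Assumption: RDATA is the UTF-8 encoded I-JSON object itself; the draft
    defines the RDATA layout in a section not reproduced on this page."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    rdatas = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == RESINFO_TYPE:
            rdatas.append(msg[off:off + rdlen])
        off += rdlen
    if len(rdatas) != 1:  # the draft requires exactly one record in the RRset
        raise ValueError(f"expected exactly one RESINFO record, got {len(rdatas)}")
    return json.loads(rdatas[0].decode("utf-8"))


def build_resinfo_response(query: bytes, info: dict, ttl: int = 300) -> bytes:
    """Constructed response for testing (not from a real resolver): echoes the
    question and adds one RESINFO record whose owner is a pointer to the QNAME."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = json.dumps(info, separators=(",", ":")).encode("utf-8")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xC0\x0C" + struct.pack("!HHIH", RESINFO_TYPE, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    # DDR flow: the CNAME target gives the name to query, then fetch RESINFO.
    hostname = qname_from_ddr_cname("_dns.dns.example.net.")  # constructed target
    query = build_resinfo_query(hostname)
    reply = build_resinfo_response(query, {"qnameminimization": True,
                                           "extendeddnserror": [15, 16, 17]})
    print(parse_resinfo_response(reply))
```

In the DNR case the QNAME is simply the ADN, so `qname_from_ddr_cname` is skipped and `build_resinfo_query` is called with the ADN directly.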