DPRIVE WG T. Reddy
Internet-Draft McAfee
Intended status: Standards Track D. Wing
Expires: September 27, 2019
M. Richardson
Sandelman Software Works
M. Boucadair
Orange
March 26, 2019

A Bootstrapping Procedure to Discover and Authenticate DNS-over-(D)TLS and DNS-over-HTTPS Servers
draft-reddy-dprive-bootstrap-dns-server-02

Abstract

This document specifies mechanisms to automatically bootstrap endpoints (e.g., hosts, Customer Equipment) to discover and authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by a local network.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 27, 2019.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

Traditionally a caching DNS server has been provided by the local network. This provides benefits like low latency to that DNS server (due to its network proximity to the endpoint). However, if an endpoint is configured to use Internet-hosted or public DNS-over-(D)TLS [RFC7858] [RFC8094] or DNS-over-HTTPS [RFC8484] servers, the local DNS server cannot serve the DNS requests from the endpoints. If public DNS servers are used instead of using local DNS servers, the operational problems are listed below:

If public DNS servers are used instead of using local DNS servers, the following paragraph discusses the impact on Network-based security:

Various network security services are provided by Enterprise, secure home and wall-gardened networks to protect endpoints (e.g,. Hosts, IoT devices). [I-D.camwinget-tls-use-cases] discusses some of the Network-based security use cases. These network security services act on DNS requests from endpoints. However, if an endpoint is configured to use public DNS-over-(D)TLS or DNS-over-HTTPS servers, network security services cannot act efficiently on DNS requests from the endpoints. In order to act on DNS requests from endpoints, network security services can block DNS-over-(D)TLS traffic by dropping outgoing packets to destination port 853. Identifying DNS-over-HTTPS traffic is far more challenging than DNS-over-(D)TLS traffic. Network security services can try to identify the domains offering DNS-over-HTTPS servers, and DNS-over-HTTPS traffic can be blocked by dropping outgoing packets to these domains. If the endpoint has enabled strict privacy profile (Section 5 of [RFC8310]), and the network security service blocks the traffic to the public DNS server, DNS service is not available to the endpoint and ultimately the endpoint cannot access Internet. If the endpoint has enabled opportunistic privacy profile (Section 5 of [RFC8310]), and the network security service blocks traffic to the public DNS server, the endpoint will either fallback to an encrypted connection without authenticating the DNS server provided by the local network or fallback to clear text DNS, and cannot exchange encrypted DNS messages.

If the network security service fails to block DNS-over-(D)TLS or DNS-over-HTTPS traffic, this can compromise the endpoint security; some of the potential security threats are listed below:

If the network security service sucessfully blocks DNS-over-(D)TLS and DNS-over-HTTPS traffic, this can still compromise the endpoint security and privacy; some of the potential security threats are listed below:

To overcome the above threats, the document proposes a mechanism to automatically bootstrap the endpoints to discover and authenticate the DNS-over-(D)TLS and DNS-over-HTTPS servers provided by the local network. The overall procedure can be structured into the following steps:

Note: The strict and opportunistic privacy profiles as defined in [RFC8310] only applies to DNS-over-(D)TLS protocols, there has been no such distinction made for DNS-over-HTTPS protocol.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.

(D)TLS is used for statements that apply to both Transport Layer Security [RFC8446] and Datagram Transport Layer Security [RFC6347]. Specific terms are used for any statement that applies to either protocol alone.

This document uses the terms defined in [RFC8499].

3. Bootstrapping Endpoint Devices

The following steps explain the mechanism to automatically bootstrap an endpoint with the local network's CA certificates and DNS server certificate:

  1. The endpoint authenticates to the local network and discovers the EST server using DNS-based Service Discovery [RFC6763].
  2. The endpoint establishes provisional TLS connection with the EST server, i.e. the endpoint provisionally accepts the unverified TLS server certificate. However, the endpoint MUST authenticate the EST server before it can accept the CA certificates. The endpoint either uses Secure Remote Password protocol (SRP) [SRP-6] as an authentication method for the Transport Layer Security protocol [RFC5054] or uses the mutual authentication scheme discussed in [RFC8120] to authenticate the discovered EST server. SRP is an authentication method that allows the use of usernames and passwords over unencrypted channels without revealing the password to an eavesdropper. Similarty, the mutual authentication scheme is based on password-based authenticated key exchange (PAKE) and provides mutual authentication between a HTTP client and an HTTP server using username and password as credentials.
  3. If the EST server authentication is successful, the endpoint requests the full EST distribution of current CA certificates and validates the EST server certificate. If the EST server certificate cannot be verified using the CA certificates downloaded, the TLS connection is immediately discarded and the endpoint abandons the attempt to bootstrap from the EST server and discards the CA certificates conveyed by the EST server. If the EST server certificate is verified using the CA certificates downloaded, the endpoint stores the CA certificates as Explicit Trust Anchor database entries. The endpoint uses the Explicit Trust Anchor database to validate the DNS server certificate. The endpoint needs to perform SCRAM authentication the first time it connects EST server. On subsequent connections to the EST server, the endpoint can validate the EST server certificate using the Explicit Trust Anchor database.
  4. The endpoint learns the End-Entity certificates [RFC8295] from the EST server. The certificate provisioned to the DNS server in the local network will be treated as a End-Entity certificate. The endpoint needs to identify the certificate provisioned to the DNS server. The SRV-ID identifier type [RFC6125] within subjectAltName entry can be used to identify the DNS server certificate. For example, DNS server certificate will include SRV-ID "_domain-s.example.net" along with DNS-ID "example.net". This specification defines SRV service label "domain-s" in Section 9. As a reminder, the protocol component is not included in the SRV-ID [RFC4985].

4. Bootstrapping IoT Devices and CPE

The following steps explain the mechanism to automatically bootstrap IoT devices with local network's CA certificates and DNS server certificate. The below steps can also be used by CPE acting as DNS forwarder to discover and authenticate DNS-over-(D)TLS and DNS-over-HTTPS servers provided by the access network.

5. Discovery Procedure

A DNS client discovers the DNS server in the local network supporting DNS-over-TLS, DNS-over-DTLS and DNS-over-HTTPS protocols by using the following discovery mechanism:

   example.net.
   IN NAPTR 100 10 "" DPRIVE:dns.tls  "" dns1.example.net.
   IN NAPTR 200 10 "" DPRIVE:dns.dtls "" dns2.example.net.

   dns1.example.net.
   IN NAPTR 100 10 S DPRIVE:dns.tls "" _domain-s._tcp.example.net.

   dns2.example.net.
   IN NAPTR 100 10 S DPRIVE:dns.dtls "" _domain-s._udp.example.net.

   _domain-s._tcp.example.net.
   IN SRV   0 0 853 a.example.net.

   _domain-s._udp.example.net.
   IN SRV   0 0 853 a.example.net.

   a.example.net.
   IN A        192.0.2.1
   IN AAAA     2001:db8:8:4::2

Figure 1

5.1. Resolution

Once the DNS client has retrieved the authentication domain name for the DNS server, an S-NAPTR lookup with 'DPRIVE' application service and the desired protocol tag is made to obtain information necessary to securely connect to the DNS server. The S-NAPTR lookup is performed using an recursive DNS resolver discovered from an untrusted source (such as DHCP).

This specification defines "DPRIVE" as an application service tag (Section 9.1.1) and "dns.tls" (Section 9.1.2), "dns.dtls" (Section 9.1.3), and "dns.https" (Section 9.1.4) as application protocol tags.

If no DNS-specific S-NAPTR records can be retrieved, the discovery procedure fails for this authentication domain name. However, before retrying a lookup that has failed, a DNS client MUST wait a time period that is appropriate for the encountered error (e.g., NXDOMAIN, timeout, etc.).

6. Connection handshake and service invocation

The DNS client initiates (D)TLS handshake with the DNS server, the server presents its certificate in ServerHello message, and the DNS client matches the DNS server certificate downloaded in step 4 in Section 3 and Section 4 with the certificate provided by the DNS server in (D)TLS handshake. If the match is successful, the DNS client validates the server certificate using the Explicit Trust Anchor database entries downloaded in step 3 in Section 3 and Section 4.

If the match is successful and server certificate is successfully validated, the client continues with the connection as normal. Otherwise, the client MUST treat the server certificate validation failure as a non-recoverable error. If the DNS client cannot reach or establish an authenticated and encrypted connection with the privacy-enabling DNS server provided by the local network, the DNS client can fallback to the privacy-enabling public DNS server.

7. Security Considerations

The bootstrapping procedure to discover and authenticate DNS-over-(D)TLS and DNS-over-HTTPS Servers MUST be enabled by the endpoint in a trusted network (e.g. Enterprise, Secure home networks) and disabled in a untrusted network (e.g. Public WiFi network), similar to the way VPN connection from the endpoint to a VPN gateway is disconnected in a trusted network and VPN connection is established in a untrusted network.

If the endpoint has enabled strict privacy profile, and the network security service blocks the traffic to the privacy-enabling public DNS server, a hard failure occurs and the user is notified. The user has a choice to switch to another network or if the user trusts the network, the user can enable strict privacy profile with the DNS-over-(D)TLS or DNS-over-HTTPS server discovered in the network instead of downgrading to opportunistic privacy profile.

The primary attacks against the methods described in Section 5 are the ones that would lead to impersonation of a DNS server and spoofing the DNS response to indicate that the DNS server does not support any privacy-enabling protocols. To protect against DNS-vectored attacks, secured DNS (DNSSEC) can be used to ensure the validity of the DNS records received. The explicit trust anchor database entries downloaded in step 3 in Section 3 and Section 4 can be used by the endpoint to validate the DNSSEC signature. Impersonation of the DNS server is prevented by validating the certificate presented by the DNS server. If the BRSKI-EST server conveys the DNS server certificate, but the S-NAPTR lookup indicates that the DNS server does not support any privacy-enabling protocols, the client can detect the DNS response is spoofed.

Security considerations in [I-D.ietf-anima-bootstrapping-keyinfra], [RFC5054] and [RFC8120] need to be taken into consideration.

8. Privacy Considerations

[RFC7626] discusses DNS privacy considerations in both "on the wire" (Section 2.4 of [RFC7626]) and "in the server" (Section 2.5 of [RFC7626] contexts. The endpoint may not know if the DNS-over-(D)TLS or DNS-over-HTTPS server in the local network has a privacy preserving data policy. A new privacy certificate extension is defined that identifies the privacy preserving data policy of the DNS server. The extension contains a URL that points to the privacy preserving data policy.

8.1. Privacy Extension Syntax

The syntax for the privacy extension is:

   Privacy ::=  CHOICE  {
     none                 NULL,          -- No privacy policy provided
     pURL                 PrivacyURL  }  -- Privacy preserving data policy

   PrivacyURL  ::=  IA5String  -- MUST use https scheme

9. IANA Considerations

IANA is requested to allocate the SRV service name of "domain-s" for DNS-over-(D)TLS and DNS-over-HTTPS.

9.1. Application Service & Application Protocol Tags

This document requests IANA to make the following allocations from the registry available at: https://www.iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml.

9.1.1. DNS Application Service Tag Registration

9.1.2. dns.tls Application Protocol Tag Registration

9.1.3. dns.dtls Application Protocol Tag Registration

9.1.4. dns.https Application Protocol Tag Registration

10. Acknowledgments

Thanks to Joe Hildebrand, Harsha Joshi, Shashank Jain, Patrick McManus, Eliot Lear and Sara Dickinson for the discussion and comments.

11. References

11.1. Normative References

[I-D.ietf-anima-bootstrapping-keyinfra] Pritikin, M., Richardson, M., Behringer, M., Bjarnason, S. and K. Watsen, "Bootstrapping Remote Secure Key Infrastructures (BRSKI)", Internet-Draft draft-ietf-anima-bootstrapping-keyinfra-19, March 2019.
[I-D.ietf-doh-resolver-associated-doh] Hoffman, P., "Associating a DoH Server with a Resolver", Internet-Draft draft-ietf-doh-resolver-associated-doh-03, March 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC3958] Daigle, L. and A. Newton, "Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS)", RFC 3958, DOI 10.17487/RFC3958, January 2005.
[RFC4985] Santesson, S., "Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name", RFC 4985, DOI 10.17487/RFC4985, August 2007.
[RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N. and T. Perrin, "Using the Secure Remote Password (SRP) Protocol for TLS Authentication", RFC 5054, DOI 10.17487/RFC5054, November 2007.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 2011.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013.
[RFC7030] Pritikin, M., Yee, P. and D. Harkins, "Enrollment over Secure Transport", RFC 7030, DOI 10.17487/RFC7030, October 2013.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D. and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016.
[RFC8094] Reddy, T., Wing, D. and P. Patil, "DNS over Datagram Transport Layer Security (DTLS)", RFC 8094, DOI 10.17487/RFC8094, February 2017.
[RFC8120] Oiwa, Y., Watanabe, H., Takagi, H., Maeda, K., Hayashi, T. and Y. Ioku, "Mutual Authentication Protocol for HTTP", RFC 8120, DOI 10.17487/RFC8120, April 2017.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.
[RFC8295] Turner, S., "EST (Enrollment over Secure Transport) Extensions", RFC 8295, DOI 10.17487/RFC8295, January 2018.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018.
[RFC8499] Hoffman, P., Sullivan, A. and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019.

11.2. Informative References

[CDN] "End-User Mapping: Next Generation Request Routing for Content Delivery", 2015.
[I-D.camwinget-tls-use-cases] Andreasen, F., Cam-Winget, N. and E. Wang, "TLS 1.3 Impact on Network-Based Security", Internet-Draft draft-camwinget-tls-use-cases-04, March 2019.
[I-D.ietf-opsawg-mud] Lear, E., Droms, R. and D. Romascanu, "Manufacturer Usage Description Specification", Internet-Draft draft-ietf-opsawg-mud-25, June 2018.
[RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, DOI 10.17487/RFC2775, February 2000.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, DOI 10.17487/RFC7626, August 2015.
[RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D. and W. Kumari, "Client Subnet in DNS Queries", RFC 7871, DOI 10.17487/RFC7871, May 2016.
[RFC8310] Dickinson, S., Gillmor, D. and T. Reddy, "Usage Profiles for DNS over TLS and DNS over DTLS", RFC 8310, DOI 10.17487/RFC8310, March 2018.
[SRP-6] "SRP-6: Improvements and Refinements to the Secure Remote Password Protocol", October 2002.

Authors' Addresses

Tirumaleswar Reddy McAfee, Inc. Embassy Golf Link Business Park Bangalore, Karnataka 560071 India EMail: kondtir@gmail.com
Dan Wing USA EMail: dan@danwing.org
Michael C. Richardson Sandelman Software Works USA EMail: mcr+ietf@sandelman.ca
Mohamed Boucadair Orange Rennes, 35000 France EMail: mohamed.boucadair@orange.com