Internet-Draft Extensions for DNS Public Resolvers November 2024
Nottingham Expires 9 May 2025 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-nottingham-public-resolver-errors-00
Published:
Intended Status:
Standards Track
Expires:
Author:
M. Nottingham
Cloudflare

Extensions for DNS Public Resolvers

Abstract

[I-D.ietf-dnsop-structured-dns-error] introduces structured error data for DNS responses that have been filtered. This draft suggests additions to that mechanism.

Discussion Venues

This note is to be removed before publishing as an RFC.

Source for this draft and an issue tracker can be found at https://github.com/mnot/public-resolver-errors.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 9 May 2025.

Table of Contents

1. Introduction

[I-D.ietf-dnsop-structured-dns-error] introduces structured error data for DNS responses that have been filtered. This draft suggests additions to that mechanism.

These additions are informed by specific concerns that Web browsers have about providing information about DNS filtering events to end users. In particular, they are intended to address the risks associated with trusting information inserted by DNS resolvers into responses. Presenting information sourced from unauthenticated network elements to end users opens a variety of attacks. Given the variety of network deployments on the Internet, such information needs to be considered as attacker-controlled.

This proposal mitigates these risks by minimising the amount and type of information carried into the DNS response to a "DNS Resolver Operator ID" and a "Filtering Incident ID." Neither is presented to end users: instead, they can be used to obtain (using HTTPS) a document that carries details of the specific filtering incident, for presentation to end users.

This mechanism is not intended to scale to large numbers of DNS operators. Instead, it is expected that in typical use, the DNS Resolver Operator ID will be used to selectively present information from DNS resolvers operators that clients deem to be serving a public good role (e.g., publicly available open resolvers), to aid those parties in serving the public interest by making their operation more transparent.

1.1. Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. DNS Resolver Operator ID

A DNS Resolver Operator ID is a short, textual string that uniquely identifies the operator of a DNS resolver. It is carried in the EXTRA-TEXT field of the Extended DNS Error with the JSON field name "ro". For example:

{
  "ro": "exampleResolver"
}

The value of the "ro" field MUST be registered in the DNS Resolver Operator registry; see Section 6.2. Unregistered values MUST be ignored, and registered values MAY be ignored.

3. Filtering Incident ID

A Filtering Incident ID is an opaque, string identifier for a particular filtering incident. It might be specific to a particular request, but need not be. It is carried in the EXTRA-TEXT field of the Extended DNS Error with the JSON field name "inc". For example:

{
  "inc": "abc123"
}

4. Incident Resolution Templates

An Incident Resolution Template is a URI Template [RFC6570] that, upon expansion, provides a URI that can be dereferenced to obtain a Filtering Incident Description document (see Section 5).

It MUST be a Level 1 or Level 2 template (see Section 1.2 of [RFC6570]). It has the following variables available to it:

For example:

~~ https://resolver.example.com/filtering-incidents/{inc} ~~

When dereferencing this URL, HTTP content negotiation for language SHOULD be used; see Section 12 of [RFC9110].

5. The Filtering Incident Description Format

The Filtering Incident Description Format is a JSON [RFC8259] document format for returning information about a particular filtering incident. Its root is an Object, with the following members:

All members above are mandatory. New members can be added by updating this specification.

6. IANA Considerations

6.1. EXTRA-TEXT JSON Names

IANA will register the following fields in the "EXTRA-TEXT JSON Names" sub-registry established by [I-D.ietf-dnsop-structured-dns-error]:

  • JSON Name: "ro"

  • Short Description: a short, textual string that uniquely identifies the operator of a DNS resolver

  • Mandatory: no

  • Specification: [this document]

  • JSON Name: "inc"

  • Short Description: an opaque, string identifier for a particular filtering incident

  • Mandatory: no

  • Specification: [this document]

6.2. The DNS Resolver Identifier Registry

IANA will establish a new registry, the "DNS Resolver Identifier Registry." Its registration policy is first-come, first-served (FCFS), although IANA may refuse registrations that are deemed to be deceptive or spurious.

It contains the following fields:

  • Name: The name of the DNS resolver operator

  • Contact: an e-mail address or other appropriate contact mechanism

  • DNS Resolver Operator ID: see Section 2

  • Incident Resolution Template: see Section 4

7. Security Considerations

This specification does not provide a way to authenticate that a particular filtering incident as experienced by a client was actually associated with the DNS resolver operator claimed. This means that an attacker (for example, one controlling a DNS resolver) can claim that a filtering incident is associated with an operator when it in fact was not.

However, to be successful an attacker would need to reuse an existing incident identifier that is supported by a DNS resolver operator recognised by the client. It is not currently thought to be particularly advantageous to an attacker to do so.

8. Normative References

[I-D.ietf-dnsop-structured-dns-error]
Wing, D., Reddy.K, T., Cook, N., and M. Boucadair, "Structured Error Data for Filtered DNS", Work in Progress, Internet-Draft, draft-ietf-dnsop-structured-dns-error-09, , <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-structured-dns-error-09>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC6570]
Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., and D. Orchard, "URI Template", RFC 6570, DOI 10.17487/RFC6570, , <https://www.rfc-editor.org/rfc/rfc6570>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8259]
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, , <https://www.rfc-editor.org/rfc/rfc8259>.
[RFC9110]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/rfc/rfc9110>.

Author's Address

Mark Nottingham
Cloudflare
Prahran
Australia