DNS Privacy (dprive) Working Group S. Bortzmeyer Internet-Draft AFNIC Intended status: Standards Track August 23, 2016 Expires: February 24, 2017 Next step for DPRIVE: resolver-to-auth link draft-bortzmeyer-dprive-step-2-02 Abstract This document examines the possible future work for the DPRIVE (DNS privacy) working group, specially in securing the resolver-to- authoritative name server link with TLS under DNS. It is not intended to be published as a RFC. REMOVE BEFORE PUBLICATION: this document should be discussed in the IETF DPRIVE group, through its mailing list. The source of the document, as well as a list of open issues, is currently kept at Github [1]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 24, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Bortzmeyer Expires February 24, 2017 [Page 1] Internet-Draft DPRIVE step 2 August 2016 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction and background . . . . . . . . . . . . . . . . . 2 2. Possible solutions . . . . . . . . . . . . . . . . . . . . . 3 2.1. Encode key in name . . . . . . . . . . . . . . . . . . . 3 2.2. Key in DNS . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. PKIX . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.4. "reverse" DNS . . . . . . . . . . . . . . . . . . . . . . 5 2.5. CGA . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.6. Lax security . . . . . . . . . . . . . . . . . . . . . . 5 3. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . . . 5 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 7.2. Informative References . . . . . . . . . . . . . . . . . 6 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction and background To improve the privacy of the DNS user ([RFC7626]), the standard solution is to encrypt the requests with TLS ([RFC7858]). Just encrypting, without authenticating the remote server, leaves the user's privacy vulnerable to active man-in-the-middle attacks. [RFC7858] and [I-D.ietf-dprive-dtls-and-tls-profiles] describe how to authenticate the DNS resolver, in the stub-to-resolver link. We have currently no standard way to authenticate the authoritative name server, in the resolver-to-auth link. The two cases are quite different: a stub resolver has only a few resolvers, and there is typically a pre-existing relationship. But a resolver speaks to many authoritative name servers, without any prior relationship. This means that, for instance, having a static key for the resolver makes sense while it would be clearly unrealistic for the authoritative server. Another difference is that resolvers are typically known by IP address (obtained by DHCP or manual configuration) while authoritative name servers are known by name (obtained from zone delegation). This makes things easier for techniques similar to Bortzmeyer Expires February 24, 2017 [Page 2] Internet-Draft DPRIVE step 2 August 2016 DANE: the manager of the ns1.example.net name server can always add a TLSA record under example.net while she may have problems modifying the zone under in-addr.arpa or ip6.arpa. (On the other hand, the resolver knows also the IP address of the authoritative server, so it can authenticate based on this, the fourth and fifth solutions in Section 2.) The original charter of the DPRIVE working group, in force at the time of this draft, says "The primary focus of this Working Group is to develop mechanisms that provide confidentiality between DNS Clients and Iterative Resolvers" and adds "but it may also later consider mechanisms that provide confidentiality between Iterative Resolvers and Authoritative Servers". This document is here for this second step, "between Iterative Resolvers and Authoritative Servers". It will probably require a rechartering of the group. 2. Possible solutions We can express the problem this way: if we want to use TLS-over-DNS to secure the link between the resolver and the authoritative server, it would be important to have a standard way to authenticate the authoritative server. Basically, the client will get the public key of the server in the TLS session, how will it know that this key is the right one? Here is a comprehensive list of the six possible solutions to this problem. First, the two where the key (or a hash of it) is available somewhere else than in the TLS session. 2.1. Encode key in name We could encode the key in the authoritative server name (as in DNScurve [dnscurve] [I-D.dempsky-dnscurve]). Here is an example of a domain using DNScurve: the names of the authoritative name servers are a Base-32 encoded form of the server's Curve25519 public key. % dig +short NS yp.to uz5dz39x8xk8wyq3dzn7vpt670qmvzx0zd9zg4ldwldkv6kx9ft090.ns.yp.to. uz5hjgptn63q5qlch6xlrw63tf6vhvvu6mjwn0s31buw1lhmlk14kd.ns.yp.to. uz5uu2c7j228ujjccp3ustnfmr4pgcg5ylvt16kmd0qzw7bbjgd5xq.ns.yp.to. Securely transmitting the key would therefore be a by-product of delegation. Among the limits of this solution, the length of these names limit the number of possible name servers, if we want to keep the delegation short. Also, it requires a cryptographic algorithm where keys are short (which means no RSA). Bortzmeyer Expires February 24, 2017 [Page 3] Internet-Draft DPRIVE step 2 August 2016 2.2. Key in DNS We could publish keys in the DNS, secured with DNSSEC (as in DANE [RFC6698]). This raises an interesting bootstrap problem: we need the key to get information privately with the DNS but we need the DNS to do so. A possible solution is to have an "unsecure" mode to retrieve the initial key material. The algorithm could be: (0)The resolver remembers the keys of the authoritative name servers (in the same way it remembers the lowest RTT among a NS RRset), (1)When the resolver needs to talk to a server (say ns1.example.net) for which it does not know the key, it does a TLSA request for _853._tcp.ns1.example.net, (2)If the resolution of this request requires to talk to the very server we search the key for, the resolver connects to this server with TLS to port 853, does not authenticate, and sends the query. This step offers no authentication ("opportunistic"?). (See also [I-D.ietf-dprive-dtls-and-tls-profiles], section 9.2.) The real algorithm will need to be more complicated since there are several servers per zone. A resolver may use the knowledge of TLS authentication it has to choose an authoritative name server among a NS RRset. Another solution is for the authoritative name server to use [I-D.ietf-tls-dnssec-chain-extension] to send all the necessary DNSSEC records over TLS. 2.3. PKIX We could use the X.509 security model [RFC5280]). The certificates for authoritative name servers would be signed by regular CAs, with the name of the server in the Subject Alternative Name (or may be its IP address in this field, but, as far as the author knows, few CAs issue certificats for IP addresses). One of the problems is that resolvers will probably have different sets of trusted CA so an authoritative name server will not know in advance what percentage of the resolvers may authenticate it. Of course, this technique would not work if the server used raw public keys ([RFC7250]. Bortzmeyer Expires February 24, 2017 [Page 4] Internet-Draft DPRIVE step 2 August 2016 2.4. "reverse" DNS The resolver could start from the IP address of the authoritative name server, and get a key from the name in the in-addr.arpa or ip6.arpa zone. For instance, if the authoritative server will be queried at 2001:db8:42:cafe::1:53, the request will be done for 3.5.0 .0.1.0.0.0.0.0.0.0.0.0.0.0.e.f.a.c.2.4.0.0.8.b.d.0.1.0.0.2.ip6.arpa. There is also a boostrapping problem here too, but since there are only five RIR that manage the reverse DNS some sort of hard-coded or semi-hard-coded setup might be possible. Unfortunately the operators for the space are often different from the operators of the DNS, so this is often not a reasonable solution administratively. 2.5. CGA Another solution starting from the IP address of the authoritative name server would be to use CGA ([RFC3972]). The IPv6 address encodes the public key in the lower 64-bits of the address. So we could use the IPv6 address as the public key of the servers. This only works for IPv6, doesn't have (much) cryptographic agility, and raises serious layering violation issues. 2.6. Lax security Finally, we could simply not check the keys at all, accepting anything. This would break privacy promises, when there is an active attacker, able to pose as the authoritative name server. But it is still better, privacy-wise, than the current situation where DNS requests are sent in clear text. 3. Miscellaneous A resolver may use a combination of these solutions. For instance, trying PKIX authentication (it does not require an extra lookup, except may be OCSP), if it fails, search a TLSA record, if there is none, depending on the resolver's policy, accept anyway. Clearly, trying all six solutions is unrealistic so some guidance on how to combine them will be necessary. All these solutions can be improved by things like automatic key pinning ([RFC6797]). An authoritative name server cannot know if the resolver authentified it, and how. In the future, it may be interesting to have a EDNS Bortzmeyer Expires February 24, 2017 [Page 5] Internet-Draft DPRIVE step 2 August 2016 option to signal a successful authentication, or a failure, but this is out of scope currently. 4. IANA Considerations There is currently nothing to do for IANA. The future chosen solution may require some IANA action, such as a registry. 5. Security Considerations For the time being, refer to each subsection under Section 2 to have an analysis of its security. 6. Acknowledgments Shane Kerr for the ideas on authentication by IP address. 7. References 7.1. Normative References [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016, . [I-D.ietf-dprive-dtls-and-tls-profiles] Dickinson, S., Gillmor, D., and T. Reddy, "Authentication and (D)TLS Profile for DNS-over-(D)TLS", draft-ietf- dprive-dtls-and-tls-profiles-03 (work in progress), July 2016. 7.2. Informative References [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, DOI 10.17487/RFC3972, March 2005, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012, . Bortzmeyer Expires February 24, 2017 [Page 6] Internet-Draft DPRIVE step 2 August 2016 [RFC6797] Hodges, J., Jackson, C., and A. Barth, "HTTP Strict Transport Security (HSTS)", RFC 6797, DOI 10.17487/RFC6797, November 2012, . [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., Weiler, S., and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, June 2014, . [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, DOI 10.17487/RFC7626, August 2015, . [I-D.dempsky-dnscurve] Dempsky, M., "DNSCurve: Link-Level Security for the Domain Name System", draft-dempsky-dnscurve-01 (work in progress), February 2010. [I-D.ietf-tls-dnssec-chain-extension] Shore, M., Barnes, R., Huque, S., and W. Toorop, "A DANE Record and DNSSEC Authentication Chain Extension for TLS", draft-ietf-tls-dnssec-chain-extension-01 (work in progress), July 2016. [dnscurve] Bernstein, D., "DNSCurve: Usable security for DNS", June 2009, . 7.3. URIs [1] https://github.com/bortzmeyer/ietf-dprive-step-2 Author's Address Stephane Bortzmeyer AFNIC 1, rue Stephenson Montigny-le-Bretonneux 78180 France Phone: +33 1 39 30 83 46 Email: bortzmeyer+ietf@nic.fr URI: http://www.afnic.fr/ Bortzmeyer Expires February 24, 2017 [Page 7]