]> Google LLC

bemasc@google.com

General add Internet-Draft The SVCB DNS record type expresses a bound collection of endpoint metadata, for use when establishing a connection to a named service. DNS itself can be such a service, when the server is identified by a domain name. This document provides the SVCB mapping for named DNS servers, allowing them to indicate support for new transport protocols. Discussion Venues Discussion of this document takes place on the ADD Working Group mailing list (add@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction The SVCB record type provides clients with information about how to reach alternative endpoints for a service, which may have improved performance or privacy properties. The service is identified by a "scheme" indicating the service type, a hostname, and optionally other information such as a port number. A DNS server is often identified only by its IP address (e.g. in DHCP), but in some contexts it can also be identified by a hostname (e.g. "NS" records, manual resolver configuration) and sometimes also a non-default port number. Use of the SVCB record type requires a mapping document for each service type, indicating how a client for that service can interpret the contents of the SVCB SvcParams. This document provides the mapping for the "dns" service type, allowing DNS servers to offer alternative endpoints and transports, including encrypted transports like DNS over TLS and DNS over HTTPS.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Identities and Names SVCB record names (i.e. QNAMEs) are formed using Port-Prefix Naming (), with a scheme of "dns". For example, SVCB records for a DNS service identified as "dns1.example.com" would be queried at "_dns.dns1.example.com". In some use cases, the name used for retrieving these DNS records is different from the server identity used to authenticate the secure transport. To distinguish them, we use the following terms:

• Binding authority - The service name () and optional port number used as input to Port-Prefix Naming.
• Authentication name - The name used for secure transport authentication. It must be a DNS hostname or a literal IP address. Unless otherwise specified, it is the service name from the binding authority.

Special case: non-default ports Normally, a DNS service is identified by an IP address or a domain name. When connecting to the service using unencrypted DNS over UDP or TCP, clients use the default port number for DNS (53). However, in rare cases, a DNS service might be identified by both a name and a port number. For example, the dns: URI scheme optionally includes an authority, comprised of a host and a port number (with a default of 53). DNS URIs normally omit the authority, or specify an IP address, but a hostname and non-default port number are allowed. When the binding authority specifies a non-default port number, Port-Prefix Naming places the port number in an additional a prefix on the name. For example, if the binding authority is "dns1.example.com:9953", the client would query for SVCB records at "_9953._dns.dns1.example.com". If two DNS services operating on different port numbers provide different behaviors, this arrangement allows them to preserve the distinction when specifying alternative endpoints.

Applicable existing SvcParamKeys

alpn This key indicates the set of supported protocols (). There is no default protocol, so the no-default-alpn key does not apply, and the alpn key MUST be present. If the protocol set contains any HTTP versions (e.g. "h2", "h3"), then the record indicates support for DNS over HTTPS , and the "dohpath" key MUST be present (). All keys specified for use with the HTTPS record are also permissible, and apply to the resulting HTTP connection. If the protocol set contains protocols with different default ports, and no port key is specified, then protocols are contacted separately on their default ports. Note that in this configuration, ALPN negotiation does not defend against cross-protocol downgrade attacks.

port This key is used to indicate the target port for connection (). If omitted, the client SHALL use the default port for each transport protocol (853 for DNS over TLS , 443 for DNS over HTTPS). This key is automatically mandatory if present. (See for the definition of "automatically mandatory".)

Other applicable SvcParamKeys These SvcParamKeys from apply to the "dns" scheme without modification:

• ech
• ipv4hint
• ipv6hint

Future SvcParamKeys may also be applicable.

New SvcParamKeys

dohpath "dohpath" is a single-valued SvcParamKey whose value (both in presentation and wire format) MUST be a URI Template encoded in UTF-8 . If the "alpn" SvcParamKey indicates support for HTTP, "dohpath" MUST be present, and clients MAY construct a DNS over HTTPS URI Template as follows:

1. Let $HOST be the authentication name encoded as a "host" value ().
2. Let $PORT be the port from the "port" key if present, otherwise 443. (The binding authority's port number MUST NOT be used.)
3. Let $DOHPATH be the "dohpath" value, decoded from UTF-8.
4. The DNS over HTTPS URI Template is "https://$HOST:$PORT$DOHPATH".

The "dohpath" value MUST be chosen such that the resulting URI Template is valid for use with DNS over HTTPS. For example, DNS over HTTPS servers are required to support requests using GET and POST methods. The GET method relies on the "dns" URI Template parameter, and the POST method does not use it. Therefore, the URI Template is required to make use of a "dns" variable, and result in a valid URI whether or not "dns" is defined. Clients SHOULD NOT query for any "HTTPS" RRs when using the constructed URI Template. Instead, the SvcParams and address records associated with this SVCB record SHOULD be used for the HTTPS connection, with the same semantics as an HTTPS RR. However, for consistency, service operators SHOULD publish an equivalent HTTPS RR, especially if clients might learn this URI Template through a different channel.

Limitations This document is concerned exclusively with the DNS transport, and does not affect or inform the construction or interpretation of DNS messages. For example, nothing in this document indicates whether the service is intended for use as a recursive or authoritative DNS server. Clients must know the intended use in their context.

Examples

• A resolver at "simple.example" that supports DNS over TLS on port 853 (implicitly, as this is its default port):
• A resolver at "doh.example" that supports only DNS over HTTPS (DNS over TLS is not supported):
• A resolver at "resolver.example" that supports:
  • DNS over TLS on "resolver.example" ports 853 (implicit in record 1) and 8530 (explicit in record 2), with "resolver.example" as the Authentication Domain Name,
  • DNS over HTTPS at https://resolver.example/dns-query{?dns} (record 1), and
  • an experimental protocol on fooexp.resolver.example:5353 (record 3):
• A nameserver at "ns.example" whose service configuration is published on a different domain:

Security Considerations

Adversary on the query path This section considers an adversary who can add or remove responses to the SVCB query. During secure transport establishment, clients MUST authenticate the server to its authentication name, which is not influenced by the SVCB record contents. Accordingly, this draft does not mandate the use of DNSSEC. This draft also does not specify how clients authenticate the name (e.g. selection of roots of trust), which might vary according to the context.

Downgrade attacks This attacker cannot impersonate the secure endpoint, but it can forge a response indicating that the requested SVCB records do not exist. For a SVCB-reliant client () this only results in a denial of service. However, SVCB-optional clients will generally fall back to insecure DNS in this case, exposing all DNS traffic to attacks.

Redirection attacks SVCB-reliant clients always enforce the authentication domain name, but they are still subject to attacks using the transport, port number, and "dohpath" value, which are controlled by this adversary. By changing these values in the SVCB answers, the adversary can direct DNS queries for $HOSTNAME to any port on $HOSTNAME, and any path on "https://$HOSTNAME". If the DNS client uses shared TLS or HTTP state, the client could be correctly authenticated (e.g. using a TLS client certificate or HTTP cookie). This behavior creates a number of possible attacks for certain server configurations. For example, if "https://$HOSTNAME/upload" accepts any POST request as a public file upload, the adversary could forge a SVCB record containing dohpath=/upload. This would cause the client to upload and publish every query, resulting in unexpected storage costs for the server and privacy loss for the client. Similarly, if two DoH endpoints are available on the same origin, and the service has designated one of them for use with this specification, this adversary can cause clients to use the other endpoint instead. To mitigate redirection attacks, a client of this SVCB mapping MUST NOT provide client authentication for DNS queries, except to servers that it specifically knows are not vulnerable to such attacks. If an endpoint sends an invalid response to a DNS query, the client SHOULD NOT send more queries to that endpoint. DNS services that are identified by a hostname () MUST ensure that all unauthenticated DNS requests to that name receive any promised privacy and security guarantees, regardless of transport, port number, or HTTP path.

Adversary on the transport path This section considers an adversary who can modify network traffic between the client and the alternative service (identified by the TargetName). For a SVCB-reliant client, this adversary can only cause a denial of service. However, because DNS is unencrypted by default, this adversary can execute a downgrade attack against SVCB-optional clients. Accordingly, when use of this specification is optional, clients SHOULD switch to SVCB-reliant behavior if SVCB resolution succeeds. Specifications making using of this mapping MAY adjust this fallback behavior to suit their requirements.

IANA Considerations Per IANA is directed to add the following entry to the SVCB Service Parameters registry.

Number	Name	Meaning	Reference
7	dohpath	DNS over HTTPS path template	(This document)

Per , IANA is directed to add the following entry to the DNS Underscore Global Scoped Entry Registry:

RR TYPE	_NODE NAME	Meaning	Reference
SVCB	_dns	DNS SVCB info	(This document)

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Google Akamai Technologies Akamai Technologies This document specifies the "SVCB" and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration and keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP [HTTP]. By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy. TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/MikeBishop/dns-alt-svc (https://github.com/MikeBishop/dns-alt-svc). The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK] ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279. A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK] Informative References This document defines Uniform Resource Identifiers for Domain Name System resources. [STANDARDS-TRACK] Formally, any DNS Resource Record (RR) may occur under any domain name. However, some services use an operational convention for defining specific interpretations of an RRset by locating the records in a DNS branch under the parent domain to which the RRset actually applies. The top of this subordinate branch is defined by a naming convention that uses a reserved node name, which begins with the underscore character (e.g., "_name"). The underscored naming construct defines a semantic scope for DNS record types that are associated with the parent domain above the underscored branch. This specification explores the nature of this DNS usage and defines the "Underscored and Globally Scoped DNS Node Names" registry with IANA. The purpose of this registry is to avoid collisions resulting from the use of the same underscored name for different services.

Mapping Summary This table serves as a non-normative summary of the DNS mapping for SVCB.

Mapped scheme	"dns"
RR type	SVCB (64)
Name prefix	_dns for port 53, else _$PORT._dns
Required keys	alpn
Automatically Mandatory Keys	port
Special behaviors	Supports all HTTPS RR SvcParamKeys
	Overrides the HTTPS RR for DoH
	Default port is per-transport
	No encrypted -> cleartext fallback

Acknowledgments Thanks to the many reviewers and contributors, including Daniel Migault, Paul Hoffman, Matt Norhoff, Peter van Dijk, Eric Rescorla, and Andreas Schulze.