]> Nokia

India kondtir@gmail.com

Orange

Rennes 35000 France mohamed.boucadair@orange.com

Internet ADD Transparency User Experience DNS server selection This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How such an information is then used by DNS clients is out of the scope of the document. Discussion Venues Discussion of this document takes place on the Adaptive DNS Discovery Working Group mailing list (add@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction Historically, DNS stub resolvers communicated with recursive resolvers without needing to know anything about the features supported by these recursive resolvers. As more and more recursive resolvers expose different features that may impact delivered DNS services, means to help stub resolvers to identify the capabilities of resolvers are valuable. Typically, stub resolvers can discover and authenticate encrypted DNS servers provided by a local network, for example, using the techniques specified in and . However, these stub resolvers need a mechanism to retrieve information from the discovered recursive resolvers about their capabilities. This document fills that void by specifying a method for stub resolvers to retrieve such information. To that aim, a new resource record (RR) type is defined for stub resolvers to query the recursive resolvers. The information that a resolver might want to expose is defined in . Retrieved information can be used to feed the server selection procedure. However, that selection procedure is out of scope.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document makes use of the terms defined in . 'Encrypted DNS' refers to a DNS scheme where DNS exchanges are transported over an encrypted channel between a DNS client and server (e.g., DNS- over-HTTPS (DoH) , DNS-over-TLS (DoT) , or DNS- over-QUIC (DoQ) ).

Retrieving Resolver Information A stub resolver that wants to retrieve the resolver information may use the RR type "RESINFO" defined in this document. The content of the RDATA in a response to RR type query is defined in . If the resolver understands the RESINFO RR type, the RRSet in the Answer section MUST have exactly one record. A DNS client can retrieve the resolver information using the RESINFO RR type and QNAME of the domain name that is used to authenticate the DNS server (referred to as ADN in ). If the special use domain name "resolver.arpa" defined in is used to discover the encrypted DNS server, the client can retrieve the resolver information using the RESINFO RR type and QNAME of the designated resolver.

Format of the Resolver Information The resolver information uses the same format as DNS TXT records. The intention of using the same format as TXT records is to convey a small amount of useful information about a DNS resolver. As a reminder, the format rules for TXT records are defined in Section 3.3.14 of the DNS specification and further elaborated in Section 6.1 of the DNS-based Service Discovery (DNS-SD) . The recommendations to limit the TXT record size are discussed in Section 6.2 of . Similar to DNS-SD, the RESINFO RR type uses "key/value" pairs to convey the resolver information. Each "key/value" pair is encoded using the format rules defined in Section 6.3 of . Using standardized "key/value" syntax within the RESINFO RR type makes it easier for future keys to be defined. If a DNS client sees unknown keys in a RESINFO RR type, it MUST silently ignore them. The same rules for the keys as those defined in Section 6.4 of MUST be followed for RESINFO. Keys MUST either be defined in the IANA registry () or begin with the substring "temp-" for names defined for local use only.

Resolver Information Keys/Values The following resolver information keys are defined:

qnamemin:

If the DNS resolver supports QNAME minimisation to improve DNS privacy, the key is present. Note that, as per the rules for the keys defined in Section 6.4 of , if there is no '=' in a key, then it is a boolean attribute, simply identified as being present, with no value. This is an optional attribute.

exterr:

If the DNS resolver supports extended DNS errors (EDE) to return additional information about the cause of DNS errors, the value of this key lists the possible extended DNS error codes that can be returned by this DNS resolver. When multiple values are present, these values MUST be comma-separated. This is an optional attribute.

infourl:

An URL that points to the generic unstructured resolver information (e.g., DoH APIs supported, possible HTTP status codes returned by the DoH server, how to report a problem) for troubleshooting purpose. The server MUST support the content-type 'text/html'. The DNS client MUST reject the URL if the scheme is not "https". The URL SHOULD be treated only as diagnostic information for IT staff. It is not intended for end user consumption as the URL can possibily provide misleading information. A DNS client MAY choose to display the URL to the end user, if and only if the encrypted resolver has sufficient reputation, according to some local policy (e.g., user configuration, administrative configuration, or a built-in list of respectable resolvers). This is a an optional attribute. For example, a DoT server may not want to host an HTTPS server.

New keys can be defined as per the procedure defined in . shows an example of a published resolver information record:

An Example of Resolver Information Record

Security Considerations Unless a DNS request to retrieve the resolver information is encrypted (e.g., sent over DoT or DoH), the response is susceptible to forgery. The DNS resolver information can be retrieved before or after the encrypted connection is established to the DNS server by using local DNSSEC validation.

IANA Considerations

• Note to the RFC Editor: Please update "[RFCXXXX]" occurences with the RFC number to be assigned to this document.

RESINFO RR Type This document requests IANA to register a new value from the "Resource Record (RR) TYPEs" subregistry of the "Domain Name System (DNS) Parameters" registry available at :

DNS Resolver Information Key Registration This document requests IANA to create a new sub-registry entitled "DNS Resolver Information Keys" under the "Domain Name System (DNS) Parameters" registry (). This new registry contains definitions of the keys that can be used to provide the resolver information. The registration procedure is Specification Required (Section 4.6 of ). The structure of the registry is as follows:

Name:

The key name. The name MUST conform to the definition in of this document. The IANA registry MUST NOT register names that begin with "temp-", so these names can be used freely by any implementer.

Value Type:

The type of the value to be used in the key.

Description:

A description of the registered key.

Specification:

The reference specification for the registered element.

The initial content of this registry is provided in . Initial RESINFO Registry

Name	Value Type	Description	Specification
qnamemin	boolean	Indicates whether 'qnameminimization' is enabled or not	[RFCXXXX]
exterr	number	Lists the set of extended DNS errors	[RFCXXXX]
infourl	string	Provides an unstructured resolver information that is used for troubleshooting	[RFCXXXX]

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD. This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server. This document obsoletes RFC 7816. This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Informative References IANA n.d. IANA n.d. Orange Nokia Citrix Systems, Inc. Open-Xchange Microsoft The document specifies new DHCP and IPv6 Router Advertisement options to discover encrypted DNS resolvers (e.g., DNS-over-HTTPS, DNS-over- TLS, DNS-over-QUIC). Particularly, it allows a host to learn an authentication domain name together with a list of IP addresses and a set of service parameters to reach such encrypted DNS resolvers. Apple Inc. Apple Inc. Cloudflare Fastly Microsoft This document defines Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An encrypted DNS resolver discovered in this manner is referred to as a "Designated Resolver". This mechanism can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. This mechanism is designed to be limited to cases where unencrypted DNS resolvers and their designated resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an encrypted DNS resolver is known. The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 7719 and updates RFC 2308. This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios. Google ICANN This document describes methods for DNS resolvers to self-publish information about themselves. The information is returned as a JSON object. The names in this object are defined in an IANA registry that allows for light-weight registration. Applications and operating systems can use the methods defined here to get the information from resolvers in order to make choices about how to send future queries to those resolvers.

Acknowledgments This specification leverages the work that has been documented in . Thanks to Tommy Jensen, Vittorio Bertola, Vinny Parla, Chris Box, Ben Schwartz, Tony Finch, Daniel Kahn Gillmor, Eric Rescorla, Shashank Jain, Florian Obser, and Richard Baldry for the discussion and comments. Thanks to Mark Andrews, Joe Abley, Paul Wouters, Tim Wicinski, and Steffen Nurpmeso for the discussion on the RR formatting rules.