DNS Resolver Information Nokia
India kondtir@gmail.com
Orange
Rennes 35000 France mohamed.boucadair@orange.com
INT add Transparency User Experience DNS server selection This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How DNS clients use such information is beyond the scope of this document.
Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
  • .  Terminology
  • .  Retrieving Resolver Information
  • .  Format of the Resolver Information
  • .  Resolver Information Keys/Values
  • .  An Example
  • .  Security Considerations
  • .  IANA Considerations
    • .  RESINFO RR Type
    • .  DNS Resolver Information Keys Registration
    • .  Guidelines for the Designated Experts
  • .  References
    • .  Normative References
    • .  Informative References
  • Acknowledgments
  • Authors' Addresses
Introduction Historically, DNS clients communicated with recursive resolvers without needing to know anything about the features supported by these resolvers. However, more and more recursive resolvers expose different features that may impact delivered DNS services (privacy preservation, filtering, transparent behavior, etc.). DNS clients can discover and authenticate encrypted DNS resolvers provided by a local network, for example, using the Discovery of Network-designated Resolvers (DNR) and the Discovery of Designated Resolvers (DDR) . However, these DNS clients can't retrieve information from the discovered recursive resolvers about their capabilities to feed the resolver selection process. Instead of depending on opportunistic approaches, DNS clients need a more reliable mechanism to discover the features that are configured on these resolvers. This document fills that void by specifying a mechanism that allows communication of DNS resolver information to DNS clients for use in resolver selection decisions. For example, the resolver selection procedure may use the retrieved resolver information to prioritize privacy-preserving resolvers over those that don't enable QNAME minimisation . Another example is when a DNS client selects a resolver based on its filtering capability. For instance, a DNS client can choose a resolver that filters domains according to a security policy using the Blocked (15) Extended DNS Error (EDE) . Alternatively, the client may have a policy not to select a resolver that forges responses using the Forged Answer (4) EDE. However, it is out of the scope of this document to define the selection procedure and policies. Once a resolver is selected by a DNS client, and unless explicitly mentioned, this document does not interfere with that resolver's DNS operations. Specifically, this document defines a new resource record (RR) type for DNS clients to query the recursive resolvers. The initial information that a resolver might want to expose is defined in . That information is scoped to cover properties that are used to infer privacy and transparency policies of a resolver. Other information can be registered in the future per the guidance in . The information is not intended for end-user consumption.
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document makes use of the terms defined in . The following additional terms are used:
Encrypted DNS:
Refers to a DNS scheme where DNS exchanges are transported over an encrypted channel between a DNS client and server (e.g., DNS over HTTPS (DoH) , DNS over TLS (DoT) , or DNS over QUIC (DoQ) ).
Encrypted DNS resolver:
Refers to a DNS resolver that supports any encrypted DNS scheme.
Reputation:
Defined as "the estimation in which an identifiable actor is held, especially by the community or the Internet public generally" per .
Retrieving Resolver Information A DNS client that wants to retrieve the resolver information may use the RR type "RESINFO" defined in this document. The content of the RDATA in a response to a query for RESINFO RR QTYPE is defined in . If the resolver understands the RESINFO RR type, the RRset MUST have exactly one record. Invalid records MUST be silently ignored by DNS clients. RESINFO is a property of the resolver and is not subject to recursive resolution. A DNS client can retrieve the resolver information using the RESINFO RR type and the QNAME of the domain name that is used to authenticate the DNS resolver (referred to as the Authentication Domain Name (ADN) in DNR ). If the Special-Use Domain Name "resolver.arpa", defined in , is used to discover an encrypted DNS resolver, the client can retrieve the resolver information using the RESINFO RR type and QNAME of "resolver.arpa". In this case, a client has to contend with the risk that a resolver does not support RESINFO. The resolver might pass the query upstream, and then the client can receive a positive RESINFO response from either a legitimate DNS resolver or an attacker. The DNS client MUST set the Recursion Desired (RD) bit of the query to 0. The DNS client MUST discard the response if the AA flag in the response is set to 0, indicating that the DNS resolver is not authoritative for the response. If a group of resolvers is sharing the same ADN and/or anycast address, then these instances SHOULD expose a consistent RESINFO.
Format of the Resolver Information The resolver information record uses the same format as DNS TXT records. The format rules for TXT records are defined in the base DNS specification () and are further elaborated in the DNS-based Service Discovery (DNS-SD) specification (). The recommendations to limit the TXT record size are discussed in . Similar to DNS-SD, the RESINFO RR type uses "key/value" pairs to convey the resolver information. Each key/value pair is encoded using the format rules defined in . Using standardized key/value syntax within the RESINFO RR type makes it easier for future keys to be defined. If a DNS client sees unknown keys in a RESINFO RR type, it MUST silently ignore them. The same rules for the keys, as defined in , MUST be followed for RESINFO. Resolver information keys MUST either be defined in the IANA registry () or begin with the substring "temp-" for names defined for local use only.
Resolver Information Keys/Values The following resolver information keys are defined:
qnamemin:
The presence of this key indicates that the DNS resolver supports QNAME minimisation to improve DNS privacy. Note that, per the rules for the keys defined in , if there is no '=' in a key, then it is a boolean attribute, simply identified as being present, with no value. The presence of this key indicates that the DNS resolver is configured to minimise the amount of privacy-sensitive data sent to an authoritative name server. This is an optional attribute.
exterr:
If the DNS resolver supports the EDE option defined in to return additional information about the cause of DNS errors, the value of this key lists the possible EDE codes that can be returned by this DNS resolver. A value can be an individual EDE or a range of EDEs. Range values MUST be identified by "-". When multiple non-contiguous values are present, these values MUST be comma-separated. Returned EDEs (e.g., Blocked (15), Censored (16), and Filtered (17)) indicate whether the DNS resolver is configured to reveal the reason why a query was filtered/blocked when such an event happens. If the resolver's capabilities are updated to include new similar error codes, the resolver can terminate the TLS session, prompting the client to initiate a new TLS connection and retrieve the resolver information again. This allows the client to become aware of the resolver's updated capabilities. Alternatively, if the client receives an EDE for a DNS request, but that EDE was not listed in the "exterr", the client can query the resolver again to learn about the updated resolver's capabilities to return new error codes. If a mismatch still exists, the client can identify that the resolver information is inaccurate and discard it. This is an optional attribute.
infourl:
A URL that points to the generic unstructured resolver information (e.g., DoH APIs supported, possible HTTP status codes returned by the DoH server, or how to report a problem) for troubleshooting purposes. The server that exposes such information is called "resolver information server". The resolver information server MUST support only the content-type "text/html" for the resolver information. The DNS client MUST reject the URL as invalid if the scheme is not "https". Invalid URLs MUST be ignored. The URL MUST be treated only as diagnostic information for IT staff. It is not intended for end-user consumption as the URL can possibly provide misleading information. This key can be used by IT staff to retrieve other useful information about the resolver and also the procedure to report problems (e.g., invalid filtering). This is an optional attribute.
New keys can be defined as per the procedure defined in .
An Example shows an example of a published resolver information record.
An Example of a Resolver Information Record resolver.example.net. 7200 IN RESINFO qnamemin exterr=15-17 infourl=https://resolver.example.com/guide
As mentioned in , a DNS client that discovers the ADN "resolver.example.net" of its resolver using DNR will issue a query for RESINFO RR QTYPE for that ADN and will learn that:
  • the resolver enables QNAME minimisation,
  • the resolver can return Blocked (15), Censored (16), and Filtered (17) EDEs, and
  • more information can be retrieved from "https://resolver.example.com/guide".
Security Considerations DNS clients communicating with discovered DNS resolvers MUST use one of the following measures to prevent DNS response forgery attacks:
  1. Establish an authenticated secure connection to the DNS resolver.
  2. Implement local DNSSEC validation () to verify the authenticity of the resolver information.
It is important to note that, of these two measures, only the first one can apply to queries for "resolver.arpa". An encrypted resolver may return incorrect information in RESINFO. If the client cannot validate the attributes received from the resolver, which will be used for resolver selection or displayed to the end user, the client should process those attributes only if the encrypted resolver has sufficient reputation according to local policy (e.g., user configuration, administrative configuration, or a built-in list of reputable resolvers). This approach limits the ability of a malicious encrypted resolver to cause harm with false claims.
IANA Considerations
RESINFO RR Type IANA has updated the "Resource Record (RR) TYPEs" registry under the "Domain Name System (DNS) Parameters" registry group as follows:
Type:
RESINFO
Value:
261
Meaning:
Resolver Information as Key/Value Pairs
Reference:
RFC 9606
DNS Resolver Information Keys Registration IANA has created a new registry called "DNS Resolver Information Keys" under the "Domain Name System (DNS) Parameters" registry group . This new registry contains definitions of the keys that can be used to provide the resolver information. The registration procedure is Specification Required (). Designated experts should carefully consider the security implications of allowing a resolver to include new keys in this registry. Additional considerations are provided in . The structure of the registry is as follows:
Name:
The key name. The name MUST conform to the definition in of this document. The IANA registry MUST NOT register names that begin with "temp-" so that these names can be used freely by any implementer.
Description:
A description of the registered key.
Reference:
The reference specification for the registered element.
The initial contents of this registry are provided in . Initial Contents of the DNS Resolver Information Keys Registry
Name Description Reference
qnamemin The presence of the key name indicates that QNAME minimisation is enabled. RFC 9606
exterr Lists the set of enabled extended DNS errors. It must be an INFO-CODE decimal value in the "Extended DNS Error Codes" registry . RFC 9606
infourl Provides a URL that points to unstructured resolver information that is used for troubleshooting. RFC 9606
Guidelines for the Designated Experts It is suggested that multiple designated experts be appointed for registry change requests. Criteria that should be applied by the designated experts include determining whether the proposed registration duplicates existing entries and whether the registration description is clear and fits the purpose of this registry. Registration requests are evaluated within a two-week review period on the advice of one or more designated experts. Within the review period, the designated experts will either approve or deny the registration request, communicating this decision to IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful.
References Normative References Domain names - implementation and specification This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. DNS-Based Service Discovery This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD. Guidelines for Writing an IANA Considerations Section in RFCs Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Extended DNS Errors This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. DNS Query Name Minimisation to Improve Privacy This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server. This document obsoletes RFC 7816. Discovery of Designated Resolvers This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known. DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR) This document specifies new DHCP and IPv6 Router Advertisement options to discover encrypted DNS resolvers (e.g., DNS over HTTPS, DNS over TLS, and DNS over QUIC). Particularly, it allows a host to learn an Authentication Domain Name together with a list of IP addresses and a set of service parameters to reach such encrypted DNS resolvers. Informative References Domain Name System (DNS) Parameters IANA DNS Resolver Information Self-publication Google ICANN Work in Progress An Architecture for Reputation Reporting This document describes a general architecture for a reputation-based service, allowing one to request reputation-related data over the Internet, where "reputation" refers to predictions or expectations about an entity or an identifier such as a domain name. The document roughly follows the recommendations of RFC 4101 for describing a protocol model. Specification for DNS over Transport Layer Security (TLS) This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. DNS Queries over HTTPS (DoH) This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. DNS over Dedicated QUIC Connections This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios. DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. Resource Record (RR) TYPEs IANA
Acknowledgments This specification leverages the work that has been documented in . Thanks to , , , , , , , , , , , and for the discussion and comments. Thanks to , , , and for the discussion on RR formatting rules. Special thanks to for the careful and thoughtful Shepherd review. Thanks to and for the dns-dir reviews, for the RRTYPE allocation review, for the ART review, and for the gen-art review. Thanks to for the AD review. Thanks to , , , , , , and for the IESG review.
Authors' Addresses Nokia
India kondtir@gmail.com
Orange
Rennes 35000 France mohamed.boucadair@orange.com