| draft-ietf-dnssd-push-03.txt | draft-ietf-dnssd-push-04.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force T. Pusateri | Internet Engineering Task Force T. Pusateri | |||
| Internet-Draft Seeking affiliation | Internet-Draft Seeking affiliation | |||
| Intended status: Standards Track S. Cheshire | Intended status: Standards Track S. Cheshire | |||
| Expires: May 8, 2016 Apple Inc. | Expires: July 14, 2016 Apple Inc. | |||
| November 5, 2015 | January 11, 2016 | |||
| DNS Push Notifications | DNS Push Notifications | |||
| draft-ietf-dnssd-push-03 | draft-ietf-dnssd-push-04 | |||
| Abstract | Abstract | |||
| The Domain Name System (DNS) was designed to return matching records | The Domain Name System (DNS) was designed to return matching records | |||
| efficiently for queries for data that is relatively static. When | efficiently for queries for data that is relatively static. When | |||
| those records change frequently, DNS is still efficient at returning | those records change frequently, DNS is still efficient at returning | |||
| the updated results when polled. But there exists no mechanism for a | the updated results when polled. But there exists no mechanism for a | |||
| client to be asynchronously notified when these changes occur. This | client to be asynchronously notified when these changes occur. This | |||
| document defines a mechanism for a client to be notified of such | document defines a mechanism for a client to be notified of such | |||
| changes to DNS records, called DNS Push Notifications. | changes to DNS records, called DNS Push Notifications. | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 8, 2016. | This Internet-Draft will expire on July 14, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 17 | skipping to change at page 2, line 17 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. State Considerations . . . . . . . . . . . . . . . . . . . . 6 | 5. State Considerations . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 | 6. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 7 | 6.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.2. DNS Push Notification SUBSCRIBE . . . . . . . . . . . . . 9 | 6.2. DNS Push Notification SUBSCRIBE . . . . . . . . . . . . . 9 | |||
| 6.3. DNS Push Notification UNSUBSCRIBE . . . . . . . . . . . . 12 | 6.3. DNS Push Notification UNSUBSCRIBE . . . . . . . . . . . . 12 | |||
| 6.4. DNS Push Notification Update Messages . . . . . . . . . . 13 | 6.4. DNS Push Notification Update Messages . . . . . . . . . . 13 | |||
| 6.5. DNS RECONFIRM . . . . . . . . . . . . . . . . . . . . . . 16 | 6.5. DNS RECONFIRM . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 6.6. DNS Push Notification Termination Message . . . . . . . . 18 | 6.6. DNS Push Notification Termination Message . . . . . . . . 17 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 7.1. Security Services . . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 7.2. TLS Name Authentication . . . . . . . . . . . . . . . . . 19 | |||
| 9.1. Security Services . . . . . . . . . . . . . . . . . . . . 19 | 7.3. TLS Compression . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.2. TLS Name Authentication . . . . . . . . . . . . . . . . . 20 | 7.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 19 | |||
| 9.3. TLS Compression . . . . . . . . . . . . . . . . . . . . . 20 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 9.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 20 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 20 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 22 | 10.2. Informative References . . . . . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 1. Introduction | 1. Introduction | |||
| DNS records may be updated using DNS Update [RFC2136]. Other | DNS records may be updated using DNS Update [RFC2136]. Other | |||
| mechanisms such as a Hybrid Proxy [I-D.ietf-dnssd-hybrid] can also | mechanisms such as a Hybrid Proxy [I-D.ietf-dnssd-hybrid] can also | |||
| generate changes to a DNS zone. This document specifies a protocol | generate changes to a DNS zone. This document specifies a protocol | |||
| for Unicast DNS clients to subscribe to receive asynchronous | for Unicast DNS clients to subscribe to receive asynchronous | |||
| notifications of changes to RRSets of interest. It is immediately | notifications of changes to RRSets of interest. It is immediately | |||
| skipping to change at page 3, line 48 | skipping to change at page 3, line 48 | |||
| based protocol, and as such it defines its own equivalents of | based protocol, and as such it defines its own equivalents of | |||
| existing TCP features like the three-way handshake. This document | existing TCP features like the three-way handshake. This document | |||
| builds on experience gained with the LLQ protocol, with an improved | builds on experience gained with the LLQ protocol, with an improved | |||
| design that uses long-lived TCP connections instead of UDP (and | design that uses long-lived TCP connections instead of UDP (and | |||
| therefore doesn't need to duplicate existing TCP functionality), and | therefore doesn't need to duplicate existing TCP functionality), and | |||
| adopts the syntax and semantics of DNS Update messages [RFC2136] | adopts the syntax and semantics of DNS Update messages [RFC2136] | |||
| instead of inventing a new vocabulary of messages to communicate DNS | instead of inventing a new vocabulary of messages to communicate DNS | |||
| zone changes. | zone changes. | |||
| Because DNS Push Notifications impose a certain load on the | Because DNS Push Notifications impose a certain load on the | |||
| responding server (though less load that rapid polling of that | responding server (though less load than rapid polling of that | |||
| server) DNS Push Notification clients SHOULD exercise restraint in | server) DNS Push Notification clients SHOULD exercise restraint in | |||
| issuing DNS Push Notification subscriptions. A subscription SHOULD | issuing DNS Push Notification subscriptions. A subscription SHOULD | |||
| only be active when there is a valid reason to need live data (for | only be active when there is a valid reason to need live data (for | |||
| example, an on-screen display is currently showing the results of | example, an on-screen display is currently showing the results of | |||
| that subscription to the user) and the subscription SHOULD be | that subscription to the user) and the subscription SHOULD be | |||
| cancelled as soon as the need for that data ends (for example, when | cancelled as soon as the need for that data ends (for example, when | |||
| the user dismisses that display). | the user dismisses that display). | |||
| A DNS Push Notification client MUST not routinely keep a DNS Push | A DNS Push Notification client MUST NOT routinely keep a DNS Push | |||
| Notification subscription active 24 hours a day 7 days a week just to | Notification subscription active 24 hours a day 7 days a week just to | |||
| keep a list in memory up to date so that it will be really fast if | keep a list in memory up to date so that it will be really fast if | |||
| the user does choose to bring up an on-screen display of that data. | the user does choose to bring up an on-screen display of that data. | |||
| DNS Push Notifications are designed to be fast enough that there is | DNS Push Notifications are designed to be fast enough that there is | |||
| no need to pre-load a "warm" list in memory just in case it might be | no need to pre-load a "warm" list in memory just in case it might be | |||
| needed later. | needed later. | |||
| 3. Overview | 3. Overview | |||
| The existing DNS Update protocol [RFC2136] provides a mechanism for | The existing DNS Update protocol [RFC2136] provides a mechanism for | |||
| skipping to change at page 6, line 8 | skipping to change at page 6, line 8 | |||
| Transport Layer Security (TLS) [RFC5246] is well understood and | Transport Layer Security (TLS) [RFC5246] is well understood and | |||
| deployed across many protocols running over TCP. It is designed to | deployed across many protocols running over TCP. It is designed to | |||
| prevent eavesdropping, tampering, or message forgery. TLS is | prevent eavesdropping, tampering, or message forgery. TLS is | |||
| REQUIRED for every connection between a client subscriber and server | REQUIRED for every connection between a client subscriber and server | |||
| in this protocol specification. Additional security measures such as | in this protocol specification. Additional security measures such as | |||
| client authentication during TLS negotiation MAY also be employed to | client authentication during TLS negotiation MAY also be employed to | |||
| increase the trust relationship between client and server. | increase the trust relationship between client and server. | |||
| Additional authentication of the SRV target using DNSSEC verification | Additional authentication of the SRV target using DNSSEC verification | |||
| and DANE TLSA records [RFC7673] is strongly encouraged. See below in | and DANE TLSA records [RFC7673] is strongly encouraged. See below in | |||
| Section 9.2 for details. | Section 7.2 for details. | |||
| 5. State Considerations | 5. State Considerations | |||
| Each DNS Push Notification server is capable and handling some finite | Each DNS Push Notification server is capable of handling some finite | |||
| number of Push Notification subscriptions. This number will vary | number of Push Notification subscriptions. This number will vary | |||
| from server to server and is based on physical machine | from server to server and is based on physical machine | |||
| characteristics, network bandwidth, and operating system resource | characteristics, network bandwidth, and operating system resource | |||
| allocation. After a client establishes a connection to a DNS server, | allocation. After a client establishes a connection to a DNS server, | |||
| each record subscription is individually accepted or rejected. | each record subscription is individually accepted or rejected. | |||
| Servers may employ various techniques to limit subscriptions to a | Servers may employ various techniques to limit subscriptions to a | |||
| manageable level. Correspondingly, the client is free to establish | manageable level. Correspondingly, the client is free to establish | |||
| simultaneous connections to alternate DNS servers that support DNS | simultaneous connections to alternate DNS servers that support DNS | |||
| Push Notifications for the zone and distribute record subscriptions | Push Notifications for the zone and distribute record subscriptions | |||
| at its discretion. In this way, both clients and servers can react | at its discretion. In this way, both clients and servers can react | |||
| skipping to change at page 7, line 12 | skipping to change at page 7, line 12 | |||
| effective in providing fairness by a server across numerous client | effective in providing fairness by a server across numerous client | |||
| requests. | requests. | |||
| 6. Protocol Operation | 6. Protocol Operation | |||
| A DNS Push Notification exchange begins with the client discovering | A DNS Push Notification exchange begins with the client discovering | |||
| the appropriate server, and then making a TLS/TCP connection to it. | the appropriate server, and then making a TLS/TCP connection to it. | |||
| The client may then add and remove Push Notification subscriptions | The client may then add and remove Push Notification subscriptions | |||
| over this connection. In accordance with the current set of active | over this connection. In accordance with the current set of active | |||
| subscriptions the server sends relevant asynchronous Push | subscriptions the server sends relevant asynchronous Push | |||
| Notifications to the client. The exchange terminates when either end | Notifications to the client. Note that a client MUST be prepared to | |||
| receive (and silently discard) Push Notifications for subscriptions | ||||
| it has previously removed, since there is no way to prevent the | ||||
| situation where a Push Notification is in flight from server to | ||||
| client while the client's UNSUBSCRIBE message cancelling that | ||||
| subscription is simultaneously in flight from client to server. | ||||
| The exchange between client and server terminates when either end | ||||
| closes the TCP connection with a TCP FIN or RST. | closes the TCP connection with a TCP FIN or RST. | |||
| A client SHOULD NOT make multiple TLS/TCP connections to the same DNS | A client SHOULD NOT make multiple TLS/TCP connections to the same DNS | |||
| Push Notification server. A client SHOULD share a single TLS/TCP | Push Notification server. A client SHOULD share a single TLS/TCP | |||
| connection for all requests to the same DNS Push Notification server. | connection for all requests to the same DNS Push Notification server. | |||
| This shared connection should be used for all DNS Queries and DNS | This shared connection should be used for all DNS Queries and DNS | |||
| Push Notification Queries queries to that server, and for DNS Update | Push Notification Queries queries to that server, and for DNS Update | |||
| requests too when the "_dns-update-tls._tcp.<zone>" SRV record | requests too when the "_dns-update-tls._tcp.<zone>" SRV record | |||
| indicates that the same server also handles DNS Update requests. | indicates that the same server also handles DNS Update requests. | |||
| This is to reduce unnecessary load on the DNS Push Notification | This is to reduce unnecessary load on the DNS Push Notification | |||
| server. | server. | |||
| For the purposes here, the determination of "same server" is made by | ||||
| inspecting the target host and port, regardless of the name being | ||||
| queried, or what zone if falls within. A given server may support | ||||
| Push Notifications (and possibly DNS Updates too) for multiple DNS | ||||
| zones. When a client discovers that the DNS Push Notification server | ||||
| (and/or DNS Update server) for several different names (including | ||||
| names that fall within different zones) is the same target host and | ||||
| port, the client SHOULD use a single shared TCP connection for all | ||||
| relevant operations on those names. A client SHOULD NOT open | ||||
| multiple TCP connections to the same target host and port just | ||||
| because the names being queried (or updated) happen to fall within | ||||
| different zones. | ||||
| However, a single client device may be home to multiple independent | However, a single client device may be home to multiple independent | |||
| client software instances that don't know about each other, so a DNS | client software instances that don't know about each other, so a DNS | |||
| Push Notification server MUST be prepared to accept multiple | Push Notification server MUST be prepared to accept multiple | |||
| connections from the same client IP address. This is undesirable | connections from the same client IP address. This is undesirable | |||
| from an efficiency stanpoint, but may be unavoidable in some | from an efficiency stanpoint, but may be unavoidable in some | |||
| situations, so a DNS Push Notification server MUST be prepared to | situations, so a DNS Push Notification server MUST be prepared to | |||
| accept multiple connections from the same client IP address. | accept multiple connections from the same client IP address. | |||
| 6.1. Discovery | 6.1. Discovery | |||
| skipping to change at page 8, line 24 | skipping to change at page 8, line 45 | |||
| then SRV record MUST NOT exist and the SRV query will return a | then SRV record MUST NOT exist and the SRV query will return a | |||
| negative answer. | negative answer. | |||
| 6. If the zone in question is set up to offer DNS Push Notifications | 6. If the zone in question is set up to offer DNS Push Notifications | |||
| then this SRV record MUST exist. The SRV "target" contains the | then this SRV record MUST exist. The SRV "target" contains the | |||
| name of the server providing DNS Push Notifications for the zone. | name of the server providing DNS Push Notifications for the zone. | |||
| The port number on which to contact the server is in the SRV | The port number on which to contact the server is in the SRV | |||
| record "port" field. The address(es) of the target host MAY be | record "port" field. The address(es) of the target host MAY be | |||
| included in the Additional Section, however, the address records | included in the Additional Section, however, the address records | |||
| SHOULD be authenticated before use as described below in | SHOULD be authenticated before use as described below in | |||
| Section 9.2 [RFC7673]. | Section 7.2 [RFC7673]. | |||
| 7. More than one SRV record may be returned. In this case, the | 7. More than one SRV record may be returned. In this case, the | |||
| "priority" and "weight" values in the returned SRV records are | "priority" and "weight" values in the returned SRV records are | |||
| used to determine the order in which to contact the servers for | used to determine the order in which to contact the servers for | |||
| subscription requests. As described in the SRV specification | subscription requests. As described in the SRV specification | |||
| [RFC2782], the server with the lowest "priority" is first | [RFC2782], the server with the lowest "priority" is first | |||
| contacted. If more than one server has the same "priority", the | contacted. If more than one server has the same "priority", the | |||
| "weight" is indicates the weighted probability that the client | "weight" is indicates the weighted probability that the client | |||
| should contact that server. Higher weights have higher | should contact that server. Higher weights have higher | |||
| probabilities of being selected. If a server is not reachable or | probabilities of being selected. If a server is not reachable or | |||
| skipping to change at page 11, line 28 | skipping to change at page 11, line 28 | |||
| close the TCP connection. | close the TCP connection. | |||
| DNS wildcarding is not supported. That is, a wildcard ("*") in a | DNS wildcarding is not supported. That is, a wildcard ("*") in a | |||
| SUBSCRIBE message matches only a wildcard ("*") in the zone, and | SUBSCRIBE message matches only a wildcard ("*") in the zone, and | |||
| nothing else. | nothing else. | |||
| Aliasing is not supported. That is, a CNAME in a SUBSCRIBE message | Aliasing is not supported. That is, a CNAME in a SUBSCRIBE message | |||
| matches only a CNAME in the zone, and nothing else. | matches only a CNAME in the zone, and nothing else. | |||
| A client may SUBSCRIBE to records that are unknown to the server at | A client may SUBSCRIBE to records that are unknown to the server at | |||
| the time of the request and this is not an error. The server MUST | the time of the request (providing that the name falls within one of | |||
| accept these requests and send Push Notifications if and when matches | the zone(s) the server is responsible for) and this is not an error. | |||
| are found in the future. | The server MUST accept these requests and send Push Notifications if | |||
| and when matches are found in the future. | ||||
| Since all SUBSCRIBE operations are implicitly long-lived operations, | Since all SUBSCRIBE operations are implicitly long-lived operations, | |||
| the server MUST interpret a SUBSCRIBE request as if it contained an | the server MUST interpret a SUBSCRIBE request as if it contained an | |||
| EDNS0 TCP Keepalive option [I-D.ietf-dnsop-edns-tcp-keepalive]. A | EDNS0 TCP Keepalive option [I-D.ietf-dnsop-edns-tcp-keepalive]. A | |||
| client MUST NOT include an actual EDNS0 TCP Keepalive option in the | client MUST NOT include an actual EDNS0 TCP Keepalive option in the | |||
| request, since it is automatic, and implied by the semantics of | request, since it is automatic, and implied by the semantics of | |||
| SUBSCRIBE. If a server receives a SUBSCRIBE request this is an error | SUBSCRIBE. If a server receives a SUBSCRIBE request that does | |||
| and the server MUST immediately close the TCP connection. In a | contain an actual EDNS0 TCP Keepalive option this is an error and the | |||
| SUBSCRIBE response the server MUST include an EDNS0 TCP Keepalive | server MUST immediately close the TCP connection. In a SUBSCRIBE | |||
| option specifying the idle timeout so that the client knows the | response the server MUST include an EDNS0 TCP Keepalive option | |||
| frequency of keepalives it must generate to keep the connection | specifying the idle timeout so that the client knows the frequency of | |||
| alive. If the client receives a SUBSCRIBE response that does not | keepalives it must generate to keep the connection alive. If the | |||
| contain an EDNS0 TCP Keepalive option this is an error and the client | client receives a SUBSCRIBE response that does not contain an EDNS0 | |||
| MUST immediately close the TCP connection. | TCP Keepalive option this is an error and the client MUST immediately | |||
| close the TCP connection. | ||||
| 6.3. DNS Push Notification UNSUBSCRIBE | 6.3. DNS Push Notification UNSUBSCRIBE | |||
| To cancel an individual subscription without closing the entire | To cancel an individual subscription without closing the entire | |||
| connection, the client sends an UNSUBSCRIBE message over the | connection, the client sends an UNSUBSCRIBE message over the | |||
| established TCP connection to the server. The UNSUBSCRIBE message is | established TCP connection to the server. The UNSUBSCRIBE message is | |||
| formatted identically to the SUBSCRIBE message which created the | formatted identically to the SUBSCRIBE message which created the | |||
| subscription, with the exact same name, type and class, except that | subscription, with the exact same name, type and class, except that | |||
| the opcode is UNSUBSCRIBE (7) instead of SUBSCRIBE (6). | the opcode is UNSUBSCRIBE (7) instead of SUBSCRIBE (6). | |||
| skipping to change at page 19, line 17 | skipping to change at page 18, line 23 | |||
| ADCOUNT MUST be zero, and the Additional Data Section MUST be empty. | ADCOUNT MUST be zero, and the Additional Data Section MUST be empty. | |||
| Any records in the Additional Data Section MUST be silently ignored. | Any records in the Additional Data Section MUST be silently ignored. | |||
| The RCODE MUST contain a code giving the reason for termination. | The RCODE MUST contain a code giving the reason for termination. | |||
| [Codes to be determined.] The Termination Message MUST contain an | [Codes to be determined.] The Termination Message MUST contain an | |||
| EDNS0 TCP Keepalive option [I-D.ietf-dnsop-edns-tcp-keepalive] where | EDNS0 TCP Keepalive option [I-D.ietf-dnsop-edns-tcp-keepalive] where | |||
| the idle timeout indicates the time the client SHOULD wait before | the idle timeout indicates the time the client SHOULD wait before | |||
| attempting to reconnect. | attempting to reconnect. | |||
| 7. Acknowledgements | 7. Security Considerations | |||
| The authors would like to thank Kiren Sekar and Marc Krochmal for | ||||
| previous work completed in this field. This draft has been improved | ||||
| due to comments from Ran Atkinson. | ||||
| 8. IANA Considerations | ||||
| This document defines the service name: "_dns-push-tls._tcp". | ||||
| It is only applicable for the TCP protocol. | ||||
| This name is to be published in the IANA Service Name Registry. | ||||
| This document defines two DNS OpCodes: SUBSCRIBE with (tentative) | ||||
| value 6 and UNSUBSCRIBE with (tentative) value 7. | ||||
| 9. Security Considerations | ||||
| TLS support is mandatory in DNS Push Notifications. There is no | TLS support is REQUIRED in DNS Push Notifications. There is no | |||
| provision for opportunistic encryption using a mechanism like | provision for opportunistic encryption using a mechanism like | |||
| "STARTTLS". | "STARTTLS". | |||
| 9.1. Security Services | DNSSEC is RECOMMENDED for DNS Push Notifications. TLS alone does not | |||
| provide complete security. TLS certificate verification can provide | ||||
| reasonable assurance that the client is really talking to the server | ||||
| associated with the desired host name, but since the desired host | ||||
| name is learned via a DNS SRV query, if the SRV query is subverted | ||||
| then the client may have a secure connection to a rogue server. | ||||
| DNSSEC can provided added confidence that the SRV query has not been | ||||
| subverted. | ||||
| 7.1. Security Services | ||||
| It is the goal of using TLS to provide the following security | It is the goal of using TLS to provide the following security | |||
| services: | services: | |||
| Confidentiality All application-layer communication is encrypted | Confidentiality All application-layer communication is encrypted | |||
| with the goal that no party should be able to decrypt it except | with the goal that no party should be able to decrypt it except | |||
| the intended receiver. | the intended receiver. | |||
| Data integrity protection Any changes made to the communication in | Data integrity protection Any changes made to the communication in | |||
| transit are detectable by the receiver. | transit are detectable by the receiver. | |||
| skipping to change at page 20, line 12 | skipping to change at page 19, line 12 | |||
| Authentication An end-point of the TLS communication is | Authentication An end-point of the TLS communication is | |||
| authenticated as the intended entity to communicate with. | authenticated as the intended entity to communicate with. | |||
| Deployment recommendations on the appropriate key lengths and cypher | Deployment recommendations on the appropriate key lengths and cypher | |||
| suites are beyond the scope of this document. Please refer to TLS | suites are beyond the scope of this document. Please refer to TLS | |||
| Recommendations [RFC7525] for the best current practices. Keep in | Recommendations [RFC7525] for the best current practices. Keep in | |||
| mind that best practices only exist for a snapshot in time and | mind that best practices only exist for a snapshot in time and | |||
| recommendations will continue to change. Updated versions or errata | recommendations will continue to change. Updated versions or errata | |||
| may exist for these recommendations. | may exist for these recommendations. | |||
| 9.2. TLS Name Authentication | 7.2. TLS Name Authentication | |||
| As described in Section 6.1, the client discovers the DNS Push | As described in Section 6.1, the client discovers the DNS Push | |||
| Notification server using an SRV lookup for the record name | Notification server using an SRV lookup for the record name | |||
| "_dns-push-tls._tcp.<zone>". The server connection endpoint SHOULD | "_dns-push-tls._tcp.<zone>". The server connection endpoint SHOULD | |||
| then be authenticated using DANE TLSA records for the associated SRV | then be authenticated using DANE TLSA records for the associated SRV | |||
| record. This associates the target's name and port number with a | record. This associates the target's name and port number with a | |||
| trusted TLS certificate [RFC7673]. This procedure uses the TLS Sever | trusted TLS certificate [RFC7673]. This procedure uses the TLS Sever | |||
| Name Indication (SNI) extension [RFC6066] to inform the server of the | Name Indication (SNI) extension [RFC6066] to inform the server of the | |||
| name the client has authenticated through the use of TLSA records. | name the client has authenticated through the use of TLSA records. | |||
| Therefore, if the SRV record passes DNSSEC validation and a TLSA | Therefore, if the SRV record passes DNSSEC validation and a TLSA | |||
| record matching the target name is useable, an SNI extension MUST be | record matching the target name is useable, an SNI extension MUST be | |||
| used for the target name to ensure the client is connecting to the | used for the target name to ensure the client is connecting to the | |||
| server it has authenticated. If the target name does not have a | server it has authenticated. If the target name does not have a | |||
| usable TLSA record, then the use of the SNI extension is optional. | usable TLSA record, then the use of the SNI extension is optional. | |||
| 9.3. TLS Compression | 7.3. TLS Compression | |||
| In order to reduce the chances of compression related attacks, TLS- | In order to reduce the chances of compression related attacks, TLS- | |||
| level compression SHOULD be disabled when using TLS versions 1.2 and | level compression SHOULD be disabled when using TLS versions 1.2 and | |||
| earlier. In the draft version of TLS 1.3 [I-D.ietf-tls-tls13], TLS- | earlier. In the draft version of TLS 1.3 [I-D.ietf-tls-tls13], TLS- | |||
| level compression has been removed completely. | level compression has been removed completely. | |||
| 9.4. TLS Session Resumption | 7.4. TLS Session Resumption | |||
| TLS Session Resumption is permissible on DNS Push Notification | TLS Session Resumption is permissible on DNS Push Notification | |||
| servers. The server may keep TLS state with Session IDs [RFC5246] or | servers. The server may keep TLS state with Session IDs [RFC5246] or | |||
| operate in stateless mode by sending a Session Ticket [RFC5077] to | operate in stateless mode by sending a Session Ticket [RFC5077] to | |||
| the client for it to store. However, once the connection is closed, | the client for it to store. However, once the connection is closed, | |||
| any existing subscriptions will be dropped. When the TLS session is | any existing subscriptions will be dropped. When the TLS session is | |||
| resumed, the DNS Push Notification server will not have any | resumed, the DNS Push Notification server will not have any | |||
| subscription state and will proceed as with any other new connection. | subscription state and will proceed as with any other new connection. | |||
| Use of TLS Session Resumption allows a new TLS connection to be set | ||||
| up more quickly, but the client will still have to recreate any | ||||
| desired subscriptions. | ||||
| 8. IANA Considerations | ||||
| This document defines the service name: "_dns-push-tls._tcp". | ||||
| It is only applicable for the TCP protocol. | ||||
| This name is to be published in the IANA Service Name Registry. | ||||
| This document defines three DNS OpCodes: SUBSCRIBE with (tentative) | ||||
| value 6, UNSUBSCRIBE with (tentative) value 7, and RECONFIRM with | ||||
| (tentative) value 8. | ||||
| 9. Acknowledgements | ||||
| The authors would like to thank Kiren Sekar and Marc Krochmal for | ||||
| previous work completed in this field. | ||||
| This draft has been improved due to comments from Ran Atkinson, Mark | ||||
| Delany, and Markus Stenberg. | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.ietf-dnsop-5966bis] | [I-D.ietf-dnsop-5966bis] | |||
| Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and | Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and | |||
| D. Wessels, "DNS Transport over TCP - Implementation | D. Wessels, "DNS Transport over TCP - Implementation | |||
| Requirements", draft-ietf-dnsop-5966bis-04 (work in | Requirements", draft-ietf-dnsop-5966bis-05 (work in | |||
| progress), November 2015. | progress), December 2015. | |||
| [I-D.ietf-dnsop-edns-tcp-keepalive] | [I-D.ietf-dnsop-edns-tcp-keepalive] | |||
| Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The | Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The | |||
| edns-tcp-keepalive EDNS0 Option", draft-ietf-dnsop-edns- | edns-tcp-keepalive EDNS0 Option", draft-ietf-dnsop-edns- | |||
| tcp-keepalive-04 (work in progress), October 2015. | tcp-keepalive-05 (work in progress), January 2016. | |||
| [I-D.ietf-tls-tls13] | [I-D.ietf-tls-tls13] | |||
| Rescorla, E., "The Transport Layer Security (TLS) Protocol | Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", draft-ietf-tls-tls13-10 (work in progress), | Version 1.3", draft-ietf-tls-tls13-11 (work in progress), | |||
| October 2015. | December 2015. | |||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI | |||
| 10.17487/RFC0768, August 1980, | 10.17487/RFC0768, August 1980, | |||
| <http://www.rfc-editor.org/info/rfc768>. | <http://www.rfc-editor.org/info/rfc768>. | |||
| [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC | [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC | |||
| 793, DOI 10.17487/RFC0793, September 1981, | 793, DOI 10.17487/RFC0793, September 1981, | |||
| <http://www.rfc-editor.org/info/rfc793>. | <http://www.rfc-editor.org/info/rfc793>. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| End of changes. 25 change blocks. | ||||
| 59 lines changed or deleted | 96 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||