Extensible Delegation for DNS

Extensible Delegation for DNS Google, LLC

ietf@tapril.net

ISC

pspacek@isc.org

Akamai Technologies

rweber@akamai.com

Salesforce

tale@dd.org

Internet deleg Internet-Draft DNS delegation A delegation in the Domain Name System (DNS) is a mechanism that enables efficient and distributed management of the DNS namespace. It involves delegating authority over subdomains to specific DNS servers via NS records, allowing for a hierarchical structure and distributing the responsibility for maintaining DNS records. An NS record contains the hostname of the nameserver for the delegated namespace. Any facilities of that nameserver must be discovered through other mechanisms. This document proposes a new extensible DNS record type, DELEG, for delegation of the authority for a domain. Future documents then can use this mechanism to use additional information about the delegated namespace and the capabilities of authoritative nameservers for the delegated namespace. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the deleg Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction In the Domain Name System , subdomains within the domain name hierarchy are indicated by delegations to servers which are authoritative for their portion of the namespace. The DNS records that do this, called NS records, contain hostnames of nameservers, which resolve to addresses. No other information is available to the resolver. It is limited to connect to the authoritative servers over UDP and TCP port 53. This limitation is a barrier for efficient introduction of new DNS technology. The proposed DELEG record type remedies this problem by providing extensible parameters to indicate capabilities and additional information, such as glue that a resolver may use for the delegated authority. It is authoritative and thus signed in the parent side of the delegation making it possible to validate all delegation parameters (names and glue records) with DNSSEC. This document only shows how DELEG can be used instead of or along side a NS record to create a delegation. Future documents can use the extensible mechanism for more advanced features like connecting to a name server with an encrypted transport.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in
BCP 14 when, and only when, they appear in all capitals, as shown here. Terminology regarding the Domain Name System comes from , with addition terms defined here:

legacy name servers: An authoritative server that does not support the DELEG record.
legacy resolvers: A resolver that does not support the DELEG record.

DELEG Record Type The DELEG record uses a new resource record type, whose contents are identical to the SVCB record defined in . For extensions SVCB and DELEG use Service Parameter Keys (SvcParamKeys) and new SvcParamKeys that might be needed also will use the existing IANA Registry.

Differences from SVCB

DELEG can only have two priorities 0 indicating INCLUDE and 1 indicating a DIRECT delegation. These terms MUST be used in the presentation format of the DELEG record.
INCLUDE and DIRECT delegation can be mixed within an RRSet.
The final INCLUDE target is an SVCB record, though there can be further indirection using CNAME or AliasMode SVCB records.
There can be multiple INCLUDE DELEG records, but further indirections through SVCB records have to comply with in that there can be only one AliasMode SVCB record per name.
In order to not allow unbounded indirection of DELEG records the maximum number of indirections, CNAME or AliasMode SVCB is 4.
The SVCB IPv4hint and IPv6hint parameters keep their key values of 4 and 6, but the presentation format with DELEG MUST be Glue4 and Glue6.
Glue4 and Glue6 records when present MUST be used to connect to the delegated name server.
The target of any DELEG record MUST NOT be '.'
The target of a DELEG INCLUDE record MUST be outside of the delegated domain.
The target of a DELEG DIRECT record MUST be a domain below the delegated domain.

Use of DELEG record A DELEG RRset MAY be present at a delegation point. The DELEG RRset MAY contain multiple records. DELEG RRsets MUST NOT appear at a zone's apex. A DELEG RRset MAY be present with or without NS or DS RRsets at the delegation point.

Resolvers

Signaling DELEG support A resolver that is DELEG aware MUST signal its support by sending the DE bit when iterating. This bit is referred to as the "DELEG" (DE) bit. In the context of the EDNS0 OPT meta-RR, the DE bit is the TBD of the "extended RCODE and flags" portion of the EDNS0 OPT meta-RR, structured as follows (to be updated when assigned): Setting the DE bit to one in a query indicates the resolver understands new DELEG semantics and does not need NS RR to follow a referral. The DE bit cleared (set to zero) indicates the resolver is unprepared to handle DELEG and hence can only be served NS, DS and glue in a delegation response. Motivation: For a long time there will be both DELEG and NS needed for delegation. As both methods should be configured to get to a proper resolution it is not necessary to send both in a referral response. We therefore purpose an EDNS flag to be use similar to the DO Bit for DNSSEC to be used to signal that the sender understands DELEG and does not need NS or glue information in the referral.

Referral The DELEG record creates a zone cut similar to the NS record. If a DELEG record exists on a given delegation point, all record types defined as authoritative in the child zone MUST be resolved using the name servers defined in the DELEG record. In such case resolver MUST NOT use NS records even if they happen to be present in cache, even if resolution using DELEG records have failed for some reason. Such fallback from DELEG to NS would invalidate security guarantees of DELEG protocol. If no DELEG record exists on a given delegation point resolver MUST use NS records as specified by RFC1034.

Parent-side types, QTYPE=DELEG Record types defined as authoritative on the parent side of zone cut (currently DS and DELEG types) retain the same special handling as before, i.e. section 2.6 applies. DELEG unaware recursive resolvers will not be able to determine correct NS set for QTYPE=DELEG queries. This is not a bug.

Algorithm This section updates instructions for step "2. Find the best servers to ask." of RFC1034 section 5.3.3 and section 3.4.1. There are two important details:

The algorithm description should explicitly describe RR types authoritative at the parent side of a zone cut. This is implied by section 3.1.4.1 for DS RR type but the text in the algorithm description was not updated. DELEG specification simply extends this existing behavior to DELEG RR type as well, and makes this special case explicit.
When DELEG RRset exists, NS RRset is ignored on that particular zone cut by DELEG aware resolvers.
DELEG and NS RR types can be used differently at each delegation level and resolver MUST be able follow chain of delegations which combines them in arbitrary ways.

Example of a valid delegation tree: Terms SNAME and SLIST used in the rest of this section are defined in RFC 1034 section 5.3.2.: SNAME the domain name we are searching for. SLIST a structure which describes the name servers and the zone which the resolver is currently trying to query. Modified description of Step 2. Find the best servers to ask follows: Step 2 looks for a name server to ask for the required data. First determine deepest possible zone cut which can potentially hold the answer for given (query name, type, class) combination:

Start with SNAME equal to QNAME.
If QTYPE is a type authoritative at the parent side of a zone cut (DS or DELEG), remove leftmost label from SNAME. E.g. if QNAME is Test.Example. and QTYPE is DELEG or DS, set SNAME to Example.
TODO: what to do about ". DELEG" (or DS) query? That leaves zero labels left. That by definition does not exist ...

Further general strategy is to look for locally-available DELEG and NS RRsets, starting at current SNAME. If none are found, shorten SNAME by removing leftmost label and check again. This effectivelly finds the deepest known delegation point on the path between SNAME and the root:

For given SNAME first check existence of DELEG RRset. If it exists, resolver MUST use it's content to populate SLIST. If the DELEG RRset is known to exist but is unusable (e.g. it is found in DNSSEC BAD cache), resolver MUST NOT fallback to NS RRset, even if it is locally available. Resolver MUST treat this case as if no servers were available/reachable.
If a given SNAME is proven to not have a DELEG RRset but has NS RRset, resolver MUST copy it into SLIST.
If SLIST is populated, terminate walk up the DNS tree.
If SLIST is not populated, remove leftmost label from SNAME and inspect RR types for this new SNAME.

Rest of the Step 2's description is not affected by this document. Please note the instructions to "Bound the amount of work" further down in the original text to apply. Suitable limits MUST be enforced to limit damage EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED SOME DATA.

Authoritative Servers DELEG-aware authoritative servers act differently when handling queries from DELEG-unaware clients (those with DE=0) and queries from DELEG-aware clients (those with DE=1). The server MUST copy the value of the DE bit from the query into the response. (TODO: not really necessary protocol-wise, but might be nice for monitoring the deployment?)

DELEG-unaware Clients DELEG-unaware clients do not use DELEG records for delegation. When a DELEG-aware authoritative server responds to a DELEG-unaware client, any DELEG RR in the response does not create zone cut, is not returned in referral responses, and is not considered authoritative on the parent side of a zone cut. Because of this, DELEG-aware authoritative servers MUST answer as if they are DELEG-unaware. Please note this instruction does not affect DNSSEC signing, i.e. no special handling for NSEC type bitmap is necessary and DELEG RR type is accuratelly represented even for DELEG-unaware clients. Two surprising narrow cases of DELEG-aware authoritative responding in DELEG-unaware manner are described here.

DELEG-unaware Clients Requesting QTYPE=DELEG In DELEG-unaware clients, records with the DELEG RRtype are not authoritative on the parent side. Thus, queries with DE=0 and QTYPE=DELEG MUST result in a legacy referral response.

DELEG-unaware Clients with DELEG RRs Present but No NS RRs DELEG-unaware clients might ask for a name which belongs to a zone delegated only with DELEG RRs (that is, without any NS RRs). Such zone is, by definition, not resolvable for DELEG-unaware clients. In this case the DELEG RR itself cannot create a zone cut, and the DELEG-aware authoritative server MUST return a legacy response. The legacy response might be confusing for subdomains of zones which actually exist because DELEG-aware clients would get a different answer, namely a delegation. Example of a legacy response is in . The authoritative server is RECOMMENDED to supplement DELEG unaware response with Extended DNS Error "New Delegation Only". TODO: debate if WG wants to do explicit SERVFAIL for this case instead of 'just' EDE.

DELEG-aware Clients When the client indicates that it is DELEG-aware by setting DE=1 in the query, DELEG-aware authoritative servers treat DELEG records as zone cuts, and the servers are authoritative on parent side of zone cut. This new zone cut has priority over legacy delegation with NS RRset.

DELEG-aware Clients Requesting QTYPE=DELEG An explicit query for DELEG RR type at a delegation point behaves much like query for DS RR type: the server answers authortiatively from the parent zone. All previous specifications for special handling QTYPE=DS apply equally to QTYPE=DELEG. In summary, server either provides authoritative DELEG RRset or proves its non-existence.

Delegation with DELEG If the delegation has a DELEG RRset, the authoritative server MUST put the DELEG RRset into the Authority section of the referral. In this case, the server MUST NOT include the NS RRset into the Authority section. Presence of the covering RRSIG follows the normal DNSSEC specification for answers with authoritative zone data. Similarly, rules for DS RRset inclusion into referrals apply as specified by DNSSEC protocol.

DELEG-aware Clients with NS RRs Present but No DELEG RRs If the delegation does not have a DELEG RRset, the authoritative server MUST put the NS RRset into the authority section of the referral. Absence of DELEG RRset must be proven as specified by DNSSEC protocol for authoritative data. Similarly, rules for DS RRset inclusion into referrals apply as specified by the DNSSEC protocol. Please note in practice the same process and records are used to prove non-existence of DELEG and DS RRsets.

DNSSEC Signers The DELEG record is authoritative on the parent side of a zone cut and needs to be signed as such. Existing rules from DNSSEC specification apply. In summary: For DNSSEC signing, treat DELEG RR type the same way as DS RR type. In order to protect validators from downgrade attacks this draft introduces a new DNSKEY flag ADT (Authoritative Delegation Types). In zones which contain a DELEG RRset this flag MUST be set to one in at least one DNSKEYs published in the zone.

DNSSEC Validators DELEG awareness introduces additional requirements on validators.

Clarifications on Nonexistence Proofs This document updates section 4.1 to include "NS or DELEG" types in type bitmap as indication of a delegation point and generalizes applicability of Ancestor delegation proof to all types authoritative at parent (i.e. DS and DELEG). Updated text follows: An "ancestor delegation" NSEC RR (or NSEC3 RR) is one with:

the NS and/or DELEG bit set,
the Start of Authority (SOA) bit clear, and
a signer field that is shorter than the owner name of the NSEC RR, or the original owner name for the NSEC3 RR.

Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume nonexistence of any RRs below that zone cut, which include all RRs at that (original) owner name other types authoritative at the parent-side of zone cut (DS and DELEG), and all RRs below that owner name regardless of type.

Insecure Delegation Proofs This document updates section 4.4 to include secure DELEG support and explicitly states Opt-Out is not applicable to DELEG. Updated text follows: Section 5.2 of specifies that a validator, when proving a delegation is not secure, needs to check for the absence of the DS and SOA bits in the NSEC (or NSEC3) type bitmap. The validator also MUST check for the presence of the NS or DELEG bit in the matching NSEC (or NSEC3) RR (proving that there is, indeed, a delegation). Alternately make sure that the delegation with NS record is covered by an NSEC3 RR with the Opt-Out flag set. Opt-Out is not applicable to DELEG RR type because this it is authoritative at the parent side of a zone cut in the same say as DS RR type.

Referral downgrade protection When DNSKEY flag ADT is set to one, the DELEG aware validator MUST prove absence of a DELEG RRset in referral responses from this zone. Without this check, an attacker could strip DELEG RRset from a referral response and replace it with an unsigned (and potentially malicious) NS RRset. A referral response with an unsigned NS and signed DS RRsets does not require additional proofs of nonexistance according to pre-DELEG DNSSEC specification and it would have been accepted as a delegation without DELEG RRset.

Chaining A Validating Stub Resolver that is DELEG aware has to use a Security-Aware Resolver that is DELEG aware and if it is behind a forwarder this has to be security and DELEG aware as well.

IANA Considerations IANA is requested to allocate the DELEG RR in the Resource Record (RR) TYPEs registry, with the meaning of "enhanced delegation information" and referencing this document. IANA is requested to assign a new bit in the DNSKEY RR Flags registry () for the ADT bit (N), with the description "Authoritative Delegation Types" and referencing this document. For compatibility reasons we request the bit 14 to be used. This value has been proven to work whereas bit 0 was proven to break in practical deployments (because of bugs). IANA is requested to assign a bit from the EDNS Header Flags registry (), with the abbreviation DE, the description "DELEG enabled" and referencing this document. IANA is requested to assign a value from the Extended DNS Error Codes (), with the Purpose "New Delegation Only" and referencing this document. For the RDATA parameters to a DELEG RR, the DNS Service Bindings (SVCB) registry () is used. This document requests no new assignments to that registry, though it is expected that future DELEG work will.

References Normative References Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Domain names - implementation and specification This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records) This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy. Protocol Modifications for the DNS Security Extensions This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK] DNAME Redirection in the DNS The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS. This document obsoletes the original specification in RFC 2672 as well as updates the document on representing IPv6 addresses in DNS (RFC 3363). [STANDARDS-TRACK] Clarifications and Implementation Notes for DNS Security (DNSSEC) This document is a collection of technical clarifications to the DNS Security (DNSSEC) document set. It is meant to serve as a resource to implementors as well as a collection of DNSSEC errata that existed at the time of writing. This document updates the core DNSSEC documents (RFC 4033, RFC 4034, and RFC 4035) as well as the NSEC3 specification (RFC 5155). It also defines NSEC3 and SHA-2 (RFC 4509 and RFC 5702) as core parts of the DNSSEC specification. Resource Records for the DNS Security Extensions This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK] Extension Mechanisms for DNS (EDNS(0)) The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. Extended DNS Errors This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. Informative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. Parameterized Nameserver Delegation with NS2 and NS2T Akamai Technologies Within the DNS, there is no mechanism for authoritative servers to advertise which transport methods they are capable of. If secure transport methods are adopted by authoritative operators, transport signaling would be required to negotiate how authoritative servers would be contacted by resolvers. This document provides two new Resource Record Types, NS2 and NS2T, to facilitate this negotiation by allowing zone owners to signal how the authoritative nameserver(s) for their zone(s) may accept queries.

Examples The following example shows an excerpt from a signed root zone. It shows the delegation point for "example." and "test." The "example." delegation has DELEG and NS records. The "test." delegation has DELEG but no NS records. The "test." delegation point has a DELEG record and no NS record.

Responses The following sections show referral examples:

DO bit clear, DE bit clear

Query for foo.example ;; Header: QR RCODE=0 ;; ;; Question foo.example. IN MX ;; Answer ;; (empty) ;; Authority example. 300 IN NS a.example. example. 300 IN NS b.example.net. example. 300 IN NS c.example.org. ;; Additional a.example. 300 IN A 192.0.2.1 a.example. 300 IN AAAA 2001:DB8::1

Query for foo.test ;; Header: QR AA RCODE=3 ;; ;; Question foo.test. IN MX ;; Answer ;; (empty) ;; Authority . 300 IN SOA ... ;; Additional ;; OPT with Extended DNS Error: New Delegation Only

DO bit set, DE bit clear

Query for foo.example

Query for foo.test

DO bit clear, DE bit set

Query for foo.example

Query for foo.test

DO bit set, DE bit set

Query for foo.example

Query for foo.test

Acknowledgments {:unnumbered} This document is heavily based on past work done by Tim April in and thus extends the thanks to the people helping on this which are: John Levine, Erik Nygren, Jon Reed, Ben Kaduk, Mashooq Muhaimen, Jason Moreau, Jerrod Wiesman, Billy Tiemann, Gordon Marx and Brian Wellington.

TODO

RFC EDITOR:: PLEASE REMOVE THE THIS SECTION PRIOR TO PUBLICATION.

Write a security considerations section
Change the parameters form temporary to permanent once IANA assigned. Temporary use:
- DELEG QType code is 65432
- DELEG EDNS Flag Bit is 3
- DELEG DNSKEY Flag Bit is 0

Change Log

RFC EDITOR:: PLEASE REMOVE THE THIS SECTION PRIOR TO PUBLICATION.

since draft-wesplaap-deleg-00

Clarified SVCB priority behavior
Added section on differences to draft-homburg-deleg-incremental-deleg

since draft-wesplaap-deleg-01

Reorganised and streamlined the draft to the bare minimum for DELEG as an NS replacement
Defined codepoints for temporary testing
Added examples

Contributors Cloudflare

christian@elmerot.se

ICANN

edward.lewis@icann.org

ICANN

roy.arends@icann.org

Salesforce

shuque@gmail.com

nic.at

klaus.darilion@nic.at

CZ.nic

libor.peltan@nic.cz

CZ.nic

vladimir.cunat@nic.cz

NS1

shane@time-travellers.org

Verisign

davidb@verisign.com

APNIC

ggm@algebras.org