rfcdiff: rfc9461v2.txt (old) vs. rfc9461.txt (new); lines that differ are listed under the name of the file they come from.

Internet Engineering Task Force (IETF)                       B. Schwartz
Request for Comments: 9461                          Meta Platforms, Inc.
rfc9461v2.txt:
Category: Standards Track                                 September 2023
rfc9461.txt:
Category: Standards Track                                  November 2023
ISSN: 2070-1721

                 Service Binding Mapping for DNS Servers

Abstract

   The SVCB DNS resource record type expresses a bound collection of
   endpoint metadata, for use when establishing a connection to a named
   service.  DNS itself can be such a service, when the server is
   identified by a domain name.  This document provides the SVCB mapping
skipping to change at line 328
   This attacker cannot impersonate the secure endpoint, but it can
   forge a response indicating that the requested SVCB records do not
   exist.  For a SVCB-reliant client ([SVCB], Section 3), this only
   results in a denial of service.  However, SVCB-optional clients will
   generally fall back to insecure DNS in this case, exposing all DNS
   traffic to attacks.

8.1.2.  Redirection Attacks

rfc9461v2.txt:
   SVCB-reliant clients always enforce the authentication domain name,
rfc9461.txt:
   SVCB-reliant clients always enforce the Authentication Domain Name,
   but they are still subject to attacks using the transport, port
   number, and "dohpath" value, which are controlled by this adversary.
   By changing these values in the SVCB answers, the adversary can
   direct DNS queries for $HOSTNAME to any port on $HOSTNAME and any
   path on "https://$HOSTNAME".  If the DNS client uses shared TLS or
   HTTP state, the client could be correctly authenticated (e.g., using
   a TLS client certificate or HTTP cookie).

   This behavior creates a number of possible attacks for certain server
   configurations.  For example, if https://$HOSTNAME/upload accepts any
skipping to change at line 380
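As an added illustration of the Section 8.1.2 point above (this is example code, not part of RFC 9461 or of the diff), the following Python sketch shows how a SVCB-reliant DoH client builds its request URL: the Authentication Domain Name is enforced, but the port and "dohpath" SvcParams flow into the URL after syntactic checks only, so a forged record can still steer the query to any port and path on that host. The `SvcbRecord` shape and the record values are constructed for the example; the dohpath rules applied are assumed from RFC 9461 Section 5.1 (a "/"-prefixed relative URI Template carrying the "dns" variable).

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed shape for this example: the SVCB fields a DoH client reads
# after querying _dns.<ADN>.  The names here are assumptions, not RFC text.
@dataclass(frozen=True)
class SvcbRecord:
    target: str                    # TargetName
    port: int = 443                # "port" SvcParam, adversary-controllable
    dohpath: Optional[str] = None  # "dohpath" SvcParam, adversary-controllable

_DNS_VAR = re.compile(r"\{([?&]?)dns\}")  # the {?dns} / {&dns} / {dns} forms

def validate_dohpath(dohpath: str) -> bool:
    # Syntactic rules assumed from RFC 9461 Section 5.1: a relative URI
    # Template beginning with "/" (so "https://other/..." and "//other/..."
    # are rejected) that carries the "dns" variable.  This constrains the
    # form of the template only: every path the ADN serves stays reachable,
    # which is the redirection risk described in Section 8.1.2.
    return (dohpath.startswith("/") and not dohpath.startswith("//")
            and _DNS_VAR.search(dohpath) is not None)

def expand_dohpath(dohpath: str, dns_msg: bytes) -> str:
    # Minimal RFC 6570 expansion for the single "dns" variable; the value is
    # the unpadded base64url DNS message used by RFC 8484 GET requests.
    value = base64.urlsafe_b64encode(dns_msg).rstrip(b"=").decode("ascii")
    prefix = {"?": "?dns=", "&": "&dns=", "": ""}
    return _DNS_VAR.sub(lambda m: prefix[m.group(1)] + value, dohpath)

def doh_get_url(adn: str, rec: SvcbRecord, dns_msg: bytes) -> Optional[str]:
    # SVCB-reliant behaviour: the Authentication Domain Name is enforced
    # (TargetName must equal the ADN) and the record is otherwise rejected
    # (None), but port and dohpath are used after syntactic checks only.
    if rec.target.rstrip(".") != adn.rstrip("."):
        return None
    if rec.dohpath is None or not validate_dohpath(rec.dohpath):
        return None
    if not 1 <= rec.port <= 65535:
        return None
    host = adn.rstrip(".")
    authority = host if rec.port == 443 else f"{host}:{rec.port}"
    return f"https://{authority}{expand_dohpath(rec.dohpath, dns_msg)}"
```

Feeding a forged record such as port 8443 with dohpath "/upload{?dns}" passes every check and yields "https://dns.example.net:8443/upload?dns=...": the ADN check holds, yet the query lands on a different port and path of that host. That is why the DoH HTTP session should carry no cookies, client certificate or other state shared with another use of $HOSTNAME.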
9.  IANA Considerations

   Per [SVCB], IANA has added the following entry to the "Service
   Parameter Keys (SvcParamKeys)" registry.

   +======+=======+================+=========+============+===========+
   |Number|Name   | Meaning        |Format   | Change     | Reference |
   |      |       |                |Reference| Controller |           |
   +======+=======+================+=========+============+===========+
rfc9461v2.txt:
   |7     |dohpath| DNS-over-HTTPS |RFC 9461 | IETF       | RFC 9461  |
rfc9461.txt:
   | 7    |dohpath| DNS-over-HTTPS |RFC 9461 | IETF       | RFC 9461  |
   |      |       | path template  |         |            |           |
   +------+-------+----------------+---------+------------+-----------+

                                  Table 1

   Per [Attrleaf], IANA has added the following entry to the DNS
   "Underscored and Globally Scoped DNS Node Names" registry:

   +=========+============+===========+
   | RR Type | _NODE NAME | Reference |
skipping to change at line 428
   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [RFC9113]  Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
              DOI 10.17487/RFC9113, June 2022,
              <https://www.rfc-editor.org/info/rfc9113>.

rfc9461v2.txt:
   [SVCB]     Schwartz, B., Bishop, M., and E. Nygren, "Service Binding
              and Parameter Specification via the DNS (DNS SVCB and
              HTTPS Resource Records (RRs))", RFC 9460,
              DOI 10.17487/RFC9460, September 2023,
              <https://www.rfc-editor.org/info/rfc9460>.
rfc9461.txt:
   [SVCB]     Schwartz, B., Bishop, M., and E. Nygren, "Service Binding
              and Parameter Specification via the DNS (SVCB and HTTPS
              Resource Records)", RFC 9460, DOI 10.17487/RFC9460,
              November 2023, <https://www.rfc-editor.org/info/rfc9460>.

10.2.  Informative References

   [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource
              Records through "Underscored" Naming of Attribute Leaves",
              BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019,
              <https://www.rfc-editor.org/info/rfc8552>.

   [DNSURI]   Josefsson, S., "Domain Name System Uniform Resource
              Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006,
              <https://www.rfc-editor.org/info/rfc4501>.

rfc9461v2.txt:
   [FETCH]    WHATWG, "Fetch Living Standard", June 2023,
rfc9461.txt:
   [FETCH]    WHATWG, "Fetch Living Standard", October 2023,
              <https://fetch.spec.whatwg.org/>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC9250]  Huitema, C., Dickinson, S., and A. Mankin, "DNS over
              Dedicated QUIC Connections", RFC 9250,
              DOI 10.17487/RFC9250, May 2022,
End of changes.  5 change blocks.
8 lines changed or deleted, 7 lines changed or added

This html diff was produced by rfcdiff 1.48.