rfc9461.original   rfc9461.txt 
add B. Schwartz Internet Engineering Task Force (IETF) B. Schwartz
Internet-Draft Meta Platforms, Inc. Request for Comments: 9461 Meta Platforms, Inc.
Intended status: Standards Track 26 June 2023 Category: Standards Track November 2023
Expires: 28 December 2023 ISSN: 2070-1721
Service Binding Mapping for DNS Servers Service Binding Mapping for DNS Servers
draft-ietf-add-svcb-dns-09
Abstract Abstract
The SVCB DNS resource record type expresses a bound collection of The SVCB DNS resource record type expresses a bound collection of
endpoint metadata, for use when establishing a connection to a named endpoint metadata, for use when establishing a connection to a named
service. DNS itself can be such a service, when the server is service. DNS itself can be such a service, when the server is
identified by a domain name. This document provides the SVCB mapping identified by a domain name. This document provides the SVCB mapping
for named DNS servers, allowing them to indicate support for for named DNS servers, allowing them to indicate support for
encrypted transport protocols. encrypted transport protocols.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the ADD Working Group
mailing list (add@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/add/.
Source for this draft and an issue tracker can be found at
https://github.com/bemasc/svcb-dns.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 28 December 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9461.
Copyright Notice Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions
3. Identities and Names . . . . . . . . . . . . . . . . . . . . 3 3. Identities and Names
3.1. Special case: non-default ports . . . . . . . . . . . . . 4 3.1. Special Case: Non-default Ports
4. Applicable existing SvcParamKeys . . . . . . . . . . . . . . 4 4. Applicable Existing SvcParamKeys
4.1. alpn . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. "alpn"
4.2. port . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. "port"
4.3. Other applicable SvcParamKeys . . . . . . . . . . . . . . 5 4.3. Other Applicable SvcParamKeys
5. New SvcParamKeys . . . . . . . . . . . . . . . . . . . . . . 5 5. New SvcParamKey: "dohpath"
5.1. dohpath . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Limitations
6. Limitations . . . . . . . . . . . . . . . . . . . . . . . . . 6 7. Examples
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8.1. Adversary on the Query Path
8.1. Adversary on the query path . . . . . . . . . . . . . . . 7 8.1.1. Downgrade Attacks
8.1.1. Downgrade attacks . . . . . . . . . . . . . . . . . . 8 8.1.2. Redirection Attacks
8.1.2. Redirection attacks . . . . . . . . . . . . . . . . . 8 8.2. Adversary on the Transport Path
8.2. Adversary on the transport path . . . . . . . . . . . . . 9 9. IANA Considerations
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 10. References
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 10.1. Normative References
10.1. Normative References . . . . . . . . . . . . . . . . . . 9 10.2. Informative References
10.2. Informative References . . . . . . . . . . . . . . . . . 10 Appendix A. Mapping Summary
Appendix A. Mapping Summary . . . . . . . . . . . . . . . . . . 11 Acknowledgments
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 12 Author's Address
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The SVCB resource record type [SVCB] provides clients with The SVCB resource record (RR) type [SVCB] provides clients with
information about how to reach alternative endpoints for a service, information about how to reach alternative endpoints for a service.
which may have improved performance or privacy properties. The These endpoints may offer improved performance or privacy properties.
service is identified by a "scheme" indicating the service type, a The service is identified by a "scheme" indicating the service type,
hostname, and optionally other information such as a port number. A a hostname, and, optionally, other information such as a port number.
DNS server is often identified only by its IP address (e.g., in A DNS server is often identified only by its IP address (e.g., in
DHCP), but in some contexts it can also be identified by a hostname DHCP), but in some contexts it can also be identified by a hostname
(e.g., "NS" records, manual resolver configuration) and sometimes (e.g., "NS" records, manual resolver configuration) and sometimes
also a non-default port number. also a non-default port number.
Use of the SVCB resource record type requires a mapping document for The use of the SVCB RR type requires a mapping document for each
each service type (Section 2.4.3 of [SVCB]), indicating how a client service type (Section 2.4.3 of [SVCB]), indicating how a client for
for that service can interpret the contents of the SVCB SvcParams. that service can interpret the contents of the SVCB SvcParams. This
This document provides the mapping for the "dns" service type, document provides the mapping for the "dns" service type, allowing
allowing DNS servers to offer alternative endpoints and transports, DNS servers to offer alternative endpoints and transports, including
including encrypted transports like DNS over TLS (DoT) [RFC7858], DNS encrypted transports like DNS over TLS (DoT) [RFC7858], DNS over
over HTTPS (DoH) [RFC8484], and DNS over QUIC (DoQ) [RFC9250]. HTTPS (DoH) [RFC8484], and DNS over QUIC (DoQ) [RFC9250].
The SVCB mapping described in this document is intended as a general- The SVCB mapping described in this document is intended as a general-
purpose baseline. Subsequent specifications will adapt this purpose baseline. Subsequent specifications will adapt this
mechanism as needed to support specific configurations (e.g., for mechanism as needed to support specific configurations (e.g., for
communication between stub and recursive resolvers). communication between stub resolvers and recursive resolvers).
2. Conventions and Definitions 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Identities and Names 3. Identities and Names
SVCB record names (i.e., QNAMEs) for DNS services are formed using SVCB record names (i.e., QNAMEs) for DNS services are formed using
Port-Prefix Naming (Section 2.3 of [SVCB]), with a scheme of "dns". Port Prefix Naming (Section 2.3 of [SVCB]), with a scheme of "dns".
For example, SVCB records for a DNS service identified as For example, SVCB records for a DNS service identified as
dns1.example.com would be queried at _dns.dns1.example.com. dns1.example.com would be queried at _dns.dns1.example.com.
In some use cases, the name used for retrieving these DNS records is In some use cases, the name used for retrieving these DNS records is
different from the server identity used to authenticate the secure different from the server identity used to authenticate the secure
transport. To distinguish between these, this document uses the transport. To distinguish between these, this document uses the
following terms: following terms:
* Binding authority - The service name (Section 1.4 of [SVCB]) and Binding authority: The service name (Section 1.3 of [SVCB]) and
optional port number used as input to Port-Prefix Naming. optional port number used as input to Port Prefix Naming.
* Authentication name - The name used for secure transport Authentication name: The name used for secure transport
authentication. This MUST be a DNS hostname or a literal IP authentication. This MUST be a DNS hostname or a literal IP
address. Unless otherwise specified, this is the service name address. Unless otherwise specified, this is the service name
from the binding authority. from the binding authority.
3.1. Special case: non-default ports 3.1. Special Case: Non-default Ports
Normally, a DNS service is identified by an IP address or a domain Normally, a DNS service is identified by an IP address or a domain
name. When connecting to the service using unencrypted DNS over UDP name. When connecting to the service using unencrypted DNS over UDP
or TCP, clients use the default port number for DNS (53). However, or TCP, clients use the default port number for DNS (53). However,
in rare cases, a DNS service might be identified by both a name and a in rare cases, a DNS service might be identified by both a name and a
port number. For example, the "dns:" URI scheme [DNSURI] optionally port number. For example, the DNS URI scheme [DNSURI] optionally
includes an authority, comprised of a host and a port number (with a includes an authority, comprised of a host and a port number (with a
default of 53). DNS URIs normally omit the authority, or specify an default of 53). DNS URIs normally omit the authority or specify an
IP address, but a hostname and non-default port number are allowed. IP address, but a hostname and non-default port number are allowed.
When the binding authority specifies a non-default port number, Port- When the binding authority specifies a non-default port number, Port
Prefix Naming places the port number in an additional prefix on the Prefix Naming places the port number in an additional prefix on the
name. For example, if the binding authority is name. For example, if the binding authority is
"dns1.example.com:9953", the client would query for SVCB records at "dns1.example.com:9953", the client would query for SVCB records at
_9953._dns.dns1.example.com. If two DNS services operating on _9953._dns.dns1.example.com. If two DNS services operating on
different port numbers provide different behaviors, this arrangement different port numbers provide different behaviors, this arrangement
allows them to preserve the distinction when specifying alternative allows them to preserve the distinction when specifying alternative
endpoints. endpoints.
4. Applicable existing SvcParamKeys 4. Applicable Existing SvcParamKeys
4.1. alpn 4.1. "alpn"
This key indicates the set of supported protocols (Section 7.1 of This key indicates the set of supported protocols (Section 7.1 of
[SVCB]). There is no default protocol, so the "no-default-alpn" key [SVCB]). There is no default protocol, so the "no-default-alpn" key
does not apply. If the "alpn" SvcParamKey is absent, the client MUST does not apply. If the "alpn" SvcParamKey is absent, the client MUST
treat the SVCB record as "incompatible" (see Section 8 of treat the SVCB record as "incompatible" (as defined in Section 8 of
[I-D.draft-ietf-dnsop-svcb-https]) unless some other recognized [SVCB]) unless some other recognized SvcParam indicates a supported
SvcParam indicates a supported protocol. protocol.
If the protocol set contains any HTTP versions (e.g., "h2", "h3"), If the protocol set contains any HTTP versions (e.g., "h2", "h3"),
then the record indicates support for DoH, and the "dohpath" key MUST then the record indicates support for DoH and the "dohpath" key MUST
be present (Section 5.1). All keys specified for use with the HTTPS be present (Section 5). All keys specified for use with the HTTPS
record are also permissible, and apply to the resulting HTTP record are also permissible and apply to the resulting HTTP
connection. connection.
If the protocol set contains protocols with different default ports, If the protocol set contains protocols with different default ports
and no port key is specified, then protocols are contacted separately and no "port" key is specified, then protocols are contacted
on their default ports. Note that in this configuration, ALPN separately on their default ports. Note that in this configuration,
negotiation does not defend against cross-protocol downgrade attacks. Application-Layer Protocol Negotiation (ALPN) negotiation does not
defend against cross-protocol downgrade attacks.
4.2. port 4.2. "port"
This key is used to indicate the target port for connection This key is used to indicate the target port for connection
(Section 7.2 of [SVCB]). If omitted, the client SHALL use the (Section 7.2 of [SVCB]). If omitted, the client SHALL use the
default port number for each transport protocol (853 for DoT and DoQ, default port number for each transport protocol (853 for DoT and DoQ,
443 for DoH). 443 for DoH).
This key is automatically mandatory for this binding. This means This key is automatically mandatory for this binding. This means
that a client that does not respect the "port" key MUST ignore any that a client that does not respect the "port" key MUST ignore any
SVCB record that contains this key. (See Section 8 of [SVCB] for the SVCB record that contains this key. (See Section 8 of [SVCB] for the
definition of "automatically mandatory".) definition of "automatically mandatory".)
Support for the "port" key can be unsafe if the client has implicit Support for the "port" key can be unsafe if the client has implicit
elevated access to some network service (e.g., a local service that elevated access to some network service (e.g., a local service that
is inaccessible to remote parties) and that service uses a TCP-based is inaccessible to remote parties) and that service uses a TCP-based
protocol other than TLS. A hostile DNS server might be able to protocol other than TLS. A hostile DNS server might be able to
manipulate this service by causing the client to send a specially manipulate this service by causing the client to send a specially
crafted TLS SNI or session ticket that can be misparsed as a command crafted TLS Server Name Indication (SNI) or session ticket that can
or exploit. To avoid such attacks, clients SHOULD NOT support the be misparsed as a command or exploit. To avoid such attacks, clients
"port" key unless one of the following conditions applies: SHOULD NOT support the "port" key unless one of the following
conditions applies:
* The client is being used with a DNS server that it trusts not to * The client is being used with a DNS server that it trusts not to
attempt this attack. attempt this attack.
* The client is being used in a context where implicit elevated * The client is being used in a context where implicit elevated
access cannot apply. access cannot apply.
* The client restricts the set of allowed TCP port values to exclude * The client restricts the set of allowed TCP port values to exclude
any ports where a confusion attack is likely to be possible (e.g., any ports where a confusion attack is likely to be possible (e.g.,
the "bad ports" list from the "Port blocking" section of [FETCH]). the "bad ports" list from Section 2.9 ("Port blocking") of
[FETCH]).
4.3. Other applicable SvcParamKeys 4.3. Other Applicable SvcParamKeys
These SvcParamKeys from [SVCB] apply to the "dns" scheme without These SvcParamKeys from [SVCB] apply to the "dns" scheme without
modification: modification:
* mandatory * mandatory
* ipv4hint * ipv4hint
* ipv6hint * ipv6hint
Future SvcParamKeys might also be applicable. Future SvcParamKeys might also be applicable.
5. New SvcParamKeys 5. New SvcParamKey: "dohpath"
5.1. dohpath
"dohpath" is a single-valued SvcParamKey whose value (both in "dohpath" is a single-valued SvcParamKey whose value (in both
presentation and wire format) MUST be a URI Template in relative form presentation format and wire format) MUST be a URI Template in
([RFC6570], Section 1.1) encoded in UTF-8 [RFC3629]. If the "alpn" relative form ([RFC6570], Section 1.1) encoded in UTF-8 [RFC3629].
SvcParam indicates support for HTTP, "dohpath" MUST be present. The If the "alpn" SvcParam indicates support for HTTP, "dohpath" MUST be
URI Template MUST contain a "dns" variable, and MUST be chosen such present. The URI Template MUST contain a "dns" variable, and MUST be
that the result after DoH template expansion (Section 6 of [RFC8484]) chosen such that the result after DoH URI Template expansion
is always a valid and functional ":path" value ([RFC9113], (Section 6 of [RFC8484]) is always a valid and functional ":path"
Section 8.3.1). value ([RFC9113], Section 8.3.1).
When using this SVCB record, the client MUST send any DoH requests to When using this SVCB record, the client MUST send any DoH requests to
the HTTP origin identified by the "https" scheme, the authentication the HTTP origin identified by the "https" scheme, the authentication
name, and the port from the "port" SvcParam (if present). HTTP name, and the port from the "port" SvcParam (if present). HTTP
requests MUST be directed to the resource resulting from DoH template requests MUST be directed to the resource resulting from DoH URI
expansion of the "dohpath" value. Template expansion of the "dohpath" value.
Clients SHOULD NOT query for any "HTTPS" RRs when using "dohpath". Clients SHOULD NOT query for any HTTPS RRs when using "dohpath".
Instead, the SvcParams and address records associated with this SVCB Instead, the SvcParams and address records associated with this SVCB
record SHOULD be used for the HTTPS connection, with the same record SHOULD be used for the HTTPS connection, with the same
semantics as an HTTPS RR. However, for consistency, service semantics as an HTTPS RR. However, for consistency, service
operators SHOULD publish an equivalent HTTPS RR, especially if operators SHOULD publish an equivalent HTTPS RR, especially if
clients might learn about this DoH service through a different clients might learn about this DoH service through a different
channel. channel.
6. Limitations 6. Limitations
This document is concerned exclusively with the DNS transport, and This document is concerned exclusively with the DNS transport and
does not affect or inform the construction or interpretation of DNS does not affect or inform the construction or interpretation of DNS
messages. For example, nothing in this document indicates whether messages. For example, nothing in this document indicates whether
the service is intended for use as a recursive or authoritative DNS the service is intended for use as a recursive or authoritative DNS
server. Clients need to know the intended use of services based on server. Clients need to know the intended use of services based on
their context. their context.
Not all features of this specification will be applicable or Not all features of this specification will be applicable or
effective in all contexts: effective in all contexts:
* If the authentication name is received over an insecure channel * If the authentication name is received over an insecure channel
skipping to change at page 7, line 36 skipping to change at line 293
8530 (explicit in record 2), with "resolver.example" as the 8530 (explicit in record 2), with "resolver.example" as the
Authentication Domain Name, Authentication Domain Name,
- DoQ on resolver.example port 853 (record 1), - DoQ on resolver.example port 853 (record 1),
- DoH at https://resolver.example/q{?dns} (record 1), and - DoH at https://resolver.example/q{?dns} (record 1), and
- an experimental protocol on fooexp.resolver.example:5353 - an experimental protocol on fooexp.resolver.example:5353
(record 3): (record 3):
_dns.resolver.example. 7200 IN \ _dns.resolver.example. 7200 IN \
SVCB 1 resolver.example. alpn=dot,doq,h2,h3 dohpath=/q{?dns} SVCB 1 resolver.example. alpn=dot,doq,h2,h3 dohpath=/q{?dns}
SVCB 2 resolver.example. alpn=dot port=8530 SVCB 2 resolver.example. alpn=dot port=8530
SVCB 3 fooexp.resolver.example. port=5353 alpn=foo foo-info=... SVCB 3 fooexp.resolver.example. port=5353 alpn=foo foo-info=...
* A nameserver named ns.example. whose service configuration is * A name server named ns.example. whose service configuration is
published on a different domain: published on a different domain:
_dns.ns.example. 7200 IN SVCB 0 _dns.ns.nic.example. _dns.ns.example. 7200 IN SVCB 0 _dns.ns.nic.example.
8. Security Considerations 8. Security Considerations
8.1. Adversary on the query path 8.1. Adversary on the Query Path
This section considers an adversary who can add or remove responses This section considers an adversary who can add or remove responses
to the SVCB query. to the SVCB query.
During secure transport establishment, clients MUST authenticate the During secure transport establishment, clients MUST authenticate the
server to its authentication name, which is not influenced by the server to its authentication name, which is not influenced by the
SVCB record contents. Accordingly, this draft does not mandate the SVCB record contents. Accordingly, this document does not mandate
use of DNSSEC. This draft also does not specify how clients the use of DNSSEC. This document also does not specify how clients
authenticate the name (e.g., selection of roots of trust), which authenticate the name (e.g., selection of roots of trust), as this
might vary according to the context. procedure might vary according to the context.
8.1.1. Downgrade attacks 8.1.1. Downgrade Attacks
This attacker cannot impersonate the secure endpoint, but it can This attacker cannot impersonate the secure endpoint, but it can
forge a response indicating that the requested SVCB records do not forge a response indicating that the requested SVCB records do not
exist. For a SVCB-reliant client ([SVCB], Section 3) this only exist. For a SVCB-reliant client ([SVCB], Section 3), this only
results in a denial of service. However, SVCB-optional clients will results in a denial of service. However, SVCB-optional clients will
generally fall back to insecure DNS in this case, exposing all DNS generally fall back to insecure DNS in this case, exposing all DNS
traffic to attacks. traffic to attacks.
8.1.2. Redirection attacks 8.1.2. Redirection Attacks
SVCB-reliant clients always enforce the authentication domain name, SVCB-reliant clients always enforce the Authentication Domain Name,
but they are still subject to attacks using the transport, port but they are still subject to attacks using the transport, port
number, and "dohpath" value, which are controlled by this adversary. number, and "dohpath" value, which are controlled by this adversary.
By changing these values in the SVCB answers, the adversary can By changing these values in the SVCB answers, the adversary can
direct DNS queries for $HOSTNAME to any port on $HOSTNAME, and any direct DNS queries for $HOSTNAME to any port on $HOSTNAME and any
path on "https://$HOSTNAME". If the DNS client uses shared TLS or path on "https://$HOSTNAME". If the DNS client uses shared TLS or
HTTP state, the client could be correctly authenticated (e.g., using HTTP state, the client could be correctly authenticated (e.g., using
a TLS client certificate or HTTP cookie). a TLS client certificate or HTTP cookie).
This behavior creates a number of possible attacks for certain server This behavior creates a number of possible attacks for certain server
configurations. For example, if https://$HOSTNAME/upload accepts any configurations. For example, if https://$HOSTNAME/upload accepts any
POST request as a public file upload, the adversary could forge a POST request as a public file upload, the adversary could forge a
SVCB record containing dohpath=/upload{?dns}. This would cause the SVCB record containing dohpath=/upload{?dns}. This would cause the
client to upload and publish every query, resulting in unexpected client to upload and publish every query, resulting in unexpected
storage costs for the server and privacy loss for the client. storage costs for the server and privacy loss for the client.
Similarly, if two DoH endpoints are available on the same origin, and Similarly, if two DoH endpoints are available on the same origin and
the service has designated one of them for use with this the service has designated one of them for use with this
specification, this adversary can cause clients to use the other specification, this adversary can cause clients to use the other
endpoint instead. endpoint instead.
To mitigate redirection attacks, a client of this SVCB mapping MUST To mitigate redirection attacks, a client of this SVCB mapping MUST
NOT identify or authenticate itself when performing DNS queries, NOT identify or authenticate itself when performing DNS queries,
except to servers that it specifically knows are not vulnerable to except to servers that it specifically knows are not vulnerable to
such attacks. If an endpoint sends an invalid response to a DNS such attacks. If an endpoint sends an invalid response to a DNS
query, the client SHOULD NOT send more queries to that endpoint and query, the client SHOULD NOT send more queries to that endpoint and
MAY log this error. Multiple DNS services MUST NOT share a hostname MAY log this error. Multiple DNS services MUST NOT share a hostname
identifier (Section 3) unless they are so similar that it is safe to identifier (Section 3) unless they are so similar that it is safe to
allow an attacker to choose which one is used. allow an attacker to choose which one is used.
8.2. Adversary on the transport path 8.2. Adversary on the Transport Path
This section considers an adversary who can modify network traffic This section considers an adversary who can modify network traffic
between the client and the alternative service (identified by the between the client and the alternative service (identified by the
TargetName). TargetName).
For a SVCB-reliant client, this adversary can only cause a denial of For a SVCB-reliant client, this adversary can only cause a denial of
service. However, because DNS is unencrypted by default, this service. However, because DNS is unencrypted by default, this
adversary can execute a downgrade attack against SVCB-optional adversary can execute a downgrade attack against SVCB-optional
clients. Accordingly, when use of this specification is optional, clients. Accordingly, when the use of this specification is
clients SHOULD switch to SVCB-reliant behavior if SVCB resolution optional, clients SHOULD switch to SVCB-reliant behavior if SVCB
succeeds. Specifications making using of this mapping MAY adjust resolution succeeds. Specifications making use of this mapping MAY
this fallback behavior to suit their requirements. adjust this fallback behavior to suit their requirements.
9. IANA Considerations 9. IANA Considerations
Per [SVCB] IANA is directed to add the following entry to the SVCB Per [SVCB], IANA has added the following entry to the "Service
Service Parameters registry. Parameter Keys (SvcParamKeys)" registry.
+========+=========+==============================+=================+ +======+=======+================+=========+============+===========+
| Number | Name | Meaning | Reference | |Number|Name | Meaning |Format | Change | Reference |
+========+=========+==============================+=================+ | | | |Reference| Controller | |
| 7 | dohpath | DNS over HTTPS path template | (This | +======+=======+================+=========+============+===========+
| | | | document) | | 7 |dohpath| DNS-over-HTTPS |RFC 9461 | IETF | RFC 9461 |
+--------+---------+------------------------------+-----------------+ | | | path template | | | |
+------+-------+----------------+---------+------------+-----------+
Table 1 Table 1
Per [Attrleaf], IANA is directed to add the following entry to the Per [Attrleaf], IANA has added the following entry to the DNS
DNS Underscore Global Scoped Entry Registry: "Underscored and Globally Scoped DNS Node Names" registry:
+=========+============+=================+ +=========+============+===========+
| RR TYPE | _NODE NAME | Reference | | RR Type | _NODE NAME | Reference |
+=========+============+=================+ +=========+============+===========+
| SVCB | _dns | (This document) | | SVCB | _dns | RFC 9461 |
+---------+------------+-----------------+ +---------+------------+-----------+
Table 2 Table 2
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.draft-ietf-dnsop-svcb-https]
Schwartz, B. M., Bishop, M., and E. Nygren, "Service
binding and parameter specification via the DNS (DNS SVCB
and HTTPS RRs)", Work in Progress, Internet-Draft, draft-
ietf-dnsop-svcb-https-12, 11 March 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
svcb-https-12>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/rfc/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570, and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012, DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/rfc/rfc6570>. <https://www.rfc-editor.org/info/rfc6570>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/rfc/rfc8484>. <https://www.rfc-editor.org/info/rfc8484>.
[RFC9113] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113, [RFC9113] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
DOI 10.17487/RFC9113, June 2022, DOI 10.17487/RFC9113, June 2022,
<https://www.rfc-editor.org/rfc/rfc9113>. <https://www.rfc-editor.org/info/rfc9113>.
[SVCB] Schwartz, B. M., Bishop, M., and E. Nygren, "Service [SVCB] Schwartz, B., Bishop, M., and E. Nygren, "Service Binding
binding and parameter specification via the DNS (DNS SVCB and Parameter Specification via the DNS (SVCB and HTTPS
and HTTPS RRs)", Work in Progress, Internet-Draft, draft- Resource Records)", RFC 9460, DOI 10.17487/RFC9460,
ietf-dnsop-svcb-https-12, 11 March 2023, November 2023, <https://www.rfc-editor.org/info/rfc9460>.
<https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
svcb-https-12>.
10.2. Informative References 10.2. Informative References
[Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource [Attrleaf] Crocker, D., "Scoped Interpretation of DNS Resource
Records through "Underscored" Naming of Attribute Leaves", Records through "Underscored" Naming of Attribute Leaves",
BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019, BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019,
<https://www.rfc-editor.org/rfc/rfc8552>. <https://www.rfc-editor.org/info/rfc8552>.
[DNSURI] Josefsson, S., "Domain Name System Uniform Resource [DNSURI] Josefsson, S., "Domain Name System Uniform Resource
Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006, Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006,
<https://www.rfc-editor.org/rfc/rfc4501>. <https://www.rfc-editor.org/info/rfc4501>.
[FETCH] "Fetch Living Standard", February 2022, [FETCH] WHATWG, "Fetch Living Standard", October 2023,
<https://fetch.spec.whatwg.org/>. <https://fetch.spec.whatwg.org/>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/rfc/rfc7858>. 2016, <https://www.rfc-editor.org/info/rfc7858>.
[RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", RFC 9250, Dedicated QUIC Connections", RFC 9250,
DOI 10.17487/RFC9250, May 2022, DOI 10.17487/RFC9250, May 2022,
<https://www.rfc-editor.org/rfc/rfc9250>. <https://www.rfc-editor.org/info/rfc9250>.
Appendix A. Mapping Summary Appendix A. Mapping Summary
This table serves as a non-normative summary of the DNS mapping for This table serves as a non-normative summary of the DNS mapping for
SVCB. SVCB.
+=================+====================================+ +-----------------+------------------------------------+
+=================+====================================+
| *Mapped scheme* | "dns" | | *Mapped scheme* | "dns" |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| *RR type* | SVCB (64) | | *RR type* | SVCB (64) |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| *Name prefix* | _dns for port 53, else _$PORT._dns | | *Name prefix* | _dns for port 53, else _$PORT._dns |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| *Required keys* | alpn or equivalent | | *Required keys* | alpn or equivalent |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| *Automatically | port | | *Automatically | port |
| Mandatory Keys* | | | mandatory keys* | |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| *Special | Supports all HTTPS RR SvcParamKeys | | *Special | Supports all HTTPS RR SvcParamKeys |
| behaviors* | | | behaviors* | |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| | Overrides the HTTPS RR for DoH | | | Overrides the HTTPS RR for DoH |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| | Default port is per-transport | | | Default port is per-transport |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
| | No encrypted -> cleartext fallback | | | Cleartext fallback is discouraged |
+-----------------+------------------------------------+ +-----------------+------------------------------------+
Table 3 Table 3
Acknowledgments Acknowledgments
Thanks to the many reviewers and contributors, including Andrew Thanks to the many reviewers and contributors, including Andrew
Campling, Peter van Dijk, Paul Hoffman, Daniel Migault, Matt Norhoff, Campling, Peter van Dijk, Paul Hoffman, Daniel Migault, Matt
Eric Rescorla, Andreas Schulze, and Éric Vyncke. Nordhoff, Eric Rescorla, Andreas Schulze, and Éric Vyncke.
Author's Address Author's Address
Benjamin Schwartz Benjamin Schwartz
Meta Platforms, Inc. Meta Platforms, Inc.
Email: ietf@bemasc.net Email: ietf@bemasc.net
 End of changes. 67 change blocks. 
183 lines changed or deleted 160 lines changed or added

This html diff was produced by rfcdiff 1.48.