HOMENET W. Cloetens Internet-Draft SoftAtHome Intended status: Standards Track P. Lemordant Expires: January 4, 2013 D. Migault (Ed) Francetelecom - Orange July 3, 2012 Home Network Front End Naming Delegation draft-mglt-front-end-naming-delegation-00.txt Abstract This document proposes a Naming Delegation Architecture that makes possible End Users to reach the hosts or services of their Home Network using Names instead of IP addresses. This document shows how the Naming Delegation between the CPE and the ISP can be set so the CPE is not exposed on the Internet. This document describes an Naming Architecture where ISPs provide Front End Delegating DNS Servers whereas the CPEs constitute a Back End Network of Delegated DNS Servers. All DNS queries for any Home Network are addressed to the Delegating Front End Server. The response is expected to be stored on a CPE, and the Front End Delegating DNS Server sends a DNS Query to that CPE before answering to the initial DNS query. The negotiation between the CPE and the ISP is using DHCP Options. This document provides options so Front End Delegating and the Delegated DNS Servers configure their respective Zone files and so that CPEs restrict access and protect themselves from unauthorized DNS Queries. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Cloetens, et al. Expires January 4, 2013 [Page 1] Internet-Draft Home Network Front End Naming Delegation July 2012 This Internet-Draft will expire on January 4, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Cloetens, et al. Expires January 4, 2013 [Page 2] Internet-Draft Home Network Front End Naming Delegation July 2012 Table of Contents 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 4 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Front End Naming Delegation Architecture Overview . . . . . . 5 4.1. Home Network Naming Architecture Requirements . . . . . . 5 4.2. Front End Naming Delegation Architecture Description . . . 7 4.3. Front End Naming Delegation Configuration . . . . . . . . 8 4.4. Difference between the Front End Delegating DNS Server and traditional DNS Recursive DNS Server . . . . . . . . . 10 4.5. How the Front End Configuration impacts the CPE . . . . . 11 5. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 11 5.1. CPE Request Creation and Transmission for the Front End Naming Delegation Architecture . . . . . . . . . . . . 11 5.2. ISP DHCP Server Responding to the CPE Request for the Front End Naming Delegation Architecture . . . . . . . . . 12 5.3. CPE Receiving the ISP DHCP Response for the Front End Naming Delegation Architecture . . . . . . . . . . . . . . 12 6. DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.1. Delegated DNS Architecture Option . . . . . . . . . . . . 13 6.2. Front End Delegating Information Option . . . . . . . . . 14 6.3. Delegating Authorized Resolvers Option . . . . . . . . . . 15 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 8. Security Considerations . . . . . . . . . . . . . . . . . . . 15 9. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 10.2. Informational References . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 Cloetens, et al. Expires January 4, 2013 [Page 3] Internet-Draft Home Network Front End Naming Delegation July 2012 1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Introduction [I-D.mglt-naming-delegation] describes the Naming Delegation Architecture that makes possible Services and Objects of a Home Network to be globally reachable with Names on the Internet. For that purpose, the Costumer Premise Equipment (CPE) hosts the authoritative DNS Server of the Home Network. The zone associated to the Home Network ("my-homenet") is a subzone of a zone managed by the ISP ("example."). This zone is attached to the global DNS Architecture. Because the ISP delegates the Naming service to the CPE, we call the DNS server responsible for "example." the Delegating DNS Server, and the DNS server responsible for "my-homenet.example." the Delegated DNS Server. The Delegated DNS Server runs on the CPE, and [I-D.mglt-naming-delegation] describes how the CPE can automatically set the Naming Delegation between the Delegated and the Delegating DNS Server. Necessary pieces of information to configure the respective DNS Zones are exchanged between the DHCP client of the CPE and the ISP DHCP Server through DHCP Options. The resulting Naming Delegation Architecture [I-D.mglt-naming-delegation] results in a CPE hosting a Service on the Internet. CPEs have not been designed for heavy load, and, as a result, the Delegating exposes the Home Network to potential Deny of Service attacks. The Front End Naming Delegation Architecture proposed in this document is an alternative to the Naming Delegation Architecture [I-D.mglt-naming-delegation] where the ISP provides Front End Delegating Servers that handles the whole DNS traffic. The CPE remains responsible for the zone "my-homenet.example.", but only responds to DNS queries sent by the Front End Delegating Servers. For this reason we call the CPE Delegated DNS Server the Back End Delegated DNS Server. The Front End Naming Delegation Architecture can be seen as providing a Authoritative DNS Server for all the Home Networks: the Front End Delegating DNS Server. However this Authoritative Server distributes the Zone between multiple nodes (the CPE). The CPE constitutes the Back End Network. The Front End Delegating DNS Server receives DNS query from the Internet, and to respond requires to retrieve this information on the CPE hosting this information. In this document, the Front End Delegating DNS Server uses the DNS protocol to retrieve this information from the CPE. Other protocols may have been chosen. Cloetens, et al. Expires January 4, 2013 [Page 4] Internet-Draft Home Network Front End Naming Delegation July 2012 The Front End Naming Delegation Architecture is based on the Naming Delegation Architecture [I-D.mglt-naming-delegation] and addresses the same requirements. It addresses the Deny of Service Security issue. On the other hand, it requires the ISP to provide an adapted infrastructure, and that all DNS traffic is (partly) handled by the ISP. The document shows how the CPE can be configured automatically and be part of the Front End Naming Delegation Architecture. In this document we only considered IPv6 and DHCP. As such DHCP MUST be understood as DHCPv6. We also assume the reader has read [I-D.mglt-naming-delegation] 3. Terminology This document uses the terminology defined in [I-D.mglt-naming-delegation], and introduces the following terminology: - Front End Delegating DNS Server or Delegating DNS Server: The DNS Server of the ISP that handles with the DNS queries addressed to the Home Network. - Back End Delegated DNS Server or Delegated DNS Server: CPE are hosting a DNS Service - Front End Delegating Information: Information like FQDNs and IP addresses of the Front End Delegating DNS Servers. These pieces of information are provided from the ISP DHCP Server to the CPE so it can properly configure its DNS zone file. - Delegating Authorized Resolvers: The hosts that are authorized to send DNS queries to the CPE. These Resolvers can be the Front End Delegating DNS Servers, but we keep these functions independent since some ISP may use dedicated Interfaces for the Front End Delegating DNS Server and for the Delegating Authorized Resolvers. 4. Front End Naming Delegation Architecture Overview 4.1. Home Network Naming Architecture Requirements The Home Network Naming Requirements for the Naming Delegation listed in [I-D.mglt-naming-delegation] are: Cloetens, et al. Expires January 4, 2013 [Page 5] Internet-Draft Home Network Front End Naming Delegation July 2012 - 1: Centralized Naming Configuration: The CPE is responsible to bind Names and IP addresses for the whole Home Network. - 2: Automatic Configuration: The CPE MUST be able to set the Naming architecture when plugged, with minimum configuration from the End User. - 3: Advanced Configuration enable: The CPE enables advanced specific configurations. - 4: Privacy Protection By Design: The Names and the Home Network IP address plan is administrated by the CPE and are not communicated to the ISP. This prevents the ISP to be aware of the hosts, Services and Objects that compose the Home Network. - 5: Make the Home Network Naming Architecture Scalable: The Naming Architecture MUST be scalable and designed to handle a large increase of Objects, Services and hosts in each Home Networks. The Naming Delegation Architecture fulfills these requirements, and we consider this architecture as the base architecture. However, this architecture major drawback is that the CPE hosts the Delegated DNS Server. CPE are usually not designed to handle heavy traffic, and thus are sensitive to DoS attacks. The Front End Naming Delegation Architecture adds one requirement to the currently designed Naming Delegation Architecture [I-D.mglt-naming-delegation]: - 6: the Naming Architecture MUST be protected by the ISP Infrastructure: The CPE MUST NOT expose the Home Network Naming service to DoS attacks. The ISP MUST be able to provide the necessary infrastructure that handle DoS attacks, or heavy loads. In order to match Requirement 6, the Front End Naming delegation Architecture introduces Front End DNS Delegating Server that handles with all DNS traffic. This means that all DNS queries that concern the Home Network are addressed to the Front End DNS Delegating Server of the ISP and are not addressed to the CPE. CPEs belong to the Back End DNS Network. The Front End DNS Naming Delegation Architecture fulfills all the above Requirements. However, Requirement 4 needs to be balanced against Requirement 6. Requirement 6 requires the ISP to handle all DNS queries that concern the Home Network. This makes the ISP aware of all queried Services, Objects and hosts in the Home Network. This may, in that sense, reduces the Privacy of the Home Network compared to the Naming Delegation Architecture. In fact with the Naming Delegation Architecture, the DNS query is directly sent to the CPE Cloetens, et al. Expires January 4, 2013 [Page 6] Internet-Draft Home Network Front End Naming Delegation July 2012 when the DNS client has the IP address of the CPE in its cache. In that case, the ISP is not aware of the existence of the queried FQDN. However, if the DNS client does not have the IP address of the CPE, then the DNS query is sent first to the ISP Delegating Server. In this latter case, the Front End DNS Naming Delegation Architecture does not provide less privacy. 4.2. Front End Naming Delegation Architecture Description Figure 1 shows how the Resolution is performed. In [1], the Resolver sends a DNS query to the Front End Delegated Server for the host "hots1.my-homenet.example.". The Front End Delegated Server does not have the response in its cache or in its zone file. The Front End Delegating DNS Server MUST send a query to the Back End Delegated DNS Sever. The IP address of the Back End Delegated DNS Sever MUST NOT be revealed to the Resolver, for example by setting the NS field in the DNS Zone File. In Figure 1, we mentioned the Delegated Server Information Database where this IP address is stored. The Front End Delegating Server sends the DNS(SEC) query to the Back End Delegated Server hosting the zone "my-homenet.example.". The source IP address used is one the Delegating Authorized Resolvers IP addresses. This query is represented in [2]. The Back End Delegated Server responds in [3] with the DNS(SEC) Response. Note that the "AUTHORITY" and "ADDITIONAL SECTION" of the DNS response MUST indicate the FQDN and the IP addresses of the Front End Delegated DNS Server. These pieces of information have been provided by the ISP DHCP Server with the Front End Delegating Information DHCP Option. The CPE can also be configured to respond without these fields. Finally in [4], the Front End Delegating Server forwards the DNS(SEC) response to the Resolver. "AUTHORITY" and "ADDITIONAL SECTION" fields MUST be filled in appropriately. Cloetens, et al. Expires January 4, 2013 [Page 7] Internet-Draft Home Network Front End Naming Delegation July 2012 +-----------------------------+ [1] DNS Query +---+ | ZONE "example.": | hots1.my-homenet.example. AAAA | R | | Front End Delegating Servers| <------------------------------- | E | | | [4] DNS Response: | S | +-------------------------+ | my-homenet.example. AAAA IP6 | O | | Delegated Server Info | | [my-homenet.example. RRSIG [...] ] | L | | Database | | -------------------------------> | V | +-------------------------+---+ | E | | [2] DNS Query ^ | R | | hots1.my-homenet.example. AAAA +---+ | | [3] DNS Response: | | my-homenet.example. AAAA IP6 v | [my-homenet.example. RRSIG [...] ] +-----------------------------+ | CPE | | Back End Delegated Server | | ZONE "my-homenet.example." | | IP6 DELEGATED_DNS_ADDR_INFO | +-----------------------------+ | | +------------+ +------------+ | Host 1 | | Host n | +------------+ +------------+ Figure 1: DNS Resolution with the Home Network Delegating Architecture 4.3. Front End Naming Delegation Configuration Figure 2 describes the Interactions between the CPE and the ISP DHCP Server. Similarly to [I-D.mglt-naming-delegation], the CPE hosts a DHCP Server (DHCP_SRV) that is used to assign IP addresses and FQDNs to the Hosts of the Home Network. In this document we considered DHCP, but other protocols can also be used in combination with DHCP or instead of DHCP. The CPE also has a DHCP Client (DHCP_CLT) that is used to exchange information with the ISP DHCP Server. This document describes how these exchanges properly configure the Front End Naming Delegation Architecture. The CPE also hosts a Authoritative DNS Server (DNS_SRV) that is responsible of the subzone associated to the Home Network. This Authoritative DNS Server is called the Back End Delegated Server. At last the CPE also has a Firewall (FIREWALL), that can be configured with security Policies. In this document, the CPE is not expected to received DNS queries from any other peer but the Front End Delegation DNS Servers, that are in the ISP Network. In Figure 2. the CPE sends a DHCP Request for a Front End Naming Delegation Architecture (DELEGATED_DNS_ARCHITECTURE). Similarly to Cloetens, et al. Expires January 4, 2013 [Page 8] Internet-Draft Home Network Front End Naming Delegation July 2012 the Naming Delegation Architecture, the CPE provides the necessary information so the ISP can derive the IP address of the Back End Delegated DNS Server (DELEGATED_DNS_ADDR_INFO). If the CPE wants a DNSSEC Delegation to be set it also provides the Delegation of Signing Information (DS). In our case, the CPE also sends a request for a Prefix Delegation (IA_PD). To the difference with [I-D.mglt-naming-delegation], the IP address of the Back End Delegated DNS Server is not mentioned in the Zone file of the Front End Delegating DNS Server. In this document, the Back End Delegated DNS Server is not expected to receive any DNS query from anyone but the Front End Delegating DNS Server. For DNS Resolvers, the only Authoritative DNS Server they are aware of is the Front End Delegating DNS Server. Similarly to [I-D.mglt-naming-delegation], the ISP DHCP Server provides the CPE the IP Prefix so the CPE can configure its Prefix Delegation. To set the DNS(SEC) Naming Delegation the ISP DHCP Server indicates the type of Naming Delegation Architecture agreed between the CPE and the ISP DHCP Server (DELEGATED_DNS_ARCHITECTURE). In addition, the ISP DHCP Server, provides the Delegated Domain (DELEGATED_DOMAIN) as well as the IP addresses and FQDNs of the Front End Delegating DNS Servers (FRONT_END_DELEGATING_INFO). These pieces of information are necessary to configure the zone file of the Home Network. In fact the zone file MUST be configured with the Front End Delegating Server as the authoritative servers. In addition, the ISP DHCP Server may also provide the IP addresses or subnet prefix of the Delegating Authorized Resolvers (DELEGATING_AUTH_RESOLVERS). These Resolvers are the only hosts supposed to send DNS queries to the CPE. DNS queries from any other IP address MUST be discarded. Upon receiving these pieces of information, the Front End Delegating Server and the Back End Delegated Server configure their Zones. In addition the CPE also configures its Firewall, so to discard any DNS queries but those emitted from the Delegating Authorized Resolvers. Cloetens, et al. Expires January 4, 2013 [Page 9] Internet-Draft Home Network Front End Naming Delegation July 2012 <--------- Home Network ----------> <--------- ISP ---------> +--------+ +---------------------+ +-----------------------+ | Host 1 +--+ CPE | | ISP DHCP | +--------+ +----------+----------+ +-----------------------+ . | DHCP_SRV | DHCP_CLT | | | . | v | | | | . | v | DHCP Request ----------------------> | . | v | DELEGATED_DNS_ARCHITECTURE, | . +----------| DELEGATED_DNS_ADDR_INFO, | . | DNS_SRV | ORO(IA_PD) [DS] | . +----------| | | | . | ^ | <---------------------- DHCP Reply | . | ^ | DELEGATED_DNS_ARCHITECTURE, | . | < < < DHCP_CLT DELEGATED_DOMAIN, IA_PD, | . | v | FRONT_END_DELEGATING_INFO, | +--------+ +----------+ DELEGATING_AUTH_RESOLVERS, | | Host n +--| FIREWALL | | | | +--------+ +----------+--------- + +-----------------------+ Figure 2: Front End Naming Delegation Architecture 4.4. Difference between the Front End Delegating DNS Server and traditional DNS Recursive DNS Server From Figure 1, one may assimilate the Front End Delegating DNS Server to a Recursive DNS Resolver. The main differences are: - 1. The Front End Delegating DNS Server only proceeds to Resolution for the FQDNs that are hosted in one of the Back End Delegated DNS Servers. - 2. The Back End Delegated DNS Servers are not Public DNS. More especially, the Delegated DNS Server may have a public IP address, but the DNS Service is not provided for any Resolver but the authorized Resolvers. As a result, the Front End Delegating DNS Server is a mixed mode between Authoritative and Recursive DNS Server. As an Authoritative Server, the Response [4] in figure 1 MUST have a Authoritative Answer (AA) bit set, which indicates the Response is from an Authoritative Server. Then the Resolution [2] and [3] in figure 1 MUST be processed even if the Recursion Desired (RD) bit is not set in the DNS query [1]. It is also recommended that the Front End Delegating DNS Server provides the Authoritative and Additional Section of the Response in [4], without considering the sections of [3]. In other word, it is recommended not to forward these section from [3], and the CPE should Cloetens, et al. Expires January 4, 2013 [Page 10] Internet-Draft Home Network Front End Naming Delegation July 2012 be configured not to provide these sections in [3]. 4.5. How the Front End Configuration impacts the CPE Figure 2 shows that the ISP DHCP Server provides the IP addresses of the Front End Delegating DNS Server as well as the Name of the Front End Delegating DNS Server. These are the information the Back End Delegated DNS Server MUST put in its Zone file. More especially in the NS fields. Figure 2 also shows that the ISP DHCP Server provides the CPE the IP addresses or subnet prefix of the Authorized Delegating Resolvers. These are the IP addresses authorized to send DNS queries that should not be discarded on the WAN Interface. Any other DNS query on the WAN should be discarded. These rules are set by the Firewall as represented in Figure 2. The Firewall rules does not prevent the CPE to be a DNS forwarder or a DNS Resolver for the hosts of the Home Network. In fact the CPE can still receive DNS queries from the LAN Interface. The issue is that the CPE may provide Multiple DNS Services. In this document, we consider the CPE provides at least a DNS Authoritative servers on its WAN Interface for the Authorized Delegating Resolvers. For the LAN Interface, the CPE may be configured in various ways, depending on the ISP DNS Infrastructure. A first configuration consists in configuring the CPE LAN DNS Service into a DNS forwarder. In that case, the CPE DHCP server of the Home Network provides an IP address of the CPE for the DNS Resolver. DNS queries for the Home Network are answered by the CPE, others are forwarded to the Resolver of the ISP. This resolver is provided via DHCP. Another alternative consists in configuring the CPE as a Recursive DNS Server. Without any specific configurations, DNS queries for the Home Network are sent to the Front End Delegating DNS Server. Optimization may be done to bypass the Front End Delegating DNS Server for the Home Network Zone and are CPE or software implementation specific. 5. Protocol Exchange 5.1. CPE Request Creation and Transmission for the Front End Naming Delegation Architecture When the CPE wants to set a Front End Naming Delegation Architecture, it requests this set up to the ISP DHCP Server. For that purpose, we consider two new naming-delegation-action: SET_FRONT_END_NAMING_DELEGATION_WITH_DNS when the delegation is only performed with DNS or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC if the CPE wants a DNSSEC delegation. These naming-delegation-actions Cloetens, et al. Expires January 4, 2013 [Page 11] Internet-Draft Home Network Front End Naming Delegation July 2012 are proposed in the Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE). Then, the CPE proceeds as described in [I-D.mglt-naming-delegation]. 5.2. ISP DHCP Server Responding to the CPE Request for the Front End Naming Delegation Architecture When the DHCP Server receives a Delegated DNS Architecture DHCP Option (OPTION_DELEGATED_DNS_ARCHITECTURE), Delegated DNS Address Information DHCP Option (OPTION_DELEGATED_DNS_ADDR_INFO) or a Delegation of Signing DHCP Option (OPTION_DS), the DHCP Server proceeds as described in [I-D.mglt-naming-delegation]. In addition, when the naming-delegation-action is set to SET_FRONT_END_NAMING_DELEGATION_WITH_DNS or SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC, the DHCP Server MUST include in the Response the two additional DCHP Options. The Front End Delegating Information DHCP Option (OPTION_FRONT_END_DELEGATING_INFO) which indicates the FQDNs of the Front End Delegating Servers and their associated IP addresses. Then, it also MUST include the Delegating Authorized Resolvers DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS) which indicates the IP addresses or subnet prefixes of the Authorized Delegating Resolvers. Note that Naming Delegation is set differently for the Front End Naming Delegation Architecture and for the Naming Delegation Architecture. More specifically, in the Front End Naming Delegation, the ISP DHCP Server MUST NOT make the IP address of the Delegated DNS Server public in its zone file. 5.3. CPE Receiving the ISP DHCP Response for the Front End Naming Delegation Architecture Similarly to [I-D.mglt-naming-delegation], if the CPE has not received all expected DHCP Options, or cannot proceed to the configuration of the Naming Delegation Architecture, it MUST either clear the Naming Delegation settings or proceed to the appropriated settings. When the CPE receives the Delegating Authorized Resolvers DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS), the CPE may update its Firewall rules. The Front End Delegating Information DHCP Option (OPTION_FRONT_END_DELEGATING_INFO) is used to configure the DNS zone of the Home Network. The CPE may receive the Delegating Authorized Resolvers or the Front End Delegating Information DHCP Option from the ISP DHCP Server that are not the response to a Delegated DNS Architecture DHCP Option. Cloetens, et al. Expires January 4, 2013 [Page 12] Internet-Draft Home Network Front End Naming Delegation July 2012 This may happen if the ISP DHCP Server is updating or modifying its Front End Delegating DNS Server or the associated Delegating Authorized Resolvers. In that case, the CPE MUST make sure the message provides from the ISP DHCP Server and updates its Firewall rules as well as its DNS zone file. 6. DHCP Options The options detailed in this section are - Delegated DNS Architecture (OPTION_DELEGATED_DNS_ARCHITECTURE): is used by the DHCP Client on the CPE to inform how the Naming Delegation Architecture should be configured. In return, it is used by the ISP DHCP Server to report the Status Code. - Front End Delegating Information DHCP Option (OPTION_FRONT_END_DELEGATING_INFO): is used by the ISP DHCP Server to provide the CPE the FQDN and IP addresses of the Authoritative DNS Server of the Home Network Zone file. These Authoritative DNS Servers are the Front End DNS Server. - Delegating Authorized Resolvers DHCP Option (OPTION_DELEGATING_AUTH_RESOLVERS): is used by the DHCP Server to provide the CPE the IP addresses or subnet prefixes of the Delegating Authorized Resolvers. These are the resolvers authorized to send DNS(SEC) queries. 6.1. Delegated DNS Architecture Option The Delegated DNS Architecture DHCP Option is defined in [I-D.mglt-naming-delegation]. This document adds two new naming- delegation-actions defined below: - SET_FRONT_END_NAMING_DELEGATION_WITH_DNS - 2 - : Indicates that the DHCP Server MUST set the Front End Naming Delegation Architecture with only DNS, and MUST NOT consider DNSSEC Delegation. - SET_FRONT_END_NAMING_DELEGATION_WITH_DNSSEC - 3 - : Indicates that the DHCP Server MUST set the Front End Naming Delegation Architecture with DNSSEC. Cloetens, et al. Expires January 4, 2013 [Page 13] Internet-Draft Home Network Front End Naming Delegation July 2012 6.2. Front End Delegating Information Option 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPT_FRONT_END_DELEGATING_INFO | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | front-end-length | front-end-fqdn-length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / front-end-delegating-fqdn / | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | ipv6-address | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | ipv6-address | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - option-code: OPT_FRONT_END_DELEGATING_INFO (16 bits) - option-len: Length (16 bits) of the Front End Delegating Information Option in octets. - front-end-length: Length (16 bits) of the Front End Delegating Server. - front-end-fqdn-length: Length (16 bits) of the Front End Delegating Server FQDN. - ipv6-address: IPv6 Address (128 bits). Cloetens, et al. Expires January 4, 2013 [Page 14] Internet-Draft Home Network Front End Naming Delegation July 2012 6.3. Delegating Authorized Resolvers Option 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |OPTION_DELEGATED_AUTH_RESOLVERS| option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | prefix-length | | +-+-+-+-+-+-+-+-+ | | | | ipv6-prefix | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | prefix-length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | / ipv6-prefix / | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - option-code: OPTION_DELEGATED_AUTH_RESOLVERS (16 bits) - option-len: Length (16 bits) of the Delegating Authorized Resolvers Option in octets. - prefix-length: Length (8 bits) for this prefix in bits. - ipv6-prefix: IPv6 address or IPv6 prefix used by the authoritative DNS server to send DNS queries to the delegated domain name. 7. IANA Considerations This document adds two new DHCP Options: - OPTION_FRONT_END_DELEGATING_INFO: TBD - OPTION_DELEGATING_AUTH_RESOLVERS: TBD 8. Security Considerations This document addresses the DoS security issue of [I-D.mglt-naming-delegation]. Other security considerations remains as described in [I-D.mglt-naming-delegation]. Cloetens, et al. Expires January 4, 2013 [Page 15] Internet-Draft Home Network Front End Naming Delegation July 2012 9. Acknowledgment The authors wish to thank Ole Troan for pointing out issues with the IPv6 routed home concept and placing the scope of this document in a wider picture, Mark Townsley for encouragement and injecting a healthy debate on the merits of the idea, Ulrik de Bie for providing alternative solutions, Paul Mockapetris for pointing out issues of the trustworthiness of a reverse lookup, and Christian Jacquenet for seeing the value from a Service Provider point of view. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 10.2. Informational References [I-D.mglt-naming-delegation] Cloetens, W., Lemordant, P., and D. Migault, "IPv6 Home Network Naming Delegation Architecture", draft-mglt-naming-delegation-00 (work in progress), July 2012. Authors' Addresses Wouter Cloetens SoftAtHome vaartdijk 3 701 3018 Wijgmaal Belgium Phone: Email: wouter.cloetens@softathome.com Philippe Lemordant Francetelecom - Orange 2 avenue Pierre Marzin 22300 Lannion France Phone: +33 2 96 05 35 11 Email: philippe.lemordant@orange.com Cloetens, et al. Expires January 4, 2013 [Page 16] Internet-Draft Home Network Front End Naming Delegation July 2012 Daniel Migault Francetelecom - Orange 38 rue du General Leclerc 92794 Issy-les-Moulineaux Cedex 9 France Phone: +33 1 45 29 60 52 Email: mglt.ietf@gmail.com Cloetens, et al. Expires January 4, 2013 [Page 17]