| RFC 9464 | IKEv2 for Encrypted DNS | November 2023 |
| Boucadair, et al. | Standards Track | [Page] |
This document specifies new Internet Key Exchange Protocol Version 2 (IKEv2) Configuration Payload Attribute Types to assign DNS resolvers that support encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ).¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9464.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document specifies a mechanism for assigning encrypted DNS configurations to an Internet Key Exchange Protocol Version 2 (IKEv2) initiator [RFC7296]. Specifically, it assigns one or more Authentication Domain Names (ADNs) of DNS resolvers that support encrypted DNS protocols. The specific protocols supported are described using the Service Parameters format defined in [RFC9460]; supported protocols include DNS over HTTPS (DoH) [RFC8484], DNS over TLS (DoT) [RFC7858], and DNS over QUIC (DoQ) [RFC9250].¶
This document introduces three new IKEv2 Configuration Payload Attribute Types (Section 3) to add support for encrypted DNS resolvers. The ENCDNS_IP4 and ENCDNS_IP6 attribute types (Section 3.1) are used to provision ADNs, a list of IP addresses, and a set of service parameters. The ENCDNS_DIGEST_INFO attribute (Section 3.2) additionally allows a specific resolver certificate to be indicated by the IKEv2 responder.¶
The encrypted DNS resolver hosted by a Virtual Private Network (VPN) provider can get a domain-validated certificate from a public Certificate Authority (CA). The VPN client does not need to be provisioned with the root certificate of a private CA to authenticate the certificate of the encrypted DNS resolvers. The encrypted DNS resolver can run on private IP addresses, and its access can be restricted to clients connected to the VPN.¶
For many years, typical designs have often assumed that the DNS resolver was usually located inside the protected domain, but they don't consider implementations where the DNS resolver could be located outside of it. With encrypted DNS, implementing the latter scenario becomes plausible. Note that existing VPN client implementations might not expect the discovered DNS resolver IP addresses to be outside of the covered IP address ranges of the VPN tunnel.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the terms defined in [RFC8499].¶
Also, this document uses the terms defined in [RFC7296]. In particular, readers should be familiar with the terms "initiator" and "responder" as used in that document.¶
This document makes use of the following terms:¶
The ENCDNS_IP* IKEv2 Configuration Payload Attribute Types, ENCDNS_IP4 and ENCDNS_IP6, are used to configure an initiator with encrypted DNS resolvers. Both attribute types share the format shown in Figure 1. The information included in these attributes adheres to the recommendation in Section 3.1.9 of [RFC9463].¶
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+---------------+---------------+ | Service Priority | Num Addresses | ADN Length | +-------------------------------+---------------+---------------+ ~ IP Address(es) ~ +---------------------------------------------------------------+ ~ Authentication Domain Name ~ +---------------------------------------------------------------+ ~ Service Parameters (SvcParams) ~ +---------------------------------------------------------------+
The description of the fields shown in Figure 1 is as follows:¶
Length of the enclosed data in octets. In particular, this field is set to:¶
A fully qualified domain name of the encrypted DNS resolver, in DNS presentation format and using an Internationalized Domain Names for Applications (IDNA) A-label [RFC5890]. The name MUST NOT contain any terminators (e.g., NULL, CR).¶
An example of a valid ADN for a DoH server is "doh1.example.com".¶
Specifies a set of service parameters that are encoded following the same rules for encoding SvcParams using the wire format specified in Section 2.2 of [RFC9460]. Section 3.1.5 of [RFC9463] lists a set of service parameters that are recommended to be supported by implementations.¶
The service parameters MUST NOT include "ipv4hint" or "ipv6hint" SvcParams, as they are superseded by the included IP addresses.¶
If no "port" service parameter is included, this indicates that default port numbers should be used. As a reminder, the default port number is 853 for DoT (Section 6 of [RFC7858]), 443 for DoH (Section 8.1 of [RFC8484]), and 853 for DoQ (Section 8 of [RFC9250]).¶
The service parameters apply to all IP addresses in the ENCDNS_IP* Configuration Payload Attribute.¶
The ENCDNS_DIGEST_INFO Configuration Payload Attribute (Figure 2) allows IKEv2 responders to specify a certificate digest that initiators can use when validating TLS connections to encrypted resolvers. This attribute can also be sent by the initiator to request specific hash algorithms for such digests.¶
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-------------+---------------+-------------------------------+ | Num Hash Algs | ADN Length | | +---------------+---------------+ + ~ Authentication Domain Name ~ +---------------------------------------------------------------+ ~ List of Hash Algorithm Identifiers ~ +---------------------------------------------------------------+ ~ Certificate Digest ~ +---------------------------------------------------------------+
Some of the fields shown in Figure 2 can be omitted, as further detailed below.¶
The format of the ENCDNS_DIGEST_INFO attribute if the Configuration payload has type CFG_REQUEST is shown in Figure 3.¶
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-------------+---------------+-------------------------------+ | Num Hash Algs | ADN Length | | +---------------+---------------+ + ~ List of Hash Algorithm Identifiers ~ +---------------------------------------------------------------+
The description of the fields shown in Figure 3 is as follows:¶
Specifies a list of 16-bit hash algorithm identifiers that are supported by the encrypted DNS client. This list may be controlled by a local policy.¶
The values of this field are identifiers taken from "IKEv2 Hash Algorithms" on IANA's "Internet Key Exchange Version 2 (IKEv2) Parameters" registry [IANA-IKE-HASH].¶
There is no padding between the hash algorithm identifiers.¶
Note that SHA2-256 is mandatory to implement (see Section 5).¶
The format of the ENCDNS_DIGEST_INFO attribute if the Configuration payload has type CFG_REPLY or CFG_SET is shown in Figure 4.¶
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-------------+---------------+-------------------------------+ | Num Hash Algs | ADN Length | | +---------------+---------------+ + ~ Authentication Domain Name ~ +-------------------------------+-------------------------------+ | Hash Algorithm Identifier | ~ +-------------------------------+ + ~ Certificate Digest ~ +---------------------------------------------------------------+
The description of the fields shown in Figure 4 is as follows:¶
The ENCDNS_DIGEST_INFO attribute may be present in the Configuration payload of CFG_ACK. In such a case, the ENCDNS_DIGEST_INFO MUST be returned with zero-length data.¶
As discussed in Section 3.15.1 of [RFC7296], there are no defined uses for the CFG_SET/CFG_ACK exchange. The use of the ENCDNS_DIGEST_INFO attribute for these messages is provided for completeness.¶
This section describes how the attributes defined in Section 3 are used to configure an IKEv2 initiator with one or more encrypted DNS resolvers. As a reminder, badly formatted attributes or unacceptable fields are handled as per Section 2.21 of [RFC7296].¶
Initiators first indicate support for encrypted DNS by including ENCDNS_IP* attributes in their CFG_REQUEST payloads. Responders supply encrypted DNS configuration by including ENCDNS_IP* attributes in their CFG_REPLY payloads. Concretely:¶
The DNS client establishes an encrypted DNS session (e.g., DoT, DoH, or DoQ) with the address or addresses conveyed in ENCDNS_IP* and uses the mechanisms discussed in Section 8 of [RFC8310] to authenticate the DNS resolver certificate using the ADN conveyed in ENCDNS_IP*.¶
If the CFG_REPLY includes an ENCDNS_DIGEST_INFO attribute, the client has to create an SPKI hash (Section 5) of the DNS resolver certificate received in the TLS handshake using the negotiated hash algorithm in the ENCDNS_DIGEST_INFO attribute. If the computed digest for an ADN matches the digest sent in the ENCDNS_DIGEST_INFO attribute, the encrypted DNS resolver certificate is successfully validated. If so, the client continues with the TLS connection as normal. Otherwise, the client MUST treat the resolver certificate validation failure as a non-recoverable error. This approach is similar to certificate usage PKIX-EE(1) with selector SPKI(1) as defined in [RFC7671], but without PKIX validation.¶
If the IPsec connection is a split-tunnel configuration and the initiator negotiated INTERNAL_DNS_DOMAIN as per [RFC8598], the DNS client resolves the internal names using ENCDNS_IP* DNS resolvers.¶
Note: [RFC8598] requires that the INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attribute be present when INTERNAL_DNS_DOMAIN is included. This specification relaxes that constraint in the presence of ENCDNS_IP* attributes. That is, if ENCDNS_IP* attributes are supplied, responders are allowed to include INTERNAL_DNS_DOMAIN even in the absence of INTERNAL_IP6_DNS (or INTERNAL_IP4_DNS) attributes.¶
The SPKI hash of the encrypted DNS resolver certificate is the output of a cryptographic hash algorithm whose input is the DER-encoded ASN.1 representation of the SPKI.¶
This document adheres to the security considerations defined in [RFC7296]. In particular, this document does not alter the trust that the initiator has placed on the DNS configuration provided by a responder.¶
Networks are susceptible to internal attacks as discussed in Section 3.2 of [INT-THREAT-MOD]. Hosting encrypted DNS resolvers even in the case of split-VPN configuration can minimize the attack vector (e.g., a compromised network device cannot monitor/modify DNS traffic). This specification describes a mechanism for restricting access to the DNS messages to only the parties that need to know.¶
If the IKEv2 responder has used the NULL Authentication method [RFC7619] to authenticate itself, the initiator MUST NOT use returned ENCDNS_IP* resolvers configuration unless the initiator is preconfigured, e.g., in the operating system or the application.¶
This specification does not extend the scope of accepting DNSSEC trust anchors beyond the usage guidelines defined in Section 6 of [RFC8598].¶
As discussed in [RFC9076], the use of encrypted DNS does not reduce the data available in the DNS resolver. For example, the reader may refer to Section 8 of [RFC8484] or Section 7 of [RFC9250] for a discussion on specific privacy considerations for encrypted DNS.¶
IANA has assigned the following new IKEv2 Configuration Payload Attribute Types in the "IKEv2 Configuration Payload Attribute Types" namespace available at [IANA-IKE-CFG].¶
| Value | Attribute Type | Multivalued | Length | Reference |
|---|---|---|---|---|
| 27 | ENCDNS_IP4 | YES | 0 or more | RFC 9464 |
| 28 | ENCDNS_IP6 | YES | 0 or more | RFC 9464 |
| 29 | ENCDNS_DIGEST_INFO | YES | 0 or more | RFC 9464 |
Figure 5 depicts an example of a CFG_REQUEST to request the configuration of IPv6 DNS resolvers without providing any suggested values. In this example, the initiator uses the ENCDNS_DIGEST_INFO attribute to indicate that the encrypted DNS client supports SHA2-256 (2), SHA2-384 (3), and SHA2-512 (4) hash algorithms for certificate digests. The label of these algorithms is taken from [IANA-IKE-HASH]. The use of INTERNAL_IP6_ADDRESS is explained in [RFC7296] and thus is not reiterated here.¶
CP(CFG_REQUEST) = INTERNAL_IP6_ADDRESS() INTERNAL_IP6_DNS() ENCDNS_IP6() ENCDNS_DIGEST_INFO(0, (SHA2-256, SHA2-384, SHA2-512))
Figure 6 depicts an example of a CFG_REPLY that can be sent by a responder as a response to the above CFG_REQUEST. This response indicates the following information to identify the encrypted DNS resolver:¶
CP(CFG_REPLY) =
INTERNAL_IP6_ADDRESS(2001:db8:0:1:2:3:4:5/64)
ENCDNS_IP6(1, 1, 15,
(2001:db8:99:88:77:66:55:44),
"doh.example.com",
(alpn=h2 dohpath=/dns-query{?dns}))
ENCDNS_DIGEST_INFO(0, SHA2-256,
8b6e7a5971cc6bb0b4db5a71...)
In the example depicted in Figure 6, no ADN is included in the ENCDNS_DIGEST_INFO attribute because only one ADN is provided in the ENCDNS_IP6 attribute. Identifying the encrypted resolver associated with the supplied digest is therefore unambiguous.¶
An initiator may provide suggested values in the CFG_REQUEST when requesting an encrypted DNS resolver. For example, the initiator may:¶
Indicate a preferred resolver that is identified by an IPv6 address (see Figure 7).¶
CP(CFG_REQUEST) =
INTERNAL_IP6_ADDRESS()
INTERNAL_IP6_DNS()
ENCDNS_IP6(1, 1, 0,
(2001:db8:99:88:77:66:55:44))
Indicate a preferred resolver that is identified by an ADN (see Figure 8).¶
CP(CFG_REQUEST) = INTERNAL_IP6_ADDRESS() INTERNAL_IP6_DNS() ENCDNS_IP6(1, 0, 15, "doh.example.com")
Indicate a preferred transport protocol (DoT, in the example depicted in Figure 9).¶
CP(CFG_REQUEST) = INTERNAL_IP6_ADDRESS() INTERNAL_IP6_DNS() ENCDNS_IP6(1, 0, 0, (alpn=dot))
An initiator may also indicate that it supports Split DNS by including the INTERNAL_DNS_DOMAIN attribute in a CFG_REQUEST as shown in Figure 10. In this example, the initiator does not indicate any preference for the requested encrypted DNS server, nor does it indicate which DNS queries will be forwarded through the IPsec tunnel.¶
CP(CFG_REQUEST) = INTERNAL_IP6_ADDRESS() INTERNAL_IP6_DNS() ENCDNS_IP6() INTERNAL_DNS_DOMAIN()
Figure 11 shows an example of the responder's reply. Absent any prohibited local policy, the initiator uses the encrypted DNS server (doh.example.com) for any subsequent DNS queries for "example.com" and its subdomains.¶
CP(CFG_REPLY) =
INTERNAL_IP6_ADDRESS(2001:db8:0:1:2:3:4:5/64)
ENCDNS_IP6(1, 1, 15,
(2001:db8:99:88:77:66:55:44),
"doh.example.com",
(alpn=h2 dohpath=/dns-query{?dns}))
INTERNAL_DNS_DOMAIN(example.com)
Many thanks to Yoav Nir, Christian Jacquenet, Paul Wouters, and Tommy Pauly for their reviews and comments.¶
Yoav and Paul suggested the use of one single attribute carrying both the name and an IP address instead of depending on the existing INTERNAL_IP6_DNS and INTERNAL_IP4_DNS attributes.¶
Thanks to Tero Kivinen for the Shepherd review and Roman Danyliw for the AD review.¶
Thanks to Stewart Bryant for the gen-art review, Dhruv Dhody for the ops-dir review, and Patrick Mevzek for the dns-dir review.¶
Thanks to Paul Wouters, Zaheduzzaman Sarker, Éric Vyncke, and Robert Wilton for their comments during the IESG review.¶