--- 1/draft-ietf-ipsecme-split-dns-01.txt 2017-07-29 07:14:10.185106929 -0700 +++ 2/draft-ietf-ipsecme-split-dns-02.txt 2017-07-29 07:14:10.241108227 -0700 @@ -1,19 +1,19 @@ Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track P. Wouters -Expires: January 20, 2018 Red Hat - July 19, 2017 +Expires: January 30, 2018 Red Hat + July 29, 2017 Split DNS Configuration for IKEv2 - draft-ietf-ipsecme-split-dns-01 + draft-ietf-ipsecme-split-dns-02 Abstract This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains should be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non-public DNS servers is referred to as "Split DNS". @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 20, 2018. + This Internet-Draft will expire on January 30, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -59,21 +59,21 @@ 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction Split DNS is a common configuration for secure tunnels, such as Virtual Private Networks in which host machines private to an organization can only be resolved using internal DNS resolvers 
@@ -187,23 +187,24 @@ Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- zero lengths, the content MAY be ignored or be interpreted as a suggestion by the responder. For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, one or more INTERNAL_DNSSEC_TA attributes MAY be included by the responder. This attribute lists the corresponding internal DNSSEC - trust anchor in the DNS wire format of a DS record as specified in - [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST immediately follow - the INTERNAL_DNS_DOMAIN attribute that it applies to. + trust anchor in the DNS presentation format of a DS record as + specified in [RFC4034]. The INTERNAL_DNSSEC_TA attribute MUST + immediately follow the INTERNAL_DNS_DOMAIN attribute that it applies + to. 3.3. Mapping DNS Servers to Domains All DNS servers provided in the CFG_REPLY MUST support resolving hostnames within all INTERNAL_DNS_DOMAIN domains. In other words, the INTERNAL_DNS_DOMAIN attributes in a CFG_REPLY payload form a single list of Split DNS domains that applies to the entire list of INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. 3.4. Example Exchanges 
@@ -267,32 +268,34 @@ 4. Payload Formats 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+-------------------------------+ | | - ~ Domain Name ~ + ~ Domain Name in DNS presentation format ~ | | +---------------------------------------------------------------+ o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. o Length (2 octets, unsigned integer) - Length of domain name. - o Domain Name (0 or more octets) - A domain or subdomain used for - Split DNS rules, such as example.com in DNS wire format. + o Domain Name (0 or more octets) - A Fully Qualified Domain Name + used for Split DNS rules, such as example.com, in DNS presentation + format and optionally using IDNA [RFC5890] for Internationalized + Domain Names. The value is NOT null-terminated. 4.2. INTERNAL_DNSSEC_TA Configuration Attribute 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-----------------------------+-------------------------------+ |R| Attribute Type | Length | +-+-----------------------------+---------------+---------------+ | Key Tag | Algorithm | Digest Type | +-------------------------------+---------------+---------------+ 
@@ -311,21 +314,21 @@ o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as specified in [RFC4034] Section 5.1 o DNSKEY algorithm (0 or 1 octet) - Value from the IANA DNS Security Algorithm Numbers Registry o DS algorithm (0 or 1 octet) - Value from the IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Registry o Digest (0 or more octets) - The digest as specified in [RFC4034] - Section 5.1 in wire format. + Section 5.1 in presentation format. 5. Split DNS Usage Guidelines If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS servers as the default DNS server(s) for all queries. If a client is configured by local policy to only accept a limited number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any other INTERNAL_DNS_DOMAIN values. 
@@ -406,20 +409,29 @@ accept insecure delegations for domains that are DNSSEC signed in the public DNS view, for which it has not explicitely requested such deletation by specifying the domain specifically using a INTERNAL_DNS_DOMAIN(domain) request. A domain that is served via INTERNAL_DNS_DOMAIN should pay close attention to their use of indirect reference RRtypes such as CNAME, DNAME, MX or SRV records so that resolving works as intended when all, some or none of the IPsec connections are established. + The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be + passed to another (DNS) program for processing. The content MUST be + verified and sanitized before passing it to other software. For + example, domain names are limited to alphanumeric characters and the + minus ("-") and underscore ("_") symbol and if other other characters + are present, the entire payload could be ignored and not passed to + DNS software, or the malicious characters could be filtered out + before passing the payload to DNS software. + 7. IANA Considerations This document defines two new IKEv2 Configuration Payload Attribute Types, which are allocated from the "IKEv2 Configuration Payload Attribute Types" namespace. Multi- Value Attribute Type Valued Length Reference ------ ------------------- ------ ---------- --------------- 25 INTERNAL_DNS_DOMAIN YES 0 or more [this document]
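Review bot: the change in Section 3.2 from "DNS wire format" to "DNS presentation format" for the DS record conflicts with the fixed binary layout that Section 4.2 still specifies ("| Key Tag | Algorithm | Digest Type |", a 2-octet unsigned Key Tag and 1-octet algorithm fields). The presentation format of a DS record is the text form "key-tag algorithm digest-type hex-digest", which does not fit those fields. Either keep the binary encoding for Key Tag, Algorithm and Digest Type and say that only the digest is hexadecimal text, or restate 4.2 as a single text field; as written, two implementers will pick different encodings and fail to interoperate.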
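Review bot: the new Domain Name text in Section 4.1 leaves the trailing-dot question open: a Fully Qualified Domain Name in presentation format conventionally ends with ".", yet the example "example.com" has none, and the "NOT null-terminated" sentence only rules out a NUL byte. State explicitly whether a trailing dot is permitted or required and whether the value is matched case-insensitively, since clients use it to decide which queries go to the internal servers. The hunk also introduces a citation of [RFC5890]; make sure it is added to Section 8 (Normative, since IDNA processing is needed to interpret the field) and say whether the field carries A-labels (ASCII "xn--" form) or U-labels, as only the former is compatible with the character check proposed in Section 6.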
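Review bot: "Digest ... in presentation format" in Section 4.2 makes the Digest field hexadecimal text while the preceding Key Tag (2 octets, unsigned integer) and algorithm octets remain binary, so the attribute mixes encodings; it also doubles the field's size relative to the wire form without saying so (a SHA-256 DS digest becomes 64 ASCII characters instead of 32 octets) and leaves upper/lower-case hex and embedded whitespace unspecified. Suggest either reverting the digest to wire format or stating "the digest as hexadecimal ASCII, without whitespace, case-insensitive" and describing how Length is computed from it.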
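Review bot: the character whitelist in the added Security Considerations paragraph ("alphanumeric characters and the minus ("-") and underscore ("_") symbol") omits the dot, so "example.com" from Section 4.1 would itself be rejected or, under the "filtered out" option, silently collapsed to "examplecom"; the check also needs to be reconciled with the presentation-format and IDNA wording now in 4.1 (A-labels are ASCII and fit, the label separator does not, and presentation format's backslash escape syntax is not addressed) and with the hexadecimal digest of INTERNAL_DNSSEC_TA, which this sentence does not cover. Recommend dropping the "filtered out" alternative: stripping characters changes which domain the Split DNS rule matches, whereas ignoring the whole attribute fails safe. Also fix the typos "other other" in the added text and "explicitely"/"deletation" in the preceding context lines.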