--- 1/draft-ietf-ipsecme-split-dns-08.txt 2018-07-18 11:13:21.913377133 -0700 +++ 2/draft-ietf-ipsecme-split-dns-09.txt 2018-07-18 11:13:21.945377908 -0700 @@ -1,19 +1,19 @@ Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track P. Wouters -Expires: December 20, 2018 Red Hat - June 18, 2018 +Expires: January 19, 2019 Red Hat + July 18, 2018 Split DNS Configuration for IKEv2 - draft-ietf-ipsecme-split-dns-08 + draft-ietf-ipsecme-split-dns-09 Abstract This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains are intended to be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non- public DNS servers is referred to as "Split DNS". @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 20, 2018. + This Internet-Draft will expire on January 19, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -60,25 +60,25 @@ 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 5. INTERNAL_DNS_DOMAIN Usage Guidelines . . . . . . . . . . . . 9 6. INTERNAL_DNSSEC_TA Usage Guidelines . . . . . . . . . . . . . 10 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 - 9.2. Informative References . . . . . . . . . . . . . . . . . 12 + 9.2. Informative References . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction Split DNS is a common configuration for secure tunnels, such as Virtual Private Networks in which host machines private to an organization can only be resolved using internal DNS resolvers [RFC2775]. In such configurations, it is often desirable to only resolve hosts within a set of private domains using the tunnel, while letting resolutions for public hosts be handled by a device's default @@ -404,49 +404,68 @@ INTERNAL_DNS_DOMAIN attributes SHOULD only be used on split tunnel configurations where only a subset of traffic is routed into a private remote network using the IPsec connection. If all traffic is routed over the IPsec connection, the existing global INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating specific DNS exemptions. 6. INTERNAL_DNSSEC_TA Usage Guidelines - Installing an INTERNAL_DNSSEC_TA trust anchor can be seen as the - equivalent of installing an Enterprise Certificate Agency (CA) + DNS records can be used to publish specific records containing trust + anchors for applications. The most common record type is the TLSA + record specified in [RFC6698]. This DNS record type publishes which + CA certificate or EE certificate to expect for a certain host name. + These records are protected by DNSSEC and thus can be trusted by the + application. Whether to trust TLSA records instead of the + traditional WebPKI depends on the local policy of the client. By + accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote + IKE server, the IPsec client might be allowing the remote IKE server + to override the trusted certificates for TLS. Similar override + concerns apply to other public key or fingerprint based DNS records, + such as OPENPGPKEY, SMIMEA or IPSECKEY records. + + Thus, installing an INTERNAL_DNSSEC_TA trust anchor can be seen as + the equivalent of installing an Enterprise Certificate Agency (CA) certificate. It allows the remote IKE/IPsec server to modify DNS answers including its DNSSEC cryptographic signatures by overriding existing DNS information with trust anchor conveyed via IKE and (temporarilly) installed on the IKE client. Of specific concern is the overriding of [RFC6698] based TLSA records, which represent a confirmation or override of an existing WebPKI TLS certificate. Other DNS record types that convey cryptographic materials (public keys or fingerprints) are OPENPGPKEY, SMIMEA, SSHP and IPSECKEY records. + IKE clients MUST use a preconfigured whitelist of domain names for + which it will allow INTERNAL_DNSSEC_TA updates. + + The DNS root zone (".") MUST NOT be whitelisted. + + Any updates to this whitelist of domain names MUST happen via + explicit human interaction to prevent invisible installation of trust + anchors. + + IKE clients SHOULD accept any INTERNAL_DNSSEC_TA updates for + subdomain names of the whitelisted domain names. For example, if + "example.net" is whitelisted, then INTERNAL_DNSSEC_TA received for + "antartica.example.net" SHOULD be accepted. + + IKE clients MAY interpret an INTERNAL_DNSSEC_TA for domain that was + not preconfigured as an indication that it needs to update its IKE + configuration (out of band). The client MUST NOT use such a + INTERNAL_DNSSEC_TA to reconfigure its local DNS settings. + IKE clients MUST ignore any received INTERNAL_DNSSEC_TA requests for a FDQN for which it did not receive and accept an INTERNAL_DNS_DOMAIN Configuration Payload. - DNS records can be used to publish specific records containing trust - anchors for applications. The most common record type is the TLSA - record specified in [RFC6698]. This DNS record type publishes which - CA certificate or EE certificate to expect for a certain host name. - These records are protected by DNSSEC and thus can be trusted by the - application. Whether to trust TLSA records instead of the - traditional WebPKI depends on the local policy of the client. By - accepting an INTERNAL_DNSSEC_TA trust anchor via IKE from the remote - IKE server, the IPsec client might be allowing the remote IKE server - to override the trusted certificates for TLS. The same applies to - other public key or fingerprint based DNS records, such as - OPENPGPKEY, SMIMEA or IPSECKEY records. - In most deployment scenario's, the IKE client has an expectation that it is connecting, using a split-network setup, to a specific organisation or enterprise. A recommended policy would be to only accept INTERNAL_DNSSEC_TA directives from that organization's DNS names. However, this might not be possible in all deployment scenarios, such as one where the IKE server is handing out a number of domains that are not within one parent domain. 7. Security Considerations