Internet-Draft | DNS over Dedicated QUIC | September 2021 |
Huitema, et al. | Expires 6 March 2022 | [Page] |
This document describes the use of QUIC to provide transport privacy for DNS. The encryption provided by QUIC has similar properties to that provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient error corrections than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC7858, and latency characteristics similar to classic DNS over UDP.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 March 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Domain Name System (DNS) concepts are specified in "Domain names - concepts and facilities" [RFC1034]. The transmission of DNS queries and responses over UDP and TCP is specified in "Domain names - implementation and specification" [RFC1035]. This document presents a mapping of the DNS protocol over the QUIC transport [RFC9000] [RFC9001]. DNS over QUIC is referred here as DoQ, in line with "DNS Terminology" [I-D.ietf-dnsop-rfc8499bis]. The goals of the DoQ mapping are:¶
In order to achieve these goals, and to support ongoing work on encryption of DNS, the scope of this document includes¶
In other words, this document is intended to specify QUIC as a general purpose transport for DNS.¶
The specific non-goals of this document are:¶
Specifying the transmission of an application over QUIC requires specifying how the application's messages are mapped to QUIC streams, and generally how the application will use QUIC. This is done for HTTP in "Hypertext Transfer Protocol Version 3 (HTTP/3)"[I-D.ietf-quic-http]. The purpose of this document is to define the way DNS messages can be transmitted over QUIC.¶
In this document, Section 4 presents the reasoning that guided the proposed design. Section 5 specifies the actual mapping of DoQ. Section 6 presents guidelines on the implementation, usage and deployment of DoQ.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC8174].¶
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION)The Github repository for this document is at https://github.com/huitema/dnsoquic. Proposed text and editorial changes are very much welcomed there, but any functional changes should always first be discussed on the IETF DPRIVE WG (dns-privacy) mailing list.¶
This section and its subsections present the design guidelines that were used for DoQ. This section is informative in nature.¶
DoT [RFC7858] defines how to mitigate some of the issues described in "DNS Privacy Considerations" [RFC7626] by specifying how to transmit DNS messages over TLS. The "Usage Profiles for DNS over TLS and DNS over DTLS" [RFC8310] specify Strict and Opportunistic Usage Profiles for DoT including how stub resolvers can authenticate recursive resolvers.¶
QUIC connection setup includes the negotiation of security parameters using TLS, as specified in "Using TLS to Secure QUIC" [RFC9001], enabling encryption of the QUIC transport. Transmitting DNS messages over QUIC will provide essentially the same privacy protections as DoT [RFC7858] including Strict and Opportunistic Usage Profiles [RFC8310]. Further discussion on this is provided in Section 9.¶
QUIC is specifically designed to reduce the delay between HTTP queries and HTTP responses. This is achieved through three main components:¶
This mapping of DNS to QUIC will take advantage of these features in three ways:¶
These considerations will be reflected in the mapping of DNS traffic to QUIC streams in Section 5.2.¶
The mapping of DoQ is defined for minimal overhead and maximum performance. This means a different traffic profile than HTTP3 over QUIC. This difference can be noted by firewalls and middleboxes. There may be environments in which HTTP3 over QUIC will be able to pass through, but DoQ will be blocked by these middle boxes.¶
As stated in Section 1, this document does not specify support for server initiated transactions within established DoQ connections. That is, only the initiator of the DoQ connection may send queries over the connection.¶
DSO supports server-initiated transactions within existing connections, however DSO is not applicable to DNS over HTTP since HTTP has its own mechanism for managing sessions, and this is incompatible with the DSO; the same is true for DoQ.¶
DoQ connections are established as described in the QUIC transport specification [RFC9000]. During connection establishment, DoQ support is indicated by selecting the ALPN token "doq" in the crypto handshake.¶
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION) Only implementations of the final, published RFC can identify themselves as "doq". Until such an RFC exists, implementations MUST NOT identify themselves using this string.¶
Implementations of draft versions of the protocol MUST add the string "-" and the corresponding draft number to the identifier. For example, draft-ietf-dprive-dnsoquic-00 is identified using the string "doq-i00".¶
By default, a DNS server that supports DoQ MUST listen for and accept QUIC connections on the dedicated UDP port TBD (number to be defined in Section 10), unless it has mutual agreement with its clients to use a port other than TBD for DoQ. In order to use a port other than TBD, both clients and servers would need a configuration option in their software.¶
By default, a DNS client desiring to use DoQ with a particular server MUST establish a QUIC connection to UDP port TBD on the server, unless it has mutual agreement with its server to use a port other than port TBD for DoQ. Such another port MUST NOT be port 53. This recommendation against use of port 53 for DoQ is to avoid confusion between DoQ and the use of DNS over UDP [RFC1035].¶
The mapping of DNS traffic over QUIC streams takes advantage of the QUIC stream features detailed in Section 2 of the QUIC transport specification [RFC9000].¶
DNS traffic follows a simple pattern in which the client sends a query, and the server provides one or more responses (multiple can responses occur in zone transfers).¶
The mapping specified here requires that the client selects a separate QUIC stream for each query. The server then uses the same stream to provide all the response messages for that query. In order that multiple responses can be parsed, a 2-octet length field is used in exactly the same way as the 2-octet length field defined for DNS over TCP [RFC1035]. The practical result of this is that the content of each QUIC stream is exactly the same as the content of a TCP connection that would manage exactly one query.¶
All DNS messages (queries and responses) sent over DoQ connections MUST be encoded as a 2-octet length field followed by the message content as specified in [RFC1035].¶
The client MUST select the next available client-initiated bidirectional stream for each subsequent query on a QUIC connection, in conformance with the QUIC transport specification [RFC9000].¶
The client MUST send the DNS query over the selected stream, and MUST indicate through the STREAM FIN mechanism that no further data will be sent on that stream.¶
The server MUST send the response(s) on the same stream and MUST indicate, after the last response, through the STREAM FIN mechanism that no further data will be sent on that stream.¶
Therefore, a single client initiated DNS transaction consumes a single stream. This means that the client's first query occurs on QUIC stream 0, the second on 4, and so on.¶
For completeness it is noted that versions prior to -02 of this specification proposed a simpler mapping scheme which omitted the 2 byte length field and supported only a single response on a given stream. The more complex mapping above was adopted to specifically cater for XFR support, however it breaks compatibility with earlier versions.¶
When sending queries over a QUIC connection, the DNS Message ID MUST be set to zero.¶
It is noted that this has implications for proxying DoQ message to other transports in that a mapping of some form must be performed (e.g., from DoQ connection/stream to unique Message ID).¶
The following error codes are defined for use when abruptly terminating streams, aborting reading of streams, or immediately closing connections:¶
See Section 10.4 for details on registering new error codes.¶
In QUIC, sending STOP_SENDING requests that a peer cease transmission on a stream. If a DoQ client wishes to cancel an outstanding request, it MUST issue a QUIC Stop Sending with error code DOQ_REQUEST_CANCELLED. This may be sent at any time but will be ignored if the server has already sent the response. The corresponding DNS transaction MUST be abandoned.¶
A server that receives STOP_SENDING MUST issue a RESET_STREAM with error code DOQ_REQUEST_CANCELLED, unless it has already sent a complete response in which case it MAY ignore the STOP_SENDING request. Servers MAY limit the number of DOQ_REQUEST_CANCELLED errors received on a connection before choosing to close the connection.¶
Note that this mechanism provides a way for secondaries to cancel a single zone transfer occurring on a given stream without having to close the QUIC connection.¶
Servers normally complete transactions by sending a DNS response (or responses) on the transaction's stream, including cases where the DNS response indicates a DNS error. For example, a Server Failure (SERVFAIL, [RFC1035]) SHOULD be notified to the client by sending back a response with the Response Code set to SERVFAIL.¶
If a server is incapable of sending a DNS response due to an internal error, it SHOULD issue a QUIC Stream Reset with error code DOQ_INTERNAL_ERROR. The corresponding DNS transaction MUST be abandoned. Clients MAY limit the number of unsolicited QUIC Stream Resets received on a connection before choosing to close the connection.¶
Note that this mechanism provides a way for primaries to abort a single zone transfer occurring on a given stream without having to close the QUIC connection.¶
Other error scenarios can occur due to malformed, incomplete or unexpected messages during a transaction. These include (but are not limited to)¶
If a peer encounters such an error condition it is considered a fatal error. It SHOULD forcibly abort the connection using QUIC's CONNECTION_CLOSE mechanism, and use the DoQ error code DOQ_PROTCOL_ERROR.¶
It is noted that the restrictions on use of the above EDNS(0) options has implications for proxying message from TCP/DoT/DoH over DoQ.¶
Section 10 of the QUIC transport specification [RFC9000] specifies that connections can be closed in three ways:¶
Clients and servers implementing DoQ SHOULD negotiate use of the idle timeout. Closing on idle timeout is done without any packet exchange, which minimizes protocol overhead. Per section 10.1 of the QUIC transport specification, the effective value of the idle timeout is computed as the minimum of the values advertised by the two endpoints. Practical considerations on setting the idle timeout are discussed in Section 6.5.2.¶
Clients SHOULD monitor the idle time incurred on their connection to the server, defined by the time spent since the last packet from the server has been received. When a client prepares to send a new DNS query to the server, it will check whether the idle time is sufficient lower than the idle timer. If it is, the client will send the DNS query over the existing connection. If not, the client will establish a new connection and send the query over that connection.¶
Clients MAY discard their connection to the server before the idle timeout expires. If they do that, they SHOULD close the connection explicitly, using QUIC's CONNECTION_CLOSE mechanism, and use the DoQ error code DOQ_NO_ERROR.¶
Clients and servers MAY close the connection for a variety of other reasons, indicated using QUIC's CONNECTION_CLOSE. Client and servers that send packets over a connection discarded by their peer MAY receive a stateless reset indication. If a connection fails, all queries in progress over the connection MUST be considered failed, and a Server Failure (SERVFAIL, [RFC1035]) SHOULD be notified to the initiator of the transaction.¶
A client MAY take advantage of the session resumption mechanisms supported by QUIC transport [RFC9000] and QUIC TLS [RFC9001]. Clients SHOULD consider potential privacy issues associated with session resumption before deciding to use this mechanism. These privacy issues are detailed in Section 9.2 and Section 9.1, and the implementation considerations are discussed in Section 6.5.3.¶
The 0-RTT mechanism SHOULD NOT be used to send DNS requests that are not "replayable" transactions. Our analysis so far shows that such replayable transactions can only be QUERY requests, although we may need to also consider NOTIFY requests once the analysis of NOTIFY services is complete, see Appendix A.¶
Servers MUST NOT execute non replayable transactions received in 0-RTT data. Servers MUST adopt one of the following behaviors:¶
For the zone transfer scenario, it would be possible to replay an XFR QUERY that had been sent in 0-RTT data. However the authentication mechanisms described in RFC9103 ("Zone transfer over TLS") will ensure that the response is not sent by the primary until the identity of the secondary has been verified i.e. the first behavior listed above.¶
DoQ Queries and Responses are sent on QUIC streams, which in theory can carry up to 2^62 bytes. However, DNS messages are restricted in practice to a maximum size of 65535 bytes. This maximum size is enforced by the use of a two-octet message length field in DNS over TCP [RFC1035] and DNS over TLS [RFC7858], and by the definition of the "application/dns-message" for DNS over HTTP [RFC8484]. DoQ enforces the same restriction.¶
The Extension Mechanisms for DNS (EDNS) [RFC6891] allow peers to specify the UDP message size. This parameter is ignored by DoQ. DoQ implementations always assume that the maximum message size is 65535 bytes.¶
For the stub to recursive resolver scenario, the authentication requirements are the same as described in DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS" [RFC8310]. There is no need to authenticate the client's identity in either scenario.¶
For zone transfer, the requirements are the same as described in [RFC9103].¶
For the recursive resolver to authoritative nameserver scenario, authentication requirements are unspecified at the time of writing and are the subject on ongoing work in the DPRIVE WG.¶
If the establishment of the DoQ connection fails, clients MAY attempt to fall back to DoT and then potentially clear text, as specified in DoT [RFC7858] and "Usage Profiles for DNS over TLS and DNS over DTLS" [RFC8310], depending on their privacy profile.¶
DNS clients SHOULD remember server IP addresses that don't support DoQ, including timeouts, connection refusals, and QUIC handshake failures, and not request DoQ from them for a reasonable period (such as one hour per server). DNS clients following an out-of-band key-pinned privacy profile ([RFC7858]) MAY be more aggressive about retrying DoQ connection failures.¶
Section 8 of the QUIC transport specification [RFC9000] defines Address Validation procedures to avoid servers being used in address amplification attacks. DoQ implementations MUST conform to this specification, which limits the worst case amplification to a factor 3.¶
DoQ implementations SHOULD consider configuring servers to use the Address Validation using Retry Packets procedure defined in section 8.1.2 of the QUIC transport specification [RFC9000]). This procedure imposes a 1-RTT delay for verifying the return routability of the source address of a client, similar to the DNS Cookies mechanism [RFC7873].¶
DoQ implementations that configure Address Validation using Retry Packets SHOULD implement the Address Validation for Future Connections procedure defined in section 8.1.3 of the QUIC transport specification [RFC9000]). This defines how servers can send NEW TOKEN frames to clients after the client address is validated, in order to avoid the 1-RTT penalty during subsequent connections by the client from the same address.¶
Implementations SHOULD protect against the traffic analysis attacks described in Section 9.4 by the judicious injection of padding. This could be done either by padding individual DNS messages using the EDNS(0) Padding Option [RFC7830] and by padding QUIC packets (see Section 8.6 of the QUIC transport specification [RFC9000]).¶
In theory, padding at the QUIC level could result in better performance for the equivalent protection, because the amount of padding can take into account non-DNS frames such as acknowledgeemnts or flow control updates, and also because QUIC packets can carry multiple DNS messages. However, applications can only control the amount of padding in QUIC packets if the implementation of QUIC exposes adequate APIs. This leads to the following recommendation:¶
"DNS Transport over TCP - Implementation Requirements" [RFC7766] provides updated guidance on DNS over TCP, some of which is applicable to DoQ. This section attempts to specify which and how those considerations apply to DoQ.¶
Historic implementations of DNS clients are known to open and close TCP connections for each DNS query. To avoid excess QUIC connections, each with a single query, clients SHOULD reuse a single QUIC connection to the recursive resolver.¶
In order to achieve performance on par with UDP, DNS clients SHOULD send their queries concurrently over the QUIC streams on a QUIC connection. That is, when a DNS client sends multiple queries to a server over a QUIC connection, it SHOULD NOT wait for an outstanding reply before sending the next query.¶
Proper management of established and idle connections is important to the healthy operation of a DNS server. An implementation of DoQ SHOULD follow best practices similar to those specified for DNS over TCP [RFC7766], in particular with regard to:¶
Failure to do so may lead to resource exhaustion and denial of service.¶
Clients that want to maintain long duration DoQ connections SHOULD use the idle timeout mechanisms defined in Section 10.1 of the QUIC transport specification [RFC9000]. Clients and servers MUST NOT send the edns-tcp-keepalive EDNS(0) Option [RFC7828] in any messages sent on a DoQ connection (because it is specific to the use of TCP/TLS as a transport).¶
This document does not make specific recommendations for timeout values on idle connections. Clients and servers should reuse and/or close connections depending on the level of available resources. Timeouts may be longer during periods of low activity and shorter during periods of high activity.¶
Using 0-RTT for DNS over QUIC has many compelling advantages. Clients can establish connections and send queries without incurring a connection delay. Servers can thus negotiate low values of the connection timers, which reduces the total number of connections that they need to manage. They can do that because the clients that use 0-RTT will not incur latency penalties if new connections are required for a query.¶
Session resumption and 0-RTT data transmission create privacy risks detailed in detailed in Section 9.2 and Section 9.1. The following recommendations are meant to reduce the privacy risks while enjoying the performance benefits of 0-RTT data, with the restriction specified in Section 5.5.¶
Clients SHOULD use resumption tickets only once, as specified in Appendix C.4 to [RFC8446]. Clients could receive address validation tokens from the server using the NEW TOKEN mechanism; see section 8 of [RFC9000]. The associated tracking risks are mentioned in Section 9.3. Clients SHOULD only use the address validation tokens when they are also using session resumption, thus avoiding additional tracking risks.¶
Servers SHOULD issue session resumption tickets with a sufficiently long life time (e.g., 6 hours), so that clients are not tempted to either keep connection alive or frequently poll the server to renew session resumption tickets. Servers SHOULD implement the anti-replay mechanisms specified in section 8 of [RFC8446].¶
As specified in Section 7 of "DNS Transport over TCP - Implementation Requirements" [RFC7766], resolvers are RECOMMENDED to support the preparing of responses in parallel and sending them out of order. In DoQ, they do that by sending responses on their specific stream as soon as possible, without waiting for availability of responses for previously opened streams.¶
[RFC9103] specifies zone transfer over TLS (XoT) and includes updates to [RFC1995] (IXFR), [RFC5936] (AXFR) and [RFC7766]. Considerations relating to the re-use of XoT connections described there apply analogously to zone transfers performed using DoQ connections. For example:¶
Servers and Clients manage flow control using the mechanisms defined in section 4 of [RFC9000]. These mechanisms allow clients and servers to specify how many streams can be created, how much data can be sent on a stream, and how much data can be sent on the union of all streams. For DNS over QUIC, controlling how many streams are created allows servers to control how many new requests the client can send on a given connection.¶
Flow control exists to protect endpoint resources. For servers, global and per-stream flow control limits control how much data can be sent by clients. The same mechanisms allow clients to control how much data can be sent by servers. Values that are too small will unnecessarily limit performance. Values that are too large might expose endpoints to overload or memory exhaustion. Implementations or deployments will need to adjust flow control limits to balance these concerns. In particular, zone transfer implementations will need to control these limits carefully to ensure both large and concurrent zone transfers are well managed.¶
Initial values of parameters control how many requests and how much data can be sent by clients and servers at the beginning of the connection. These values are specified in transport parameters exchanged during the connection handshake. The parameter values received in the initial connection also control how many requests and how much data can be sent by clients using 0-RTT data in a resumed connection. Using too small values of these initial parameters would restrict the usefulness of allowing 0-RTT data.¶
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION) This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942].¶
AdGuard launched a DoQ recursive resolver service in December 2020. They have released a suite of open source tools that support DoQ:¶
To our knowledge, no benchmarking studies comparing DoT, DoH and DoQ are published yet. However anecdotal evidence from the AdGuard DoQ recursive resolver deployment indicates that it performs well compared to the other encrypted protocols, particularly in mobile environments. Reasons given for this include that DoQ¶
The security considerations of DoQ should be comparable to those of DoT [RFC7858].¶
The general considerations of encrypted transports provided in "DNS Privacy Considerations" [I-D.ietf-dprive-rfc7626-bis] apply to DoQ. The specific considerations provided there do not differ between DoT and DoQ, and are not discussed further here.¶
QUIC incorporates the mechanisms of TLS 1.3 [RFC8446] and this enables QUIC transmission of "0-RTT" data. This can provide interesting latency gains, but it raises two concerns:¶
These issues are developed in Section 9.1 and Section 9.2.¶
The 0-RTT data can be replayed by adversaries. That data may trigger queries by a recursive resolver to authoritative resolvers. Adversaries may be able to pick a time at which the recursive resolver outgoing traffic is observable, and thus find out what name was queried for in the 0-RTT data.¶
This risk is in fact a subset of the general problem of observing the behavior of the recursive resolver discussed in "DNS Privacy Considerations" [RFC7626]. The attack is partially mitigated by reducing the observability of this traffic. However, the risk is amplified for 0-RTT data, because the attacker might replay it at chosen times, several times.¶
The recommendation for TLS 1.3 [RFC8446] is that the capability to use 0-RTT data should be turned off by default, and only enabled if the user clearly understands the associated risks. In our case, allowing 0-RTT data provides significant performance gains, and we are concerned that a recommendation to not use it would simply be ignored. Instead, we provide a set of practical recommendations in Section 5.5 and Section 6.5.3.¶
The prevention on allowing replayable transactions in 0-RTT data expressed in Section 5.5 blocks the most obvious risks of replay attacks, as it only allows for transactions that will not change the long term state of the server.¶
Attacks trying to assess the state of the cache are more powerful if the attacker can choose the time at which the 0-RTT data will be replayed. Such attacks are blocked if the server enforces single-use tickets, or if the server implements a combination of Client Hello recording and freshness checks, as specified in section 8 of [RFC8446]. These blocking mechanisms rely on shared state between all server instances in a server system. In the case of DNS over QUIC, the protection against replay attacks on the DNS cache is achieved if this state is shared between all servers that share the same DNS cache.¶
The attacks described above apply to the stub resolver to recursive resolver scenario, but similar attacks might be envisaged in the recursive resolver to authoritative resolver scenario, and the same mitigations apply.¶
The QUIC session resumption mechanism reduces the cost of re-establishing sessions and enables 0-RTT data. There is a linkability issue associated with session resumption, if the same resumption token is used several times. Attackers on path between client and server could observe repeated usage of the token and use that to track the client over time or over multiple locations.¶
The session resumption mechanism allows servers to correlate the resumed sessions with the initial sessions, and thus to track the client. This creates a virtual long duration session. The series of queries in that session can be used by the server to identify the client. Servers can most probably do that already if the client address remains constant, but session resumption tickets also enable tracking after changes of the client's address.¶
The recommendations in Section 6.5.3 are designed to mitigate these risks. Using session tickets only once mitigates the risk of tracking by third parties. Refusing to resume a session if addresses change mitigates the risk of tracking by the server.¶
The privacy trade-offs here may be context specific. Stub resolvers will have a strong motivation to prefer privacy over latency since they often change location. However, recursive resolvers that use a small set of static IP addresses are more likely to prefer the reduced latency provided by session resumption and may consider this a valid reason to use resumption tickets even if the IP address changed between sessions.¶
Encrypted zone transfer (RFC9103) explicitly does not attempt to hide the identity of the parties involved in the transfer, but at the same time such transfers are not particularly latency sensitive. This means that applications supporting zone transfers may decide to apply the same protections as stub to recursive applications.¶
QUIC specifies address validation mechanisms in section 8 of [RFC9000]. Use of an address validation token allows QUIC servers to avoid an extra RTT for new connections. Address validation tokens are typically tied to an IP address. QUIC clients normally only use these tokens when setting a new connection from a previously used address. However, due to the prevalence of NAT, clients are not always aware that they are using a new address. There is a linkability risk if clients mistakenly use address validation tokens after unknowingly moving to a new location.¶
The recommendations in Section 6.5.3 mitigates this risk by tying the usage of the NEW TOKEN to that of session resumption.¶
Even though QUIC packets are encrypted, adversaries can gain information from observing packet lengths, in both queries and responses, as well as packet timing. Many DNS requests are emitted by web browsers. Loading a specific web page may require resolving dozen of DNS names. If an application adopts a simple mapping of one query or response per packet, or "one QUIC STREAM frame per packet", then the succession of packet lengths may provide enough information to identify the requested site.¶
Implementations SHOULD use the mechanisms defined in Section 6.4 to mitigate this attack.¶
This document creates a new registration for the identification of DoQ in the "Application Layer Protocol Negotiation (ALPN) Protocol IDs" registry [RFC7301].¶
The "doq" string identifies DoQ: Protocol: DoQ Identification Sequence: 0x64 0x6F 0x71 ("doq") Specification: This document¶
Port 853 is currently reserved for 'DNS query-response protocol run over TLS/DTLS' [RFC7858]. However, the specification for DNS over DTLS (DoD) [RFC8094] is experimental, limited to stub to resolver, and no implementations or deployments currently exist to our knowledge (even though several years have passed since the specification was published).¶
This specification proposes to additionally reserve the use of port 853 for DoQ. QUIC was designed to be able to co-exist with other protocols on the same port, including DTLS , see Section 17.2 in [RFC9000].¶
IANA is requested to add the following value to the "Service Name and Transport Protocol Port Number Registry" in the System Range. The registry for that range requires IETF Review or IESG Approval [RFC6335].¶
Service Name dns-over-quic Port Number 853 Transport Protocol(s) UDP Assignee IESG Contact IETF Chair Description DNS query-response protocol run over QUIC Reference This document¶
(RFC EDITOR NOTE: THIS SECTION TO BE REMOVED BEFORE PUBLICATION) Early experiments MAY use port 784. This port is marked in the IANA registry as unassigned.¶
(Note that version in -02 of this draft experiments were directed to use port 8853.)¶
IANA is requested to add the following value to the Extended DNS Error Codes registry [RFC8914]:¶
INFO-CODE TBD Purpose Too Early Reference This document¶
IANA [SHALL add/has added] a registry for "DNS over QUIC Error Codes" on the "Domain Name System (DNS) Parameters" web page.¶
The "DNS over QUIC Error Codes" registry governs a 62-bit space. This space is split into three regions that are governed by different policies:¶
Provisional reservations share the range of values larger than 0x3f with some permanent registrations. This is by design, to enable conversion of provisional registrations into permanent registrations without requiring changes in deployed systems. (This design is aligned with the principles set in section 22 of [RFC9000].)¶
Registrations in this registry MUST include the following fields:¶
In addition, permanent registrations MUST include:¶
Provisional registrations of codepoints are intended to allow for private use and experimentation with extensions to DNS over QUIC. However, provisional registrations could be reclaimed and reassigned for another purpose. In addition to the parameters listed above, provisional registrations MUST include:¶
A request to update the date on any provisional registration can be made without review from the designated expert(s).¶
The initial contents of this registry are shown in Table 1.¶
Value | Error | Description | Specification |
---|---|---|---|
0x0 | DOQ_NO_ERROR | No error | Section 5.3 |
0x1 | DOQ_INTERNAL_ERROR | Implementation error | Section 5.3 |
0x2 | DOQ_PROTOCOL_ERROR | Generic protocol violation | Section 5.3 |
0x3 | DOQ_REQUEST_CANCELLED | Request cancelled by client | Section 5.3 |
This document liberally borrows text from the HTTP-3 specification [I-D.ietf-quic-http] edited by Mike Bishop, and from the DoT specification [RFC7858] authored by Zi Hu, Liang Zhu, John Heidemann, Allison Mankin, Duane Wessels, and Paul Hoffman.¶
The privacy issue with 0-RTT data and session resumption were analyzed by Daniel Kahn Gillmor (DKG) in a message to the IETF "DPRIVE" working group [DNS0RTT].¶
Thanks to Tony Finch for an extensive review of the initial version of this draft, and to Robert Evans for the discussion of 0-RTT privacy issues. Reviews by Paul Hoffman and Martin Thomson and interoperability tests conducted by Stephane Bortzmeyer helped improve the definition of the protocol.¶
This appendix discusses the issue of allowing NOTIFY to be sent in 0-RTT data.¶
Section Section 5.5 says "The 0-RTT mechanism SHOULD NOT be used to send DNS requests that are not "replayable" transactions", and suggests this is limited to OPCODE QUERY. It might also be viable to propose that NOTIFY should be permitted in 0-RTT data because although it technically changes the state of the receiving server, the effect of replaying NOTIFYs has negligible impact in practice.¶
NOTIFY messages prompt a secondary to either send an SOA query or an XFR request to the primary on the basis that a newer version of the zone is available. It has long been recognized that NOTIFYs can be forged and, in theory, used to cause a secondary to send repeated unnecessary requests to the primary. For this reason, most implementations have some form of throttling of the SOA/XFR queries triggered by the receipt of one or more NOTIFYs.¶
RFC9103 describes the privacy risks associated with both NOTIFY and SOA queries and does not include addressing those risks within the scope of encrypting zone transfers. Given this, the privacy benefit of using DoQ for NOTIFY is not clear - but for the same reason, sending NOTIFY as 0-RTT data has no privacy risk above that of sending it using cleartext DNS.¶