Network Working GroupInternet Engineering Task Force (IETF) P. PfisterInternet-DraftRequest for Comments: 8375 Cisco Systems Updates:RFC7788 (if approved)7788 T. LemonIntended status:Category: Standards TrackNominum, Inc. Expires: March 5,Nibbhaya Consulting ISSN: 2070-1721 May 2018September 1, 2017 Special UseSpecial-Use Domain 'home.arpa.'draft-ietf-homenet-dot-14Abstract This document specifies the behavior that is expected from the Domain Name System with regard to DNS queries for names ending with'.home.arpa.','.home.arpa.' and designates this domain as a special-use domain name. 'home.arpa.' is designated for non-unique use in residential home networks. The Home Networking Control Protocol (HNCP) is updated to use the 'home.arpa.' domain instead of '.home'. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 5, 2018.https://www.rfc-editor.org/info/rfc8375. Copyright Notice Copyright (c)20172018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents(http://trustee.ietf.org/license-info)(https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. General Guidance . . . . . . . . . . . . . . . . . . . . . . 3 4. Domain Name Reservation Considerations . . . . . . . . . . . 4 5. Updates to Home Networking Control Protocol . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6.1. Local Significance . . . . . . . . . . . . . . . . . . . 7 6.2. Insecure Delegation . . . . . . . . . . . . . . . . . . . 8 6.3. Bypassing Manually Configured Resolvers . . . . . . . . . 8 7. Delegation of 'home.arpa.' . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 9.AcknowledgmentsReferences . . . . . . . . . . . . . . . . . . . . . . . . . 910.9.1. Normative References . . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . .9 10.1. Normative References. . . . . . . . . . 10 Acknowledgments . . . . . . . .9 10.2. Informative References. . . . . . . . . . . . . . . . .1011 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction Users and devices within a home network (hereafter referred to as "homenet") require devices and services to be identified by names that are unique within the boundaries of the homenet [RFC7368]. The naming mechanism needs to function without configuration from the user. While it may be possible for a name to be delegated by an ISP, homenets must also function in the absence of such a delegation. This document reserves the name 'home.arpa.' to serve as the default name for this purpose, withwitha scope limited to each individual homenet. This document corrects an error in[RFC7788],[RFC7788] by replacing '.home' with 'home.arpa.' as the defaultdomain-namedomain name for homenets. '.home'had beenwas selected as the most user-friendlyoption. However,option; however, there are existing uses of '.home' that may be in conflict with thisuse: evidenceuse. Evidence indicates that '.home' queries frequently leak out and reach the root name servers [ICANN1] [ICANN2]. In addition,it's necessary,for compatibility with DNSSEC(Section(see Section 6), it's necessary that an insecure delegation([RFC4035] section 4.3)(see Section 4.3 of [RFC4035]) be present for the name. There is an existing process for allocating names under '.arpa.' [RFC3172]. No such process is available for requesting a similar delegation in the root at the request of the IETF, which does not administer that zone. As a result, all unregistered uses of '.home' (that is, all current uses at the time of this document's publication), particularly as specified inRFC7788,[RFC7788], are deprecated. This document registers the domain 'home.arpa.' as a special-use domain name [RFC6761] and specifies the behavior that is expected from the Domain Name System with regard to DNS queries for names whose rightmost non-terminal labels are 'home.arpa.'. Queries for names ending with '.home.arpa.' are of local significance within the scope of a homenet, meaning that identical queries will result in different results from one homenet to another. In other words, a name ending in '.home.arpa.' is not globally unique. Although this document makes specific reference toRFC7788,[RFC7788], it is not intended that the use of 'home.arpa.' be restricted solely to networks where HNCP isdeployed; it is rather the case thatdeployed. Rather, 'home.arpa.' is intended to be the correct domain for uses like the one described for '.home' inRFC7788:[RFC7788]: local name service in residential homenets. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. General Guidance The domain name 'home.arpa.' is to be used for naming within residential homenets. Names ending with '.home.arpa.' reference alocally-served zone,zone that is served locally, the contents of which are unique only to a particularhomenet,homenet and are not globally unique. Such names refer to nodes and/or services that are located within a homenet (e.g., aprinter,printer or a toaster). DNS queries for names ending with '.home.arpa.' are resolved using local resolvers on the homenet. Such queries MUST NOT be recursively forwarded to servers outside the logical boundaries of the homenet. Some service discovery user interfaces that are expected to be used on homenets conceal information such as domain names from end users. However, in some cases, it is still expected thatin some cases,users will need to see, remember, and eventype,type names ending with '.home.arpa.'. Theworking groupHomenet Working Group hopes that this name will in some way indicate to as many readers as possible that such domain names are referring to devices in the home, but we recognize that it is an imperfect solution. 4. Domain Name Reservation Considerations This section specifies considerations for systems involved in domain name resolution when resolving queries for names ending with '.home.arpa.'. Each item in this section addresses some aspect of the DNS or the process of resolving domain names that would be affected by thisspecial usespecial-use allocation. Detailed explanations of these items can be found in[RFC6761],Section5.5 of [RFC6761]. Although the term 'homenet' in [RFC7788] refers to home networks that implement a particular set of features, in this document the term is used to mean any home network, regardless of the set of features it implements. 1. Users can use names ending with '.home.arpa.' just as they would use any other domain name. The 'home.arpa.' name is chosen to be readily recognized by users as signifying that the name is addressing a service on the homenet to which the user's device is connected. 2. Application software SHOULD NOT treat names ending in '.home.arpa.' differently than other names. In particular, there is no basis for trusting names that are subdomains of 'home.arpa.' (see Section 6). 3. Name resolution APIs and libraries MUST NOT recognize names that end in '.home.arpa.' as special and MUST NOT treat them as having special significance, except that it may be necessary that such APIs not bypass the locally configured recursive resolvers. One or more IP addresses for recursive DNS servers will usually be supplied to the client through router advertisements or DHCP. For an administrative domain that uses subdomains of 'home.arpa.', such as a homenet, the recursive resolvers provided by that domain will be able to answer queries for subdomains of 'home.arpa.'; other resolvers will not, or they will provide answers that are not correct within that administrative domain. A host that is configured to use a resolver other than one that has been provided by the local network may be unable to resolve, or may receive incorrect results for, subdomains of 'home.arpa.'. In order to avoid this, it is permissible that hosts use thelocally-providedresolvers that are locally provided for resolving'home.arpa.''home.arpa.', even when they are configured to use other resolvers. 4. There are three considerations for recursive resolvers that follow this specification: A. Recursive resolvers at sites using 'home.arpa.' MUST transparently support DNSSEC queries: queries for DNSSEC records and queries with theDODNSSEC OK (DO) bit set([RFC4035] section 3.2.1).(see Section 3.2.1 of [RFC4035]). While validation is not required, it is strongly encouraged: a caching recursive resolver that does not validate answers that can be validated may cache invalid data.ThisThis, inturnturn, will prevent validating stub resolvers from successfully validating answers. B. Unless configured otherwise, recursive resolvers and DNS proxies MUST behave as described in Section 3 of the Locally Served Zones([RFC6303] Section 3).document [RFC6303]. That is, queries for 'home.arpa.' and subdomains of 'home.arpa.' MUST NOT be forwarded, with one important exception: a query for a DS record with the DO bit set MUST return the correct answer for that question, including correct information in the authority section that proves that the record is nonexistent.SoSo, forexampleexample, a query for the NS record for 'home.arpa.' MUST NOT result in that query being forwarded to an upstream cache nor to the authoritative DNS server for '.arpa.'. However, as necessary to provide accurate authority information, a query for the DS record MUST result in forwarding whatever queries arenecessary being forwarded;necessary; typically, this will just be a query for the DS record, since the necessary authority information will be included in the authority section of the response if the DO bit is set. C. In addition to the behavior specified above, recursive resolvers that can be used in a homenet MUST be configurable to forward queries for 'home.arpa.' and subdomains of 'home.arpa.' to an authoritative server for 'home.arpa.'. This server will provide authoritative data for 'home.arpa.' within a particular homenet. The special handling for DS records for the 'home.arpa.' delegation is still required. It is permissible to combine the recursive resolver function for general DNS lookups with an authoritative resolver for 'home.arpa.'; in this case, rather than forwarding queries for subdomains of 'home.arpa.' to an authoritative server, the resolver answers them authoritatively. The behavior with respect to forwarding queries specifically for 'home.arpa.' remains the same. 5. No special processing of 'home.arpa.' is required for authoritative DNS server implementations. It is possible that an authoritative DNS server might attempt to check the authoritative servers for 'home.arpa.' for a delegation beneath that name before answering authoritatively for such a delegated name. In such a case, because the name always has only localsignificancesignificance, there will be no such delegation in the 'home.arpa.' zone, and so the server would refuse to answer authoritatively for such a zone. A server that implements this sort of check MUST be configurable so that either it does not do this check for the 'home.arpa.'domain,domain or it ignores the results of the check. 6. DNS server operators MAY configure an authoritative server for 'home.arpa.' for use in homenets and other home networks. The operator for the DNS servers authoritative for 'home.arpa.' in the global DNS will configure any such servers as described in Section 7. 7. 'home.arpa.' is a subdomain of the 'arpa' top-level domain, which is operated by IANA under the authority of the Internet Architecture Board according to the rules established in [RFC3172]. There are no other registrars for.arpa.'.arpa'. 5. Updates to Home Networking Control Protocol The final paragraph in Section 8 of [RFC7788], the Home Networking ControlProtocol [RFC7788], section 8,Protocol, is updated as follows: OLD: Names and unqualified zones are used in an HNCP network to provide naming and service discovery with local significance. A network- wide zone is appended to all single labels or unqualified zones in order to qualify them. ".home" is the default; however, an administrator MAY configure the announcement of a Domain-Name TLV (Section 10.6) for the network to use a different one. In case multiple are announced, the domain of the node with the greatest node identifier takes precedence. NEW: Names and unqualified zones are used in an HNCP network to provide naming and service discovery with local significance. A network- wide zone is appended to all single labels or unqualified zones in order to qualify them. 'home.arpa.' is the default; however, an administrator MAY configure the announcement of a Domain-Name TLV (Section 10.6) for the network to use a different one. In case multiple TLVs are announced, the domain of the node with the greatest node identifier takes precedence. The 'home.arpa.' special-use name does not require a special resolution protocol. Names for which the rightmost two labels are 'home.arpa.' are resolved using the DNS protocol [RFC1035]. 6. Security Considerations 6.1. Local Significance A DNS record that is returned as a response to a query foran FQDNa Fully Qualified Domain Name (FQDN) that is a subdomain of 'home.arpa.' is expected to have local significance. It is expected to be returned by a server involved in name resolution for the homenet the device is connected in. However, such a response MUST NOT be considered more trustworthy thanwould bea similar response for any other DNS query. Because 'home.arpa.' is not globally scoped and cannot be secured using DNSSEC based on the root domain's trust anchor, there is no way to tell, using a standard DNS query, in which homenet scope an answer belongs. Consequently, users may experience surprising results with such names when roaming to different homenets. To prevent this from happening, it could be useful for the resolver on the host to securely differentiate between differenthomenets,homenets and between identical names on different homenets. However, a mechanism for doing this has not yet beenstandardized,standardized and doing so is out of scope for this document. It is expected that this will be explored in future work.Locally Served Zones ([RFC6303] section 7) recommends installingThe advice in [RFC6303], Section 7, to install local trust anchors for locally servedzones. However, in order for this to be effective,zones can only work if theremust beis some way of configuring the trust anchor in the host. Homenet currently specifies no mechanism for configuring such trust anchors. As a result, while this advice sounds good, it is not practicable. Also,althoughalthough, inprincipleprinciple, it might be useful to install a trust anchor for a particular instance of 'home.arpa.', it's reasonable to expect that a host with such a trust anchormightmight, from time totimetime, connect to more than one network with its own instance of 'home.arpa.'. Such a host would be unable to access services on any instance of 'home.arpa.' other than the one for which a trust anchor was configured. Itisis, inprincipleprinciple, possible to attach an identifier to an instance of 'home.arpa.' that could be used to identify which trust anchor to rely on for validating names in that particular instance. However, the security implications of this are complicated, and such a mechanism, as well as a discussion of those implications, is out of scope for this document. 6.2. Insecure Delegation It is not possible to install a trust anchor (a DS RR) for this zone in the '.arpa' zone. The reason for this is that in order to do so, it would be necessary to have the key-signing key for the zone([RFC4034](see Section5).5 of [RFC4034]). Since the zone is not globally unique, no one key would work. An alternative would be to provideaan authenticated denial of existence([RFC4033](see Section3.2).3.2 of [RFC4033]). This would be done simply by not having a delegation from the 'arpa.' zone. However, this requires the validating resolver to treat 'home.arpa.' specially. If a validating resolver that doesn't treat 'home.arpa.' specially attempts to validate a name in 'home.arpa.', an authenticated denial of existence of 'home' as a subdomain of 'arpa.' would cause the validation to fail. Therefore, the only delegation that will allow names under 'home.arpa.' to be resolved by all validating resolvers is an insecuredelegationdelegation, as in[RFC6303] section 7.Section 7 of [RFC6303]. Consequently, unless a trust anchor for the particular instance of the 'home.arpa.' zone being validated is manually configured on the validating resolver, DNSSEC signing and validation of names within the 'home.arpa.' zone is not possible. 6.3. Bypassing Manually Configured Resolvers In item 3 of Section 4,item 3,an exception is made to the behavior of stub resolversallowingthat allows them to query local resolvers for subdomains of 'home.arpa.' even when they have been manually configured to use other resolvers. This behavior obviously has security and privacyimplications,implications and may not be desirable depending on the context. It may be better to simply ignore this exception and, when one or more recursive resolvers are configured manually, simply fail to provide correct answers for subdomains of 'home.arpa.'. At thistimetime, we do not have operational experience that would guide us in making this decision; implementors are encouraged to consider the context in which their software will be deployed when deciding how to resolve this question. 7. Delegation of 'home.arpa.' In order to be fully functional, there must be a delegation of 'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST NOT include a DSrecord,record and MUST point to one or more black hole servers, forexampleexample, 'blackhole-1.iana.org.' and 'blackhole- 2.iana.org.'. The reason that this delegation must not be signed is that not signing the delegation breaks the DNSSEC chain of trust, which prevents a validating stub resolver from rejecting names published under 'home.arpa.' on a homenet name server. 8. IANA Considerations IANAis requested to recordhas recorded the domain name 'home.arpa.' in theSpecial-Use"Special-Use DomainNamesNames" registry [SUDN].IANA is requested,IANA, with the approval of the IAB,to implementhas implemented the delegation requested in Section 7. IANAis further requested to createhas created a new subregistry within the "Locally-Served DNS Zones" registry [LSDZ], titled"Transport- Independent"Transport-Independent Locally-Served DNSZones",Zone Registry", with the same format as the other subregistries. IANAis requested to addhas added an entry in this new registry for 'home.arpa.' with the description "Homenet Special-Use Domain", listing this document as the reference. The registration procedure for this subregistry should be the same as for the others, currently "IETF Review"([RFC8126](see Section4.8). 9. Acknowledgments The authors would like to thank Stuart Cheshire for his prior work on '.home', as well as the homenet chairs: Mark Townsley and Ray Bellis. We would also like to thank Paul Hoffman for providing review and comments on the IANA considerations section, Andrew Sullivan for his review and proposed text, and Suzanne Woolf and Ray Bellis for their very detailed review comments and process insights. Thanks to Mark Andrews for providing an exhaustive reference list on the topic4.8 ofinsecure delegations. Thanks to Dale Worley for catching a rather egregious mistake and for the Gen-Art review, and to Daniel Migault for a thorough SecDir review. Thanks to Warren Kumari for catching some additional issues, and to Adam Roach for some helpful clarifications. 10.[RFC8126]). 9. References10.1.9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,<https://www.rfc- editor.org/info/rfc2119>.<https://www.rfc-editor.org/info/rfc2119>. [RFC3172] Huston, G., Ed., "Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172, September 2001, <https://www.rfc-editor.org/info/rfc3172>. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, <https://www.rfc-editor.org/info/rfc4035>. [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, RFC 6303, DOI 10.17487/RFC6303, July 2011, <https://www.rfc-editor.org/info/rfc6303>. [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, DOI 10.17487/RFC6761, February 2013, <https://www.rfc-editor.org/info/rfc6761>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.10.2.9.2. Informative References [ICANN1] "New gTLD Collision Risk Mitigation",OctoberAugust 2013,<https://www.icann.org/en/system/files/files/new-gtld- collision-mitigation-05aug13-en.pdf>.<https://www.icann.org/en/system/files/files/ new-gtld-collision-mitigation-05aug13-en.pdf>. [ICANN2] "New gTLD Collision Occurence Management", October 2013,<https://www.icann.org/en/system/files/files/resolutions- new-gtld-annex-1-07oct13-en.pdf>.<https://www.icann.org/en/system/files/files/ resolutions-new-gtld-annex-1-07oct13-en.pdf>. [LSDZ] "Locally-Served DNSZones Registry",Zones", July 2011,<https://www.iana.org/assignments/locally-served-dns- zones/locally-served-dns-zones.xhtml>.<https://www.iana.org/assignments/ locally-served-dns-zones/>. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <https://www.rfc-editor.org/info/rfc1035>. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, <https://www.rfc-editor.org/info/rfc4033>. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, <https://www.rfc-editor.org/info/rfc4034>. [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J. Weil, "IPv6 Home Networking Architecture Principles", RFC 7368, DOI 10.17487/RFC7368, October 2014, <https://www.rfc-editor.org/info/rfc7368>. [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April 2016, <https://www.rfc-editor.org/info/rfc7788>. [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>. [SUDN] "Special-Use DomainNames Registry",Names", July 2012,<https://www.iana.org/assignments/special-use-domain- names/special-use-domain-names.xhtml>.<https://www.iana.org/assignments/ special-use-domain-names/>. Acknowledgments The authors would like to thank Stuart Cheshire, as well as the homenet chairs, Mark Townsley and Ray Bellis, for their prior work on '.home'. We would also like to thank Paul Hoffman for providing review and comments on the IANA Considerations section, Andrew Sullivan for his review and proposed text, and Suzanne Woolf and Ray Bellis for their very detailed review comments and process insights. Thanks to Mark Andrews for providing an exhaustive reference list on the topic of insecure delegations. Thanks to Dale Worley for catching a rather egregious mistake and for the Gen-Art review, and thanks to Daniel Migault for a thorough SecDir review. Thanks to Warren Kumari for catching some additional issues and to Adam Roach for some helpful clarifications. Authors' Addresses Pierre Pfister Cisco Systems Paris France Email: pierre.pfister@darou.fr Ted LemonNominum, Inc. 800 Bridge Parkway Redwood City, California 94065Nibbhaya Consulting P.O. Box 958 Brattleboro, Vermont 05301-0958 United States of AmericaPhone: +1 650 381 6000Email:ted.lemon@nominum.commellon@fugue.com