This repository has been archived by the owner on May 21, 2021. It is now read-only.
forked from ietf-homenet-wg/ietf-homenet-hna
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-ietf-homenet-front-end-naming-delegation-08.txt
1792 lines (1312 loc) · 82.8 KB
/
draft-ietf-homenet-front-end-naming-delegation-08.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Homenet D. Migault
Internet-Draft Ericsson
Intended status: Informational R. Weber
Expires: November 11, 2019 Nominum
R. Hunter
Globis Consulting BV
C. Griffiths
W. Cloetens
SoftAtHome<
May 10, 2019
Outsourcing Home Network Authoritative Naming Service
draft-ietf-homenet-front-end-naming-delegation-08
Abstract
Designation of services and devices of a home network is not user
friendly, and mechanisms should enable a user to designate services
and devices inside a home network using names.
In order to enable internal communications while the home network
experiments Internet connectivity shortage, the naming service should
be hosted on a device inside the home network. On the other hand,
home networks devices have not been designed to handle heavy loads.
As a result, hosting the naming service on such home network device,
visible on the Internet exposes this device to resource exhaustion
and other attacks, which could make the home network unreachable, and
most probably would also affect the internal communications of the
home network.
As result, home networks may prefer not serving the naming service
for the Internet, but instead prefer outsourcing it to a third party.
This document describes a mechanisms that enables the Home Network
Authority (HNA) to outsource the naming service to the Outsourcing
Infrastructure.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Migault, et al. Expires November 11, 2019 [Page 1]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 11, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Architecture Description . . . . . . . . . . . . . . . . . . 6
4.1. Architecture Overview . . . . . . . . . . . . . . . . . . 6
4.2. Example: Homenet Zone . . . . . . . . . . . . . . . . . . 8
4.3. Example: HNA necessary parameters for outsourcing . . . . 10
5. Synchronization between HNA and the Synchronization Server . 11
5.1. Synchronization with a Hidden Primary . . . . . . . . . . 12
5.2. Securing Synchronization . . . . . . . . . . . . . . . . 13
5.3. HNA Security Policies . . . . . . . . . . . . . . . . . . 14
6. DNSSEC compliant Homenet Architecture . . . . . . . . . . . . 14
6.1. Zone Signing" . . . . . . . . . . . . . . . . . . . . . . 15
6.2. Secure Delegation" . . . . . . . . . . . . . . . . . . . 16
7. Handling Different Views . . . . . . . . . . . . . . . . . . 17
7.1. Misleading Reasons for Local Scope DNS Zone" . . . . . . 17
7.2. Consequences" . . . . . . . . . . . . . . . . . . . . . . 18
7.3. Guidance and Recommendations . . . . . . . . . . . . . . 19
7.4. Homenet Reverse Zone . . . . . . . . . . . . . . . . . . 19
8. Renumbering . . . . . . . . . . . . . . . . . . . . . . . . . 19
8.1. Hidden Primary . . . . . . . . . . . . . . . . . . . . . 20
8.2. Synchronization Server . . . . . . . . . . . . . . . . . 21
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 22
10. Security Considerations . . . . . . . . . . . . . . . . . . . 23
Migault, et al. Expires November 11, 2019 [Page 2]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
10.1. Names are less secure than IP addresses . . . . . . . . 23
10.2. Names are less volatile than IP addresses . . . . . . . 23
10.3. DNS Reflection Attacks . . . . . . . . . . . . . . . . . 24
10.4. "Reflection Attack involving the Hidden Primary . . . . 24
10.5. Reflection Attacks involving the Synchronization Server 25
10.6. Reflection Attacks involving the Public Authoritative
Servers . . . . . . . . . . . . . . . . . . . . . . . . 26
10.7. Flooding Attack . . . . . . . . . . . . . . . . . . . . 26
10.8. Replay Attack . . . . . . . . . . . . . . . . . . . . . 27
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
12. Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . 28
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 28
13.1. Normative References . . . . . . . . . . . . . . . . . . 28
13.2. Informative References . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Introduction
IPv6 provides global end to end IP reachability. End users prefer to
use names instead of long and complex IPv6 addresses when accessing
services hosted in the home network.
Customer Edge Routers and other Customer Premises Equipment (CPEs)
are already providing IPv6 connectivity to the home network, and
generally provide IPv6 addresses or prefixes to the nodes of the home
network. In addition, [RFC7368] recommends that home networks be
resilient to connectivity disruption from the ISP. This could be
achieved by a dedicated device inside the home network that builds,
serves or manage the Homenet Zone, thus providing bindings between
names and IP addresses.
CPEs are of course good candidates to manage the binding between
names and IP addresses of nodes. However, this could also be
performed by another device in the home network that is not a CPE.
In addition, a given home network may have multiple nodes that may
implement this functionality. Since management of the Homenet Zone
involves DNS specific mechanisms that cannot be distributed (primary
server), when multiple nodes can potentially manage the Homenet Zone,
a single node needs to be selected. This selected node is designated
as the Homenet Naming Authority (HNA).
Migault, et al. Expires November 11, 2019 [Page 3]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
CPEs, Homenet Naming Authority, as well as home network devices are
usually low powered devices not designed not for terminating heavy
traffic. As a result, hosting an authoritative DNS service on the
Internet may expose the home network to resource exhaustion and other
attacks. This may isolate the home network from the Internet and
also impact the services hosted by the such an home network device,
thus affecting overall home network communication.
In order to avoid resource exhaustion and other attacks, this
document describes an architecture that outsources the authoritative
naming service of the home network. More specifically, the Homenet
Naming Authority builds the Homenet Zone and outsources it to an
Outsourcing Infrastructure. The Outsourcing Infrastructure in in
charge of publishing the corresponding Public Homenet Zone on the
Internet.
Section 4.1 provides an architecture description that describes the
relation between the Homenet Naming Authority and the Outsourcing
Architecture. In order to keep the Public Homenet Zone up-to-date
Section 5 describes how the Homenet Zone and the Public Homenet Zone
can be synchronized. The proposed architecture aims at deploying
DNSSEC, and the Public Homenet Zone is expected to be signed with a
secure delegation. The zone signing and secure delegation may be
performed either by the Homenet Naming Authority or by the
Outsourcing Infrastructure. Section 6 discusses these two
alternatives. Section 7 discusses the consequences of publishing
multiple representations of the same zone also commonly designated as
views. This section provides guidance to limit the risks associated
with multiple views. Section 7.4 discusses management of the reverse
zone. Section 8 discusses how renumbering should be handled.
Finally, Section 9 and Section 10 respectively discuss privacy and
security considerations when outsourcing the Homenet Zone.
3. Terminology
o Customer Premises Equipment: (CPE) is a router providing
connectivity to the home network.
o Homenet Naming Authority: (HNA) is a home network node responsible
to manage the Homenet Zone. This includes building the Homenet
Zone, as well as managing the distribution of that Homenet Zone
through the Outsourcing Infrastructure.
o Registered Homenet Domain: is the Domain Name associated to the
home network.
o Homenet Zone: is the DNS zone associated with the home network.
It is designated by its Registered Homenet Domain. This zone is
Migault, et al. Expires November 11, 2019 [Page 4]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
built by the HNA and contains the bindings between names and IP
addresses of the nodes in the home network. The HNA synchronizes
the Homenet Zone with the Synchronization Server via a hidden
primary / secondary architecture. The Outsourcing Infrastructure
may process the Homenet Zone - for example providing DNSSEC
signing - to generate the Public Homenet Zone. This Public
Homenet Zone is then transmitted to the Public Authoritative
Server(s) that publish it on the Internet.
o Public Homenet Zone: is the public version of the Homenet Zone.
It is expected to be signed with DNSSEC. It is hosted by the
Public Authoritative Server(s), which are authoritative for this
zone. The Public Homenet Zone and the Homenet Zone might be
different. For example some names might not become reachable from
the Internet, and thus not be hosted in the Public Homenet Zone.
Another example of difference may also occur when the Public
Homenet Zone is signed whereas the Homenet Zone is not signed.
o Outsourcing Infrastructure: is the combination of the
Synchronization Server and the Public Authoritative Server(s).
o Public Authoritative Servers: are the authoritative name servers
hosting the Public Homenet Zone. Name resolution requests for the
Homenet Domain are sent to these servers. For resiliency the
Public Homenet Zone SHOULD be hosted on multiple servers.
o Synchronization Server: is the server with which the HNA
synchronizes the Homenet Zone. The Synchronization Server is
configured as a secondary and the HNA acts as primary. There MAY
be multiple Synchronization Servers, but the text assumes a single
server. In addition, the text assumes the Synchronization Server
is a separate entity. This is not a requirement, and when the HNA
signs the zone, the synchronization function might also be
operated by the Public Authoritative Servers.
o Homenet Reverse Zone: The reverse zone file associated with the
Homenet Zone.
o Reverse Public Authoritative Servers: are the authoritative name
server(s) hosting the Public Homenet Reverse Zone. Queries for
reverse resolution of the Homenet Domain are sent to this server.
Similarly to Public Authoritative Servers, for resiliency, the
Homenet Reverse Zone SHOULD be hosted on multiple servers.
o Reverse Synchronization Server: is the server with which the HNA
synchronizes the Homenet Reverse Zone. It is configured as a
secondary and the HNA acts as primary. There MAY be multiple
Reverse Synchronization Servers, but the text assumes a single
Migault, et al. Expires November 11, 2019 [Page 5]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
server. In addition, the text assumes the Reverse Synchronization
Server is a separate entity. This is not a requirement, and when
the HNA signs the zone, the synchronization function might also be
operated by the Reverse Public Authoritative Servers.
o Hidden Primary: designates the primary server of the HNA, that
synchronizes the Homenet Zone with the Synchronization Server. A
primary / secondary architecture is used between the HNA and the
Synchronization Server. The hidden primary is not expected to
serve end user queries for the Homenet Zone as a regular primary
server would. The hidden primary is only known to its associated
Synchronization Server.
4. Architecture Description
Architecture Description This section describes the architecture for
outsourcing the authoritative naming service from the HNA to the
Outsourcing Infrastructure. Section 4.1 describes the architecture,
Section 4.2 and Section 4.3 illustrates this architecture and shows
how the Homenet Zone should be built by the HNA. It also lists the
necessary parameters the HNA needs to be able to outsource the
authoritative naming service. These two sections are informational
and non-normative.
4.1. Architecture Overview
Figure 1 provides an overview of the architecture.
The home network is designated by the Registered Homenet Domain Name
- example.com in Figure 1. The HNA builds the Homenet Zone
associated with the home network. How the Homenet Zone is built is
out of the scope of this document. The HNA may host or interact with
multiple services to determine name-to-address mappings, such as a
web GUI, DHCP [RFC6644] or mDNS [RFC6762]. These services may
coexist and may be used to populate the Homenet Zone. This document
assumes the Homenet Zone has been populated with domain names that
are intended to be publicly published and that are publicly
reachable. More specifically, names associated with services or
devices that are not expected to be reachable from outside the home
network or names bound to non-globally reachable IP addresses MUST
NOT be part of the Homenet Zone.
Once the Homenet Zone has been built, the HNA does not host an
authoritative naming service, but instead outsources it to the
Outsourcing Infrastructure. The Outsourcing Infrastructure takes the
Homenet Zone as an input and publishes the Public Homenet Zone. If
the HNA does not sign the Homenet Zone, the Outsourcing
Infrastructure may instead sign it on behalf of the HNA. Figure 1
Migault, et al. Expires November 11, 2019 [Page 6]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
provides a more detailed description of the Outsourcing
Infrastructure, but overall, it is expected that the HNA provides the
Homenet Zone. Then the Public Homenet Zone is derived from the
Homenet Zone and published on the Internet.
As a result, DNS queries from the DNS resolvers on the Internet are
answered by the Outsourcing Infrastructure and do not reach the HNA.
Figure 1 illustrates the case of the resolution of node1.example.com.
home network +-------------------+ Internet
| |
| HNA |
| | +-----------------------+
+-------+ |+-----------------+| | Public Authoritative |
| | || Homenet Zone || | Server(s) |
| node1 | || || |+---------------------+|
| | || || || Public Homenet Zone ||
+-------+ || Homenet Domain ||=========|| ||
|| Name || ^ || (example.com) ||
node1.\ || (example.com) || | |+---------------------+|
example.com |+-----------------+| | +-----------------------+
+-------------------+ | ^ |
Synchronization | |
| |
DNSSEC resolution for node1.example.com | v
+-----------------------+
| |
| DNSSEC Resolver |
| |
+-----------------------+
Figure 1: Homenet Naming Architecture Description
The Outsourcing Infrastructure is described in Figure 2. The
Synchronization Server receives the Homenet Zone as an input. The
received zone may be transformed to output the Public Homenet Zone.
Various operations may be performed here, however this document only
considers zone signing as a potential operation. This should occur
only when the HNA outsources this operation to the Synchronization
Server. On the other hand, if the HNA signs the Homenet Zone itself,
the zone would be collected by the Synchronization Server and
directly transferred to the Public Authoritative Server(s). These
policies are discussed and detailed in Section 6 and Section 7.
Migault, et al. Expires November 11, 2019 [Page 7]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
Internet
+------------------------------------------------------+
| Outsourcing Infrastructure |
+------------------------------------------------------+
+----------------------+ +----------------------+
| | | |
| Synchronization | | Public Authoritative |
| Server | | Server(s) |
| | | |
| +------------------+ | X |+--------------------+|
| | Homenet Zone | | ^ || Public Homenet Zone||
=========>| | | | || ||
^ | | | | | || ||
| | | (example.com) | | | || (example.com) ||
| | +------------------+ | | |+--------------------+|
| +----------------------+ | +----------------------+
| Homenet to Public Zone
Synchronization transformation
from the HNA
Figure 2: Outsourcing Infrastructure Description
4.2. Example: Homenet Zone
This section is not normative and intends to illustrate how the HNA
builds the Homenet Zone.
As depicted in Figure 1 and Figure 2, the Public Homenet Zone is
hosted on the Public Authoritative Server(s), whereas the Homenet
Zone is hosted on the HNA. Motivations for keeping these two zones
identical are detailed in Section 7, and this section considers that
the HNA builds the zone that will be effectively published on the
Public Authoritative Server(s). In other words "Homenet to Public
Zone transformation" is the identity also commonly designated as "no
operation" (NOP).
In that case, the Homenet Zone should configure its Name Server RRset
(NS) and Start of Authority (SOA) with the values associated with the
Public Authoritative Server(s). This is illustrated in Figure 3.
public.primary.example.net is the FQDN of the Public Authoritative
Server(s), and IP1, IP2, IP3, IP4 are the associated IP addresses.
Then the HNA should add the additional new nodes that enter the home
network, remove those that should be removed, and sign the Homenet
Zone.
Migault, et al. Expires November 11, 2019 [Page 8]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
$ORIGIN example.com
$TTL 1h
@ IN SOA public.primary.example.net
hostmaster.example.com. (
2013120710 ; serial number of this zone file
1d ; secondary refresh
2h ; secondary retry time in case of a problem
4w ; secondary expiration time
1h ; maximum caching time in case of failed
; lookups
)
@ NS public.authoritative.servers.example.net
public.primary.example.net A @IP1
public.primary.example.net A @IP2
public.primary.example.net AAAA @IP3
public.primary.example.net AAAA @IP4
Figure 3: Homenet Zone
The SOA RRset is defined in [RFC1033], [RFC1035] and [RFC2308]. This
SOA is specific, as it is used for the synchronization between the
Hidden Primary and the Synchronization Server and published on the
DNS Public Authoritative Server(s)..
o MNAME: indicates the primary. In our case the zone is published
on the Public Authoritative Server(s), and its name MUST be
included. If multiple Public Authoritative Server(s) are
involved, one of them MUST be chosen. More specifically, the HNA
MUST NOT include the name of the Hidden Primary.
o RNAME: indicates the email address to reach the administrator.
[RFC2142] recommends using hostmaster@domain and replacing the '@'
sign by '.'.
o REFRESH and RETRY: indicate respectively in seconds how often
secondaries need to check the primary, and the time between two
refresh when a refresh has failed. Default values indicated by
[RFC1033] are 3600 (1 hour) for refresh and 600 (10 minutes) for
retry. This value might be too long for highly dynamic content.
However, the Public Authoritative Server(s) and the HNA are
expected to implement NOTIFY [RFC1996]. So whilst shorter refresh
timers might increase the bandwidth usage for secondaries hosting
large number of zones, it will have little practical impact on the
elapsed time required to achieve synchronization between the
Migault, et al. Expires November 11, 2019 [Page 9]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
Outsourcing Infrastructure and the Hidden Master. As a result,
the default values are acceptable.
o EXPIRE: is the upper limit data SHOULD be kept in absence of
refresh. The default value indicated by [RFC1033] is 3600000
(approx. 42 days). In home network architectures, the HNA
provides both the DNS synchronization and the access to the home
network. This device may be plugged and unplugged by the end user
without notification, thus we recommend a long expiry timer.
o MINIMUM: indicates the minimum TTL. The default value indicated
by [RFC1033] is 86400 (1 day). For home network, this value MAY
be reduced, and 3600 (1 hour) seems more appropriate.
<<!-- ## Considerations on multiple Registered Homenet Domain Names
## are left for future versions When multiple Registered Homenet
Domains are used -like example.com, example.net, example.org, a DNS
Homenet Zone file per Registered Homenet Domain SHOULD be generated.
In order to synchronize the zone contents, the HNA may provide all
bindings in each zone files. As a result, any update MUST be
performed on all zone files, i.e. for all Registered Homenet Domains.
To limit thees updates when multiple Registered Homenet Domains are
involved, the HNA MAY fill all bindings in a specific zone file and
redirect all other zones to that zone. This can be achieved with
redirecting mechanisms like CNAME {{RFC2181}}, {{RFC1034}}, DNAME
{{RFC6672}} or CNAME+DNAME {{I-D.sury-dnsext-cname-dname}}. This is
an implementation issue to determine whether redirection mechanisms
MAY be preferred for large Homenet Zones, or when the number of
Registered Homenet Domain becomes quite large. -->>
4.3. Example: HNA necessary parameters for outsourcing
This section specifies the various parameters required by the HNA to
configure the naming architecture of this document. This section is
informational, and is intended to clarify the information handled by
the HNA and the various settings to be done.
Synchronization Server may be configured with the following
parameters. These parameters are necessary to establish a secure
channel between the HNA and the Synchronization Server as well as to
specify the DNS zone that is in the scope of the communication:
o Synchronization Server: The associated FQDNs or IP addresses of
the Synchronization Server. IP addresses are optional and the
FQDN is sufficient. To secure the binding name and IP addresses,
a DNSSEC exchange is required. Otherwise, the IP addresses should
be entered manually.
Migault, et al. Expires November 11, 2019 [Page 10]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
o Authentication Method: How the HNA authenticates itself to the
Synchronization Server. This MAY depend on the implementation but
this should cover at least IPsec, DTLS and TSIG
o Authentication data: Associated Data. PSK only requires a single
argument. If other authentication mechanisms based on
certificates are used, then HNA private keys, certificates and
certification authority should be specified.
o Public Authoritative Server(s): The FQDN or IP addresses of the
Public Authoritative Server(s). It MAY correspond to the data
that will be set in the NS RRsets and SOA of the Homenet Zone. IP
addresses are optional and the FQDN is sufficient. To secure the
binding between name and IP addresses, a DNSSEC exchange is
required. Otherwise, the IP addresses should be entered manually.
o Registered Homenet Domain: The domain name used to establish the
secure channel. This name is used by the Synchronization Server
and the HNA for the primary / secondary configuration as well as
to index the NOTIFY queries of the HNA when the HNA has been
renumbered.
Setting the Homenet Zone requires the following information.
o Registered Homenet Domain: The Domain Name of the zone. Multiple
Registered Homenet Domains may be provided. This will generate
the creation of multiple Public Homenet Zones.
o Public Authoritative Server(s): The Public Authoritative Server(s)
associated with the Registered Homenet Domain. Multiple Public
Authoritative Server(s) may be provided.
5. Synchronization between HNA and the Synchronization Server
The Homenet Reverse Zone and the Homenet Zone MAY be updated either
with DNS UPDATE [RFC2136] or using a primary / secondary
synchronization. The primary / secondary mechanism is preferred as
it scales better and avoids DoS attacks: First the primary notifies
the secondary that the zone must be updated and leaves the secondary
to proceed with the update when possible. Then, a NOTIFY message is
sent by the primary, which is a small packet that is less likely to
load the secondary. Finally, the AXFR query performed by the
secondary is a small packet sent over TCP (section 4.2 [RFC5936]),
which mitigates reflection attacks using a forged NOTIFY. On the
other hand, DNS UPDATE (which can be transported over UDP), requires
Migault, et al. Expires November 11, 2019 [Page 11]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
more processing than a NOTIFY, and does not allow the server to
perform asynchronous updates.
This document RECOMMENDS use of a primary / secondary mechanism
instead of the use of DNS UPDATE. This section details the primary /
secondary mechanism.
5.1. Synchronization with a Hidden Primary
Uploading and dynamically updating the zone file on the
Synchronization Server can be seen as zone provisioning between the
HNA (Hidden Primary) and the Synchronization Server (Secondary
Server). This can be handled either in band or out of band.
Note that there is no standard way to distribute a DNS primary
between multiple devices. As a result, if multiple devices are
candidate for hosting the Hidden Primary, some specific mechanisms
should be designed so the home network only selects a single HNA for
the Hidden Primary. Selection mechanisms based on HNCP [RFC7788] are
good candidates.
The Synchronization Server is configured as a secondary for the
Homenet Domain Name. This secondary configuration has been
previously agreed between the end user and the provider of the
Synchronization Server. In order to set the primary / secondary
architecture, the HNA acts as a Hidden Primary Server, which is a
regular authoritative DNS Server listening on the WAN interface.
The Hidden Primary Server SHOULD accept SOA [RFC1033], AXFR
[RFC1034], and IXFR [RFC1995] queries from its configured secondary
DNS server(s). The Hidden Primary Server SHOULD send NOTIFY messages
[RFC1996] in order to update Public DNS server zones as updates
occur. Because, the Homenet Zones are likely to be small, the HNA
MUST implement AXFR and SHOULD implement IXFR.
Hidden Primary Server differs from a regular authoritative server for
the home network by:
o Interface Binding: the Hidden Primary Server listens on the WAN
Interface, whereas a regular authoritative server for the home
network would listen on the home network interface.
o Limited exchanges: the purpose of the Hidden Primary Server is to
synchronize with the Synchronization Server, not to serve any
zones to end users. As a result, exchanges are performed with
specific nodes (the Synchronization Server). Further, exchange
types are limited. The only legitimate exchanges are: NOTIFY
initiated by the Hidden Primary and IXFR or AXFR exchanges
Migault, et al. Expires November 11, 2019 [Page 12]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
initiated by the Synchronization Server. On the other hand,
regular authoritative servers would respond to any hosts, and any
DNS query would be processed. The HNA SHOULD filter IXFR/AXFR
traffic and drop traffic not initiated by the Synchronization
Server. The HNA MUST listen for DNS on TCP and UDP and MUST at
least allow SOA lookups of the Homenet Zone.
5.2. Securing Synchronization
Exchange between the Synchronization Server and the HNA MUST be
secured, at least for integrity protection and for authentication.
TSIG [RFC2845] or SIG(0) [RFC2931] MAY be used to secure the DNS
communications between the HNA and the Synchronization Server. TSIG
uses a symmetric key which can be managed by TKEY [RFC2930].
Management of the key involved in SIG(0) is performed through zone
updates. How keys are rolled over with SIG(0) is out-of-scope of
this document. The advantage of these mechanisms is that they are
only associated with the DNS application. Not relying on shared
libraries eases testing and integration. On the other hand, using
TSIG, TKEY or SIG(0) requires these mechanisms to be implemented on
the HNA, which adds code and complexity. Another disadvantage is
that TKEY does not provide authentication mechanisms.
Protocols like TLS [RFC5246] / DTLS [RFC6347] MAY be used to secure
the transactions between the Synchronization Server and the HNA. The
advantage of TLS/DTLS is that this technology is widely deployed, and
most of the devices already embed TLS/DTLS libraries, possibly also
taking advantage of hardware acceleration. Further, TLS/DTLS
provides authentication facilities and can use certificates to
authenticate the Synchronization Server and the HNA. On the other
hand, using TLS/DTLS requires implementing DNS exchanges over TLS/
DTLS, as well as a new service port. This document therefore does
NOT RECOMMEND this option.
IPsec [RFC4301] IKEv2 [RFC7296] MAY also be used to secure
transactions between the HNA and the Synchronization Server.
Similarly to TLS/DTLS, most HNAs already embed an IPsec stack, and
IKEv2 supports multiple authentication mechanisms via the EAP
framework. In addition, IPsec can be used to protect DNS exchanges
between the HNA and the Synchronization Server without any
modifications of the DNS server or client. DNS integration over
IPsec only requires an additional security policy in the Security
Policy Database (SPD). One disadvantage of IPsec is that NATs and
firewall traversal may be problematic. However, in our case, the HNA
is connected to the Internet, and IPsec communication between the HNA
and the Synchronization Server should not be impacted by middle
boxes.
Migault, et al. Expires November 11, 2019 [Page 13]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
<<!-- As mentioned above, TSIG, IPsec and TLS/DTLS MAY be used to
secure transactions between the HNA and the Public Authentication
Servers. The HNA and the Synchronization Server SHOULD implement
TSIG and IPsec. -->>
How the PSK can be used by any of the TSIG, TLS/DTLS or IPsec
protocols: Authentication based on certificates implies a mutual
authentication and thus requires the HNA to manage a private key, a
public key, or certificates, as well as Certificate Authorities.
This adds complexity to the configuration especially on the HNA side.
For this reason, we RECOMMEND that the HNA MAY use PSK or certificate
base authentication, and that the Synchronization Server MUST support
PSK and certificate based authentication.
Note also that authentication of message exchanges between the HNA
and the Synchronization Server SHOULD NOT use the external IP address
of the HNA to index the appropriate keys. As detailed in Section 8,
the IP addresses of the Synchronization Server and the Hidden Primary
are subject to change, for example while the network is being
renumbered. This means that the necessary keys to authenticate
transaction SHOULD NOT be indexed using the IP address, and SHOULD be
resilient to IP address changes.
5.3. HNA Security Policies
This section details security policies related to the Hidden Primary
/ Secondary synchronization.
The Hidden Primary, as described in this document SHOULD drop any
queries from the home network. This could be implemented via port
binding and/or firewall rules. The precise mechanism deployed is out
of scope of this document. The Hidden Primary SHOULD drop any DNS
queries arriving on the WAN interface that are not issued from the
Synchronization Server. The Hidden Primary SHOULD drop any outgoing
packets other than DNS NOTIFY query, SOA response, IXFR response or
AXFR responses. The Hidden Primary SHOULD drop any incoming packets
other than DNS NOTIFY response, SOA query, IXFR query or AXFR query.
The Hidden Primary SHOULD drop any non protected IXFR or AXFR
exchange,depending on how the synchronization is secured.
6. DNSSEC compliant Homenet Architecture
[RFC7368] in Section 3.7.3 recommends DNSSEC to be deployed on both
the authoritative server and the resolver. The resolver side is out
of scope of this document, and only the authoritative part of the
server is considered.
Migault, et al. Expires November 11, 2019 [Page 14]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
Deploying DNSSEC requires signing the zone and configuring a secure
delegation. As described in Section 4.1, signing can be performed
either by the HNA or by the Outsourcing Infrastructure. Section 6.1
details the implications of these two alternatives. Similarly, the
secure delegation can be performed by the HNA or by the Outsourcing
Infrastructure. Section 6.2 discusses these two alternatives.
6.1. Zone Signing"
This section discusses the pros and cons when zone signing is
performed by the HNA or by the Outsourcing Infrastructure. It is
RECOMMENDED that the HNA signs the zone unless there is a strong
argument against this, such as a HNA that is not capable of signing
the zone. In that case zone signing MAY be performed by the
Outsourcing Infrastructure on behalf of the HNA.
Reasons for signing the zone by the HNA are:
o 1) Keeping the Homenet Zone and the Public Homenet Zone equal to
securely optimize DNS resolution. As the Public Zone is signed
with DNSSEC, RRsets are authenticated, and thus DNS responses can
be validated even though they are not provided by the
authoritative server. This provides the HNA the ability to
respond on behalf of the Public Authoritative Server(s). This
could be useful for example if, in the future, the HNA announces
to the home network that the HNA can act as a local authoritative
primary or equivalent for the Homenet Zone. Currently the HNA is
not expected to receive authoritative DNS queries, as its IP
address is not mentioned in the Public Homenet Zone. On the other
hand most HNAs host a resolving function, and could be configured
to perform a local lookup to the Homenet Zone instead of
initiating a DNS exchange with the Public Authoritative Server(s).
Note that outsourcing the zone signing operation means that all
DNSSEC queries SHOULD be cached to perform a local lookup,
otherwise a resolution with the Public Authoritative Server(s)
would be performed.
o 2) Keeping the Homenet Zone and the Public Homenet Zone equal to
securely address the connectivity disruption independence detailed
in [RFC7368] section 4.4.1 and 3.7.5. As local lookups are
possible in case of network disruption, communications within the
home network can still rely on the DNSSEC service. Note that
outsourcing the zone signing operation does not address
connectivity disruption independence with DNSSEC. Instead local
lookup would provide DNS as opposed to DNSSEC responses provided
by the Public Authoritative Server(s).
Migault, et al. Expires November 11, 2019 [Page 15]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
o 3) Keeping the Homenet Zone and the Public Homenet Zone equal to
guarantee coherence between DNS responses. Using a unique zone is
one way to guarantee uniqueness of the responses among servers and
places. Issues generated by different views are discussed in more
details in Section 7.
4) Privacy and Integrity of the DNSSEC Homenet Zone are better
guaranteed. When the Zone is signed by the HNA, it makes
modification of the DNS data - for example for flow redirection -
impossible. As a result, signing the Homenet Zone by the HNA
provides better protection for end user privacy.
Reasons for signing the zone by the Outsourcing Infrastructure are:
1) The HNA may not be capable of signing the zone, most likely
because its firmware does not support this function. However this
reason is expected to become less and less valid over time.
2) Outsourcing DNSSEC management operations. Management operations
involve key roll-over, which can be performed automatically by the
HNA and transparently for the end user. Avoiding DNSSEC management
is mostly motivated by bad software implementations.
3) Reducing the impact of HNA replacement on the Public Homenet Zone.
Unless the HNA private keys can be extracted and stored off-device,
HNA hardware replacement will result in an emergency key roll-over.
This can be mitigated by using relatively small TTLs.
4) Reducing configuration impact on the end user. Unless there are
zero configuration mechanisms in place to provide credentials between
the new HNA and the Synchronization Server, authentication
associations between the HNA and the Synchronization Server would
need to be re-configured. As HNA replacement is not expected to
happen regularly, end users may not be at ease with such
configuration settings. However, mechanisms as described in
[I-D.ietf-homenet-naming-architecture-dhc-options] use DHCP Options
to outsource the configuration and avoid this issue.
5) The Outsourcing Infrastructure is more likely to handle private
keys more securely than the HNA. However, having all private keys in
one place may also nullify that benefit.
6.2. Secure Delegation"
Secure delegation is achieved only if the DS RRset is properly set in
the parent zone. Secure delegation can be performed by the HNA or
the Outsourcing Infrastructures (that is the Synchronization Server
or the Public Authoritative Server(s)).
Migault, et al. Expires November 11, 2019 [Page 16]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
The DS RRset can be updated manually with nsupdate for example. This
requires the HNA or the Outsourcing Infrastructure to be
authenticated by the DNS server hosting the parent of the Public
Homenet Zone. Such a trust channel between the HNA and the parent
DNS server may be hard to maintain with HNAs, and thus may be easier
to establish with the Outsourcing Infrastructure. In fact, the
Public Authoritative Server(s) may use Automating DNSSEC Delegation
Trust Maintenance [RFC7344].
7. Handling Different Views
The Homenet Zone provides information about the home network. Some
users may be tempted to have provide responses dependent on the
origin of the DNS query. More specifically, some users may be
tempted to provide a different view for DNS queries originating from
the home network and for DNS queries coming from the Internet. Each
view could then be associated with a dedicated Homenet Zone.
<!--Regarding {{fig-naming-arch}}, an example of an implementation of
two distinct view could be the Homenet Zone that describes the
homenet view and the Public Homenet Zone that contains the Internet
view, with these two zones being different.-->
Note that this document does not specify how DNS queries originating
from the home network are addressed to the Homenet Zone. This could
be done via hosting the DNS resolver on the HNA for example.
This section is not normative. Section 7.1 details why some nodes
may only be reachable from the home network and not from the global
Internet. Section 7.2 briefly describes the consequences of having
distinct views such as a "home network view" and an "Internet view".
Finally, Section 7.3 provides guidance on how to resolve names that
are only significant in the home network, without creating different
views.
7.1. Misleading Reasons for Local Scope DNS Zone"
The motivation for supporting different views is to provide different
answers dependent on the origin of the DNS query, for reasons such
as:
1: An end user may want to have services not published on the
Internet. Services like the HNA administration interface that
provides the GUI to administer your HNA might not seem advisable to
publish on the Internet. Similarly, services like the mapper that
registers the devices of your home network may also not be desirable
to be published on the Internet. In both cases, these services
should only be known or used by the network administrator. To
Migault, et al. Expires November 11, 2019 [Page 17]
Internet-Draft Outsourcing Authoritative Naming Service May 2019
restrict the access of such services, the home network administrator
may choose to publish these pieces of information only within the
home network, where it might be assumed that the users are more
trusted than on the Internet. Even though this assumption may not be
valid, at least this may reduce the surface of any attack.
2: Services within the home network may be reachable using non global
IP addresses. IPv4 and NAT may be one reason. On the other hand
IPv6 may favor link-local or site-local IP addresses. These IP
addresses are not significant outside the boundaries of the home
network. As a result, they MAY be published in the home network
view, and SHOULD NOT be published in the Public Homenet Zone.
7.2. Consequences"
Enabling different views leads to a non-coherent naming system.
Depending on where resolution is performed, some services will not be
available. This may be especially inconvenient with devices with
multiple interfaces that are attached both to the Internet via a
3G/4G interface and to the home network via a WLAN interface.
Devices may also cache the results of name resolution, and these
cached entries may no longer be valid if a mobile device moves
between a homenet connection and an internet connection e.g. a device
temporarily loses wifi signal and switches to 3G.
Regarding local-scope IP addresses, such devices may end up with poor
connectivity. Suppose, for example, that DNS resolution is performed
via the WLAN interface attached to the HNA, and the response provides
local-scope IP addresses, but the communication is initiated on the
3G/4G interface. Communications with local-scope addresses will be
unreachable on the Internet, thus aborting the communication. The
same situation occurs if a device is flip / flopping between various
WLAN networks.
Regarding DNSSEC, if the HNA does not sign the Homenet Zone and
outsources the signing process, the two views are different, because
one is protected with DNSSEC whereas the other is not. Devices with
multiple interfaces will have difficulty securing the naming
resolution, as responses originating from the home network may not be
signed.
For devices with all its interfaces attached to a single
administrative domain, that is to say the home network, or the
Internet. Incoherence between DNS responses may still also occur if