Disclosure of Negative Trust Anchors in DNS Responses

Disclosure of Negative Trust Anchors in DNS Responses Quad9

babak@farrokhi.net

Cloudflare

jabley@cloudflare.com

Cloudflare

sebastiaan@cloudflare.com

Internet DNS EDE Extended DNS Errors DNSSEC NTA Negative Trust Anchor This document describes a mechanism for disclosing that a Negative Trust Anchor (NTA) was in effect at the time that a DNS response was generated, using an Extended DNS Error (EDE).

Introduction defines the Extended DNS Error (EDE) mechanism, which allows DNS servers to encode additional information in a DNS response. defines the concept of a DNSSEC Negative Trust Anchor (NTA), an operational mechanism by which a validating resolver can be configured to temporarily disable DNSSEC validation for a specific domain to mitigate misconfiguration. A resolver with an NTA in effect might send a response that ordinarily would have been suppressed because of validation failures. This document defines a new EDE that can be sent with a response to indicate that the response was subject to an active NTA. A further goal of this signal is transparency toward end users and applications. Section 3.1 of recommends that operators disclose the NTAs they have in place, for example on a website, and notes that no in-band DNS signal exists to indicate that an NTA is in effect. This document defines that in-band signal, complementing such out-of-band disclosure.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document assumes a familiarity with common DNS terminology as described in .

Extended DNS Error Code TBD - Negative Trust Anchor in Effect A response that includes one or more instances of EDE TBD was generated with a covering NTA in effect. As with all EDEs, the EDE defined in this document is diagnostic; per Section 6 of a client MUST NOT use its presence to alter protocol processing. The inclusion of this EDE in a response does not change AD bit processing in DNS messages in any way. The only purpose of this EDE is to provide additional information about the response in which it appears. This EDE is intended for use in DNS responses sent by a DNS resolver with a configured NTA and SHOULD NOT be included in other responses. For example, a DNS response sent by an authoritative-only DNS server, which does not perform validation and hence has no obvious use for an NTA, SHOULD NOT include this EDE.

Operational Considerations An operator that applies an NTA SHOULD return this EDE in affected responses, so that end users and applications can tell that the response may not have been DNSSEC-validated. This complements, and does not replace, the disclosure recommended in Section 3.1 of . A response might be affected by an NTA for various reasons, not just in the case where the QNAME is subordinate to the domain for which an NTA has been configured. In any case, a resolver MAY include this EDE on any responses while an NTA is in effect, regardless of whether the presence of the NTA had a material effect on the contents of the response. A resolver with multiple NTAs in place simultaneously MAY include multiple instances of this EDE in a single response, each representing a different NTA. The operator MAY use the EXTRA-TEXT field to add context about the NTA, such as the name at which it was configured, the reason it was put in place, a reference where more information can be found, or its expected duration. As noted in Section 2 of , EXTRA-TEXT is intended for human consumption; operators SHOULD keep it readable and SHOULD NOT include private or sensitive information. Structured data MAY be included in the EXTRA-TEXT field, as described in . When multiple instances of this EDE are included, the EXTRA-TEXT field in each instance SHOULD be populated.

IANA Considerations IANA has made the following allocation in the "Extended DNS Error Codes" registry under the "Domain Name System (DNS) Parameters" registry group:

INFO-CODE	Purpose	Reference
TBD	Negative Trust Anchor	This document

Security Considerations An NTA represents an intentional, operator-driven suspension of DNSSEC validation for a specific domain. See for further discussion of the operational and security implications of NTAs. The presence of the EDE defined in this document does not modify AD bit processing in DNS messages, and its only purpose is to provide additional information. EDEs encoded in DNS messages carry no cryptographic signatures and hence enjoy no inherent integrity protection. An on-path attacker could add, remove, or modify an EDE. Clients that require integrity protection of these signals should use an authenticated and encrypted transport between client and resolver, such as DNS over TLS or DNS over HTTPS . See Section 6 of for more discussion.

References Normative References Extended DNS Errors This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. Definition and Use of DNSSEC Negative Trust Anchors DNS Security Extensions (DNSSEC) is now entering widespread deployment. However, domain signing tools and processes are not yet as mature and reliable as those for non-DNSSEC-related domain administration tools and processes. This document defines Negative Trust Anchors (NTAs), which can be used to mitigate DNSSEC validation failures by disabling DNSSEC validation at specified domains. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. Structured Error Data for Filtered DNS Citrix Systems, Inc. Nokia Open-Xchange Orange DNS filtering is widely deployed for various reasons, including network security and policy enforcement. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. Informative References Specification for DNS over Transport Layer Security (TLS) This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. DNS Queries over HTTPS (DoH) This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.

Acknowledgements The authors thank the contributors to this document.