A Domain Name System (DNS) Service Parameter and Resource Record for Tunneling Information

A Domain Name System (DNS) Service Parameter and Resource Record for Tunneling Information Independent

2386 Panoramic Circle Apopka FL 32703 US +1-508-333-2270 d3e3e3@gmail.com

Futurewei Technologies

2220 Central Expressway Santa Clara CA 95050 US haoyu.song@futurewei.com

DNSOP DNS SVCB Tunnel Encapsulation A Domain Name System (DNS) Service Binding (SVCB) Service Parameter Type and a DNS Resource Record (RR) Type are specified for storing connection tunneling / encapsulation information in the DNS.

Introduction The Domain Name System (DNS) is a hierarchical, distributed, highly available database with a variety of security features used for bi-directional mapping between domain names and addresses, for email routing, and for other information . This data is formatted into resource records (RRs) whose content type and structure are indicated by the RR Type field. General familiarity with the DNS and its terminology is assumed in this document.

Tunneling It is common for there to be a requirement to use or some benefit from using a "tunnel" or encapsulation scheme when connecting to a service/host. For a reachability use case, see Section 1.3 of . Typically, this involves taking a packet with a transport header addressed to the ultimate destination, adding a tunnel header to the packet, and then adding an outer transport header before transmitting the packet out of a network interface (port). The resulting packet is illustrated in . In some cases, such as IP-in-IP, the Tunneling Header may be null.

Encapsulation The addition of the Outer Transport and Tunneling Headers will lengthen packets which may result in the need for fragmentation. Some tunneling protocol support fragmentation but for those that do not, fragmentation of the Tunneled Packet before encapsulation may be required. This document specifies a Domain Name System (DNS) Service Binding (SVCB) Service Parameter Type and a DNS Resource Record (RR) Type for storing connection tunneling / encapsulation information in the DNS. This enables the storage and retrieval of tunneling information that may be needed to connect to a remote service or host.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The following acronyms are used in this document:

DNS - Domain Name System .
IANA - Internet Assigned Numbers Authority <www.iana.org>.
RDATA - The data portion of an RR.
RR - DNS Resource Record.
RRType - The type field in an RR.
SVCB - Service Binding .

SVCB RR Service Parameter "tunnel" The SVCB (Service Binding) RR is specified in . It provides, when used in the "Service Mode", for the encoding of a variety of "Service Parameters" to assist in connecting to a service. The "tunnel" SVCB Service Parameter, whose numeric key value is TBD1, has a value consisting of the Tunnel Type, Tunnel Parameters Length, and Tunnel Parameters TLVs. It uses the same Tunnel Type codes and parameter TLVs as are specified for the BGP Tunnel Encapsulation Attribute in as shown in . The presentation format for this value is hexadecimal.

SVCB tunnel Service Parameter Value For further details on the fields in see which re-uses these fields with the same names and specifies those details.

TUNNEL RR Type RDATA The RDATA for this RR type includes the following as explained further below and illustrated in :

tunneling information in the format used in the BGP Tunnel Encapsulation Attribute , and
a domain name that maps to the Inner Transport Header destination.

The RRType Code for the TUNNEL RR is TBD2.

TUNNEL RRTYPE Data The fields in are explained below. The contiguous Tunnel Type, Tunnel Parameters Length, and Tunnel Parameters TLV (Value) as a block of data are identical to the "Tunnel Encapsulation TLV" specified in ("The BGP Tunnel Encapsulation Attribute").

Priority

- This field is a two-byte unsigned integer using network byte order that is the priority of using this tunnel to the target. A client MUST use the tunnel with the lowest priority field value RR (highest priority) that meets the following conditions:

The client implements the Tunnel Type.
The client can resolve the Target Name.
The type of packet being tunneled in not prohibited by an optional Protocol Type Tunnel Parameters TLV (see Section 3.4.1 of ). For example, the tunneling could be restricted to TCP packets.

Tunnel Type

- This is the Tunnel Type from the IANA "BGP Tunnel Encapsulation Attribute Tunnel Types" registry as specified in .

Tunnel Parameters Length

- A two-byte unsigned integer using network byte order giving the number of octets in the Tunnel Parameters TLVs field. Necessary because that field is not self-terminating.

Tunnel Parameters TLVs

- This field consists of "Tunnel Encapsulation Attribute Sub-TLVs" as specified in . These TLVs can specify a variety of parameters, including the following, which may be useful in constructing the Outer Transport Header ():

Tunnel Egress Endpoint
Differentiated Services Field
UDP Destination Port

Target Name

- The domain name of the ultimate destination in DNS wire encoding format. This domain name MUST NOT be compressed . Used to obtain the destination address for the construction of the Inner Transport Header as shown in . (The Outer Transport Header comes from the Tunnel Egress Endpoint sub-TLV.)

Use of the Specified RRs A client/application seeking to send packets to a host or service can query the DNS using the name of the host or service for the TUNNEL RR. If that name is found and one or more TUNNEL RRs are returned, it can use the highest priority TUNNEL RR for which it has implemented the Tunnel Type indicated in that RR to create and populate a tunneling header as shown in . The Target Name in that TUNNEL RR can then be used to obtain an address for use in the Outer Transport Header as also shown in . With these headers, a packet can then be transmitted. Where a client/application is already using the SVCB RR , similar logic applies using the tunnel SVCB Service Parameter.

Acknowledgements The suggestions and comments of the following persons are gratefully acknowledged: tbd

IANA Considerations IANA is requested to assign a value from the Service Parameter Keys Registry on the "DNS Service Bindings (SVCB)" IANA web page as follows:

Number	Name	Meaning	Reference
TBD1	tunnel	Tunneling information	[this document]

IANA is requested to assign a TUNNEL RR Type (TBD2) as in the template in Appendix A.

Security Considerations For SVCB Security Considerations, see . For Tunnel Encapsulation attribute Security Considerations, see Tunneling information, including end point identity derived from the facilities specified in this document, is only as reliable as the DNS data. Use of DNSSEC should be considered.

References Normative References Informative References

Tunnel RR Type Template