Note: Adaptive DNS Discovery
- doc
- SVCB
- DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)
- Discovery of Designated Resolvers (DDR)
- Adaptive DNS Resolver Discovery
- DoH and DoT Server Deployment Consideration for Enterprise Network
- A Bootstrapping Procedure to Discover and Authenticate DNS-over-TLS and DNS-over-HTTPS Servers for IoT and BYOD Devices
doc
Designated Resolver: 被一个resolver指定的、用于提供Encrypted DNS服务的另一个Resolver
SVCB
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
用于规范化提供service的配置信息,例如DoH/DoT
DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)
https://datatracker.ietf.org/doc/html/draft-ietf-add-ddr-00
内容比较简单,就是DHCP/RA把ADN(Authenticated Domain Name)、或者IP Address + Port 同步一下。
信任锚点的问题仍然存在。区分managed CPE & unmanaged CPE。
DHCP/RA的合法性:
- DHCPv6-Shield : RFC7610,CPE扔掉local endpoint的DHCP Response message
- RA-Guard: RFC7113, CPE扔掉local endpoint的RA message
- Source Address Validation Improvement (SAVI) for DHCP: RFC7513, CPE过滤fourged source IP addresses packets
Discovery of Designated Resolvers (DDR)
https://datatracker.ietf.org/doc/html/draft-ietf-add-ddr-00
涉及两种Resolver: 提供SVCB信息的原Resolver、SVCB指定的Designated Resolver
已知原Resolver的Address,Discovery: dns://resolver.arpa,查询_dns.resolver.arpa的SVCB
- Authenticated Discovery: Encrypted DNS部署的certificate必须包含双方的IP/Domain
- Opportunistic Discovery: 如果双方的IP地址相同,且为Private IP,则opportunistically跳过certificate检查
已知原Resolver的Domain Name,Discovery: 查询_dns.example.net的SVCB
resolver.arpa 为 special use domain name (SUDN),不应cache
Discovery过程缺乏认证,可能MITM。
Adaptive DNS Resolver Discovery
https://datatracker.ietf.org/doc/html/draft-pauly-add-resolver-discovery-01
Discovery:
- SVCB RR, DNSSEC
- provision domain (PvD) file from Designated DoH Resolver
Validation:
- a well-known HTTPS URI based on a zone apex
- TLS certificate to confirm of domain name ownership
avoid deploying a DoH server that is only designated by a small number of names.
DoH and DoT Server Deployment Consideration for Enterprise Network
https://datatracker.ietf.org/doc/draft-reddy-add-enterprise/
核心是信任锚点从哪里开始算
公共的CA证书下的DoH/DoT
还是经过校验(例如user/password、PAKE、VPN)等派发的DoH/DoT
A Bootstrapping Procedure to Discover and Authenticate DNS-over-TLS and DNS-over-HTTPS Servers for IoT and BYOD Devices
https://datatracker.ietf.org/doc/draft-reddy-add-iot-byod-bootstrap/
先连接到指定网络,例如VPN,或者local network
dnssd 或者 mdns 获取EST Server地址: _est._tcp.example.com / _est._tcp.local
rfc7030: Enrollment over Secure Transport (EST),PAKE协议认证EST server后,下载并信任DNS Service EE Certificate
