1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
|
Internet Engineering Task Force (IETF) T. Savolainen
Request for Comments: 6731 Nokia
Category: Standards Track J. Kato
ISSN: 2070-1721 NTT
T. Lemon
Nominum, Inc.
December 2012
Improved Recursive DNS Server Selection for Multi-Interfaced Nodes
Abstract
A multi-interfaced node is connected to multiple networks, some of
which might be utilizing private DNS namespaces. A node commonly
receives recursive DNS server configuration information from all
connected networks. Some of the recursive DNS servers might have
information about namespaces other servers do not have. When a
multi-interfaced node needs to utilize DNS, the node has to choose
which of the recursive DNS servers to use. This document describes
DHCPv4 and DHCPv6 options that can be used to configure nodes with
information required to perform informed recursive DNS server
selection decisions.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6731.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Savolainen, et al. Standards Track [Page 1]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
2. Private Namespaces and Problems for Multi-Interfaced Nodes . . 4
2.1. Fully Qualified Domain Names with Limited Scopes . . . . . 4
2.2. Network-Interface-Specific IP Addresses . . . . . . . . . 5
2.3. A Problem Not Fully Solved by the Described Solution . . . 6
3. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 7
3.1. CPE Deployment Scenario . . . . . . . . . . . . . . . . . 7
3.2. Cellular Network Scenario . . . . . . . . . . . . . . . . 7
3.3. VPN Scenario . . . . . . . . . . . . . . . . . . . . . . . 8
3.4. Dual-Stack Accesses . . . . . . . . . . . . . . . . . . . 8
4. Improved RDNSS Selection . . . . . . . . . . . . . . . . . . . 8
4.1. Procedure for Prioritizing RDNSSes and Handling
Responses . . . . . . . . . . . . . . . . . . . . . . . . 9
4.2. RDNSS Selection DHCPv6 Option . . . . . . . . . . . . . . 11
4.3. RDNSS Selection DHCPv4 Option . . . . . . . . . . . . . . 13
4.4. Scalability Considerations . . . . . . . . . . . . . . . . 15
4.5. Limitations on Use . . . . . . . . . . . . . . . . . . . . 15
4.6. Coexistence of Various RDNSS Configuration Tools . . . . . 16
4.7. Considerations on Follow-Up Queries . . . . . . . . . . . 17
4.8. Closing Network Interfaces and Local Caches . . . . . . . 17
5. Example of a Node Behavior . . . . . . . . . . . . . . . . . . 17
6. Considerations for Network Administrators . . . . . . . . . . 19
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
8.1. Attack Vectors . . . . . . . . . . . . . . . . . . . . . . 20
8.2. Trust Levels of Network Interfaces . . . . . . . . . . . . 21
8.3. Importance of Following the Algorithm . . . . . . . . . . 21
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
9.1. Normative References . . . . . . . . . . . . . . . . . . . 21
9.2. Informative References . . . . . . . . . . . . . . . . . . 22
Appendix A. Possible Alternative Practices for RDNSS Selection . 23
A.1. Sending Queries Out on Multiple Interfaces in Parallel . . 23
A.2. Search List Option for DNS Forward Lookup Decisions . . . 23
A.3. More-Specific Routes for Reverse Lookup Decisions . . . . 24
A.4. Longest Matching Prefix for Reverse Lookup Decisions . . . 24
Appendix B. DNSSEC and Multiple Answers Validating with
Different Trust Anchors . . . . . . . . . . . . . . . 24
Appendix C. Pseudocode for RDNSS Selection . . . . . . . . . . . 24
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 29
Savolainen, et al. Standards Track [Page 2]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
1. Introduction
A multi-interfaced node (MIF node) faces several problems a single-
homed node does not encounter, as is described in [RFC6418]. This
document studies in detail the problems private namespaces might
cause for multi-interfaced nodes and provides a solution. The node
might be implemented as a host or as a router.
We start from the premise that network operators sometimes include
private, but still globally unique, namespaces in the answers they
provide from Recursive DNS Servers (RDNSSes) and that those private
namespaces are at least as useful to nodes as the answers from the
public DNS. When private namespaces are visible for a node, some
RDNSSes have information other RDNSSes do not have. The node ought
to be able to query the RDNSS that can resolve the query regardless
of whether the answer comes from the public DNS or a private
namespace.
An example of an application that benefits from multi-interfacing is
a web browser that commonly accesses many different destinations,
each of which is available on only one network. The browser
therefore needs to be able to communicate over different network
interfaces, depending on the destination it is trying to reach.
Selection of the correct interface and source address is often
crucial in the networks using private namespaces. In such
deployments, the destination's IP addresses might only be reachable
on the network interface over which the destination's name was
resolved. Henceforth, the solution described in this document is
assumed to be commonly used in combination with tools for delivering
additional routing and source and destination address selection
policies (e.g., [RFC4191] and [RFC3442].
This document is organized in the following manner. Background
information about problem descriptions and example deployment
scenarios are included in Sections 2 and 3. Section 4 contains all
normative descriptions for DHCP options and node behavior.
Informative Section 5 illustrates behavior of a node implementing
functionality described in Section 4. Section 6 contains normative
guidelines related to creation of private namespaces. The IANA
considerations are in Section 7. Informational Section 8 summarizes
identified security considerations.
Appendix A describes best current practices that are possible with
tools preceding this document and that are possibilities on networks
not supporting the solution described in this document. Appendix B
discusses a scenario where multiple answers are possible to validate,
Savolainen, et al. Standards Track [Page 3]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
but with different trust anchors. Appendix C illustrates with
pseudocode the functionality described in Section 4.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Private Namespaces and Problems for Multi-Interfaced Nodes
This section describes two private namespace scenarios related to
node multi-interfacing for which the procedure described in Section 4
provides a solution. Additionally, Section 2.3 describes a problem
for which this document provides only a partial solution.
2.1. Fully Qualified Domain Names with Limited Scopes
A multi-interfaced node can be connected to one or more networks that
are using private namespaces. As an example, the node can
simultaneously open a Wireless LAN (WLAN) connection to the public
Internet, a cellular connection to an operator network, and a Virtual
Private Network (VPN) connection to an enterprise network. When an
application initiates a connection establishment to a Fully Qualified
Domain Name (FQDN), the node needs to be able to choose the right
RDNSS for making a successful DNS query. This is illustrated in
Figure 1. An FQDN for a public name can be resolved with any RDNSS,
but for an FQDN of the private name of an enterprise's or operator's
service, the node needs to be able to correctly select the right
RDNSS for the DNS resolution, i.e., do also network interface
selection already before destination's IP address is known.
Savolainen, et al. Standards Track [Page 4]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
+---------------+
| RDNSS with | | Enterprise
+------+ | public + |----| Intranet
| | | enterprise's | |
| |===== VPN =======| private names | |
| | +---------------+ +----+
| MIF | | FW |
| node | +----+
| | +---------------+ |
| |----- WLAN ------| RDNSS with |----| Public
| | | public names | | Internet
| | +---------------+ +----+
| | | FW |
| | +---------------+ +----+
| |---- cellular ---| RDNSS with | |
+------+ | public + | | Operator
| operator's |----| Intranet
| private names | |
+---------------+
Figure 1: Private DNS Namespaces Illustrated
2.2. Network-Interface-Specific IP Addresses
In the second problem, an FQDN is valid and resolvable via different
network interfaces, but to different and not necessarily globally
reachable IP addresses, as is illustrated in Figure 2. The node's
routing, source, and destination address selection mechanism has to
ensure the destination's IP address is only used in combination with
source IP addresses of the network interface on which the name was
resolved.
+--------------------| |
+------+ IPv6 | RDNSS A |------| IPv6
| |-- interface 1 --| saying Peer is | |
| | | at: 2001:0db8:0::1 | |
| MIF | +--------------------+ +------+
| node | | Peer |
| | +--------------------+ +------+
| | IPv6 | RDNSS B | |
| |-- interface 2 --| saying Peer is | |
+------+ | at: 2001:0db8:1::1 |------| IPv6
+--------------------+ |
Figure 2: Private DNS Namespaces and Different IP Addresses for an
FQDN on Interfaces 1 and 2
Savolainen, et al. Standards Track [Page 5]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
A similar situation can happen with IPv6 protocol translation and
AAAA record synthesis [RFC6147]. A synthetic AAAA record is
guaranteed to be valid only on the network on which it was
synthesized. Figure 3 illustrates a scenario where the peer's IPv4
address is synthesized into different IPv6 addresses by RDNSSes A and
B.
+-------------------| +-------+
+------+ IPv6 | RDNSS A |----| NAT64 |
| |-- interface 1 --| saying Peer is | +-------+
| | | at: A_Pref96:IPv4 | |
| MIF | +-------------------+ | +------+
| node | IPv4 +---| Peer |
| | +-------------------+ | +------+
| | IPv6 | RDNSS B | |
| |-- interface 2 --| saying Peer is | +-------+
+------+ | at: B_Pref96:IPv4 |----| NAT64 |
+-------------------+ +-------+
Figure 3: AAAA Synthesis Results in
Network-Interface-Specific IPv6 Addresses
It is worth noting that network-specific IP addresses can also cause
problems for a single-homed node, if the node retains DNS cache
during movement from one network to another. After the network
change, a node can have entries in its DNS cache that are no longer
correct or appropriate for its new network position.
2.3. A Problem Not Fully Solved by the Described Solution
A more complex scenario is an FQDN, which in addition to possibly
resolving into network-interface-specific IP addresses, identifies on
different network interfaces completely different peer entities with
potentially different sets of service offerings. In an even more
complex scenario, an FQDN identifies a unique peer entity, but one
that provides different services on its different network interfaces.
The solution described in this document is not able to tackle these
higher-layer issues. In fact, these problems might be solvable only
by manual user intervention.
However, when DNS Security (DNSSEC) is used, the DNSSEC validation
procedure can provide assistance for selecting correct responses for
some, but not all, use cases. A node might prefer to use the DNS
answer that validates with the preferred trust anchor.
Savolainen, et al. Standards Track [Page 6]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
3. Deployment Scenarios
This document has been written with three particular deployment
scenarios in mind. The first is a Customer Premises Equipment (CPE)
with two or more uplink Virtual Local Area Network (VLAN)
connections. The second scenario involves a cellular device with two
uplink Internet connections: WLAN and cellular. The third scenario
is for VPNs, where use of a local RDNSS might be preferred for
latency reasons, but the enterprise's RDNSS has to be used to resolve
private names used by the enterprise.
In this section, we are referring to the RDNSS preference values
defined in Section 4. The purpose of that is to illustrate when
administrators might choose to utilize the different preference
values.
3.1. CPE Deployment Scenario
A home gateway can have two uplink connections leading to different
networks, as described in [WITHOUT-IPV6NAT]. In the two-uplink
scenario, only one uplink connection leads to the Internet, while the
other uplink connection leads to a private network utilizing private
namespaces.
It is desirable that the CPE does not have to send DNS queries over
both uplink connections, but instead, CPE need only send default
queries to the RDNSS of the interface leading to the Internet and
queries related to the private namespace to the RDNSS of the private
network. This can be configured by setting the RDNSS of the private
network to know about listed domains and networks, but not to be a
default RDNSS.
In this scenario, the legacy hosts can be supported by deploying DNS
proxy on the CPE and configuring hosts in the LAN to talk to the DNS
proxy. However, updated hosts would be able to talk directly to the
correct RDNSS of each uplink ISP's RDNSS. It is a deployment
decision whether the updated hosts would be pointed to a DNS proxy or
to actual RDNSSes.
Depending on actual deployments, all VLAN connections might be
considered trusted.
3.2. Cellular Network Scenario
A cellular device can have both WLAN and cellular network interfaces
up. In such a case, it is often desirable to use WLAN by default,
except for the connections that the cellular network operator wants
to go over the cellular interface. The use of WLAN for DNS queries
Savolainen, et al. Standards Track [Page 7]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
likely improves the power consumption of cellular devices and often
provides lower latency. The cellular network might utilize private
names; hence, the cellular device needs to ask for those through the
cellular interface. This can be configured by setting the RDNSS of
the cellular network to be of low preference and listing the domains
and networks related to the cellular network's private namespaces as
being available via the cellular network's RDNSS. This will cause a
node to send DNS queries by default to the RDNSS of the WLAN
interface (that is, by default, considered to be of medium
preference) and queries related to private namespaces to the RDNSS of
the cellular interface.
In this scenario, the cellular interface can be considered trusted
and WLAN oftentimes untrusted.
3.3. VPN Scenario
Depending on a deployment, there might be interest in using VPN only
for the traffic destined to a enterprise network. The enterprise
might be using private namespaces; hence, related DNS queries need to
be sent over VPN to the enterprise's RDNSS, while by default, the
RDNSS of a local access network might be used for all other traffic.
This can be configured by setting the RDNSS of the VPN interface to
be of low preference and listing the domains and networks related to
an enterprise network's private namespaces being available via the
RDNSS of the VPN interface. This will cause a node to send DNS
queries by default directly to the RDNSS of the WLAN interface (that
is, by default, considered to be of medium preference) and queries
related to private namespaces to the RDNSS of the VPN interface.
In this scenario, the VPN interface can be considered trusted and the
local access network untrusted.
3.4. Dual-Stack Accesses
In all three scenarios, one or more of the connected networks can
support both IPv4 and IPv6. In such a case, both or either of DHCPv4
and DHCPv6 can be used to learn RDNSS selection information.
4. Improved RDNSS Selection
This section describes DHCP options and a procedure that a (stub/
proxy) resolver can utilize for improved RDNSS selection in the face
of private namespaces and multiple simultaneously active network
interfaces. The procedure is subject to limitations of use as
described in Section 4.5. The pseudocode in Appendix C illustrates
how the improved RDNSS selection works.
Savolainen, et al. Standards Track [Page 8]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
4.1. Procedure for Prioritizing RDNSSes and Handling Responses
A resolver SHALL build a preference list of RDNSSes it will contact
depending on the query. To build the list in an optimal way, a node
SHALL request for RDNSS selection information with the DHCP options
defined in Sections 4.2 and 4.3 before any DNS queries need to be
made. With help of the received RDNSS selection information, the
node can determine if any of the available RDNSSes have special
knowledge about specific domains needed for forward DNS lookups or
network addresses (later referred as "network") needed for reverse
DNS lookups.
A resolver lacking more specific information can assume that all
information is available from any RDNSS of any network interface.
The RDNSSes learned by other RDNSS address configuration methods can
be considered as default RDNSSes, but preference-wise, they MUST be
handled as medium preference RDNSSes (see also Section 4.6).
When a DNS query needs to be made, the resolver MUST give highest
preference to the RDNSSes explicitly known to serve a matching domain
or network. The resolver MUST take into account differences in trust
levels (see Section 8.2) of pieces of received RDNSS selection
information. The resolver MUST prefer RDNSSes of trusted interfaces.
The RDNSSes of untrusted interfaces can be of highest preference only
if the trusted interfaces specifically configures low preference
RDNSSes. The non-exhaustive list of cases in Figure 4 illustrates
how the different trust levels of received RDNSS selection
information influence the RDNSS selection logic. In Figure 4,
"Medium", "High", and "Low" indicate the explicitly configured
RDNSS's preference over other RDNSSes. The "Medium" preference is
also used with RDNSSes for which no explicit preference configuration
information is available. The "Specific domains" in Figure 4
indicate the explicitly configured "Domains and networks" private
namespace information that a particular RDNSS has.
A resolver MUST prioritize between equally trusted RDNSSes with the
help of the DHCP option preference field. The resolver MUST NOT
prioritize less trusted RDNSSes higher than trusted, even in the case
when a less trusted RDNSS would apparently have additional
information. In the case of all other things being equal, the
resolver can make the prioritization decision based on its internal
preferences.
Savolainen, et al. Standards Track [Page 9]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
Information from | Information from | Resulting RDNSS
more trusted | less trusted | preference
interface A | interface B | selection
--------------------------+------------------------+-----------------
1. Medium preference | Medium preference | Default:
default | default | A, then B
--------------------------+------------------------+-----------------
2. Medium preference | High preference default| Default:
default | | A, then B
| Specific domains | Specific:
| | A, then B
--------------------------+------------------------+-----------------
3. Low preference default | Medium preference | Default:
| default | B, then A
--------------------------+------------------------+-----------------
4. Low preference default | Medium preference | Default:
| default | B, then A
Specific domains | | Specific:
| | A, then B
--------------------------+------------------------+-----------------
Figure 4: RDNSS Selection in the Case of Different Trust Levels
Because DNSSEC provides cryptographic assurance of the integrity of
DNS data, it is necessary to prefer data that can be validated under
DNSSEC over data that cannot. There are two ways that a node can
determine that data is valid under DNSSEC. The first is to perform
DNSSEC validation itself. The second is to have a secure connection
to an authenticated RDNSS and to rely on that RDNSS to perform DNSSEC
validation (signaling that it has done so using the AD bit). DNSSEC
is necessary to detect forged responses, and without it any DNS
response could be forged or altered. Unless the DNS responses have
been validated with DNSSEC, a node cannot make a decision to prefer
data from any interface with any great assurance.
A node SHALL send requests to RDNSSes in the order defined by the
preference list until an acceptable reply is received, all replies
are received, or a timeout occurs. In the case of a requested name
matching to a specific domain or network rule accepted from any
interface, a DNSSEC-aware resolver MUST NOT proceed with a reply that
cannot be validated using DNSSEC until all RDNSSes on the preference
list have been contacted or timed out. This protects against
possible redirection attacks. In the case of the requested name not
matching to any specific domain or network, the first received
response from any RDNSS can be considered acceptable. A DNSSEC-aware
node MAY always contact all RDNSSes in an attempt to receive a
response that can be validated, but contacting all RDNSSes is not
Savolainen, et al. Standards Track [Page 10]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
mandated for the default case as that would consume excess resources
in some deployments.
In the case of a validated NXDOMAIN response being received from an
RDNSS that can provide answers for the queried name, a node MUST NOT
accept non-validated replies from other RDNSSes (see Appendix B for
considerations related to multiple trust anchors).
4.2. RDNSS Selection DHCPv6 Option
DHCPv6 option described below can be used to inform resolvers what
RDNSS can be contacted when initiating forward or reverse DNS lookup
procedures. This option is DNS record type agnostic and applies, for
example, equally to both A and AAAA queries.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_RDNSS_SELECTION | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| DNS-recursive-name-server (IPv6 address) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |prf| |
+-+-+-+-+-+-+-+-+ Domains and networks |
| (variable length) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: DHCPv6 Option for Explicit Domain Configuration
option-code: OPTION_RDNSS_SELECTION (74)
option-len: Length of the option in octets
DNS-recursive-name-server: An IPv6 address of RDNSS
Reserved: Field reserved for the future. MUST be set to zero and
MUST be ignored on receipt.
Savolainen, et al. Standards Track [Page 11]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
prf: RDNSS preference:
01 High
00 Medium
11 Low
10 Reserved
Reserved preference value (10) MUST NOT be sent. On receipt,
the Reserved value MUST be treated as Medium preference (00).
Domains and networks: The list of domains for forward DNS lookup and
networks for reverse DNS lookup about which
the RDNSS has special knowledge. Field MUST
be encoded as specified in Section 8 of
[RFC3315]. A special domain of "." is used to
indicate capability to resolve global names
and act as a default RDNSS. Lack of a "."
domain on the list indicates that the RDNSS
only has information related to listed domains
and networks. Networks for reverse mapping
are encoded as defined for IP6.ARPA [RFC3596]
or IN-ADDR.ARPA [RFC2317].
A node SHOULD include the Option Request Option (OPTION_ORO
[RFC3315]) in a DHCPv6 request with the OPTION_RDNSS_SELECTION option
code to inform the DHCPv6 server about the support for the improved
RDNSS selection logic. The DHCPv6 server receiving this information
can then choose to provision RDNSS addresses only with
OPTION_RDNSS_SELECTION.
OPTION_RDNSS_SELECTION contains one or more domains of which the
related RDNSS has particular knowledge. The option can occur
multiple times in a single DHCPv6 message, if multiple RDNSSes are to
be configured. This can be the case, for example, if a network link
has multiple RDNSSes for reliability purposes.
The list of networks MUST cover all the domains configured in this
option. The length of the included networks SHOULD be as long as
possible to avoid potential collision with information received on
other option instances or with options received from DHCP servers of
other network interfaces. Overlapping networks are interpreted so
that the resolver can use any of the RDNSSes for queries matching the
networks.
If OPTION_RDNSS_SELECTION contains an RDNSS address already learned
from other DHCPv6 servers of the same network and contains new
domains or networks, the node SHOULD append the information to the
information received earlier. The node MUST NOT remove previously
Savolainen, et al. Standards Track [Page 12]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
obtained information. However, the node SHOULD NOT extend the
lifetime of earlier information either. When a conflicting RDNSS
address is learned from a less trusted interface, the node MUST
ignore the option.
Like the RDNSS options of [RFC3646], OPTION_RDNSS_SELECTION MUST NOT
appear in any other than the following DHCPv6 messages: Solicit,
Advertise, Request, Renew, Rebind, Information-Request, and Reply.
The client SHALL periodically refresh information learned with
OPTION_RDNSS_SELECTION. The information SHALL be refreshed on link-
state changes, such as those caused by node mobility, and when
renewing lifetimes of IPv6 addresses configured with DHCPv6.
Additionally, the DHCPv6 Information Refresh Time Option, as
specified in [RFC4242], can be used to control the update frequency.
4.3. RDNSS Selection DHCPv4 Option
The DHCPv4 option described below can be used to inform resolvers
which RDNSS can be contacted when initiating forward or reverse DNS
lookup procedures. This option is DNS record type agnostic and
applies, for example, equally to both A and AAAA queries.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CODE | Len | Reserved |prf| Primary .. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| .. DNS-recursive-name-server's IPv4 address | Secondary .. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| .. DNS-recursive-name-server's IPv4 address | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
+ Domains and networks |
| (variable length) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: DHCPv4 Option for Explicit Domain Configuration
option-code: RDNSS Selection (146)
option-len: Length of the option in octets
Reserved: Field reserved for the future. MUST be set to zero and
MUST be ignored on receipt.
Savolainen, et al. Standards Track [Page 13]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
prf: RDNSS preference:
01 High
00 Medium
11 Low
10 Reserved
Reserved preference value (10) MUST NOT be sent. On receipt,
the Reserved value MUST be treated as Medium preference (00).
Primary DNS-recursive-name-server's IPv4 address: Address of a
primary RDNSS
Secondary DNS-recursive-name-server's IPv4 address: Address of a
secondary RDNSS
or 0.0.0.0 if
not configured
Domains and networks: The list of domains for forward DNS lookup and
networks for reverse DNS lookup about which
the RDNSSes have special knowledge. Field
MUST be encoded as specified in Section 8 of
[RFC3315]. A special domain of "." is used to
indicate capability to resolve global names
and act as the default RDNSS. Lack of a "."
domain on the list indicates that RDNSSes only
have information related to listed domains and
networks. Networks for reverse mapping are
encoded as defined for IP6.ARPA [RFC3596] or
IN-ADDR.ARPA [RFC2317].
The RDNSS Selection option contains one or more domains of which the
primary and secondary RDNSSes have particular knowledge. If the
length of the domains and networks field causes option length to
exceed the maximum permissible for a single option (255 octets), then
multiple options MAY be used, as described in "Encoding Long Options
in the Dynamic Host Configuration Protocol (DHCPv4)" [RFC3396]. When
multiple options are present, the data portions of all option
instances are concatenated together.
The list of networks MUST cover all the domains configured in this
option. The length of the included networks SHOULD be as long as
possible to avoid potential collision with information received on
other option instances or with options received from DHCP servers of
other network interfaces. Overlapping networks are interpreted so
that the resolver can use any of the RDNSSes for queries matching the
networks.
Savolainen, et al. Standards Track [Page 14]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
If the RDNSS Selection option contains an RDNSS address already
learned from other DHCPv4 servers of the same network and contains
new domains or networks, the node SHOULD append the information to
the information received earlier. The node MUST NOT remove
previously obtained information. However, the node SHOULD NOT extend
the lifetime of earlier information either. When a conflicting RDNSS
address is learned from a less trusted interface, the node MUST
ignore the option.
The client SHALL periodically refresh information learned with the
RDNSS Selection option. The information SHALL be refreshed on link-
state changes, such as those caused by node mobility, and when
extending the lease of IPv4 addresses configured with DHCPv4.
4.4. Scalability Considerations
The general size limitations of the DHCP messages limit the number of
domains and networks that can be carried inside of these RDNSS
selection options. The DHCP options for RDNSS selection are best
suited for those deployments where relatively few and carefully
selected domains and networks are enough.
4.5. Limitations on Use
The RDNSS selection option SHOULD NOT be enabled by default. (In
this section, "RDNSS selection option" refers to the DHCPv4 RDNSS
Selection option and the DHCPv6 OPTION_RDNSS_SELECTION.) The option
can be used in the following environments:
1. The RDNSS selection option is delivered across a secure, trusted
channel.
2. The RDNSS selection option is not secured, but the client on a
node does DNSSEC validation.
3. The RDNSS selection option is not secured, the resolver does
DNSSEC validation, and the client communicates with the resolver
configured with the RDNSS selection option over a secure, trusted
channel.
4. The IP address of the RDNSS that is being recommended in the
RDNSS selection option is known and trusted by the client; that
is, the RDNSS selection option serves not to introduce the client
to a new RDNSS, but rather to inform it that the RDNSS it has
already been configured to trust is available to it for resolving
certain domains.
Savolainen, et al. Standards Track [Page 15]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
As the DHCP by itself cannot tell whether it is using a secure,
trusted channel, or whether the client on a node is performing DNSSEC
validation, this option cannot be used without being explicitly
enabled. The functionality can be enabled for an interface via
administrative means, such as by provisioning tools or manual
configuration. Furthermore, the functionality can be automatically
enabled by a client on a node that knows it is performing DNSSEC
validation or by a node that is configured or hard-coded to trust
certain interfaces (see Section 8.2).
4.6. Coexistence of Various RDNSS Configuration Tools
The DHCPv4 RDNSS Selection option and the DHCPv6
OPTION_RDNSS_SELECTION are designed to coexist with each other and
with other tools used for RDNSS address configuration.
For RDNSS selection purposes, information received from all tools
MUST be combined together into a single list, as discussed in
Section 4.1.
It can happen that DHCPv4 and DHCPv6 are providing conflicting RDNSS
selection information on the same or on equally trusted interfaces.
In such a case, DHCPv6 MUST be preferred unless DHCPv4 is utilizing
additional security frameworks for protecting the messages.
The RDNSSes learned via tools other than the DHCPv4 RDNSS Selection
option and the DHCPv6 OPTION_RDNSS_SELECTION MUST be handled as
default RDNSSes, with medium preference, when building a list of
RDNSSes to talk to (see Section 4.1).
The non-exhaustive list of possible other sources for RDNSS address
configuration are:
(1) DHCPv6 OPTION_DNS_SERVERS defined in [RFC3646].
(2) DHCPv4 Domain Server option defined in [RFC2132].
(3) IPv6 Router Advertisement RDNSS Option defined in [RFC6106].
When the RDNSS selection option contains a default RDNSS address and
other sources are providing RNDSS addresses, the resolver MUST make
the decision about which one to prefer based on the RDNSS preference
field value. If the RDNSS selection option defines medium
preference, then the RDNSS from the RDNSS selection option SHALL be
selected.
If multiple sources are providing same RDNSS(es) IP address(es), each
address MUST be added to the RDNSS list only once.
Savolainen, et al. Standards Track [Page 16]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
If a node had indicated support for OPTION_RDNSS_SELECTION in a
DHCPv6 request, the DHCPv6 server MAY omit sending of
OPTION_DNS_SERVERS. This enables offloading use case where the
network administrator wishes to only advertise low preference default
RDNSSes.
4.7. Considerations on Follow-Up Queries
Any follow-up queries that are performed on the basis of an answer
received on an interface MUST continue to use the same interface,
irrespective of the RDNSS selection settings on any other interface.
For example, if a node receives a reply with a canonical name (CNAME)
or delegation name (DNAME), the follow-up queries MUST be sent to
RDNSS(es) of the same interface, or to the same RDNSS, irrespectively
of the FQDN received. Otherwise, referrals can fail.
4.8. Closing Network Interfaces and Local Caches
Cached information related to private namespaces can become obsolete
after the network interface over which the information was learned is
closed (Section 2.2) or a new parallel network interface is opened
that alters RDNSS selection preferences. An implementation SHOULD
ensure obsolete information is not retained in these events. One
implementation approach to avoid unwanted/obsolete responses from the
local cache is to manage per-interface DNS caches or have interface
information stored in the DNS cache. An alternative approach is to
perform, possibly selective, DNS cache flushing on interface change
events.
5. Example of a Node Behavior
Figure 7 illustrates node behavior when it initializes two network
interfaces for parallel usage and learns domain and network
information from DHCPv6 servers.
Savolainen, et al. Standards Track [Page 17]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
Application Node DHCPv6 server DHCPv6 server
on interface 1 on interface 2
| | |
| +-----------+ |
(1) | | open | |
| | interface | |
| +-----------+ |
| | |
(2) | |---option REQ-->|
| |<--option RESP--|
| | |
| +-----------+ |
(3) | | store | |
| | domains | |
| +-----------+ |
| | |
| +-----------+ |
(4) | | open | |
| | interface | |
| +-----------+ |
| | | |
(5) | |---option REQ------------------->|
| |<--option RESP-------------------|
| | | |
| +----------+ | |
(6) | | store | | |
| | domains | | |
| +----------+ | |
| | | |
Figure 7: Illustration of Learning Domains
Flow explanations:
1. A node opens its first network interface.
2. The node obtains domain 'domain1.example.com' and IPv6 network
'0.8.b.d.0.1.0.0.2.ip6.arpa' for the new interface 1 from the
DHCPv6 server.
3. The node stores the learned domains and IPv6 networks for later
use.
4. The node opens its second network interface 2.
5. The node obtains domain 'domain2.example.com' and IPv6 network
information, say '1.8.b.d.0.1.0.0.2.ip6.arpa' for the new
interface 2 from the DHCPv6 server.
Savolainen, et al. Standards Track [Page 18]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
6. The node stores the learned domains and networks for later use.
Figure 8 illustrates how a resolver uses the learned domain
information. Network information use for reverse lookups is not
illustrated, but that would be similar to the example in Figure 8.
Application Node RDNSS RDNSS
on interface 1 on interface 2
| | | |
(1) |--Name REQ-->| | |
| | | |
| +----------------+ | |
(2) | | RDNSS | | |
| | prioritization | | |
| +----------------+ | |
| | | |
(3) | |------------DNS resolution------>|
| |<--------------------------------|
| | | |
(4) |<--Name resp-| | |
| | | |
Figure 8: Example on Choosing Interface Based on Domain
Flow explanations:
1. An application makes a request for resolving an FQDN, e.g.,
'private.domain2.example.com'.
2. A node creates list of RDNSSes to contact and uses configured
RDNSS selection information and stored domain information on
prioritization decisions.
3. The node has chosen interface 2, as it was learned earlier from
DHCPv6 that the interface 2 has domain 'domain2.example.com'.
The node then resolves the requested name using interface 2's
RDNSS to an IPv6 address.
4. The node replies to the application with the resolved IPv6
address.
6. Considerations for Network Administrators
Network administrators deploying private namespaces can assist
advanced nodes in their RDNSS selection process by providing the
information described within this document.
Savolainen, et al. Standards Track [Page 19]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
Private namespaces MUST be globally unique in order to keep DNS
unambiguous and henceforth avoid caching-related issues and
destination selection problems (see Section 2.3). Exceptions to this
rule are domains utilized for local name resolution (such as .local).
Private namespaces MUST only consist of subdomains of domains for
which the relevant operator provides authoritative name service.
Thus, subdomains of example.com are permitted in the private
namespace served by an operator's RDNSSes only if the same operator
provides a SOA record for example.com.
It is RECOMMENDED for administrators utilizing this tool to deploy
DNSSEC for their zone in order to counter attacks against private
namespaces.
7. IANA Considerations
Per this memo, IANA has assigned two new option codes.
The first option code has been assigned for the DHCPv4 RDNSS
Selection option (146) from the "BOOTP Vendor Extensions and DHCP
Options" registry in the group "Dynamic Host Configuration Protocol
(DHCP) and Bootstrap Protocol (BOOTP) Parameters".
The second option code is requested to be assigned for the DHCPv6
OPTION_RDNSS_SELECTION (74) from the "DHCP Option Codes" registry in
the group "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)".
8. Security Considerations
8.1. Attack Vectors
It is possible that attackers might try to utilize the DHCPv4 RDNSS
Selection option or the DHCPv6 OPTION_RDNSS_SELECTION option to
redirect some or all DNS queries sent by a resolver to undesired
destinations. The purpose of an attack might be denial of service,
preparation for man-in-the-middle attack, or something akin.
Attackers might try to lure specific traffic by advertising domains
and networks from very small to very large scope or simply by trying
to place the attacker's RDNSS as the highest preference default
RDNSS.
The best countermeasure for nodes is to implement validating DNSSEC-
aware resolvers. Trusting validation done by an RDNSS is a
possibility only if a node trusts the RDNSS and can use a secure
channel for DNS messages.
Savolainen, et al. Standards Track [Page 20]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
8.2. Trust Levels of Network Interfaces
Trustworthiness of an interface and configuration information
received over the interface is implementation and/or node deployment
dependent, and the details of determining that trust are beyond the
scope of this specification. Trust might, for example, be based on
the nature of the interface: an authenticated and encrypted VPN, or a
layer 2 connection to a trusted home network or to a trusted cellular
network, might be considered trusted, while an unauthenticated and
unencrypted connection to an unknown visited network would likely be
considered untrusted.
In many cases, an implementation might not be able to determine trust
levels without explicit configuration provided by the user or the
node's administrator. Therefore, for example, an implementation
might not by default trust configuration received even over VPN
interfaces. In some occasions, standards defining organizations that
are specific to access network technology might be able to define
trust levels as part of the system design work.
8.3. Importance of Following the Algorithm
Section 4 uses normative language for describing a node's internal
behavior in order to ensure that nodes will not open up new attack
vectors by accidental use of RDNSS selection options. During the
standards work, consensus was that it is safer to not always enable
this option by default, but only when deemed useful and safe.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997.
[RFC2317] Eidnes, H., de Groot, G., and P. Vixie, "Classless IN-
ADDR.ARPA delegation", BCP 20, RFC 2317, March 1998.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3396] Lemon, T. and S. Cheshire, "Encoding Long Options in the
Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
November 2002.
Savolainen, et al. Standards Track [Page 21]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
[RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
"DNS Extensions to Support IP Version 6", RFC 3596,
October 2003.
[RFC4242] Venaas, S., Chown, T., and B. Volz, "Information Refresh
Time Option for Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 4242, November 2005.
9.2. Informative References
[RFC3397] Aboba, B. and S. Cheshire, "Dynamic Host Configuration
Protocol (DHCP) Domain Search Option", RFC 3397,
November 2002.
[RFC3442] Lemon, T., Cheshire, S., and B. Volz, "The Classless
Static Route Option for Dynamic Host Configuration
Protocol (DHCP) version 4", RFC 3442, December 2002.
[RFC3646] Droms, R., "DNS Configuration options for Dynamic Host
Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
December 2003.
[RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and
More-Specific Routes", RFC 4191, November 2005.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
[RFC6106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS Configuration",
RFC 6106, November 2010.
[RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van
Beijnum, "DNS64: DNS Extensions for Network Address
Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
April 2011.
[RFC6418] Blanchet, M. and P. Seite, "Multiple Interfaces and
Provisioning Domains Problem Statement", RFC 6418,
November 2011.
[WITHOUT-IPV6NAT]
Troan, O., Miles, D., Matsushima, S., Okimoto, T., and D.
Wing, "IPv6 Multihoming without Network Address
Translation", Work in Progress, February 2012.
Savolainen, et al. Standards Track [Page 22]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
Appendix A. Possible Alternative Practices for RDNSS Selection
On some private namespace deployments, explicit policies for RDNSS
selection are not available. This section describes ways for nodes
to mitigate the problem by sending wide-spread queries and by
utilizing possibly existing indirect information elements as hints.
A.1. Sending Queries Out on Multiple Interfaces in Parallel
A possible current practice is to send DNS queries out of multiple
interfaces and pick up the best out of the received responses. A
node can implement DNSSEC in order to be able to reject responses
that cannot be validated. Selection between legitimate answers is
implementation specific, but replies from trusted RDNSSes are
preferred.
A downside of this approach is increased consumption of resources,
namely, power consumption if an interface, e.g., wireless, has to be
brought up just for the DNS query that could have been resolved via a
cheaper interface. Also, load on RDNSSes is increased. However,
local caching of results mitigates these problems, and a node might
also learn interfaces that seem to be able to provide 'better'
responses than others and prefer those, without forgetting that
fallback is required for cases when the node is connected to more
than one network using private namespaces.
A.2. Search List Option for DNS Forward Lookup Decisions
A node can learn the special domains of attached network interfaces
from IPv6 Router Advertisement DNS Search List Option [RFC6106] or
DHCP search list options -- DHCPv4 Domain Search Option number 119
[RFC3397] and DHCPv6 Domain Search List Option number 24 [RFC3646].
The node behavior is very similar to that illustrated in the example
in Section 5. While these options are not intended to be used in
RDNSS selection, they can be used by the nodes as hints for smarter
RDNSS prioritization purposes in order to increase likelihood of fast
and successful DNS queries.
Overloading of existing DNS search list options is not without
problems: resolvers would obviously use the domains learned from
search lists for name resolution purposes. This might not be a
problem in deployments where DNS search list options contain few
domains like 'example.com, private.example.com' but can become a
problem if many domains are configured.
Savolainen, et al. Standards Track [Page 23]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
A.3. More-Specific Routes for Reverse Lookup Decisions
[RFC4191] defines how more-specific routes can be provisioned for
nodes. This information is not intended to be used in RDNSS
selection, but nevertheless, a node can use this information as a
hint about which interface would be best to try first for reverse
lookup procedures. An RDNSS configured via the same interface as
more-specific routes is more likely capable to answer reverse lookup
questions correctly than an RDNSS of another interface. The
likelihood of success is possibly higher if an RDNSS address is
received in the same RA [RFC6106] as the more-specific route
information.
A.4. Longest Matching Prefix for Reverse Lookup Decisions
A node can utilize the longest matching prefix approach when deciding
which RDNSS to contact for reverse lookup purposes. Namely, the node
can send a DNS query to an RDNSS learned over an interface having a
longest matching prefix to the address being queried. This approach
can help in cases where Unique Local Addressing (ULA) [RFC4193]
addresses are used and when the queried address belongs to a node or
server within the same network (for example, intranet).
Appendix B. DNSSEC and Multiple Answers Validating with Different Trust
Anchors
When validating DNS answers with DNSSEC, a validator might order the
list of trust anchors it uses to start validation chains, in the
order of the node's preferences for those trust anchors. A node
could use this ability in order to select among alternative DNS
results from different interfaces. Suppose that a node has a trust
anchor for the public DNS root and also has a special-purpose trust
anchor for example.com. An answer is received on interface i1 for
www.example.com, and the validation for that succeeds by using the
public trust anchor. Also, an answer is received on interface i2 for
www.example.com, and the validation for that succeeds by using the
trust anchor for example.com. In this case, the node has evidence
for relying on i2 for answers in the example.com zone.
Appendix C. Pseudocode for RDNSS Selection
This section illustrates the RDNSS selection logic in C-style
pseudocode. The code is not intended to be usable as such; it is
only here for illustration purposes.
The beginning of the whole procedure is a call to "dns_query"
function with a query and list of RDNSSes given as parameters.
Savolainen, et al. Standards Track [Page 24]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
/* This is a structure that holds all information related to an RDNSS.*/
/* Here we include only the information related for this illustration.*/
struct rdnss
{
int prf; /* Preference of an RDNSS. */
int interface; /* Type of an interface RDNSS was learned over. */
struct d_and_n; /* Domains and networks information for this RDNSS. */
};
int has_special_knowledge( const struct rdnss *rdnss,
const char *query)
{
/* This function matches the query to the domains and networks
information of the given RDNSS. The function returns TRUE
if the query matches the domains and networks; otherwise, FALSE. */
/* The implementation of this matching function
is left for reader, or rather writer. */
/* return TRUE if query matches rdnss->d_and_n, otherwise FALSE. */
}
const struct rdnss* compare_rdnss_prf( const struct rdnss *rdnss_1,
const struct rdnss *rdnss_2 )
{
/* This function compares preference values of two RDNSSes and
returns the more preferred RDNSS. The function prefers rdnss_1
in the case of equal preference values. */
if (rdnss_1->prf == HIGH_PRF) return rdnss_1;
if (rdnss_2->prf == HIGH_PRF) return rdnss_2;
if (rdnss_1->prf == MED_PRF) return rdnss_1;
if (rdnss_2->prf == MED_PRF) return rdnss_2;
return rdnss_1;
}
const struct rdnss* compare_rdnss_trust( const struct rdnss *rdnss_1,
const struct rdnss *rdnss_2 )
{
/* This function compares trust of the two given RDNSSes. The trust
is based on the trust on the interface RDNSS was learned on. */
/* If the interface is the same, the trust is also the same,
and hence, function will return NULL to indicate lack of
difference in trust. */
if (rdnss_1->interface == rdnss_2->interface) return NULL;
Savolainen, et al. Standards Track [Page 25]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
/* Otherwise, implementation-specific rules define which interface
is considered more secure than the other. The rules shown here
are only for illustrative purposes and must be overwritten by
real implementations. */
if (rdnss_1->interface == IF_VPN) return rdnss_1;
if (rdnss_2->interface == IF_VPN) return rdnss_2;
if (rdnss_1->interface == IF_CELLULAR) return rdnss_1;
if (rdnss_2->interface == IF_CELLULAR) return rdnss_2;
if (rdnss_1->interface == IF_WLAN) return rdnss_1;
if (rdnss_2->interface == IF_WLAN) return rdnss_2;
/* Both RDNSSes are from unknown interfaces, so return NULL as
trust-based comparison is impossible. */
return NULL;
}
int compare_rdnsses ( const struct rdnss *rdnss_1,
const struct rdnss *rdnss_2,
const char *query)
{
/* This function compares two RDNSSes and decides which one is more
preferred for resolving the query. If the rdnss_1 is more
preferred, the function returns TRUE; otherwise, FALSE. */
const struct rdnss *more_trusted_rdnss = NULL;
const struct rdnss *less_trusted_rdnss = NULL;
/* Find out if either RDNSS is more trusted. */
more_trusted_rdnss = compare_rdnss_trust( rdnss_1, rdnss_2 );
/* Check if either was more trusted. */
if (more_trusted_rdnss)
{
/* Check which RDNSS was less trusted. */
less_trusted_rdnss =
more_trusted_rdnss == rdnss_1 ? rdnss_2 : rdnss_1;
/* If the more trusted interface is not of low preference
or has special knowledge about the query, or the more
trusted is more preferred and the less trusted has no special
information, prefer more trusted. Otherwise, prefer less trusted. */
if (more_trusted_rdnss->prf != LOW_PRF ||
has_special_knowledge( more_trusted_rdnss, query ) ||
(compare_rdnss_prf( more_trusted_rdnss, less_trusted_rdnss)
== more_trusted_rdnss &&
!has_special_knowledge( less_trusted_rdnss, query)))
Savolainen, et al. Standards Track [Page 26]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
{
/* If the more_trusted_rdnss was rdnss_1, return TRUE. */
return more_trusted_rdnss == rdnss_1 ? TRUE : FALSE;
}
else
{
/* If the more_trusted_rdnss was rdnss_1, return TRUE. */
return less_trusted_rdnss == rdnss_1 ? TRUE : FALSE;
}
}
else
{
/* There is no trust difference between RDNSSes; therefore, prefer the
RDNSS that has special knowledge. If both have specific knowledge,
then prefer the rdnss_1. */
if (has_special_knowledge( rdnss_1, query )) return TRUE;
if (has_special_knowledge( rdnss_2, query )) return FALSE;
/* Neither had special knowledge. Therefore, return TRUE if
rdnss_1 is more preferred; otherwise, return FALSE */
return compare_rdnss_prf( rdnss_1 , rdnss_2 )
== rdnss_1 ? TRUE : FALSE;
}
}
void bubble_sort_rdnsses( struct rdnss rdnss_list[],
const int rdnsses,
const char* query)
{
/* This function implements a bubble sort to arrange
RDNSSes in rdnss_list into preference order. */
int i;
int swapped = 0;
struct rdnss rdnss_swap;
do
{
/* Clear swapped-indicator. */
swapped = FALSE;
/* Go through the RDNSS list. */
for (i = 0; i < rdnsses-1; i++)
{
/* Check if the next two items are in the right order, i.e.,
more preferred before less preferred. */
if (compare_rdnsses( &rdnss_list[i],
&rdnss_list[i+1], query) == FALSE)
Savolainen, et al. Standards Track [Page 27]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
{
/* The order between two was not right, so swap these two RDNSSes. */
rdnss_swap = rdnss_list[i];
rdnss_list[i] = rdnss_list[i+1];
rdnss_list[i+1] = rdnss_swap;
swapped = TRUE;
}
}
} while (swapped);
/* No more swaps, which means the rdnss_list is now sorted
into preference order. */
}
struct hostent *dns_query( struct rdnss rdnss_list[],
const int rdnsses,
const char* query )
{
/* Perform address resolution for the query. */
int i;
struct hostent response;
/* Sort the RDNSSes into preference order. */
/* This is the function with which this pseudocode starts. */
bubble_sort_rdnsses( &rdnss_list[0], rdnsses, query );
/* Go thourgh all RDNSSes or until valid response is found. */
for (i = 0; i < rdnsses; i++)
{
/* Use the highest preference RDNSS first. */
response = send_and_validate_dns_query( rndss_list[i], query);
/* Check if DNSSEC validation is in use, and if so, validate the
received response. */
if (dnssec_in_use)
{
response = dnssec_validate(response);
/* If response is validated, use that. Otherwise, proceed to next
RDNSS. */
if (response) return response;
else continue;
}
/* If acceptable response has been found, return it. */
if (response) return response;
}
Savolainen, et al. Standards Track [Page 28]
^L
RFC 6731 RDNSS Selection for MIF Nodes December 2012
return NULL;
}
Appendix D. Acknowledgements
The authors would like to thank the following people for their
valuable feedback and improvement ideas: Mark Andrews, Jari Arkko,
Marcelo Bagnulo, Brian Carpenter, Stuart Cheshire, Lars Eggert,
Stephan Farrell, Tomohiro Fujisaki, Brian Haberman, Peter Koch,
Suresh Krishnan, Murray Kucherawy, Barry Leiba, Edward Lewis, Kurtis
Lindqvist, Arifumi Matsumoto, Erik Nordmark, Steve Padgett, Fabien
Rapin, Matthew Ryan, Robert Sparks, Dave Thaler, Sean Turner,
Margaret Wasserman, Dan Wing, and Dec Wojciech. Ted Lemon and Julien
Laganier receive special thanks for their contributions to security
considerations.
Authors' Addresses
Teemu Savolainen
Nokia
Hermiankatu 12 D
Tampere FI-33720
Finland
EMail: teemu.savolainen@nokia.com
Jun-ya Kato
NTT
9-11, Midori-Cho 3-Chome Musashino-Shi
Tokyo 180-8585
Japan
EMail: kato@syce.net
Ted Lemon
Nominum, Inc.
2000 Seaport Boulevard
Redwood City, CA 94063
USA
Phone: +1 650 381 6000
EMail: Ted.Lemon@nominum.com
Savolainen, et al. Standards Track [Page 29]
^L
|
