-
Notifications
You must be signed in to change notification settings - Fork 1
/
draft-levine-orgboundary-02.txt
448 lines (291 loc) · 17 KB
/
draft-levine-orgboundary-02.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
Network Working Group J. Levine
Internet-Draft Taughannock Networks
Intended status: Informational July 31, 2013
Expires: February 01, 2014
Publishing Organization Boundaries in the DNS
draft-levine-orgboundary-02
Abstract
Often, the organization that manages a subtree in the DNS is
different from the one that manages the tree above it. Rather than
describing a particular design, we describe an architecture to
publish in the DNS the boundaries between organizations that can be
adapted to various policy models.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 01, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Levine Expires February 01, 2014 [Page 1]
Internet-Draft Org Boundaries July 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Design Issues . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Lookup Process . . . . . . . . . . . . . . . . . . . . . . . 3
4. Record Syntax . . . . . . . . . . . . . . . . . . . . . . . . 5
5. DNS Records . . . . . . . . . . . . . . . . . . . . . . . . . 5
6. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. Normative References . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 8
A.1. Changes from -01 to -02 . . . . . . . . . . . . . . . . . 8
A.2. Changes from -00 to -01 . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Often, the organization that manages a subtree in the DNS is
different from the one that manages the tree above it. Many
applications use information about such boundaries to implement
security policies. For example, web browsers use them to limit the
names where web cookies can be set, and Secure Socket Layer (SSL)
certificate services use them to determine the party responsible for
the domain in a signing request. Some mail security applications
such as Domain-based Messaging Authetnication, Reporting and
Conformance (DMARC) use them to locate an organization's policy
records in the DNS.
The most widely used source of boundary data is the Public Suffix
List, maintained by the Mozilla Foundation. It is distributed as a
text file available at a well known location, with some libraries
available to parse and search it. While it has worked adequately, it
has a variety of issues:
1. Processing the file is relatively slow, so adequate performance
requires that each application cache a copy of the file.
2. The file is in a unique format that requires a specialized parser
and lookup routines.
3. The file is managed by a third party rather than directly by the
domain owners, meaning the likelihood of stale data is a concern.
Levine Expires February 01, 2014 [Page 2]
Internet-Draft Org Boundaries July 2013
2. Design Issues
Organization boundaries can be assigned on what one could call an
opt-in or opt-out basis. "Opt-in" means that two names are only
managed by the same organization if both actively assert that they
are related. "Opt-out" means that if there is any boundary
information at all for a DNS subtree, each name is assumed to be
under the same management as its parent unless there is a boundary
assertion to the contrary. This design describes an opt-out model.
Within the opt-out model, this design can adapt to a variety of
scenarios:
o Policies can be published by the domains themselves, or by a third
party. In the former case, each domain might assert its own
boundary policies. In the latter case, the third party makes the
assertions, which may or may not agree with what the domains
themselves would want.
o Multiple levels of delegation may be implemented, which is
different from irregular boundaries. For example, "ca", "on.ca",
and "toronto.on.ca" are irregular boundaries, because they're all
handled by the Canadian Internet Registration Authority (CIRA).
CentralNIC's "uk.com" would be a second level of delegation below
Verisign's com.
o Different sets of boundary rules can be published for different
applications. For example, the boundaries for SSL certificates
might be different from the boundaries for e-mail policies, or for
web cookie setting policies.
In the lookup process below, the boundary point data is stored in TXT
records. While it wouldn't be harmful to use a new RRTYPE, it would
also provide little benefit: All of the DNS names used include a
distinctive prefixed name component, so there should not be any
resource records at those names other than the TXT record for the
boundary. To avoid confusion due to top-level wildcard records that
might inadvertently cover the subtree of boundary records, the TXT
strings contain a prefix tag.
3. Lookup Process
The DNS protocol is defined in [RFC1034] and [RFC1035]. The query is
for RRTYPE 15 (TXT).
Each collection of boundary data has a "base name" and a "prefix
tag".
Levine Expires February 01, 2014 [Page 3]
Internet-Draft Org Boundaries July 2013
The base name is a location in the DNS tree where the organizational
boundary data is rooted. In particular, the "official" boundary data
has a base name of "." (the DNS root), while using some other base
name implies the owner of the base name is the party making
organizational boundary assertions.
The prefix tag is the string "_ob" and is intended to be unique. If
there are different kinds of boundary data, the tag can be further
prefixed, e.g., "_cookie._ob" for conventional HTTP cookies, or
"_dmarc._ob" for organizational boundaries intended to be used only
within the context of the DMARC protocol. [[TBD: Add a DMARC
reference.]]. Note that due to the way wildcard matches, a query for
a specific boundary type will match the general boundary type if
there is no specific boundary. [[ I think this also falls out
correctly even when there are also non-wildcard records, but I need
to check that, ]]
A valid policy record starts with a fixed string "ob=1 ", meaning
organization boundary version 1. If a lookup returns no TXT records
that start with this string, or more than one record that starts with
the string, the lookup fails.
In general, the lookup process takes as input a domain name and
returns the name of the node in the DNS closest to the root that also
belongs to the same organization. This may be the domain itself or a
parent. If there is no policy for the domain the lookup fails; there
are no defaults, and the DNS root is not within any organization
boundary. (Applications may apply defaults of their own, but that is
beyond the scope of this specification.)
For the first lookup, the client extracts the top level component
(i.e., the rightmost label, as "label" is defined in Section 3 of
[RFC1034])) of the domain name from the subcomponents, if any, and
inserts the prefix in front of that component, after other components
if any. For example, if the domain to be checked is "example.com" or
"www.example.com", the client issues a DNS query for
"example._ob.com" or "www.example._ob.com". If the domain is simply
"example", the client looks up "_ob.example". If the base name is
not null, it is appended to the name to be looked up, so if the name
"example.com" were to be checked in a collection with the base name
"cookies.example", the full queried name would be
"example._ob.com.cookies.example."
If a valid policy record is returned, the contents of the record
after the required prefix string comprise the domain name at or just
below the policy boundary. For example, a check for a boundary
between "com" and "example.com" would be issued at "example._ob.com",
and the expected response would be "ob=1 com".
Levine Expires February 01, 2014 [Page 4]
Internet-Draft Org Boundaries July 2013
If there are no boundaries below the queried point, the policy record
contains "ob=1 ." indicating the root. For example, if all
subdomains of the "example" top-level domain (TLD) are under the same
management as the TLD itself, checks for "_ob.example" or
"www._ob.example" would return "ob=1 .".
If the client process only handles a single level of delegation, the
process stops after a single lookup. If it allows multiple levels of
delegation, the client inserts the prefix tag into the name just
below (i.e., to the left of) the name at the largest matching
boundary indicated in the lookup result, and repeats the lookup. For
example:
o When evaluating "www.foo.example.com", the first query would be to
"www.foo.example._ob.com". If the reply to this is "ob=1 com",
then the second query would go to "www.foo._ob.example.com".
o When evaluating "www.example.on.ca", the first query would be to
"www.example.on_ob.ca". If the reply to this is "ob=1 on.ca", the
next lookup would be to "www._ob.example.on.ca".
This process repeats until a DNS lookup returns NXDOMAIN (DNS RRCODE
3), at which point the result of this algorithm is the domain name
that last returned a successful query with the first label ("_ob")
removed.
The total number of DNS lookups is the number of levels of boundary
delegation, which is unlikely to be more than 1 or 2 in most
realistic scenarios.
4. Record Syntax
Expressed in ABNF ([RFC5234]), the syntax of a reply is as follows:
ob-reply = "ob=1 " ("." | Domain )
"Domain" is defined in Section 4.1.2 of [RFC5321].
5. DNS Records
The publishing entity uses wildcards and prefixed names that parallel
the regular names under a TLD to cover the relevant name space.
If there is a boundary below a given name, an entry in the TLD record
covers the names below it. For example, if there is a boundary
immediately below ".TEST", a suitable record would be:
Levine Expires February 01, 2014 [Page 5]
Internet-Draft Org Boundaries July 2013
*._ob.test IN TXT "ob=1 test"
If the boundary is at the TEST domain, i.e., TEST is under the same
management as FOO.TEST, the record would indicate no boundaries, and
an additional non-wildcard record is needed to cover TEST itself:
*._ob.test txt "ob=1 ."
_ob.test txt "ob=1 ."
In domains with irregular policy boundaries, multiple records in the
record describe the boundary points. For example, in the CA (Canada)
TLD, for national organizations there might be a boundary directly
below the national TLD; for provincial organizations there might be a
boundary below a provincial subdomain such as "on.ca"; and for local
(e.g., municipal) organizations, a boundary below a municipal
subdomain such as "toronto.on.ca" might exist. A suitable set of of
records covers this structure. The closest encloser rule in RFC 4592
[RFC4592] makes the wildcards match the appropriate names.
*._ob.ca txt "ob=1 ca"
*.on._ob.ca txt "ob=1 on.ca"
*.toronto.on._ob.ca txt "ob=1 toronto.on.ca"
For any set of policy boundaries in a tree of DNS names, a suitable
set of policy records can describe the boundaries, so a client can
find the boundary for any name in the tree with a single policy
lookup per level of delegation.
Since the delegation structure is unlikely to change with any
frequency, very long time-to-live (TTL) values in the organizational
boundary records are appropriate.
6. Discussion
Some domains have very irregular boundaries. This may require a
large number of records to describe all the boundaries, perhaps
several hundred, but it doesn't seem like a number that would
challenge modern DNS servers.
The wildcard lookup means that each time an application looks up the
boundaries for a hostname, the lookup results use DNS cache entries
that will not be reused other than for subsequent lookups for the
identical hostname. This might cause cache churn, but it seems at
worst no more than we already tolerate from DNSBL lookups.
Levine Expires February 01, 2014 [Page 6]
Internet-Draft Org Boundaries July 2013
The record format described above uses dots as reserved characters to
indicate the boundaries between labels in names. This is adequate if
policies only apply to host names, but if becomes important to allow
arbitrary names, it would be easy to encode them in TXT records.
Keeping in mind that a TXT record contains a sequence of strings,
each preceded by a count byte, each component of the name is
represented as a string. So the last record above would be
represented as:
*.toronto.on._ob.ca IN TXT "ob=1" "toronto" "on" "ca"
7. Security Considerations
The purpose of publishing organization boundaries is to provide
advice to third parties that wish to know whether two names are
managed by the same organization, allowing those names to be treated
"as the same" in some sense. Clients that rely on published
boundaries are outsourcing some part of their own security policy to
the publisher, so their own security depends on the publisher's
boundaries being accurate.
Although in some sense domains are always in control of their
subdomains, there are many situations in which parent domains are not
expected to influence subdomains. For example, the Internet
Corporation for Assigned Names and Numers (ICANN) contracted global
TLDs (gTLDs) and registers second level domains. Since there is no
technical bar to a parent publishing records that shadow part or all
of the boundary record namespace for delegated subdomains, correct
operation depends on the parent and subdomains agreeing about who
publishes what.
8. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
System", RFC 4592, July 2006.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008.
Levine Expires February 01, 2014 [Page 7]
Internet-Draft Org Boundaries July 2013
Appendix A. Change Log
*NOTE TO RFC EDITOR: This section may be removed upon publication of
this document as an RFC.*
A.1. Changes from -01 to -02
Add ABNF.
MSK overhaul of the middle part.
Put the wildcards back.
A.2. Changes from -00 to -01
Take out wildcards and put everything in one record.
Add DNS nits.
Author's Address
John Levine
Taughannock Networks
PO Box 727
Trumansburg, NY 14886
Phone: +1 831 480 2300
Email: [email protected]
URI: http://jl.ly
Levine Expires February 01, 2014 [Page 8]