<?xml version='1.0' encoding='utf-8'?> version="1.0" encoding="UTF-8"?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.15 (Ruby 3.1.2) -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-add-ddr-10" number="9462" submissionType="IETF" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" updates="" obsoletes="" xml:lang="en" version="3">

  <!-- xml2rfc v2v3 conversion 3.13.1 -->
    <title abbrev="DDR">Discovery of Designated Resolvers</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-add-ddr-10"/> name="RFC" value="9462"/>
    <author initials="T." surname="Pauly" fullname="Tommy Pauly">
      <organization>Apple Inc.</organization>
          <street>One Apple Park Way</street>
          <city>Cupertino, California 95014</city>
          <country>United States of America</country>
    <author initials="E." surname="Kinnear" fullname="Eric Kinnear">
      <organization>Apple Inc.</organization>
          <street>One Apple Park Way</street>
          <city>Cupertino, California 95014</city>
          <country>United States of America</country>
    <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
          <street>101 Townsend St</street>
          <city>San Francisco</city>
          <country>United States of America</country>
    <author initials="P." surname="McManus" fullname="Patrick McManus">
    <author initials="T." surname="Jensen" fullname="Tommy Jensen">
    <date year="2022" month="August" day="05"/>
    <workgroup>ADD</workgroup> year="2023" month="September"/>

<!-- [rfced] Please insert any keywords (beyond those that appear in the
title) for use on <https://www.rfc-editor.org/search>. -->

<!-- [rfced] Datatracker "idnits" output for the original approved
document included the following warning.  Please let us know if any
changes are needed as related to this warning:

 == There are 10 instances of lines with non-RFC2606-compliant FQDNs in
    the document. -->

      <t>This document defines Discovery of Designated Resolvers (DDR), a
mechanism for DNS clients to use DNS records to discover a resolver's encrypted
DNS configuration. An encrypted DNS resolver discovered in this manner is referred
to as a "Designated Resolver". This mechanism can be used to move from unencrypted
DNS to encrypted DNS when only the IP address of a resolver is known. This mechanism is
designed to be limited to cases where unencrypted DNS resolvers and their designated
resolvers are operated by the same entity or cooperating entities. It can also be used
to discover support for encrypted DNS protocols when the name of an encrypted DNS resolver is known.</t>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of known.

<!-- [rfced] Abstract and Section 2:  We see both the singular form
"mechanism" and the plural form "mechanisms" in this document takes place on the
  Adaptive DNS when
specifically discussing DDR.  Which is correct - singular or plural?

 This document defines Discovery Working Group mailing list (add@ietf.org),
  which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/add/"/>.</t>
      <t>Source of Designated Resolvers (DDR), a
 mechanism for DNS clients to use DNS records to discover a resolver's
 encrypted DNS configuration.  An encrypted DNS resolver discovered in
 this draft and an issue tracker manner is referred to as a "Designated Resolver".  This
 mechanism can be found at
  <eref target="https://github.com/ietf-wg-add/draft-ietf-add-ddr"/>.</t>
    </note> used to move from unencrypted DNS to encrypted DNS
 when only the IP address of a resolver is known.  This mechanism is
 designed to be limited to cases where unencrypted DNS resolvers and
 their designated resolvers are operated by the same entity or
 cooperating entities.
 DDR:  Discovery of Designated Resolvers.  Refers to the mechanisms
    defined in this document. -->

    <section anchor="introduction">
      <t>When DNS clients wish to use encrypted DNS protocols such as DNS-over-TLS DNS over TLS (DoT)
<xref target="RFC7858"/>, DNS-over-QUIC DNS over QUIC (DoQ) <xref target="RFC9250"/>, or DNS-over-HTTPS DNS over HTTPS (DoH) <xref target="RFC8484"/>,
they can require additional information beyond the IP address of the DNS server,
such as the resolver's hostname, alternate IP addresses, non-standard ports, or
URI templates. Templates. However, common configuration mechanisms only provide the resolver's
IP address during configuration. Such mechanisms include network provisioning protocols
like DHCP <xref target="RFC2132"/> <xref target="RFC8415"/> and IPv6 Router Advertisement (RA) options <xref target="RFC8106"/>,
as well as manual configuration.</t> configuration.

<!-- [rfced] Sections 1 and 6.5:  We see different RFCs cited for
IPv6 Router Advertisement options:  RFC 8106 in Section 1 but
RFC 4861 in Section 6.5.  Should the same RFC be cited in both
sections as related to IPv6 Router Advertisement options?

Please note, however, that we do not see any mention of Router
Advertisement options in RFC 4861 - only Neighbor Discovery options.
Should the sentence in Section 6.5 be updated to avoid possible

 Such mechanisms include network
 provisioning protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router
 Advertisement (RA) options [RFC8106], as well as manual
 Discovery of network-designated resolvers (DNR, [I-D.ietf-add-dnr])
 allows a network to provide designation of resolvers directly through
 DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) [RFC4861]
 options. -->

      <t>This document defines two mechanisms for clients to discover designated
resolvers that support these encrypted protocols using DNS server Service
Binding (SVCB, (SVCB) records <xref target="I-D.ietf-dnsop-svcb-https"/>) records:</t> target="RFC9460"/>:</t>
      <ol spacing="normal" type="1"><li>When only an IP address of an Unencrypted DNS Resolver is known, the client
queries a special use domain name Special-Use Domain Name (SUDN) <xref target="RFC6761"/> to discover DNS SVCB
records associated with one or more Encrypted DNS Resolvers the Unencrypted DNS
Resolver has designated for use when support for DNS encryption is
requested (<xref target="bootstrapping"/>).</li>
        <li>When the hostname of an Encrypted DNS Resolver is known, the client requests
details by sending a query for a DNS SVCB record. This can be used to discover
alternate encrypted DNS protocols supported by a known server, or to provide
details if a resolver name is provisioned by a network (<xref target="encrypted"/>).</li>
      <t>Both of these approaches allow clients to confirm that a discovered Encrypted DNS
Resolver is designated by the originally provisioned resolver. "Designated" in
this context means that the resolvers are operated by the same entity or
cooperating entities; for example, the resolvers are accessible on the same
IP address, or there is a certificate that contains the IP address for the
original designating resolver.</t>
      <section anchor="specification-of-requirements">
        <name>Specification of Requirements</name>
       <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
       "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
       "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
       "<bcp14>SHOULD NOT</bcp14>",
       "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
       "<bcp14>MAY</bcp14>", and
"OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document
       are to be interpreted as described in BCP 14 BCP&nbsp;14
       <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
       when, they appear in all capitals, as shown here.</t>
    <section anchor="terminology">
      <t>This document defines the following terms:</t>
          <t>Discovery of Designated Resolvers. Refers "DDR" refers to the mechanisms defined
in this document.</t>
        <dt>Designated Resolver:</dt>
          <t>A resolver, presumably an Encrypted DNS Resolver, designated by another resolver
for use in its own place. This designation can be verified with TLS certificates.</t>
        <dt>Encrypted DNS Resolver:</dt>
          <t>A DNS resolver using any encrypted DNS transport. This includes current
mechanisms such as DoH, DoT, and DoQ, as well as future mechanisms.</t>
        <dt>Unencrypted DNS Resolver:</dt>
          <t>A DNS resolver using a transport without encryption, historically
TCP or UDP port 53.</t>
    <section anchor="dns-service-binding-records">
      <name>DNS Service Binding Records</name>
      <t>DNS resolvers can advertise one or more Designated Resolvers that
may offer support over encrypted channels and are controlled by the same
      <t>When a client discovers Designated Resolvers, it learns information such as
the supported protocols and ports. This information is provided in ServiceMode
Service Binding (SVCB)
SVCB records for DNS Servers, servers, although AliasMode SVCB records
can be used to direct clients to the needed ServiceMode SVCB record per
<xref target="I-D.ietf-dnsop-svcb-https"/>. target="RFC9460"/>. The formatting of these records, including the
DNS-unique parameters such as "dohpath", are defined by <xref target="I-D.ietf-add-svcb-dns"/>.</t> target="RFC9461"/>.</t>
      <t>The following is an example of an SVCB record describing a DoH server discovered
by querying for <tt>_dns.example.net</tt>:</t>

<!-- [rfced] Please review each artwork element.  Specifically,
should any artwork element be tagged as sourcecode or another
element?  Please see
<https://www.rfc-editor.org/materials/sourcecode-types.txt>; if the
current list of preferred values for "type" does not contain an
applicable type, please let us know.  Also, if you choose to use
the sourcecode tag, it is acceptable to leave the "type" attribute not
set. -->

_dns.example.net.  7200  IN SVCB 1 example.net. (
     alpn=h2 dohpath=/dns-query{?dns} )
      <t>The following is an example of an SVCB record describing a DoT server discovered
by querying for <tt>_dns.example.net</tt>:</t>
_dns.example.net.  7200  IN SVCB 1 dot.example.net (
     alpn=dot port=8530 )
      <t>The following is an example of an SVCB record describing a DoQ server discovered
by querying for <tt>_dns.example.net</tt>:</t>
_dns.example.net.  7200  IN SVCB 1 doq.example.net (
     alpn=doq port=8530 )
      <t>If multiple Designated Resolvers are available, using one or more
encrypted DNS protocols, the resolver deployment can indicate a preference using
the priority fields in each SVCB record <xref target="I-D.ietf-dnsop-svcb-https"/>.</t> target="RFC9460"/>.</t>
      <t>If the client encounters a mandatory parameter in an SVCB record it does not
understand, it MUST NOT <bcp14>MUST NOT</bcp14> use that record to discover a Designated Resolver, in accordance
with <xref section="8" sectionFormat="of" target="I-D.ietf-dnsop-svcb-https"/>. target="RFC9460"/>. The
client can still use other records in the same response if the client can understand
all of their mandatory parameters. This allows future encrypted deployments to
simultaneously support protocols even if a given client is not aware of all those
protocols. For example, if the Unencrypted DNS Resolver returns three SVCB records, records -- one
for DoH, one for DoT, and one for a yet-to-exist protocol, protocol -- a client which that only supports
DoH and DoT should be able to use those records while safely ignoring the third record.</t>
      <t>To avoid name lookup deadlock, clients that use Designated Resolvers need to ensure
that a specific Encrypted Resolver is not used for any queries that are needed to
resolve the name of the resolver itself or to perform certificate revocation checks for
the resolver, as described in <xref section="10" sectionFormat="of" target="RFC8484"/>. Designated Resolvers need to ensure that this deadlock is avoidable avoidable, as also described in <xref section="10" sectionFormat="of" target="RFC8484"/>.</t>

<!-- [rfced] Sections 3, 4.1, and 4.2:  Should these instances of
"Encrypted Resolver" be "Encrypted DNS Resolver" per the rest of
this document, or "encrypted resolver" per companion documents
9463 (draft-ietf-add-dnr) and 9464 (draft-ietf-ipsecme-add-ike), assuming
that the term is used more generally in the other documents?

 To avoid name lookup deadlock, clients that use Designated Resolvers
 need to ensure that a specific Encrypted Resolver is not used for any
 queries that are needed to resolve the name of the resolver itself or
 to perform certificate revocation checks for the resolver, as
 described in Section 10 of [RFC8484].
 Use without
 validation can allow an attacker to direct traffic to an Encrypted
 Resolver that is unrelated to the original Unencrypted DNS Resolver,
 as described in Section 7.
 If the IP address is not shared, opportunistic use
 allows for attackers to redirect queries to an unrelated Encrypted
 Resolver, as described in Section 7. -->

      <t>This document focuses on discovering DoH, DoT, and DoQ Designated Resolvers.
Other protocols can also use the format defined by <xref target="I-D.ietf-add-svcb-dns"/>. target="RFC9461"/>.
However, if any such protocol does not involve some form of certificate
validation, new validation mechanisms will need to be defined to support
validating designation as defined in <xref target="verified"/>.</t>
    <section anchor="bootstrapping">
      <name>Discovery Using Resolver IP Addresses</name>
      <t>When a DNS client is configured with an Unencrypted DNS Resolver IP address, it
<bcp14>SHOULD</bcp14> query the resolver for SVCB records of a service with a scheme of "dns" and
an Authority of "resolver.arpa" before making other queries. This allows the client
to switch to using Encrypted DNS for all other queries, if possible. Specifically,
the client issues a query for <tt>_dns.resolver.arpa.</tt> with the SVCB resource record type
(64) <xref target="I-D.ietf-dnsop-svcb-https"/>.</t> target="RFC9460"/>.

<!-- [rfced] Section 4:  This text has the only instance of
initial-capitalized "Authority" in this document or this cluster of
documents (https://www.rfc-editor.org/cluster_info.php?cid=C461).
Is the capitalization necessary?

 When a DNS client is configured with an Unencrypted DNS Resolver IP
 address, it SHOULD query the resolver for SVCB records of a service
 with a scheme of "dns" and an Authority of "resolver.arpa" before
 making other queries. -->

      <t>Responses to the SVCB query for the "resolver.arpa" SUDN describe Designated Resolvers.
To ensure that different Designated Resolver configurations can be correctly
distinguished and associated with A and AAAA records for the resolver, ServiceMode
SVCB responses to these queries MUST NOT <bcp14>MUST NOT</bcp14> use the "." or "resolver.arpa" value for
the TargetName. Similarly, clients MUST NOT <bcp14>MUST NOT</bcp14> perform A or AAAA queries for
      <t>The following is an example of an SVCB record describing a DoH server discovered
by querying for <tt>_dns.resolver.arpa</tt>:</t>
_dns.resolver.arpa.  7200  IN SVCB 1 doh.example.net (
     alpn=h2 dohpath=/dns-query{?dns} )
      <t>The following is an example of an SVCB record describing a DoT server discovered
by querying for <tt>_dns.resolver.arpa</tt>:</t>
_dns.resolver.arpa.  7200  IN SVCB 1 dot.example.net (
     alpn=dot port=8530 )
      <t>The following is an example of an SVCB record describing a DoQ server discovered
by querying for <tt>_dns.resolver.arpa</tt>:</t>
_dns.resolver.arpa.  7200  IN SVCB 1 doq.example.net (
     alpn=doq port=8530 )
      <t>If the recursive resolver that receives this query has one or more Designated
Resolvers, it will return the corresponding SVCB records. When responding
to these special queries for "resolver.arpa", the recursive resolver
<bcp14>SHOULD</bcp14> include the A and AAAA records for the name of the Designated Resolver
in the Additional Answers section. This will save the DNS client an additional
round trip to retrieve the address of the designated resolver; see <xref section="5" sectionFormat="of" target="I-D.ietf-dnsop-svcb-https"/>.</t> target="RFC9460"/>.</t>
      <t>Designated Resolvers SHOULD <bcp14>SHOULD</bcp14> be accessible using the IP address families that
are supported by their associated Unencrypted DNS Resolvers. If an Unencrypted DNS Resolver
is accessible using an IPv4 address, it ought to provide an A record for an
IPv4 address of the Designated Resolver; similarly, if it is accessible using an
IPv6 address, it ought to provide a AAAA record for an IPv6 address of the
Designated Resolver. The Designated Resolver MAY <bcp14>MAY</bcp14> support more address families
than the Unencrypted DNS Resolver, but it SHOULD NOT <bcp14>SHOULD NOT</bcp14> support fewer. If this is
not done, clients that only have connectivity over one address family might not
be able to access the Designated Resolver.</t>
      <t>If the recursive resolver that receives this query has no Designated Resolvers,
it SHOULD <bcp14>SHOULD</bcp14> return NODATA for queries to the "resolver.arpa" zone, to provide
a consistent and accurate signal to clients that it does not have a
Designated Resolver.</t>
      <section anchor="use-of-designated-resolvers">
        <name>Use of Designated Resolvers</name>
        <t>When a client discovers Designated Resolvers from an Unencrypted DNS Resolver IP
address, it can choose to use these Designated Resolvers either automatically, (1)&nbsp;automatically or based (2)&nbsp;based on some other policy, heuristic, or user choice.</t>
        <t>This document defines two preferred methods to for automatically use using Designated
        <ul spacing="normal">
          <li>Verified Discovery (<xref target="verified"/>), for when a TLS certificate can
be used to validate the resolver's identity.</li>
          <li>Opportunistic Discovery (<xref target="opportunistic"/>), for when a resolver's IP address
is a private or local address.</li>
        <t>A client MAY <bcp14>MAY</bcp14> additionally use a discovered Designated Resolver without
either of these methods, based on implementation-specific policy or user input.
Details of such policy are out of scope of for this document. Clients MUST NOT <bcp14>MUST NOT</bcp14>
automatically use a Designated Resolver without some sort of validation,
such as the two methods defined in this document or a future mechanism. Use
without validation can allow an attacker to direct traffic to an Encrypted
Resolver that is unrelated to the original Unencrypted DNS Resolver, as
described in <xref target="security"/>.</t>
        <t>A client MUST NOT re-use <bcp14>MUST NOT</bcp14> reuse a designation discovered using the IP address of one
Unencrypted DNS Resolver in place of any other Unencrypted DNS Resolver. Instead,
the client needs to repeat the discovery process to discover the Designated Resolver
of the other Unencrypted DNS Resolver. In other words, designations are
per-resolver and MUST NOT <bcp14>MUST NOT</bcp14> be used to configure the client's universal DNS
behavior. This ensures in all cases that queries are being sent to a party
designated by the resolver originally being used.</t>
        <section anchor="use-of-designated-resolvers-across-network-changes">
          <name>Use of Designated Resolvers across network changes</name> Network Changes</name>
          <t>If a client is configured with the same Unencrypted DNS Resolver IP address on
multiple different networks, a Designated Resolver that has been discovered on one
network SHOULD NOT <bcp14>SHOULD NOT</bcp14> be reused on any of the other networks without repeating the
discovery process for each network, since the same IP address may be used for
different servers on the different networks.</t>
      <section anchor="verified">
        <name>Verified Discovery</name>
        <t>Verified Discovery is a mechanism that allows the automatic use of a
Designated Resolver that supports DNS encryption that performs a TLS handshake.</t>
        <t>In order to be considered a verified Designated Resolver, the TLS certificate
presented by the Designated Resolver needs to pass the following checks made
by the client:</t>
        <ol spacing="normal" type="1"><li>The client MUST <bcp14>MUST</bcp14> verify the chain of certificates up to a trust anchor
as described in <xref section="6" sectionFormat="of" target="RFC5280"/>. This <bcp14>SHOULD</bcp14> use the default
system or application trust anchors, unless otherwise configured.

<!-- [rfced] Section 4.2:  To what does "This" refer in this
sentence - the client, verifying the chain of certificates, or
something else?  If the suggested text is not correct, please provide
clarifying text.

Original (the previous sentence is included for context):
 1.  The client MUST verify the chain of certificates up to a trust
     anchor as described in Section 6 of [RFC5280].  This SHOULD use
     the default system or application trust anchors, unless otherwise configured.</li>

 1.  The client MUST verify the chain of certificates up to a trust
     anchor as described in Section 6 of [RFC5280]; the client
     therefore SHOULD use the default system or application trust
     anchors, unless otherwise configured. -->

          <li>The client <bcp14>MUST</bcp14> verify that the certificate contains the IP address of the
designating Unencrypted DNS Resolver in an iPAddress entry of the subjectAltName
extension as described in <xref section="" sectionFormat="of" target="RFC5280"/>.</li>
        <t>If these checks pass, the client SHOULD <bcp14>SHOULD</bcp14> use the discovered Designated Resolver
for any cases in which it would have otherwise used the Unencrypted DNS Resolver,
so as to prefer Encrypted DNS whenever possible.</t>
        <t>If these checks fail, the client MUST NOT <bcp14>MUST NOT</bcp14> automatically use the discovered
Designated Resolver if this designation was only discovered via a
<tt>_dns.resolver.arpa.</tt> query (if the designation was advertised directly
by the network as described in <xref target="dnr-interaction"/>, the server can still
be used). Additionally, the client SHOULD <bcp14>SHOULD</bcp14> suppress any further
queries for Designated Resolvers using this Unencrypted DNS Resolver for the
length of time indicated by the SVCB record's Time to Live (TTL) in order
to avoid excessive queries that will lead to further failed validations.
The client MAY <bcp14>MAY</bcp14> issue new queries if the SVCB record's TTL is excessively
long (as determined by client policy) to minimize the length of time an
intermittent attacker can prevent the use of encrypted DNS.</t>
        <t>If the Designated Resolver and the Unencrypted DNS Resolver share an IP
address, clients MAY <bcp14>MAY</bcp14> choose to opportunistically use the Designated Resolver even
without this certificate check (<xref target="opportunistic"/>). If the IP address is not shared,
opportunistic use allows for attackers to redirect queries to an unrelated Encrypted
Resolver, as described in <xref target="security"/>.</t>
        <t>Connections to a Designated Resolver can use a different IP address than
the IP address of the Unencrypted DNS Resolver, such as Resolver -- for example, if the process of
resolving the SVCB service yields additional addresses. Even when a different
IP address is used for the connection, the TLS certificate checks described
in this section still apply for the original IP address of the Unencrypted
DNS Resolver.</t>
      <section anchor="opportunistic">
        <name>Opportunistic Discovery</name>
        <t>There are situations where Verified Discovery of encrypted DNS
configuration over unencrypted DNS is not possible. This includes Unencrypted DNS
Resolvers on private IP addresses <xref target="RFC1918"/>, Unique Local Addresses (ULAs)
<xref target="RFC4193"/>, and Link Local Addresses Link-Local addresses <xref target="RFC3927"/> <xref target="RFC4291"/>, whose
identity cannot be safely confirmed using TLS certificates under most conditions.</t> conditions.

<!-- [rfced] Section 4.3:  We had trouble following this sentence.
To what does "This includes" refer?  If the suggested text is not
correct, please provide clarifying text.

Original (the previous sentence is included for context):
 There are situations where Verified Discovery of encrypted DNS
 configuration over unencrypted DNS is not possible.  This includes
 Unencrypted DNS Resolvers on private IP addresses [RFC1918], Unique
 Local Addresses (ULAs) [RFC4193], and Link Local Addresses [RFC3927]
 [RFC4291], whose identity cannot be safely confirmed using TLS
 certificates under most conditions.

 There are situations where Verified Discovery of encrypted DNS
 configuration over unencrypted DNS is not possible.  For example,
 the identities of Unencrypted DNS Resolvers on private IP addresses
 [RFC1918], Unique Local Addresses (ULAs) [RFC4193], and Link-Local
 addresses [RFC3927] [RFC4291] cannot be safely confirmed using TLS
 certificates under most conditions. -->

        <t>An Opportunistic Privacy Profile opportunistic privacy profile is defined for DoT in <xref section="4.1" sectionFormat="of" target="RFC7858"/>
as a mode in which clients do not validate the name of the resolver presented in
the certificate. This Opportunistic Privacy Profile opportunistic privacy profile similarly applies to
DoQ <xref target="RFC9250"/>. For this profile, <xref section="4.1" sectionFormat="of" target="RFC7858"/> explains that
clients might or might not validate the resolver; however, even if clients choose
to perform some certificate validation checks, they will not be able to validate
the names presented in the SubjectAlternativeName field of the certificate for
private and local IP addresses.</t>
        <t>A client MAY <bcp14>MAY</bcp14> use information from the SVCB record for "_dns.resolver.arpa" with
this Opportunistic Privacy Profile opportunistic privacy profile as long as the IP address of the Encrypted
DNS Resolver does not differ from the IP address of the Unencrypted
DNS Resolver. Clients SHOULD <bcp14>SHOULD</bcp14> use this mode only for resolvers using private or
local IP addresses, since resolvers that use other addresses are able to provision
TLS certificates for their addresses.</t>
    <section anchor="encrypted">
      <name>Discovery Using Resolver Names</name>
      <t>A DNS client that already knows the name of an Encrypted DNS Resolver can use DDR
to discover details about all supported encrypted DNS protocols. This situation
can arise if a client has been configured to use a given Encrypted DNS Resolver, or
if a network provisioning protocol (such as DHCP or IPv6 Router Advertisements) RAs)
provides a name for an Encrypted DNS Resolver alongside the resolver IP address,
such as by using Discovery of Network Network-designated Resolvers (DNR) <xref target="I-D.ietf-add-dnr"/>.</t> target="RFC9463"/>.</t>
      <t>For these cases, the client simply sends a DNS SVCB query using the known name
of the resolver. This query can be issued to the named Encrypted DNS Resolver itself
or to any other resolver. Unlike the case of bootstrapping from an Unencrypted DNS
Resolver (<xref target="bootstrapping"/>), these records SHOULD <bcp14>SHOULD</bcp14> be available in the public
DNS if the same domain name's A or AAAA records are available in the
public DNS to allow using any resolver to discover another resolver's Designated
Resolvers. When the name can only be resolved in private namespaces,
these records SHOULD <bcp14>SHOULD</bcp14> be available to the same audience as the A and AAAA records.</t>
      <t>For example, if the client already knows about a DoT server
<tt>resolver.example.com</tt>, it can issue an SVCB query for
<tt>_dns.resolver.example.com</tt> to discover if there are other encrypted DNS
protocols available. In the following example, the SVCB answers indicate that
<tt>resolver.example.com</tt> supports both DoH and DoT, DoT and that the DoH server
indicates a higher priority than the DoT server.</t>
_dns.resolver.example.com.  7200  IN SVCB 1 resolver.example.com. (
     alpn=h2 dohpath=/dns-query{?dns} )
_dns.resolver.example.com.  7200  IN SVCB 2 resolver.example.com. (
     alpn=dot )
      <t>Clients MUST <bcp14>MUST</bcp14> validate that for any Encrypted DNS Resolver discovered using a
known resolver name, the TLS certificate of the resolver contains the
known name in a subjectAltName extension. In the example above,
this means that both servers need to have certificates that cover
the name <tt>resolver.example.com</tt>. Often, the various supported encrypted
DNS protocols will be specified such that the SVCB TargetName matches the
known name, as is true in the example above. However, even when the
TargetName is different (for example, if the DoH server had a TargetName of
<tt>doh.example.com</tt>), the clients still check for the original known resolver
name in the certificate.</t>
      <t>Note that this resolver validation is not related to the DNS resolver that
provided the SVCB answer.</t>
      <t>As another example, being able to discover a Designated Resolver for a known
Encrypted DNS Resolver is useful when a client has a DoT configuration for
<tt>foo.resolver.example.com</tt> but is on a network that blocks DoT traffic. The
client can still send a query to any other accessible resolver (either the local
network resolver or an accessible DoH server) to discover if there is a designated
DoH server for <tt>foo.resolver.example.com</tt>.</t>
    <section anchor="deployment-considerations">
      <name>Deployment Considerations</name>
      <t>Resolver deployments that support DDR are advised to consider the following
      <section anchor="caching-forwarders">
        <name>Caching Forwarders</name>
        <t>A DNS forwarder SHOULD NOT <bcp14>SHOULD NOT</bcp14> forward queries for "resolver.arpa" (or any subdomains)
upstream. This prevents a client from receiving an SVCB record that will fail to
authenticate because the forwarder's IP address is not in the upstream resolver's
Designated Resolver's TLS certificate SAN SubjectAlternativeName (SAN) field. A DNS forwarder which that already acts as a
completely transparent forwarder MAY <bcp14>MAY</bcp14> choose to forward these queries when the operator
expects that this does not apply, either because the operator either knows that the upstream
resolver does have the forwarder's IP address in its TLS certificate's SAN field
or that the operator expects clients to validate the connection via some future mechanism.</t> mechanism.

<!-- [rfced] Section 6.1: We added "SAN" after
"SubjectAlternativeName" here, but we have some follow-up items for

(a) If this definition is incorrect, please provide the correct

(b) Should "SubjectAlternativeName" be "SubjectAltName"?  We see
that RFCs 6876, 6940, and 7086 use "SubjectAltName field", but we
don't see any instances of "SubjectAlternativeName field" in any
recent RFCs.

(c) If the "Possibly" text below is not correct, please clarify the
meaning of "upstream resolver's Designated Resolver's".

 This prevents a client from receiving an
 SVCB record that will fail to authenticate because the forwarder's IP
 address is not in the upstream resolver's Designated Resolver's TLS
 certificate SAN field.

 This prevents a client from receiving an
 SVCB record that will fail to authenticate because the forwarder's IP
 address is not in the upstream resolver's Designated Resolver's TLS
 certificate SubjectAlternativeName (SAN) field.

 This prevents a client from receiving an
 SVCB record that will fail to authenticate because the forwarder's IP
 address is not in the TLS certificate SubjectAlternativeName (SAN)
 field of the upstream resolver's Designated Resolver. -->

        <t>Operators who choose to forward queries for "resolver.arpa" upstream should note
that client behavior is never guaranteed and that the use of DDR by a resolver does not
communicate a requirement for clients to use the SVCB record when it cannot be
      <section anchor="certificate-management">
        <name>Certificate Management</name>
        <t>Resolver owners that support Verified Discovery will need to list valid
referring IP addresses in their TLS certificates. This may pose challenges for
resolvers with a large number of referring IP addresses.</t>
      <section anchor="server-name-handling">
        <name>Server Name Handling</name>
        <t>Clients MUST NOT <bcp14>MUST NOT</bcp14> use "resolver.arpa" as the server name either in the either (1)&nbsp;the TLS
Server Name Indication (SNI) (<xref target="RFC8446"/>) <xref target="RFC8446"/> for DoT, DoQ, or DoH connections, connections or in the (2)&nbsp;the URI host for DoH requests.</t>
        <t>When performing discovery using resolver IP addresses, clients MUST <bcp14>MUST</bcp14>
use the original IP address of the Unencrypted DNS Resolver as the URI
host for DoH requests.</t>
        <t>Note that since IP addresses are not supported by default in the TLS SNI,
resolvers that support discovery using IP addresses will need to be
configured to present the appropriate TLS certificate when no SNI is present
for DoT, DoQ, and DoH.</t>
      <section anchor="handling-non-ddr-queries-for-resolverarpa">
        <name>Handling non-DDR queries Non-DDR Queries for resolver.arpa</name>
        <t>DNS resolvers that support DDR by responding to queries for _dns.resolver.arpa
<bcp14>MUST</bcp14> treat resolver.arpa as a locally served zone per <xref target="RFC6303"/>.
In practice, this means that resolvers SHOULD <bcp14>SHOULD</bcp14> respond to queries of any type
other than SVCB for _dns.resolver.arpa with NODATA and queries of any
type for any domain name under resolver.arpa with NODATA.</t>
      <section anchor="dnr-interaction">
        <name>Interaction with Network-Designated Resolvers</name>
        <t>Discovery of network-designated resolvers (DNR,
        <t>DNR <xref target="I-D.ietf-add-dnr"/>) target="RFC9463"/> allows
a network to provide designation of resolvers directly through DHCP <xref target="RFC2132"/>
          <xref target="RFC8415"/> and through IPv6 Router Advertisement (RA) RA options <xref target="RFC4861"/> options. target="RFC4861"/>. When such
indications are present, clients can suppress queries for "resolver.arpa" to the
unencrypted DNS server indicated by the network over DHCP or RAs, and the DNR
indications SHOULD <bcp14>SHOULD</bcp14> take precedence over those discovered using "resolver.arpa"
for the same resolver if there is a conflict, since DNR is considered a more
reliable source.</t>
        <t>The designated resolver information in DNR might not contain a full set of
SvcParams needed to connect to an encrypted DNS resolver. In such a case, the client
can use an SVCB query using a resolver name, as described in <xref target="encrypted"/>, to the
Authentication Domain Name (ADN).</t>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>Since clients can receive DNS SVCB answers over unencrypted DNS, on-path
attackers can prevent successful discovery by dropping SVCB queries or answers, answers
and thus can prevent clients from switching to use using encrypted DNS.
Clients should be aware that it might not be possible to distinguish between
resolvers that do not have any Designated Resolver and such an active attack.
To limit the impact of discovery queries being dropped either maliciously or
unintentionally, clients can re-send their SVCB queries periodically.</t>
      <t><xref section="8.2" sectionFormat="of" target="I-D.ietf-add-svcb-dns"/> target="RFC9461"/> describes a second another type of downgrade attack
where an attacker can block connections to the encrypted DNS server. For DDR,
clients need to validate a Designated Resolver using a connection to the
server before trusting it, so attackers that can block these connections can
prevent clients from switching to using encrypted DNS.

<!-- [rfced] Section 7:  Should "trusting it, so" be "trusting it;
otherwise," or should "can prevent clients" perhaps be "cannot
prevent clients"?  The sentence as written seems to indicate that the
way should be paved for attackers to block the connections, when it
seems that the opposite should be true.

 For DDR, clients need to validate a Designated Resolver
 using a connection to the server before trusting it, so attackers
 that can block these connections can prevent clients from switching
 to use encrypted DNS.</t> DNS. -->

      <t>Encrypted DNS Resolvers that allow discovery using DNS SVCB answers over unencrypted
DNS MUST NOT <bcp14>MUST NOT</bcp14> provide differentiated behavior based solely on metadata in
the SVCB record, such as the HTTP path or alternate port number, which
are parameters that an attacker could modify. For example, if a
DoH resolver provides a filtering service for one URI path, path and
a non-filtered service for another URI path, an attacker could select
which of these services is used by modifying the "dohpath" parameter.
These attacks can be mitigated by providing separate resolver IP
addresses or hostnames.</t>
      <t>While the IP address of the Unencrypted DNS Resolver is often provisioned over
insecure mechanisms, it can also be provisioned securely, such as via manual
configuration, on a VPN, or on a network with protections like RA-Guard
<xref target="RFC6105"/>. An attacker might try to direct Encrypted DNS traffic to itself by
causing the client to think that a discovered Designated Resolver uses
a different IP address from the Unencrypted DNS Resolver. Such a Designated Resolver
might have a valid certificate, certificate but might be operated by an attacker that is trying to
observe or modify user queries without the knowledge of the client or network.</t>
      <t>If the IP address of a Designated Resolver differs from that of an
Unencrypted DNS Resolver, clients applying Verified Discovery (<xref target="verified"/>) MUST <bcp14>MUST</bcp14>
validate that the IP address of the Unencrypted DNS Resolver is covered by the
SubjectAlternativeName of the Designated Resolver's TLS certificate. If that
validation fails, the client MUST NOT <bcp14>MUST NOT</bcp14> automatically use the discovered Designated
      <t>Clients using Opportunistic Discovery (<xref target="opportunistic"/>) MUST <bcp14>MUST</bcp14> be limited to cases
where the Unencrypted DNS Resolver and Designated Resolver have the same IP address,
which SHOULD <bcp14>SHOULD</bcp14> be a private or local IP address.
Clients which that do not follow Opportunistic Discovery (<xref target="opportunistic"/>) and instead
try to connect without first checking for a designation run the possible risk of
being intercepted by an attacker hosting an Encrypted DNS Resolver on an IP address of
an Unencrypted DNS Resolver where the attacker has failed to gain control of the
Unencrypted DNS Resolver.</t>
      <t>The constraints on the use of Designated Resolvers specified here apply
specifically to the automatic discovery mechanisms defined in this document, which are
referred to as Verified Discovery and Opportunistic Discovery. Clients
<bcp14>MAY</bcp14> use some other mechanism to verify and use Designated Resolvers discovered
using the DNS SVCB record. However, the use of such an alternate mechanism needs
to take into account the attack scenarios detailed here.</t>
    <section anchor="iana">
      <name>IANA Considerations</name>
      <section anchor="special-use-domain-name-resolverarpa">
        <name>Special Use
        <name>Special-Use Domain Name "resolver.arpa"</name>
        <t>IANA has registered "resolver.arpa" in the "Special-Use
Domain Names" registry established by <xref target="RFC6761"/>.</t>

<!--[rfced] Section 8.1: Should 'resolver.arpa.' include the final period as
it appears in the IANA registry (see
https://www.iana.org/assignments/special-use-domain-names)?  We note
that the period does not appear in the "Transport-Independent
Locally-Served DNS Zone Registry" (see

Original (note the final period in the second paragraph):

8.1.  Special Use Domain Name "resolver.arpa"

   This document calls for the addition of "resolver.arpa" to the
   Special-Use Domain Names (SUDN) registry established by <xref target="RFC6761"/>.</t>
        <t>IANA [RFC6761].

   IANA is requested to add an entry in "Transport-Independent Locally-Served Locally-
   Served DNS Zones" registry for 'resolver.arpa.' with the description
   "DNS Resolver Special-Use Domain", listing this document as the

If the period should be present, please consider whether any other mentions of
'resolver.arpa' should be updated.  We note that the period is used
consistently in RFC 8375, which registers 'home.arpa.'

        <t>IANA has added an entry in the "Transport-Independent Locally-Served
DNS Zone Registry" for 'resolver.arpa.' with the description "DNS Resolver
Special-Use Domain" and listed this document as the reference.</t>
      <section anchor="domain-name-reservation-considerations">
        <name>Domain Name Reservation Considerations</name>
        <t>In accordance with <xref section="5" sectionFormat="of" target="RFC6761"/>, the answers to the following
questions are provided relative to this document:</t>
        <t>1) Are
      <ol spacing="normal" type="1">
      <li><t>Are human users expected to recognize these names as special and use them
differently? In what way?</t>
        <t>No. This name is used automatically by DNS stub resolvers running on client devices on behalf of users, and users will never see this name directly.</t>
        <t>2) Are directly.</t></li>
        <li><t>Are writers of application software expected to make their software
recognize these names as special and treat them differently? In what way?</t>
        <t>No. There is no use case where a non-DNS application (covered by the next
question) would need to use this name.</t>
        <t>3) Are name.</t></li>
        <li><t>Are writers of name resolution APIs and libraries expected to make their
software recognize these names as special and treat them differently? If so, how?</t>
        <t>Yes. DNS &nbsp;DNS client implementors are expected to use this name when querying for
a resolver's properties instead of records for the name itself. DNS servers
are expected to respond to queries for this name with their own properties
instead of checking the matching zone as it would for normal domain names.</t>
        <t>4) Are names.</t></li>
        <li><t>Are developers of caching domain name servers expected to make their
implementations recognize these names as special and treat them differently?
If so, how?</t>
        <t>Yes. Caching &nbsp;Caching domain name servers should not forward queries for this name name, to
avoid causing validation failures due to IP address mismatch.</t>
        <t>5) Are mismatch.</t></li>
        <li><t>Are developers of authoritative domain name servers expected to make their
implementations recognize these names as special and treat them differently?
If so, how?</t>
        <t>No. DDR is designed for use by recursive resolvers. Theoretically, an authoritative
server could choose to support this name if it wants to advertise support for
encrypted DNS protocols over plain-text plaintext DNS, but that scenario is covered
by other work in the IETF DNSOP working group.</t>
        <t>6) Does Working Group.</t></li>
        <li><t>Does this reserved Special-Use Domain Name have any potential impact on
DNS server operators? If they try to configure their authoritative DNS server
as authoritative for this reserved name, will compliant name server software
reject it as invalid? Do DNS server operators need to know about that and
understand why? Even if the name server software doesn't prevent them from
using this reserved name, are there other ways that it may not work as expected,
of which the DNS server operator should be aware?</t>
        <t>This name is locally served, and any resolver which that supports this name should
never forward the query. DNS server operators should be aware that records for
this name will be used by clients to modify the way they connect to their
        <t>7) How
        <li><t>How should DNS Registries/Registrars treat requests to register this reserved
domain name? Should such requests be denied? Should such requests be allowed,
but only to a specially-designated specially designated entity?</t>
        <t>IANA should hold holds the registration for this name. Non-IANA requests to register
this name should always be denied by DNS Registries/Registrars.</t>
        <name>Normative References</name>
        <reference anchor="RFC7858">
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu">
            <author fullname="L. Zhu" initials="L." surname="Zhu">
            <author fullname="J. Heidemann" initials="J." surname="Heidemann">
            <author fullname="A. Mankin" initials="A." surname="Mankin">
            <author fullname="D. Wessels" initials="D." surname="Wessels">
            <author fullname="P. Hoffman" initials="P." surname="Hoffman">
            <date month="May" year="2016"/>
              <t>This document describes the use of Transport Layer Security (TLS) Registries/Registrars.</t></li>

<!-- [rfced] Section 8.2:  We see that Questions 1 through 5 refer to provide privacy for DNS.  Encryption provided by TLS eliminates opportunities for eavesdropping
"these names" but Questions 6 and on-path tampering with DNS queries 7 refer to "name" in the network, such as discussed in RFC 7626.  In addition, singular
(e.g., "this reserved name", "this reserved domain name").  Although
we also see this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group.  It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        <reference anchor="RFC9250">
            <title>DNS over Dedicated QUIC Connections</title>
            <author fullname="C. Huitema" initials="C." surname="Huitema">
            <author fullname="S. Dickinson" initials="S." surname="Dickinson">
            <author fullname="A. Mankin" initials="A." surname="Mankin">
            <date month="May" year="2022"/>
              <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties switch to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified singular in RFC 7858, Questions 6 and latency characteristics similar to classic DNS over UDP. This specification describes the use 7 in
Section 5 of DoQ as a general-purpose transport for DNS and includes RFC 6761, we suggest using the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
          <seriesInfo name="RFC" value="9250"/>
          <seriesInfo name="DOI" value="10.17487/RFC9250"/>
        <reference anchor="RFC8484">
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman">
            <author fullname="P. McManus" initials="P." surname="McManus">
            <date month="October" year="2018"/>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS.  Each DNS query-response pair is mapped into an HTTP exchange.</t>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        <reference anchor="RFC6761">
            <title>Special-Use Domain Names</title>
            <author fullname="S. Cheshire" initials="S." surname="Cheshire">
            <author fullname="M. Krochmal" initials="M." surname="Krochmal">
            <date month="February" year="2013"/>
              <t>This document describes what it means to say that a Domain Name (DNS name) is reserved for special use, when reserving such plural "names" in all
questions.  Please let us know your preference. -->

<!--[rfced] Section 8: Should a name is appropriate, and the procedure for doing so.  It establishes an subsection be added as follows
regarding IANA's Action 3?

8.3.  .ARPA Zone Management

   IANA registry for such domain names, and seeds it with entries for some of has added the already established special domain names.</t>
          <seriesInfo name="RFC" value="6761"/>
          <seriesInfo name="DOI" value="10.17487/RFC6761"/>
        <reference anchor="RFC2119">
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner">
            <date month="March" year="1997"/>
              <t>In many standards track documents several words are used following entry to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        <reference anchor="RFC8174">
            <title>Ambiguity ".ARPA Zone Management" list.

   For discovery of Uppercase vs Lowercase in designated DNS resolvers
   RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba">
            <date month="May" year="2017"/>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims 9462

For background, mail from IANA (2 Sep 2022):


The following entry has been added to reduce the ambiguity by clarifying that only UPPERCASE usage IANA's .ARPA Zone Management list:

resolver.arpa For discovery of the key words have the  defined special meanings.</t>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference> designated DNS resolvers

Please see


<displayreference target="I-D.schinazi-httpbis-doh-preference-hints" to="DoH-HINTS"/>
<displayreference target="I-D.ietf-tls-esni" to="ECH"/>

        <name>Normative References</name>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9250.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6761.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>

<!-- draft-ietf-dnsop-svcb-https (RFC 9460) -->
<reference anchor="I-D.ietf-dnsop-svcb-https"> anchor='RFC9460' target='https://www.rfc-editor.org/info/rfc9460'>
<title>Service binding Binding and parameter specification Parameter Specification via the DNS (DNS SVCB and HTTPS RRs)</title>
            <author fullname="Ben Schwartz">
            <author fullname="Mike Bishop">
              <organization>Akamai Technologies</organization>
            <author fullname="Erik Nygren">
              <organization>Akamai Technologies</organization> Resource Records (RRs))</title>
<author initials='B' surname='Schwartz' fullname='Benjamin Schwartz'>
<organization />
<author initials='M' surname='Bishop' fullname='Mike Bishop'>
<organization />
<author initials='E' surname='Nygren' fullname='Erik Nygren'>
<organization />
<date day="24" month="May" year="2022"/>
              <t>   This document specifies the "SVCB" and "HTTPS" DNS resource record
   (RR) types to facilitate the lookup of information needed to make
   connections to network services, such as for HTTP origins.  SVCB
   records allow a service to be provided from multiple alternative
   endpoints, each with associated parameters (such as transport
   protocol configuration and keys for encrypting the TLS ClientHello).
   They also enable aliasing of apex domains, which is not possible with
   CNAME.  The HTTPS RR is a variation of SVCB for use with HTTP [HTTP].
   By providing more information to the client before it attempts to
   establish a connection, these records offer potential benefits to
   both performance and privacy.

   TO BE REMOVED: This document is being collaborated on in Github at:
   (https://github.com/MikeBishop/dns-alt-svc).  The most recent working
   version of the document, open issues, etc. should all be available
   there.  The authors (gratefully) accept pull requests.

            </abstract> month="September" year="2023"/>
<seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-svcb-https-10"/> name="RFC" value="9460"/>
<seriesInfo name="DOI" value="10.17487/RFC9460"/>

<!-- draft-ietf-add-svcb-dns (RFC 9461) -->
<reference anchor="I-D.ietf-add-svcb-dns"> anchor='RFC9461' target='https://www.rfc-editor.org/info/rfc9461'>
<title>Service Binding Mapping for DNS Servers</title>
<author initials="B." surname="Schwartz" fullname="Benjamin Schwartz">
              <organization>Google LLC</organization>
            <date day="5" month="July" year="2022"/>
              <t>   The SVCB DNS resource record type expresses a bound collection of
   endpoint metadata, for use when establishing a connection to a named
   service.  DNS itself can be such a service, when the server is
   identified by a domain name.  This document provides the SVCB mapping
   for named DNS servers, allowing them to indicate support for
   encrypted transport protocols.

          <seriesInfo name="Internet-Draft" value="draft-ietf-add-svcb-dns-06"/>
        <reference anchor="RFC5280">
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper">
            <author fullname="S. Santesson" initials="S." surname="Santesson">
            <author fullname="S. Farrell" initials="S." surname="Farrell">
            <author fullname="S. Boeyen" initials="S." surname="Boeyen">
            <author fullname="R. Housley" initials="R." surname="Housley">
            <author fullname="W. Polk" initials="W." surname="Polk">
            <date month="May" year="2008"/>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet.  An overview of this approach and model is provided as an introduction.  The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.  Standard certificate extensions are described and two Internet-specific extensions are defined.  A set of required certificate extensions is specified.  The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions.  An algorithm for X.509 certification path validation is described.  An ASN.1 module and examples are provided in the appendices.  [STANDARDS-TRACK]</t>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        <reference anchor="RFC1918">
            <title>Address Allocation for Private Internets</title>
            <author fullname="Y. Rekhter" initials="Y." surname="Rekhter">
            <author fullname="B. Moskowitz" initials="B." surname="Moskowitz">
            <author fullname="D. Karrenberg" initials="D." surname="Karrenberg">
            <author fullname="G. J. de Groot" initials="G. J." surname="de Groot">
            <author fullname="E. Lear" initials="E." surname="Lear">
<date month="February" year="1996"/>
              <t>This document describes address allocation for private internets.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          <seriesInfo name="BCP" value="5"/>
          <seriesInfo name="RFC" value="1918"/>
          <seriesInfo name="DOI" value="10.17487/RFC1918"/>
        <reference anchor="RFC4193">
            <title>Unique Local IPv6 Unicast Addresses</title>
            <author fullname="R. Hinden" initials="R." surname="Hinden">
            <author fullname="B. Haberman" initials="B." surname="Haberman">
            <date month="October" year="2005"/>
              <t>This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet.  [STANDARDS-TRACK]</t>
          <seriesInfo name="RFC" value="4193"/>
          <seriesInfo name="DOI" value="10.17487/RFC4193"/>
        <reference anchor="RFC3927">
            <title>Dynamic Configuration of IPv4 Link-Local Addresses</title>
            <author fullname="S. Cheshire" initials="S." surname="Cheshire">
            <author fullname="B. Aboba" initials="B." surname="Aboba">
            <author fullname="E. Guttman" initials="E." surname="Guttman">
            <date month="May" year="2005"/>
              <t>To participate in wide-area IP networking, a host needs to be configured with IP addresses for its interfaces, either manually by the user or automatically from a source on the network such as a Dynamic Host Configuration Protocol (DHCP) server.  Unfortunately, such address configuration information may not always be available. It is therefore beneficial for a host to be able to depend on a useful subset of IP networking functions even when no address configuration is available.  This document describes how a host may automatically configure an interface with an IPv4 address within the 169.254/16 prefix that is valid for communication with other devices connected to the same physical (or logical) link.</t>
              <t>IPv4 Link-Local addresses are not suitable for communication with devices not directly connected to the same physical (or logical) link, and are only used where stable, routable addresses are not available (such as on ad hoc or isolated networks).  This document does not recommend that IPv4 Link-Local addresses and routable addresses be configured simultaneously on the same interface.  [STANDARDS-TRACK]</t>
          <seriesInfo name="RFC" value="3927"/>
          <seriesInfo name="DOI" value="10.17487/RFC3927"/>
        <reference anchor="RFC4291">
            <title>IP Version 6 Addressing Architecture</title>
            <author fullname="R. Hinden" initials="R." surname="Hinden">
            <author fullname="S. Deering" initials="S." surname="Deering">
            <date month="February" year="2006"/>
              <t>This specification defines the addressing architecture of the IP Version 6 (IPv6) protocol.  The document includes the IPv6 addressing model, text representations of IPv6 addresses, definition of IPv6 unicast addresses, anycast addresses, and multicast addresses, and an IPv6 node's required addresses.</t>
              <t>This document obsoletes RFC 3513, "IP Version 6 Addressing Architecture".   [STANDARDS-TRACK]</t>
            </abstract> month="September" year="2023"/>
<seriesInfo name="RFC" value="4291"/> value="9461"/>
<seriesInfo name="DOI" value="10.17487/RFC4291"/> value="10.17487/RFC9461"/>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1918.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4193.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3927.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml"/>

<!-- draft-ietf-add-dnr (RFC 9463) -->
<reference anchor="I-D.ietf-add-dnr"> anchor='RFC9463' target='https://www.rfc-editor.org/info/rfc9463'>
DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)</title> (DNR)
<author initials="M." surname="Boucadair" fullname="Mohamed Boucadair">
              <organization>Orange</organization> Boucadair" role="editor">
<author initials="T." surname="Reddy.K" fullname="Tirumaleswar Reddy">
              <organization>Akamai</organization> Reddy.K" role="editor">
<author initials="D." surname="Wing" fullname="Dan Wing">
              <organization>Citrix Systems, Inc.</organization>
<author initials="N." surname="Cook" fullname="Neil Cook">
<author initials="T." surname="Jensen" fullname="Tommy Jensen">
<date day="24" month="July" year="2022"/>
              <t>   The document specifies new DHCP and IPv6 Router Advertisement options
   to discover encrypted DNS resolvers (e.g., DNS-over-HTTPS, DNS-over-
   TLS, DNS-over-QUIC).  Particularly, it allows a host to learn an
   authentication domain name together with a list of IP addresses and a
   set of service parameters to reach such encrypted DNS resolvers.

          <seriesInfo name="Internet-Draft" value="draft-ietf-add-dnr-12"/>
        <reference anchor="RFC6303">
            <title>Locally Served DNS Zones</title>
            <author fullname="M. Andrews" initials="M." surname="Andrews">
            <date month="July" year="2011"/>
              <t>Experience with the Domain Name System (DNS) has shown that there are a number of DNS zones that all iterative resolvers and recursive nameservers should automatically serve, unless configured otherwise. RFC 4193 specifies that this should occur for D.F.IP6.ARPA.  This document extends the practice to cover the IN-ADDR.ARPA zones for RFC 1918 address space and other well-known zones with similar characteristics.  This memo documents an Internet Best Current Practice.</t>
            </abstract> month="September" year="2023"/>
<seriesInfo name="BCP" value="163"/>
          <seriesInfo name="RFC" value="6303"/> value="9463"/>
<seriesInfo name="DOI" value="10.17487/RFC6303"/> value="10.17487/RFC9463"/>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6303.xml"/>

        <name>Informative References</name>
        <reference anchor="RFC2132">
            <title>DHCP Options and BOOTP Vendor Extensions</title>
            <author fullname="S. Alexander" initials="S." surname="Alexander">
            <author fullname="R. Droms" initials="R." surname="Droms">
            <date month="March" year="1997"/>
              <t>This document specifies the current set of DHCP options.  Future options will be specified in separate RFCs.  The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK]</t>
          <seriesInfo name="RFC" value="2132"/>
          <seriesInfo name="DOI" value="10.17487/RFC2132"/>
        <reference anchor="RFC8415">
            <title>Dynamic Host Configuration Protocol for IPv6 (DHCPv6)</title>
            <author fullname="T. Mrugalski" initials="T." surname="Mrugalski">
            <author fullname="M. Siodelski" initials="M." surname="Siodelski">
            <author fullname="B. Volz" initials="B." surname="Volz">
            <author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko">
            <author fullname="M. Richardson" initials="M." surname="Richardson">
            <author fullname="S. Jiang" initials="S." surname="Jiang">
            <author fullname="T. Lemon" initials="T." surname="Lemon">
            <author fullname="T. Winters" initials="T." surname="Winters">
            <date month="November" year="2018"/>
              <t>This document describes the Dynamic Host Configuration Protocol for IPv6 (DHCPv6): an extensible mechanism for configuring nodes with network configuration parameters, IP addresses, and prefixes. Parameters can be provided statelessly, or in combination with stateful assignment of one or more IPv6 addresses and/or IPv6 prefixes.  DHCPv6 can operate either in place of or in addition to stateless address autoconfiguration (SLAAC).</t>
              <t>This document updates the text from RFC 3315 (the original DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a client should wait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay agent handling of unknown messages (RFC 7283).  In addition, this document clarifies the interactions between models of operation (RFC 7550).  As such, this document obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550.</t>
          <seriesInfo name="RFC" value="8415"/>
          <seriesInfo name="DOI" value="10.17487/RFC8415"/>
        <reference anchor="RFC8106">
            <title>IPv6 Router Advertisement Options for DNS Configuration</title>
            <author fullname="J. Jeong" initials="J." surname="Jeong">
            <author fullname="S. Park" initials="S." surname="Park">
            <author fullname="L. Beloeil" initials="L." surname="Beloeil">
            <author fullname="S. Madanapalli" initials="S." surname="Madanapalli">
            <date month="March" year="2017"/>
              <t>This document specifies IPv6 Router Advertisement (RA) options (called "DNS RA options") to allow IPv6 routers to advertise a list of DNS Recursive Server Addresses and a DNS Search List to IPv6 hosts.</t>
              <t>This document, which obsoletes RFC 6106, defines a higher default value of the lifetime of the DNS RA options to reduce the likelihood of expiry of the options on links with a relatively high rate of packet loss.</t>
          <seriesInfo name="RFC" value="8106"/>
          <seriesInfo name="DOI" value="10.17487/RFC8106"/>
        <reference anchor="RFC8446">
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla">
            <date month="August" year="2018"/>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol.  TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961.  This document also specifies new requirements for TLS 1.2 implementations.</t>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        <reference anchor="RFC4861">
            <title>Neighbor Discovery for IP version 6 (IPv6)</title>
            <author fullname="T. Narten" initials="T." surname="Narten">
            <author fullname="E. Nordmark" initials="E." surname="Nordmark">
            <author fullname="W. Simpson" initials="W." surname="Simpson">
            <author fullname="H. Soliman" initials="H." surname="Soliman">
            <date month="September" year="2007"/>
              <t>This document specifies the Neighbor Discovery protocol for IP Version 6.  IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.  [STANDARDS-TRACK]</t>
          <seriesInfo name="RFC" value="4861"/>
          <seriesInfo name="DOI" value="10.17487/RFC4861"/>
        <reference anchor="RFC6105">
            <title>IPv6 Router Advertisement Guard</title>
            <author fullname="E. Levy-Abegnoli" initials="E." surname="Levy-Abegnoli">
            <author fullname="G. Van de Velde" initials="G." surname="Van de Velde">
            <author fullname="C. Popoviciu" initials="C." surname="Popoviciu">
            <author fullname="J. Mohacsi" initials="J." surname="Mohacsi">
            <date month="February" year="2011"/>
              <t>Routed protocols are often susceptible to spoof attacks.  The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy.  This document proposes a light-weight alternative and complement to SEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status.  This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
          <seriesInfo name="RFC" value="6105"/>
          <seriesInfo name="DOI" value="10.17487/RFC6105"/>
        <reference anchor="RFC8880">
            <title>Special Use Domain Name 'ipv4only.arpa'</title>
            <author fullname="S. Cheshire" initials="S." surname="Cheshire">
            <author fullname="D. Schinazi" initials="D." surname="Schinazi">
            <date month="August" year="2020"/>
              <t>NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) allows client devices using IPv6 to communicate with servers that have only IPv4 connectivity.</t>
              <t>The specification for how a client discovers its local network's NAT64 prefix (RFC 7050) defines the special name 'ipv4only.arpa' for this purpose. However, in its Domain Name Reservation Considerations section (Section 8.1), that specification (RFC 7050) indicates that the name actually has no particularly special properties that would require special handling.</t>
              <t>Consequently, despite the well-articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names registry as a name with special properties.</t>
              <t>This document updates RFC 7050. It describes the special treatment required and formally declares the special properties of the name. It also adds similar declarations for the corresponding reverse mapping names.</t>
          <seriesInfo name="RFC" value="8880"/>
          <seriesInfo name="DOI" value="10.17487/RFC8880"/>
        <reference anchor="I-D.schinazi-httpbis-doh-preference-hints">
            <title>DoH Preference Hints for HTTP</title>
            <author fullname="David Schinazi">
              <organization>Google LLC</organization>
            <author fullname="Nick Sullivan">
            <author fullname="Jesse Kipp">
            <date day="13" month="July" year="2020"/>
              <t>   When using a publicly available DNS-over-HTTPS (DoH) server, some
   clients may suffer poor performance when the authoritative DNS server
   is located far from the DoH server.  For example, a publicly
   available DoH server provided by a Content Delivery Network (CDN)
   should be able to resolve names hosted by that CDN with good
   performance but might take longer to resolve names provided by other
   CDNs, or might provide suboptimal results if that CDN is using DNS-
   based load balancing and returns different address records depending
   or where the DNS query originated from.  This document attempts to
   lessen these issues by allowing the web server to indicate to the
   client which DoH server can best resolve its addresses.  This
   document defines an HTTP header field that enables web host operators
   to inform user agents of the preferred DoH servers to use for
   subsequent DNS lookups for the host's domain.

   Discussion of this work is encouraged to happen on the ADD IETF
   mailing list add@ietf.org or on the GitHub repository which contains
   the draft: https://github.com/DavidSchinazi/draft-httpbis-doh-

          <seriesInfo name="Internet-Draft" value="draft-schinazi-httpbis-doh-preference-hints-02"/>
        <reference anchor="I-D.ietf-tls-esni">
            <title>TLS Encrypted Client Hello</title>
            <author fullname="Eric Rescorla">
              <organization>RTFM, Inc.</organization>
            <author fullname="Kazuho Oku">
            <author fullname="Nick Sullivan">
            <author fullname="Christopher A. Wood">
            <date day="13" month="February" year="2022"/>
              <t>   This document describes a mechanism in Transport Layer Security (TLS)
   for encrypting a ClientHello message under a server public key.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at

          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-esni-14"/>

<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2132.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8415.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8106.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4861.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6105.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8880.xml"/>

<!-- draft-schinazi-httpbis-doh-preference-hints (Expired) -->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.schinazi-httpbis-doh-preference-hints.xml"/>

<!-- draft-ietf-tls-esni (I-D Exists) -->

    <section anchor="rationale-for-using-a-special-use-domain-name">
      <name>Rationale for using Using a Special Use Special-Use Domain Name</name>
      <t>The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the querying
client is not interested in an answer from the authoritative "arpa" name
servers. The intent of the SUDN is to allow clients to communicate with the
Unencrypted DNS Resolver much like "ipv4only.arpa" allows for client-to-middlebox
communication. For more context, see <xref target="RFC8880"/> for the rationale behind "ipv4only.arpa" in
<xref target="RFC8880"/>.</t> "ipv4only.arpa".</t>
    <section anchor="rationale">
      <name>Rationale for using Using SVCB records</name> Records</name>
      <t>This mechanism uses SVCB/HTTPS resource records <xref target="I-D.ietf-dnsop-svcb-https"/> target="RFC9460"/>
to communicate that a given domain designates a particular Designated
Resolver for clients to use in place of an Unencrypted DNS Resolver (using a SUDN)
or another Encrypted DNS Resolver (using its domain name).</t>
      <t>There are various other proposals for how to provide similar functionality.
There are several reasons that this mechanism has chosen SVCB records:</t>
      <ul spacing="normal">
        <li>Discovering encrypted DNS resolvers using DNS records keeps client logic for DNS
self-contained and allows a DNS resolver operator to define which resolver names
and IP addresses are related to one another.</li>
        <li>Using DNS records also does not rely on bootstrapping with higher-level
application operations (such as those discussed in <xref target="I-D.schinazi-httpbis-doh-preference-hints"/>).</li>
        <li>SVCB records are extensible and allow the definition of parameter keys. This makes keys, making them a superior mechanism for extensibility as compared to approaches such as
overloading TXT records. The same keys can be used for discovering Designated
Resolvers of different transport types as well as those advertised by
Unencrypted DNS Resolvers or another Encrypted DNS Resolver.</li>
        <li>Clients and servers that are interested in privacy of names will already need
to support SVCB records in order to use Encrypted the TLS Client Hello Encrypted ClientHello
<xref target="I-D.ietf-tls-esni"/>. Without encrypting names in TLS, the value of encrypting
DNS is reduced, so pairing the solutions provides the largest greatest benefit.</li>

<!-- ##markdown-source:
xSuUSv9rCg6JsCEbTC0BWJ5qMS9WA7N1M/W/3jHnMvN7AAA= [rfced] Please review the "Inclusive Language" portion of the
online Style Guide at
and let us know if any changes are needed.

Note that our script did not flag any words in particular, but this
should still be reviewed as a best practice. -->

<!-- [rfced] The following terms appear to be used inconsistently in
this document.  Please let us know which form is preferred.

 designated resolver(s) / Designated Resolver(s)

 _dns.resolver.arpa / "_dns.resolver.arpa" / _dns.resolver.arpa.

 resolver.arpa / "resolver.arpa"

 encrypted DNS / Encrypted DNS (used more generally, i.e., other
   than resolvers)