Service Binding Mapping for DNS Servers

Service Binding Mapping for DNS Servers Meta Platforms, Inc.

ietf@bemasc.net

int add DoH DoT DoQ DDR DNR The SVCB DNS resource record type expresses a bound collection of endpoint metadata, for use when establishing a connection to a named service. DNS itself can be such a service, when the server is identified by a domain name. This document provides the SVCB mapping for named DNS servers, allowing them to indicate support for encrypted transport protocols.

Introduction The SVCB resource record (RR) type provides clients with information about how to reach alternative endpoints for a service. These endpoints may offer improved performance or privacy properties. The service is identified by a "scheme" indicating the service type, a hostname, and, optionally, other information such as a port number. A DNS server is often identified only by its IP address (e.g., in DHCP), but in some contexts it can also be identified by a hostname (e.g., "NS" records, manual resolver configuration) and sometimes also a non-default port number. The use of the SVCB RR type requires a mapping document for each service type (), indicating how a client for that service can interpret the contents of the SVCB SvcParams. This document provides the mapping for the "dns" service type, allowing DNS servers to offer alternative endpoints and transports, including encrypted transports like DNS over TLS (DoT) , DNS over HTTPS (DoH) , and DNS over QUIC (DoQ) . The SVCB mapping described in this document is intended as a general-purpose baseline. Subsequent specifications will adapt this mechanism as needed to support specific configurations (e.g., for communication between stub resolvers and recursive resolvers).

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Identities and Names SVCB record names (i.e., QNAMEs) for DNS services are formed using Port Prefix Naming (), with a scheme of "dns". For example, SVCB records for a DNS service identified as dns1.example.com would be queried at _dns.dns1.example.com. In some use cases, the name used for retrieving these DNS records is different from the server identity used to authenticate the secure transport. To distinguish between these, this document uses the following terms:

Binding authority:: The service name () and optional port number used as input to Port Prefix Naming.
Authentication name:: The name used for secure transport authentication. This MUST be a DNS hostname or a literal IP address. Unless otherwise specified, this is the service name from the binding authority.

Special Case: Non-default Ports Normally, a DNS service is identified by an IP address or a domain name. When connecting to the service using unencrypted DNS over UDP or TCP, clients use the default port number for DNS (53). However, in rare cases, a DNS service might be identified by both a name and a port number. For example, the DNS URI scheme optionally includes an authority, comprised of a host and a port number (with a default of 53). DNS URIs normally omit the authority or specify an IP address, but a hostname and non-default port number are allowed. When the binding authority specifies a non-default port number, Port Prefix Naming places the port number in an additional prefix on the name. For example, if the binding authority is "dns1.example.com:9953", the client would query for SVCB records at _9953._dns.dns1.example.com. If two DNS services operating on different port numbers provide different behaviors, this arrangement allows them to preserve the distinction when specifying alternative endpoints.

Applicable Existing SvcParamKeys

"alpn" This key indicates the set of supported protocols (). There is no default protocol, so the "no-default-alpn" key does not apply. If the "alpn" SvcParamKey is absent, the client MUST treat the SVCB record as "incompatible" (as defined in ) unless some other recognized SvcParam indicates a supported protocol. If the protocol set contains any HTTP versions (e.g., "h2", "h3"), then the record indicates support for DoH and the "dohpath" key MUST be present (). All keys specified for use with the HTTPS record are also permissible and apply to the resulting HTTP connection. If the protocol set contains protocols with different default ports and no "port" key is specified, then protocols are contacted separately on their default ports. Note that in this configuration, Application-Layer Protocol Negotiation (ALPN) negotiation does not defend against cross-protocol downgrade attacks.

"port" This key is used to indicate the target port for connection (). If omitted, the client SHALL use the default port number for each transport protocol (853 for DoT and DoQ, 443 for DoH). This key is automatically mandatory for this binding. This means that a client that does not respect the "port" key MUST ignore any SVCB record that contains this key. (See for the definition of "automatically mandatory".) Support for the "port" key can be unsafe if the client has implicit elevated access to some network service (e.g., a local service that is inaccessible to remote parties) and that service uses a TCP-based protocol other than TLS. A hostile DNS server might be able to manipulate this service by causing the client to send a specially crafted TLS Server Name Indication (SNI) or session ticket that can be misparsed as a command or exploit. To avoid such attacks, clients SHOULD NOT support the "port" key unless one of the following conditions applies:

The client is being used with a DNS server that it trusts not to attempt this attack.
The client is being used in a context where implicit elevated access cannot apply.
The client restricts the set of allowed TCP port values to exclude any ports where a confusion attack is likely to be possible (e.g., the "bad ports" list from Section "Port blocking" of ).

Other Applicable SvcParamKeys These SvcParamKeys from apply to the "dns" scheme without modification:

mandatory
ipv4hint
ipv6hint

Future SvcParamKeys might also be applicable.

New SvcParamKey: "dohpath" "dohpath" is a single-valued SvcParamKey whose value (in both presentation format and wire format) MUST be a URI Template in relative form () encoded in UTF-8 . If the "alpn" SvcParam indicates support for HTTP, "dohpath" MUST be present. The URI Template MUST contain a "dns" variable, and MUST be chosen such that the result after DoH URI Template expansion () is always a valid and functional ":path" value (). When using this SVCB record, the client MUST send any DoH requests to the HTTP origin identified by the "https" scheme, the authentication name, and the port from the "port" SvcParam (if present). HTTP requests MUST be directed to the resource resulting from DoH URI Template expansion of the "dohpath" value. Clients SHOULD NOT query for any HTTPS RRs when using "dohpath". Instead, the SvcParams and address records associated with this SVCB record SHOULD be used for the HTTPS connection, with the same semantics as an HTTPS RR. However, for consistency, service operators SHOULD publish an equivalent HTTPS RR, especially if clients might learn about this DoH service through a different channel.

Limitations This document is concerned exclusively with the DNS transport and does not affect or inform the construction or interpretation of DNS messages. For example, nothing in this document indicates whether the service is intended for use as a recursive or authoritative DNS server. Clients need to know the intended use of services based on their context. Not all features of this specification will be applicable or effective in all contexts:

If the authentication name is received over an insecure channel (e.g., a glue NS record), this specification cannot prevent the client from connecting to an attacker.
Different transports might prove to be popular for different purposes (e.g., querying a recursive resolver vs. an authoritative server). Implementors are not obligated to implement all the defined transports, although doing so is beneficial for compatibility.
Where resolution speed is a high priority, the SVCB TargetName SHOULD follow the convention described in , and the use of AliasMode records () is NOT RECOMMENDED.

Examples

A resolver known as simple.example that supports DNS over TLS on port 853 (implicitly, as this is its default port):
A DoH-only resolver at https://doh.example/dns-query{?dns}. (DNS over TLS is not supported.):
A resolver known as resolver.example that supports:
- DoT on resolver.example ports 853 (implicit in record 1) and 8530 (explicit in record 2), with "resolver.example" as the Authentication Domain Name,
- DoQ on resolver.example port 853 (record 1),
- DoH at https://resolver.example/q{?dns} (record 1), and
- an experimental protocol on fooexp.resolver.example:5353 (record 3):
A name server named ns.example. whose service configuration is published on a different domain:

Security Considerations

Adversary on the Query Path This section considers an adversary who can add or remove responses to the SVCB query. During secure transport establishment, clients MUST authenticate the server to its authentication name, which is not influenced by the SVCB record contents. Accordingly, this document does not mandate the use of DNSSEC. This document also does not specify how clients authenticate the name (e.g., selection of roots of trust), as this procedure might vary according to the context.

Downgrade Attacks This attacker cannot impersonate the secure endpoint, but it can forge a response indicating that the requested SVCB records do not exist. For a SVCB-reliant client (), this only results in a denial of service. However, SVCB-optional clients will generally fall back to insecure DNS in this case, exposing all DNS traffic to attacks.

Redirection Attacks SVCB-reliant clients always enforce the Authentication Domain Name, but they are still subject to attacks using the transport, port number, and "dohpath" value, which are controlled by this adversary. By changing these values in the SVCB answers, the adversary can direct DNS queries for $HOSTNAME to any port on $HOSTNAME and any path on "https://$HOSTNAME". If the DNS client uses shared TLS or HTTP state, the client could be correctly authenticated (e.g., using a TLS client certificate or HTTP cookie). This behavior creates a number of possible attacks for certain server configurations. For example, if https://$HOSTNAME/upload accepts any POST request as a public file upload, the adversary could forge a SVCB record containing dohpath=/upload{?dns}. This would cause the client to upload and publish every query, resulting in unexpected storage costs for the server and privacy loss for the client. Similarly, if two DoH endpoints are available on the same origin and the service has designated one of them for use with this specification, this adversary can cause clients to use the other endpoint instead. To mitigate redirection attacks, a client of this SVCB mapping MUST NOT identify or authenticate itself when performing DNS queries, except to servers that it specifically knows are not vulnerable to such attacks. If an endpoint sends an invalid response to a DNS query, the client SHOULD NOT send more queries to that endpoint and MAY log this error. Multiple DNS services MUST NOT share a hostname identifier () unless they are so similar that it is safe to allow an attacker to choose which one is used.

Adversary on the Transport Path This section considers an adversary who can modify network traffic between the client and the alternative service (identified by the TargetName). For a SVCB-reliant client, this adversary can only cause a denial of service. However, because DNS is unencrypted by default, this adversary can execute a downgrade attack against SVCB-optional clients. Accordingly, when the use of this specification is optional, clients SHOULD switch to SVCB-reliant behavior if SVCB resolution succeeds. Specifications making use of this mapping MAY adjust this fallback behavior to suit their requirements.

IANA Considerations Per , IANA has added the following entry to the "Service Parameter Keys (SvcParamKeys)" registry.

Number	Name	Meaning	Format Reference	Change Controller	Reference
7	dohpath	DNS-over-HTTPS path template	RFC 9461	IETF	RFC 9461

Per , IANA has added the following entry to the DNS "Underscored and Globally Scoped DNS Node Names" registry:

RR Type	_NODE NAME	Reference
SVCB	_dns	RFC 9461

References Normative References Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records) Informative References Fetch Living Standard WHATWG

Mapping Summary This table serves as a non-normative summary of the DNS mapping for SVCB.

Mapped scheme	"dns"
RR type	SVCB (64)
Name prefix	`_dns` for port 53, else `_$PORT._dns`
Required keys	`alpn` or equivalent
Automatically mandatory keys	`port`
Special behaviors	Supports all HTTPS RR SvcParamKeys
	Overrides the HTTPS RR for DoH
	Default port is per-transport
	Cleartext fallback is discouraged

Acknowledgments Thanks to the many reviewers and contributors, including , , , , , , , and .