IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

Tommy Jensen <Jensen.Thomas@microsoft.com> Fri, 13 October 2023 16:53 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 775C8C14F693 for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 09:53:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.996
X-Spam-Level:
X-Spam-Status: No, score=-6.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id msBIstluxsmM for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 09:53:41 -0700 (PDT)
Received: from DM5PR00CU002.outbound.protection.outlook.com (mail-centralusazon11021020.outbound.protection.outlook.com [52.101.62.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A5F8C14F749 for <add@ietf.org>; Fri, 13 Oct 2023 09:53:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NcDE9/PKOLcje8075hLwRvuhiVXlphOVUyN7hPP4AxDbbl8YkjYa97z5Q21krfWS5zeBCeVmLHF1mupv2PfZfFHuL70vFCT33j3y6WSPfO1JHqflSFrgy7e/JAY4/spR83BZ5GMzATxIwRnQsW2r6ZB6d0QjTIyTAxNZNeH49ExCI9OXc7d0h8EvIk1/SATZUr+8CCW3XYrs3jU/+JbsyzrCk8IamOLmqYnSdn18aDWEp77TxVNkh0GsL2sw7UXG+kh3WKgTbFvzvtnWLpvztoKmX9l3439FDj2kAGnpwcEYg3Mvfr8tAzqzr585HdUZdX3Rxs5gtdVPlnWBTPSRBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r7UFJGPHecBR2P+CIaj23JXIsa+TefQkKXWSVy3B+pc=; b=dNAWvcxHhR2Eu9BnUoXone8j+SDSJvJKKN8robFw9O9r0YZ0zmGyNZu9yMtgav02FjrsDjOIAQWkK6mj4iiFldJe4iWbVmgRbCOt9+r1uVsI+GUmnTBr6z4MQwX5Ys9t5fZTPVZi+EZx7OraSXk4sANF8+VkEtr4QFYs4Ph1rM3nZybVRMrH+d1Tq9bgKOUmN0vVg0JZGgWm9wuXJkxs6BFNYSZx5xp4jgAxO6SRIwwGhVG35O8LG4UmdeByCjFGfV8Ge+PwdNlLOnXpInRraCzOSJMHu7nPpvobfsb5iyySpwvYr+evyi+FBjNpk9p7SX8oyxaCSs94qBDuJsAh7w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r7UFJGPHecBR2P+CIaj23JXIsa+TefQkKXWSVy3B+pc=; b=O/sJUqJkEqZqeML9r7BcoK6zN72PmxzB+D2vekQwHBaQV5VqUB+2h4hSz2lk+NL9qxM0eQ+yXx9zyj4ZpgILeewUND2QGA8Pj9DLughOtwgZq3ofsuxht03thEZ4PVe6p6+CqICtD8PXbS792WHzaXxWwLpOnQn2Ugoybl006CA=
Received: from DM6PR00MB0767.namprd00.prod.outlook.com (2603:10b6:5:1bc::8) by CY4PEPF0000B275.namprd00.prod.outlook.com (2603:10b6:92f::c) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6856.0; Fri, 13 Oct 2023 16:53:36 +0000
Received: from DM6PR00MB0767.namprd00.prod.outlook.com ([fe80::df6f:c11f:152:7f17]) by DM6PR00MB0767.namprd00.prod.outlook.com ([fe80::df6f:c11f:152:7f17%4]) with mapi id 15.20.6936.000; Fri, 13 Oct 2023 16:53:36 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, tirumal reddy <kondtir@gmail.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
Thread-Index: AQHZ/e5QuzpDjjqS4kqMPkWheKzkZ7BH6PLA
Date: Fri, 13 Oct 2023 16:53:36 +0000
Message-ID: <DM6PR00MB07677636CDF58B2CD25F13C0FAD2A@DM6PR00MB0767.namprd00.prod.outlook.com>
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com> <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gcnL1Fmx5hbQEBJUzTVsoBf7CMOOUuHiV-8DRQOLrbY4A@mail.gmail.com> <BN8PR15MB32816A104B16005165DA5C75B3D2A@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB32816A104B16005165DA5C75B3D2A@BN8PR15MB3281.namprd15.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR00MB0767:EE_|CY4PEPF0000B275:EE_
x-ms-office365-filtering-correlation-id: 2bca2ad7-d126-46e9-58b9-08dbcc0cf149
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Ti6wzJFJ75fvlMRWeOPRd8cnOvanwnawR7WqUVATjcZGp6mxQ+HopTVHDWTaH1S8WwpChXKmE7wn3+jobC2OLxC6U5FyrB/R4grl+u+tdGdap9APN+g1ZeC43iDTX09cAN6/CjBWhM7DPTo9eocBInVGprZO9y0TPpIBmCyxSQ/zAWTUrfNihqVA8Bc+IxIXDSqyiDzoEZZMAwXippSw8tU6tWjC638k8stZtzLILm+UWUCvDiQgN9vPyXWIIsOU+ozp6P92zoDibPNtI2RwpdMc2kB48rLn6nBieQpSQOHg4JJUVyTgVk45DYOUMjQjf/iyaFdzq5BZOguiBi+C4TwHDG0qwOEB54PQI1yWoaQqPKd/CWDWUYMOo3+sVTYiUZrYxkDyBiupn08mbLpfnE1Q1jc+/eJ6mIdCVtAscb0BM9CO5xtgGllSO5FohGyTxLGM6hIovJAbVDF7n8dkwpBzy0EDFWanOLuNWazCAJXgrKnwf/GJ6bV+lA6W9TOak9CEgAD3CV753BuGyrB7B4P9CICxaUWnoI6wkIZ0uRF6PDaj4fRQyEHBqdpYEmTbr6/1xs4EO28pHy720RW9zZA6/YWws1WL0iJ80yzJ8fqdubrrCj0FQRaMTYG25GaPn90XlJqOx2+nX9gwJ22v1g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR00MB0767.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(136003)(376002)(346002)(366004)(396003)(230922051799003)(186009)(451199024)(64100799003)(1800799009)(66476007)(55016003)(83380400001)(71200400001)(8990500004)(66574015)(166002)(38100700002)(82950400001)(66446008)(76116006)(66556008)(82960400001)(66946007)(110136005)(64756008)(316002)(8936002)(6506007)(5660300002)(8676002)(52536014)(4326008)(41300700001)(53546011)(7696005)(9686003)(2906002)(478600001)(966005)(10290500003)(38070700005)(122000001)(33656002)(86362001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: rL1U8kcqxm+ISbsWsaIeZkmbxte5hUw6GcVktzs209YY8eITVu8GsQLxrceW26gaYD6GAZhdXHkdBCwI708r13kP7LWcglRXtpws6KgIYNTj4REJY+XwlMUbT33/mDI3hl6M7uaYLPWD4uo6yBJaqP2Ho9ZlP/s4OCS2tmohxG5iAL3d8Hdp2U8uhfUlQcdG5IiUimnkOGOXqJxC6CTUN2bJO6HsX8zElIpZwBbAtUoTppf5cmlsutFulNdTs0keHm3R0o0NwTDoOHW9zpi4fYyd3dnXhuihq+hJmtVZW7pfWF9MRyrQHFHsHOLI4KniKyFx5FUQwkCfPklvpYlVZ60KbQDu8wehJzuqFY56luuN09zwDJk5p+G/qy+G02chuI9FMDcAa5GLC6C2yKi8xfZnlRKntMiL3W4nYJCk7B5u4RGI/H7V73gnFrh9ZkzX0X4irbeNk8rsjxunwzYz3Zcb3O/qDkO9RzZk7esuRTfUjA4YoXFyCl1niumgY7yDriS0RotHp7/VGLe4wz4UQH+zVbk8U5tgNq6JrLbiDPfKVzHvnAORmL8jOaZDIeRdrSYGqMm5ZcRyZp1wVJBm42zmHUaLLvcXV7Y7l14ktyE7ADfhXUrKmgQanoOAPyhi+Zpvd1QdEhiMJqofcyAN3octLTa7a7BmiR+5WswGGCm1Du7uTxhfUgYbxNXMIPv9I0a4st5JihJWyGmxuNFmPxqwuYPC75X0VAj+KcqvF89k0Srk0PVGvXrXozHt9PeOttv0YzqGBYsTmuYWwp+U9jegR2uVGL/C0eFQBGtmw3+sCpFlX1WSxYYWXe2KD/ppbJFPIsEyBhOXukKzddEOcit/a/xeDbY6JRzlLgcwFTzoqHlqEl5eAoYP8qQOP17LpoCTKm8zY8/jaR48engspvjpRNsEHLtY3bOGBdOIDaSrnUzTB6b31vYVldVnLGBDdssU6Snd9cXHS51kjZc69rsoGxeZtdB1Uja0NJt0+EyIlHhk2UrZ4wobpIdZwU9cmnCUp6QVbPfLiXvaJwJW9t4DU+rJk4Ba+MsL/b00Gw7ahGHL8t03WdxmT/cWfB3fcKl2oH4FjFZsfv1GR13ajtr88OaMXJLcjgK9RdZdD0XIjTGUORm6cBgTOi0MYhx+qFpgExbZpJBfYSxs5VG5DfhvO4oky/nOiXk7iy7IDSLTc6eRx8CZIDYjHBVUK3mszSrpOOc6e+OLR5QgvAy4yjat+5DhQZ/cNeLJyErhg0EmH9cEh6ixfjyZ8OpUtSmNO6DXOeR8mYEpFNQ8U4lAOLN+2o1mtwS6n3yhOp3iqSzRmC4RYZdaBF3G6W7acT8rxYoreSG7G88tlglMCHHEoYblgiAwYZ/t1K0h52rQUOomC8fQIBwKpm6TZ7RW/G71/JZwiEzho6DqTebXmDLJHcybsY2AKa1Juku6yhVkh+gWgwCMa0CNOtwLJ69Rcoj16m74PetMMtxjDv000KPqX2n2IyxG7prz1FY4AdCnqq4jnl+adN0C8GJn3t8Ayz3ZR2dDjC8GbREWZK2wqVnFSdqZ9t62EAQVREFAmiyFsPltF6thVZ/5Lyts37LqEt5aqh8xEohaoTjzvjtq9b30tauapF8CzfPtg8mid0rWN57r2VwWZtW9Xn7lIT/3c7dY
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB07677636CDF58B2CD25F13C0FAD2ADM6PR00MB0767namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR00MB0767.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2bca2ad7-d126-46e9-58b9-08dbcc0cf149
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2023 16:53:36.2539 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: NcN4ZGSlnlLwZ6f/WG/ipwsR1NNBkc2iO7OMyDPdXZ0hhXrX4NruGonikjzYwaBMAc8w8MOhrDAdrbY31/L9VA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PEPF0000B275
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/OnhgKpgQ-j0sk5jK8Yo8eyJyaoQ>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 16:53:45 -0000

> Instead of asking "does this enable an attack", we have to ask "does this make the attacks worse in some scenario"?

Agreed. I still argue that the ability to poison an arbitrary record is not as bad as the ability to lie about the current resolver’s properties, which include an arbitrary URL, especially knowing that a DNSSEC-validating client can raise trust in the answer in the non-DDR case versus in the DDR case.

> In general, RESINFO claims are not verifiable by the client.

True, the claims themselves are not verifiable, as in the client cannot verify the resolver is in fact using QNAME minimalization, without some kind of ridiculously expensive, out of band, TEE powered relationship, but…

> The client simply has to trust that the server is telling the truth, which means it needs a particular kind of pre-existing trust relationship with that server operator

In the non-DDR case, the record will be for a name the client used to connect to the resolver over encrypted DNS. In this case, the record’s authenticity can be confirmed using DNSSEC to be as trustworthy as the original resolver choice configuration (detect upstream forgery). The same cannot be said of the DDR case, since resolver.arpa cannot be validly signed (no detection of forgery).

> I think the simplest solution is to note in the draft that clients MUST NOT rely on RESINFO unless they have an out-of-band agreement with the server operator to abide by its published RESINFO policy

No argument that this is the simplest solution. However, I believe the authors and those interested in adopting the draft may take issue with that, as it will reduce its useful deployment scale, but there’s no doubt it would address this concern. I would be interested to hear from other interested adopters to see what their target scenario is and if this is problematic. For the record, my first suggestion during shepherd review was to declare that clients MUST NOT rely on RESINFO when the resolver was discovered using DDR, and the sig solution was proposed because excluding DDR discovered resolvers was undesirable.

Who else is actively planning to implement RESINFO? Please weigh in.

Thanks,
Tommy

From: Add <add-bounces@ietf.org> On Behalf Of Ben Schwartz
Sent: Friday, October 13, 2023 8:59 AM
To: tirumal reddy <kondtir@gmail.com>
Cc: add@ietf.org
Subject: [EXTERNAL] Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

Reasoning about the security properties of insecure systems is tricky.  Instead of asking "does this enable an attack", we have to ask "does this make the attacks worse in some scenario"?

In this thread, we are discussing attackers who are falsifying RESINFO records.  This is only possible if (1) the attacker is upstream of the server* (which could be a resolver or forwarder) AND (2) that server is not DNSSEC-validating AND (3) that server is not using authenticated encryption on this connection AND (4) that server is not RESINFO-aware.

Given these preconditions, we can then ask: does accepting RESINFO make anything worse for the client?  Under these conditions, the attacker can already observe all upstream queries and generate arbitrary responses.  They essentially have taken over the resolver.  For example, the attacker controls the effective QNAME minimization policy: the attacker could capture all queries until the full QNAME is revealed, then pass that name un-minimized to the root servers and other parent zones.

The same logic applies to Kaminsky attacks and off-path cache poisoning: this attacker could point the IP addresses of popular TLD nameservers (or maybe even the root) back to themselves, allowing them to capture virtually all queries and control the responses.

Adding special cryptographic protections to RESINFO is not helpful when the actual functions of the resolver remain unprotected.

In general, RESINFO claims are not verifiable by the client.  The client simply has to trust that the server is telling the truth, which means it needs a particular kind of pre-existing trust relationship with that server operator.  I think the simplest solution is to note in the draft that clients MUST NOT rely on RESINFO unless they have an out-of-band agreement with the server operator to abide by its published RESINFO policy ... which implicitly prevents this attack (via point 4 above).

If we really feel the need to provide authenticated-but-still-untrusted RESINFO, we can move it to EDNS, which is not vulnerable except in pathologically insecure deployments.

--Ben

*Excluding off-path cache poisoning attacks for the moment.
________________________________
From: tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Sent: Friday, October 13, 2023 8:14 AM
To: Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>>
Cc: add@ietf.org<mailto:add@ietf.org> <add@ietf.org<mailto:add@ietf.org>>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

On Thu, 12 Oct 2023 at 04: 03, Ben Schwartz <bemasc@ meta. com> wrote: I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection? In that draft, an upstream injection attacker could poison
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
On Thu, 12 Oct 2023 at 04:03, Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>> wrote:
I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection?  In that draft, an upstream injection attacker could poison the resolver's own SVCB record, allowing the attacker to make the client bypass their chosen resolver entirely, and instead use the attacker's resolver ~forever.  This is a kind of "scope expansion": a transient, injection-only attacker on one path can upgrade themselves into a permanent, read-write attacker on all paths.

RESINFO doesn't have this problem.  Yes, an upstream attacker could inject a RESINFO response, but only to the same extent that they could poison any other query in the cache.  (If the resolver is DNSSEC-validating, injection on resolver.arpa is impossible.)  I don't see a scope expansion attack here.

Yes, scope expansion attack is not possible but DNSSEC protection is not possible with SUDN "resolver.arpa". In case of DDR, the client will not know whether RESINFO RR is originating from the discovered encrypted resolver or not.

-Tiru


Operationally, "sig" seems distinctly inconvenient.  Any DNS server that sits behind a TLS terminator or CDN will have extreme difficulty implementing it.

I recommend removing "sig".

If upstream attackers are a concern, I would solve that by moving RESINFO into EDNS, which is not controlled by the authoritative server.  (EDNS could still be manipulated by an attacker between a forwarder and its upstream resolver ... but that attacker can already control the content of all responses, so they effectively are the resolver.  Also, if the resolver and forwarder are so tightly integrated that the resolver can sign RESINFO with the forwarder's TLS private key, why aren't they using a secure transport?)

--Ben Schwartz
________________________________
From: Add <add-bounces@ietf.org<mailto:add-bounces@ietf.org>> on behalf of tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Sent: Wednesday, October 11, 2023 3:30 AM
To: add@ietf.org<mailto:add@ietf.org> <add@ietf.org<mailto:add@ietf.org>>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

This revision, https: //www. ietf. org/archive/id/draft-ietf-add-resolver-info-06. html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.   -Tiru On Wed, 4
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
This revision, https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.

-Tiru

On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:
Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-06.txt
   Pages:   10
   Dates:   2023-10-04

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   an information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email