[DNSOP] proposal: Covert in-band zone data

[Evan Hunt <each@isc.org>]

Colleages,

Some years ago, Dan Mahoney and I submitted a draft describing a proposed
mechanism for storing confidential zone comments alongside normal zone
data - a NOTE RR, which would be transferrable from primary to secondary
servers, but not accessible to ordinary DNS queries.  It generated some
iniital interest, but not much momentum, and we let the proposal lapse.

More recently, Witold Krecicki had a very similar idea for a mechanism to
disseminate private key data between primary and secondary servers.  We
talked it over and decided to expand the NOTE record semantics into a
generic method for storing and transferring covert in-band zone data.

The generic mechanism is described in draft-krecicki-dns-covert-00. It
calls for the allocation of a range of "Covert-RR" type code values,
which would have restrictions on their dissemenination.  A primary server
implementing Covert-RR types must not allow them to queried, nor to be
transerred to a secondary server unless that server indicates via an EDNS
option that it *also* understands Covert record semantics and will not
transfer the data to any peer that doesn't.

The original NOTE RR draft has been shrunk down and rewritten as a
proposed use case for Covert RR's.  Additional use cases will be coming
in the future; in particular, draft-pusateri-dnsop-update-timeout seems
like it might be a good candidate.

Details are below. Please have a look.  Thanks!

--------
Name:		draft-krecicki-dns-covert
Revision:	00
Title:		Domain Name System (DNS) Resource Record types for transferring covert information from primary to secondaries
Document date:	2019-07-06
Group:		Individual Submission
Pages:		6
URL:            https://www.ietf.org/internet-drafts/draft-krecicki-dns-covert-00.txt
Status:         https://datatracker.ietf.org/doc/draft-krecicki-dns-covert/
Htmlized:       https://tools.ietf.org/html/draft-krecicki-dns-covert-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-krecicki-dns-covert


Abstract:
   The Domain Name System (DNS) Resource Record TYPEs IANA registry
   reserves the range 128-255 for Q-TYPEs and Meta-TYPEs [RFC6895] -
   Resource Records that can only be queried for or contain transient
   data associated with a particular DNS message.

   This document reserves a range of RR TYPE numbers for Covert-TYPEs -
   types that are an integral part of the zone but cannot be accessed
   via a normal QUERY operation.

   Uses for such records could include zone comments that are
   transferrable with the zone, expiry times for dynamically updated
   records, or Zone Signing Keys for inline signing.  This document,
   however, does not define any specific Covert RR types.

--------
Name:		draft-hunt-note-rr
Revision:	02
Title:		A DNS Resource Record for Confidential Comments (NOTE RR)
Document date:	2019-07-06
Group:		Individual Submission
Pages:		4
URL:            https://www.ietf.org/internet-drafts/draft-hunt-note-rr-02.txt
Status:         https://datatracker.ietf.org/doc/draft-hunt-note-rr/
Htmlized:       https://tools.ietf.org/html/draft-hunt-note-rr-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-hunt-note-rr
Diff:           https://www.ietf.org/rfcdiff?url2=draft-hunt-note-rr-02

Abstract:
   While the DNS zone master file format has always allowed comments,
   there is no existing mechanism to preserve comments once the zone has
   been loaded into memory or converted to a binary representation.
   This note proposes a new RR type "NOTE", to be allocated from the
   Covert-RR type range proposed in [I-D.krecicki-dns-covert], so that
   confidential comments can be stored alongside zone data, and included
   in zone transfers when Covert semantics are supported by the
   secondary.