Colleagues,

Some years ago, Dan Mahoney and I submitted a draft describing a proposed
mechanism for storing confidential zone comments alongside normal zone
data - a NOTE RR, which would be transferable from primary to secondary
servers, but not accessible to ordinary DNS queries.  It generated some
initial interest, but not much momentum, and we let the proposal lapse.

More recently, Witold Krecicki had a very similar idea for a mechanism to
disseminate private key data between primary and secondary servers.  We
talked it over and decided to expand the NOTE record semantics into a
generic method for storing and transferring covert in-band zone data.

The generic mechanism is described in draft-krecicki-dns-covert-00. It
calls for the allocation of a range of "Covert-RR" type code values,
which would have restrictions on their dissemination.  A primary server
implementing Covert-RR types must not allow them to be queried, nor to be
transferred to a secondary server unless that server indicates via an EDNS
option that it *also* understands Covert record semantics and will not
transfer the data to any peer that doesn't.

The original NOTE RR draft has been shrunk down and rewritten as a
proposed use case for Covert RRs.  Additional use cases will be coming
in the future; in particular, draft-pusateri-dnsop-update-timeout seems
like it might be a good candidate.

Details are below. Please have a look.  Thanks!

--------
Name:           draft-krecicki-dns-covert
Revision:       00
Title:          Domain Name System (DNS) Resource Record types for transferring covert information from primary to secondaries
Document date:  2019-07-06
Group:          Individual Submission
Pages:          6
URL:            https://www.ietf.org/internet-drafts/draft-krecicki-dns-covert-00.txt
Status:         https://datatracker.ietf.org/doc/draft-krecicki-dns-covert/
Htmlized:       https://tools.ietf.org/html/draft-krecicki-dns-covert-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-krecicki-dns-covert


Abstract:
   The Domain Name System (DNS) Resource Record TYPEs IANA registry
   reserves the range 128-255 for Q-TYPEs and Meta-TYPEs [RFC6895] -
   Resource Records that can only be queried for or contain transient
   data associated with a particular DNS message.

   This document reserves a range of RR TYPE numbers for Covert-TYPEs -
   types that are an integral part of the zone but cannot be accessed
   via a normal QUERY operation.

   Uses for such records could include zone comments that are
   transferrable with the zone, expiry times for dynamically updated
   records, or Zone Signing Keys for inline signing.  This document,
   however, does not define any specific Covert RR types.

--------
Name:           draft-hunt-note-rr
Revision:       02
Title:          A DNS Resource Record for Confidential Comments (NOTE RR)
Document date:  2019-07-06
Group:          Individual Submission
Pages:          4
URL:            https://www.ietf.org/internet-drafts/draft-hunt-note-rr-02.txt
Status:         https://datatracker.ietf.org/doc/draft-hunt-note-rr/
Htmlized:       https://tools.ietf.org/html/draft-hunt-note-rr-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-hunt-note-rr
Diff:           https://www.ietf.org/rfcdiff?url2=draft-hunt-note-rr-02

Abstract:
   While the DNS zone master file format has always allowed comments,
   there is no existing mechanism to preserve comments once the zone has
   been loaded into memory or converted to a binary representation.
   This note proposes a new RR type "NOTE", to be allocated from the
   Covert-RR type range proposed in [I-D.krecicki-dns-covert], so that
   confidential comments can be stored alongside zone data, and included
   in zone transfers when Covert semantics are supported by the
   secondary.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
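The dissemination rule described in the message above (covert types never answered to an ordinary QUERY, and included in a zone transfer only when the secondary signals support via an EDNS option, with that secondary then applying the same rule to its own peers) can be modelled in a few dozen lines. The code below is an added example, not code from either draft or from their authors. The type-code range for Covert-TYPEs, the NOTE type code and the EDNS option code are hypothetical placeholders, since the message does not state the values the draft reserves; the sample zone is constructed. It goes slightly beyond the text in also withholding covert records from an ANY query.

```python
"""Toy model of the Covert-RR dissemination rule described in the message above.

Added example, not code from either draft or from their authors.  The numeric
values are placeholders: the message does not say which type-code range is
reserved for Covert-TYPEs or which EDNS option code a secondary sends.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Real IANA RR type codes, used for the ordinary records and the transfer request.
TYPE_A = 1
TYPE_SOA = 6
TYPE_AXFR = 252
TYPE_ANY = 255

# HYPOTHETICAL stand-in for the Covert-TYPE range the draft reserves.
COVERT_TYPE_MIN = 60000
COVERT_TYPE_MAX = 60999
TYPE_NOTE = 60001  # hypothetical code for a NOTE-style confidential comment

# HYPOTHETICAL stand-in for the EDNS option that signals Covert support
# (65001-65534 is the EDNS option-code range reserved for local/experimental use).
EDNS_COVERT_OPTION = 65001


def is_covert(rrtype: int) -> bool:
    """True for type codes inside the placeholder Covert-TYPE range."""
    return COVERT_TYPE_MIN <= rrtype <= COVERT_TYPE_MAX


@dataclass(frozen=True)
class RR:
    name: str
    rrtype: int
    rdata: str


@dataclass
class Request:
    qname: str
    qtype: int
    edns_options: Set[int] = field(default_factory=set)


class AuthServer:
    """A primary, or a secondary that re-serves the zone, applying the same rule."""

    def __init__(self, zone: List[RR]) -> None:
        self.zone = list(zone)

    def query(self, req: Request) -> List[RR]:
        """Ordinary QUERY: covert RRs are never returned, not even for ANY."""
        if is_covert(req.qtype):
            return []  # a direct request for a covert type is answered as if absent
        return [rr for rr in self.zone
                if rr.name == req.qname
                and not is_covert(rr.rrtype)
                and (req.qtype == TYPE_ANY or rr.rrtype == req.qtype)]

    def transfer(self, req: Request) -> List[RR]:
        """AXFR: covert RRs are included only when the peer signalled support."""
        if req.qtype != TYPE_AXFR:
            raise ValueError("transfer() expects an AXFR request")
        peer_ok = EDNS_COVERT_OPTION in req.edns_options
        return [rr for rr in self.zone if peer_ok or not is_covert(rr.rrtype)]


def covert_count(rrs: List[RR]) -> int:
    """Number of covert RRs in a record set (used to check what reached which hop)."""
    return sum(1 for rr in rrs if is_covert(rr.rrtype))


# Constructed sample zone: two ordinary records plus one covert NOTE.
SAMPLE_ZONE = [
    RR("example.com.", TYPE_SOA, "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    RR("example.com.", TYPE_A, "192.0.2.1"),
    RR("example.com.", TYPE_NOTE, "renewal is handled by the ops team (constructed comment)"),
]


def simulate_chain() -> Dict[str, int]:
    """Primary -> Covert-aware secondary -> legacy secondary; count covert RRs at each hop."""
    primary = AuthServer(SAMPLE_ZONE)
    # The secondary advertises Covert support, so the NOTE record is transferred to it.
    aware = AuthServer(primary.transfer(Request("example.com.", TYPE_AXFR, {EDNS_COVERT_OPTION})))
    # The aware secondary applies the same rule downstream: a peer that does not
    # send the option receives the zone without the covert record.
    legacy = AuthServer(aware.transfer(Request("example.com.", TYPE_AXFR)))
    return {
        "primary": covert_count(primary.zone),
        "aware_secondary": covert_count(aware.zone),
        "legacy_secondary": covert_count(legacy.zone),
        "legacy_total": len(legacy.zone),
    }


if __name__ == "__main__":
    print(simulate_chain())
```

Answering a direct request for a covert type with an empty answer is a simplification; the message does not say which response code the draft prescribes, only that such records must not be queryable. The point of the chain in `simulate_chain()` is that the restriction is transitive: once the aware secondary holds the covert record, it is the secondary's own transfer handler, not the primary's, that keeps the record from a legacy peer.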