DNS Resolver Information

Historically, DNS stub resolvers typically communicated with the recursive resolvers without needing to know anything about the features of the recursive resolvers. More recently, recursive resolvers have different features that may help the stub resolvers identify the capabilities of the resolver. Thus stub resolvers can discover and authenticate encrypted DNS servers provided by a local network, for example using the techniques proposed in [I-D.ietf-add-dnr] and [I-D.ietf-add-ddr]. Thus stub resolvers need a way to get information from the discovered recursive resolvers about its capabilities. This document specifies a method for stub resolvers to ask recursive resolvers for such information. In short, a new RRtype is defined for stub resolvers to query the recursive resolvers. The information that a resolver might want to give is defined in .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document makes use of the terms defined in and . 'Encrypted DNS' refers to a DNS protocol that provides an encrypted channel between a DNS client and server (e.g., DoT, DoH, or DoQ).

A stub resolver that wants to get information about a resolver can use the RRtype "RESINFO" defined in this document, and the IANA assignment is given in . The contents of the RDATA in the response to this query are defined in . If the resolver understands the RESINFO RRtype, the RRset in the Answer section MUST have exactly one record. The client can retrieve the resolver information using the RESINFO RRtype and QNAME of the domain name that is used to authenticate the DNS server (referred to as ADN in [I-D.ietf-add-dnr]). If the special use domain name "resolver.arpa" defined in [I-D.ietf-add-ddr] is used to discover the Encrypted DNS server, the client can first retrieve a CNAME that aliases `_dns.resolver.arpa` to `_dns.$HOSTNAME` and then retrieve the resolver information using the RESINFO RRtype and QNAME of the `$HOSTNAME`.

The resolver information is returned as a JSON object. The JSON object MUST use the I-JSON message format defined in . Note that was based on , but was replaced by . Requiring the use of I-JSON instead of more general JSON format greatly increases the likelihood of interoperability. The names in this object are defined in an IANA registry. The JSON object returned by a DNS query MAY contain any name/value pairs. All names in the returned object MUST either be defined in the IANA registry or, if for local use only, begin with the substring "temp-". The IANA registry will never register names that begin with "temp-". All names MUST consist only of lower-case ASCII characters, digits, and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 through U+0039, and U+002D), and MUST be 63 characters or shorter. The IANA registry will not register names that begin with "temp-", so these names can be used freely by any implementer. Note that the message returned by the resolver MUST be in I-JSON format. I-JSON requires that the message MUST be encoded in UTF8.

The resolver information includes the following attributes: If the DNS server supports QNAME minimisation to improve DNS privacy, the parameter value is set to true. This is a mandatory attribute. If the DNS server supports extended DNS error (EDE) to return additional information about the cause of DNS errors, the parameter lists the possible extended DNS error codes that can be returned by the DNS server. This is an optional attribute. Note that the extended error code "Blocked" defined in Section 4.16 of identifies access to domains is blocked due to an policy by the operator of the DNS server, extended error code "Censored" defined in Section 4.17 of identifies access to domains is blocked based on a requirement from an external entity and the extended error code "Filtered" defined in Section 4.18 of identifies access to domains is blocked based on the request from the client to blacklist domains. If the DNS server requires client authentication, the parameter value is set to true. For example, when not on the enterprise network (e.g., at home or coffee shop) yet needing to access the enterprise Encrypted DNS server, roaming users can use client authentication to access the Enterprise provided Encrypted DNS server. This is an optional attribute. A URL that points to the generic unstructured resolver information (e.g., DoH APIs supported, possible HTTP status codes returned by the DoH server, how to report a problem, etc.) for troubleshooting purpose. This is an optional attribute. A URL that points to a human-friendly description of the resolver identity to display to the end-user. shows an example of resolver information.

As specified in , the I-JSON object is encoded as UTF8. explicitly allows the returned objects to be in any order.

Unless a DNS request to retrieve the resolver information is sent over DNS-over-TLS (DoT) or DNS-over- HTTPS (DoH) , the response is susceptible to forgery. The DNS resolver information can be retrieved after the encrypted connection is established to the DNS server. If the client wishes to retrieve the resolver information before the encryption connection is established to the DNS resolver, the client MUST use local DNSSEC validation.

This document defines a new DNS RR type, RESINFO, whose value TBD will be allocated by IANA from the "Resource Record (RR) TYPEs" sub-registry of the "Domain Name System (DNS) Parameters" registry:

IANA will create a new registry titled "DNS Resolver Information" that will contain definitions of the names that can be used to provide the resolver information. The registration procedure is by Specification Required, as defined in . The registry has the following fields for each element:

IANA will add the names "resinfourl", "identityurl", "extendeddnserror" and "qnameminimization" to the DNS Resolver Information registry.

This specification leverages the work that has been done in . Thanks to Tommy Jensen, Vittorio Bertola, Vinny Parla, Chris Box, Ben Schwartz and Shashank Jain for the discussion and comments.