From 9650c3a4fdf79a3d753c7b63722b945ea037dca8 Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Tue, 12 Mar 2019 00:23:49 -0400 Subject: [PATCH] ProtoXEP: DNS Queries over XMPP (DoX) --- inbox/dox.xml | 181 ++++++++++++++++++++++++++++++++++++++++++++++++++ xep.ent | 4 ++ 2 files changed, 185 insertions(+) create mode 100644 inbox/dox.xml diff --git a/inbox/dox.xml b/inbox/dox.xml new file mode 100644 index 00000000..31de2ca1 --- /dev/null +++ b/inbox/dox.xml @@ -0,0 +1,181 @@ + + +%ents; +]> + + +
+ DNS Queries over XMPP (DoX) + This specification defines an XMPP protocol extension for sending DNS queries and getting DNS responses over XML streams. Each DNS query-response pair is mapped + into an IQ exchange. + &LEGALNOTICE; + xxxx + ProtoXEP + Standards Track + Standards + Council + + XMPP Core + XEP-0030 + + + + dox + + http://www.xmpp.org/schemas/dox.xsd + + + Travis + Burtrum + travis@burtrum.org + travis@burtrum.org + + + 0.0.1 + 2019-03-11 + tjb +

First draft.

+
+
+ + +

This document defines a specific protocol, DNS over XMPP (DoX), for + sending DNS &rfc1035; queries and getting DNS responses over &xmppcore; (and therefore TLS &rfc8446; security for integrity and confidentiality.

+

The integration with XMPP provides a transport suitable for both + existing DNS clients and native XMPP applications seeking access to + the DNS.

+

This protocol is almost identical in scope to DNS Queries over HTTPS (DoH) &rfc8484;

+
+ + +

This specification addresses the following requirements:

+
    +
  1. Sending a DNS query.
  2. +
  3. Responding with a DNS response.
  4. +
+
+ + +

The DoX protocol is extremely simple:

+
    +
  1. The requesting entity (requestor) sends an IQ-get containing a <dns/> element qualified by the 'urn:xmpp:dox:0' namespace, which contains the DNS query.
  2. +
  3. The resolving entity (resolver) returns either an IQ-result containing a <dns/> element qualified by the 'urn:xmpp:dox:0' namespace, which contains the DNS response (if it supports the namespace) or an IQ-error (if it does not).
  4. +
  5. In both the query and response, the content of the <dns/> element is the DNS on-the-wire format as defined in &rfc1035;. The body MUST be encoded with base64 &rfc4648;. Padding characters for base64 MUST NOT be included.
  6. +
+
+ +

Sending a DNS query is done by sending an &IQ; get over the stream from the requestor to the resolver.

+ + vOIBIAABAAAAAAABB2V4YW1wbGUDb3JnAAABAAEAACkQAAAAAAAADAAKAAj5HO5JuEe+mA + +]]> +

If the resolver supports the dns namespace, it MUST return an IQ-result, which contains the DNS response:

+ + vOKBoAABAAEAAAABB2V4YW1wbGUDb3JnAAABAAHADAABAAEAAAhjAARduNgiAAApEAAAAAAAAAA + +]]> +

If the resolver does not support the dns namespace, it MUST return a &unavailable; error:

+ + vOIBIAABAAAAAAABB2V4YW1wbGUDb3JnAAABAAEAACkQAAAAAAAADAAKAAj5HO5JuEe+mA + + + + +]]> +

The other error conditions defined in RFC 6120 could also be returned if appropriate.

+
+ + +

If an entity supports the DoX protocol, it MUST report that fact by including a service discovery feature of "urn:xmpp:dox:0" in response to a &xep0030; information request:

+ + + +]]> + + + ... + + ... + + +]]> +

In order for an application to determine whether an entity supports this protocol, where possible it SHOULD use the dynamic, presence-based profile of service discovery defined in &xep0115;. However, if an application has not received entity capabilities information from an entity, it SHOULD use explicit service discovery instead.

+

Support could also be pre-arranged between parties by putting a resolver at a known JID, in which case the requestor can just start sending queries to the resolver

+
+ + +

Some XMPP clients do not respond to IQ stanzas containing unsupported payloads. Although this is in violation of &xmppcore;, this behavior can result in disconnection of clients that are in fact actively connected to the server.

+
+ + +

Running DNS over XMPP relies on the security of the underlying XMPP + transport, therefore all queries and responses MUST use TLS or equivalent connection security. This mitigates classic amplification attacks for UDP- + based DNS.

+

Session-level encryption has well-known weaknesses with respect to + traffic analysis, which might be particularly acute when dealing with + DNS queries. DoX resolvers can also add DNS padding + &rfc7830; if the DoX requestor requests it in the DNS query. An + experimental effort to offer guidance on choosing the padding length + can be found in &rfc8467;.

+

The TLS connection provides transport security for the interaction + between the DoX resolver and requestor, but it does not provide the + response integrity of DNS data provided by DNSSEC. DNSSEC and DoX + are independent and fully compatible protocols, each solving + different problems. The use of one does not diminish the need nor + the usefulness of the other. It is the choice of a requestor to either + perform full DNSSEC validation of answers or to trust the DoX resolver + to do DNSSEC validation and inspect the AD (Authentic Data) bit in + the returned message to determine whether an answer was authentic or + not.

+

In the absence of DNSSEC information, a DoX resolver can give a requestor + invalid data in response to a DNS query. A DoX capable requestor MUST discard any responses not specifically requested, this prohibition does not guarantee protection against invalid data, but it does reduce the risk.

+

If a server receives a dns request directed to a full JID &LOCALFULL; associated with a registered account but there is no connected resource matching the 'to' address, RFC 6120 requires it to reply with a &unavailable; error and set the 'from' address of the IQ-error to the full JID provided in the 'to' address of the dns request. If a connected resource receives a dns request but it does not want to reveal its network availability to the sender for any reason (e.g., because the sender is not authorized to know the connected resource's availability), then it too MUST reply with a &unavailable; error. This consistency between the server response and the resolver response helps to prevent presence leaks.

+
+ + +

No interaction with &IANA; is necessary as a result of this document.

+
+ + + +

The ®ISTRAR; includes "urn:xmpp:dox:0" in its registry of protocol namespaces (see &NAMESPACES;).

+
+
+ + + + + + + + + The protocol documented by this schema is defined in + XEP-XXXX: https://xmpp.org/extensions/inbox/dox.html + + + + + + +]]> + +
diff --git a/xep.ent b/xep.ent index 4af49a8e..f5e0f792 100644 --- a/xep.ent +++ b/xep.ent @@ -687,6 +687,10 @@ THE SOFTWARE. RFC 7700 RFC 7700: Preparation, Enforcement, and Comparison of Internationalized Strings Representing Nicknames<http://tools.ietf.org/html/rfc7700>." > RFC 7712 RFC 7712: Domain Name Associations (DNA) in the Extensible Messaging and Presence Protocol (XMPP)<http://tools.ietf.org/html/rfc7712>." > RFC 7764 RFC 7764: Guidance on Markdown: Design Philosophies, Stability Strategies, and Select Registrations <http://tools.ietf.org/html/rfc7764>." > +RFC 7830 RFC 7830: The EDNS(0) Padding Option <http://tools.ietf.org/html/rfc7830>." > +RFC 8446 RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3 <http://tools.ietf.org/html/rfc8446>." > +RFC 8467 RFC 8467: Padding Policies for Extension Mechanisms for DNS (EDNS(0)) <http://tools.ietf.org/html/rfc8467>." > +RFC 8484 RFC 8484: DNS Queries over HTTPS (DoH) <http://tools.ietf.org/html/rfc8484>." >