Network Working Group B. Trammell
Internet-Draft ETH Zurich
Intended status: Experimental March 20, 2017
Expires: September 21, 2017

RAINS (Another Internet Naming Service) Protocol Specification
draft-trammell-rains-protocol-02

Abstract

This document defines an alternate protocol for Internet name resolution, designed as a prototype to facilitate conversation about the evolution or replacement of the Domain Name System protocol. It attempts to answer the question: “how would we design DNS knowing what we do now,” on the background of the properties of an ideal naming service described in [I-D.trammell-inip-pins].

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 21, 2017.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

This document defines an experimental protocol for providing Internet name resolution services, as a replacement for DNS, called RAINS (RAINS, Another Internet Naming Service). It is designed as a prototype to facilitate conversation about the evolution or replacement of the Domain Name System protocol, and was developed as a name resolution system for the SCION (“Scalability, Control, and Isolation on Next-Generation Networks”) future Internet architecture [SCION]. It attempts to answer the question: “how would we design the DNS knowing what we do now,” on the background of the properties of an ideal naming service described in [I-D.trammell-inip-pins].

Its architecture (Section 3) and information model (Section 4) are largely compatible with the existing Domain Name System. However, it does take several radical departures from DNS as presently defined and implemented:

Instead of using a custom binary framing as DNS, RAINS uses Concise Binary Object Representation [RFC7049], partially in an effort to make implementations easier to verify and less likely to contain potentially dangerous parser bugs [PARSER-BUGS]. Like DNS, CBOR messages can be carried atop any number of substrate protocols; RAINS is presently defined to use TLS over persistent TCP connections (see Section 6).

2. Terminology

The terms MUST, MUST NOT, SHOULD, SHOULD NOT, and MAY, when they appear in all-capitals, are to be interpreted as defined in [RFC2119].

In addition, the following terms are used in this document as defined:

3. Architecture

The RAINS architecture is simple, and resembles the architecture of DNS. A RAINS Server is an entity that provides transient and/or permanent storage for assertions about names, and a lookup function that finds assertions for a given query about a name, either by searching local storage or by delegating to another RAINS server. RAINS servers can take on any or all of three roles:

RAINS Servers use the RAINS Protocol defined in this document to exchange queries and assertions. RAINS Clients use a subset variant of the RAINS Protocol (called the RAINS Client Protocol) to interact with RAINS Servers providing query services on their behalf.

4. Information Model

Messages in the RAINS Protocol are made up of two kinds of elements: Assertion and Query.

The information model in this section omits information elements required by the resolution mechanism itself; these are defined in more detail in Section 5 and Section 6.

4.1. Assertion

An Assertion is a signed statement about a mapping from a subject name to an object value, and consists of the following elements:

The Types supported for each assertion are:

For a given {subject, type} tuple, multiple assertions can be valid at a given point in time; the union of the object values of all of these assertions is considered to be the set of valid values at that point in time.

4.1.1. Context in Assertions

Assertion contexts are used to determine the validity of the signature by the declared authority as follows:

Assertion context is the mechanism by which RAINS provides explicit inconsistency (see section 5.3.2 of [I-D.trammell-inip-pins]). Some examples illustrate how context works:

Further examples showing how context can be used in queries as well are given in Section 4.2.1 below.

Developing conventions for assertion contexts for different situations will require implementation and deployment experience, and is a subject for future work.

4.1.2. Signatures in Assertions

A signature over an assertion contains the following information elements:

The signature protects all the information in an assertion as well as its own valid-since and valid-until values and the revocation token; it does not protect other signatures on the assertion.

4.1.3. Shards and Zones

Assertions may also be grouped and signed as a group. A shard is a set of assertions within the same zone and context, protected by one or more signatures over all assertions within the shard. A shard may have an additional property that given a subject and an authenticated shard, it can be shown that either an assertion with a given name and type exists within the shard or does not exist at all.

A shard has the following information elements:

For efficiency’s sake, information elements within a shard common to all assertions (zone, context, signature) within the shard may be omitted from the assertions themselves.

A zone is the entire set of shards subject to a given authority within a given context. There are three kinds of zones; treating these zones differently may allow lookup protocol optimizations:

A zone has the following information elements:

4.1.4. Zone-Reflexive Assertions

A zone may make an assertion about itself by using an empty subject name. This facility can be used for any assertion type, but is especially useful for self-signing root zones.

4.2. Query

A query is a request for a set of assertions supporting a conclusion about a given subject-object mapping. It consists of the following information elements:

A query expresses interest about all the given types of assertion in all the specified contexts; more complex expressions of which types in which contexts must be asked using multiple queries. Preferences for tradeoffs (freshness, bandwidth efficiency, latency, privacy preservation) in servicing a query may be bound to the query using query options.

4.2.1. Context in Queries

Context is used in queries as it is in assertions (see Section 4.1.1). Assertion contexts in an answer to a query have to match the context in the query in order to respond to a query. The Context section of a query contains the context of desired assertions; a special “any” context (represented by the empty string) indicates that assertions in any context will be accepted.

Query contexts can also be used to provide additional information to RAINS servers about the query. For example, context can provide a method for explicit selection of a CDN server not based on either the client’s or the resolver’s address (see [RFC7871]). Here, the CDN creates a context for each of its content zones, and an external service selects appropriate contexts for the client based not just on client source address but passive and active measurement of performance. Queries for names at which content resides can then be made within these contexts, with the priority order of the contexts reflecting the goodness of the zone for the client. Here, a context might be zrh.cx–.cdn-zones.some-cdn.com for names of servers hosting content in a CDN’s Zurich data center, and a client could represent its desire to find content nearby by making queries in the zrh.cx–, fra.cx– (Frankfurt), and ams.cx– (Amsterdam) contexts within cdn-zones .some-cdn.com. In all cases, the assertions themselves will be signed by the authority for cdn-zones.some-cdn.com, accurately representing that it is the CDN, not the owner of the related name in the global context, that is making the assertion.

As with assertion contexts, developing conventions for query contexts for different situations will require implementation and deployment experience, and is a subject for future work.

4.2.2. Answers to Queries

An answer consists of a set of assertions, shards, and/or zones which respond to a query. If the query contained a token, it is bound to that query via the token.

The content of an answer depends on whether the answer is positive or negative. A positive answer contains the information requested in the smallest atomic container that can be found, usually a single assertion. A negative answer contains the information used to verify it; either a shard with the Complete-Flag set, an entire Zone, or a Zone-Nameset assertion showing the name is illegal within the zone.

A query is taken to have an inconclusive answer when no answer returns to the querier before the query’s Valid-Until time.

4.3. Address to Object Mapping

In contrast to the current domain name system, information about addresses is stored in a completely separate tree, keyed by address and prefix. An address assertion consists of the following elements:

The following object types are available:

Assertions about addresses can be grouped into Zones. An address Zone has the following information elements:

Queries for addresses are similar to those for names, and consist of the following information elements:

4.3.1. Context in Address Assertions

Just as in forward Assertions, Assertion contexts are used in address assertions to determine the scope of an address assertion, and the signature chain used to verify it.

Each local context may have a root address space zone (0/0), but these root address spaces may only delegate addresses that are reserved for local use [RFC1918] [RFC4193]. Local context assertions for other addresses are invalid.

5. Data Model

The RAINS data model is a relatively straightforward mapping of the information model in Section 4 to the Concise Binary Object Representation (CBOR) [RFC7049], with an outer message type providing a mechanism for future capabilities-based versioning and recognition of a message as a RAINS message.

Messages, assertions, shards, zones, queries, and notifications are each represented as a CBOR map of integer keys to values, which allows each of these types to be extended in the future, as well as the addition of non- standard, application-specific information to RAINS messages and data items. A common registry of map keys is given in Table 1. RAINS implementations MUST ignore map keys the do not understand. Integer map keys in the range -22 to +23 are reserved for the use of future versions or extensions to the RAINS protocol.

Message contents, signatures and object values are implemented as type- prefixed CBOR arrays with fixed meanings of each array element; the structure of these lower-level elements can therefore not be extended. Message section types are given in Table 2, object types in Table 5, and signature algorithms in Table 9.

5.1. Symbol Table

The meaning of each of the integer keys in message, zone, shard, assertion, and notification maps is given in the symbol table below:

CBOR Map Keys used in RAINS
Code Name Description
0 signatures Signatures on a message or section
1 capabilities Capabilities of server sending message
2 token Token for referring to a data item
3 subject-name Subject name in an assertion
4 subject-zone Zone name in an assertion
5 subject-addr Subject address in address assertion or zone
6 context Context of an assertion or query
7 objects Objects of an assertion
8 query-name Fully qualified name for a query
10 query-types Acceptable object types for query
11 shard-range Lexical range of Assertions in Shard
12 query-expires Absolute timestamp for query expiration
13 query-opts Set of query options requested
21 note-type Notification type
22 note-data Additional notification data
23 content Content of a message, shard, or zone

5.2. Message

All interactions in RAINS take place in an outer envelope called a Message, which is a CBOR map tagged with the RAINS Message tag (hex 0xE99BA8, decimal 15309736).

A Message map MAY contain a signatures (0) key, whose value is an array of Signatures over the entire message as defined in Section 5.14, to be verified against the infrastructure key for the RAINS Server originating the message.

A Message map MAY contain a capabilities (1) key, whose value is described in {#cbor-capabilities}.

A Message map SHOULD contain a token (2) key, whose value is a byte array of maximum length 32. See Section 5.13 for details.

A Message map MUST contain a content (23) key, whose value is an array of Message Sections; a Message Section is either an Assertion, Shard, Zone, or Query, or Notification.

5.3. Message Section header

Each Message Section in the Message’s content value MUST be a two-element array. The first element in the array is the message section type, encoded as an integer as in Section 5.1. The second element in the array is a message section body, a CBOR map defined as in the subsections shown in Section 5.1:

Message Section Type Codes
Code Name Description
1 assertion Assertion (see Section 5.4)
-1 revassertion Address Assertion (see Section 5.8)
2 shard Shard (see Section 5.5)
3 zone Zone (see Section 5.6)
-3 revzone Address Zone (see Section 5.9)
4 query Query (see Section 5.7)
-4 revquery Address Query (see Section 5.10
23 notification Notification (see Section 5.11)

5.4. Assertion body

An Assertion body is a map. The keys present in this map depend on whether the Assertion is contained in a Message Section or in a Shard or Zone.

Assertions contained in Message Sections are “bare Assertions”. Since they cannot inherit any values from their containers, they MUST contain the signatures (0), subject-name (3), subject-zone (4), context (6), and objects (7) keys.

Assertions within a Shard or Zone are “contained Assertions”, and can inherit values from their containers. A contained Assertion MUST contain the subject- name (3) and objects (7) keys. The subject-zone (4) and context (6) keys MUST NOT be present. They are assumed to have the same value as the corresponding values in the containing Shard or Zone for signature generation and signature verification purposes; see Section 5.14.

It MAY contain , but in this case the values of these keys MUST be identical to the values in the containing Shard or Zone.

A contained Assertion SHOULD contain the signatures (0) key, since an unsigned contained Assertion cannot be used by a RAINS server to answer a query; it must be returned in a signed Shard or Zone.

The value of the signatures (0) key, if present, is an array of one or more Signatures as defined in Section 5.14. If not present, the containing Shard or Zone MUST be signed. Signatures on a contained Assertion are generated as if the inherited subject-zone and context values are present in the Assertion, whether actually present or not. The signatures on the Assertion are to be verified against the appropriate key for the Zone containing the Assertion in the given context, as described in Section 4.1.2.

The value of the subject-name (3) key is a UTF-8 encoded [RFC3629] string containing the name of the subject of the assertion. The subject name never contains the zone in which the subject name; the fully-qualified name is obtained by joining the subject-name to the subject-zone with a ‘.’ character. The subject-name must be valid according to the nameset expression for the zone, if any.

The value of the subject-zone (4) key, if present, is a UTF-8 encoded string containing the name of the zone in which the assertion is made. If not present, the zone of the assertion is inherited from the containing Shard or Zone.

The value of the context (6) key, if present, is a UTF-8 encoded string containing the name of the context in which the assertion is valid. If not present, the context of the assertion is inherited from the containing Shard or Zone.

The value of the objects (7) key is an array of objects, as defined in Section 5.12.

5.5. Shard body

A Shard body is a map. The keys present in the map depend on whether the Shard is contained in a Message Section or in a Zone.

Shards contained in Message Sections are “bare Shards”. Since they cannot inherit any values from their contained Zone, they MUST contain the content (23), signatures (0), subject-zone (4), context (6), and may contain the shard-range (11) key.

Shards within a Zone are “contained Shards”, and can inherit values from their containing Zone. A contained Shard MUST contain the content (23) key, and MAY contain the shard-range(11) key. The subject-zone (4) and context (6) keys MUST NOT be present. They are assumed to have the same value as the corresponding values in the containing Zone for signature generation and signature verification purposes; see Section 5.14.

A contained Shard SHOULD contain the signatures (0) key if it also contains a shard-range (11) key, since an unsigned contained Shard cannot be used by a RAINS server to answer a query for nonexistence; it must be returned in a signed Zone.

The value of the content (23) key is an array of Assertion bodies as defined in {#cbor-assertion}.

The value of the signatures (0) key, if present, is an array of one or more Signatures as defined in Section 5.14. If not present, the containing Zone MUST be signed. Signatures on a contained Shard are generated as if the inherited subject-zone and values are present in the Shard, whether actually present or not. The signatures on the Shard are to be verified against the appropriate key for the Zone containing the Shard in the given context, as described in Section 4.1.2.

The value of the subject-zone (4) key, if present, is a UTF-8 encoded string containing the name of the zone in which the Assertions within the Shard is made. If not present, the zone of the assertion is inherited from the containing Zone.

The value of the context (6) key, if present, is a UTF-8 encoded string containing the name of the context in which the Assertions within the Shard are valid. If not present, the context of the assertion is inherited from the containing Zone.

If the shard-range (11) key is present, the the shard is lexicographically complete within the range described in its value: a mapping for a (subject-name, object-type) pair that should be between the two values given in the range but is not is asserted to not exist. Lexicographic sorting is done on subject names by ordering Unicode codepoints in ascending order; ordering on object types is done via their code values in Section 5.12 in ascending order.

The shard-range value MUST be a two element array of strings or nulls (subject-name A, subject-name B). A must lexicographically sort before B, but neither subject name need be present in the shard’s contents. If A is null, the shard begins at the beginning of the zone. If B is null, the shard ends at the end of the zone. The shard MUST NOT contain any assertions whose subject names sort before A or after B. In addition, the authority for the shard belongs to MUST NOT make any assertions during the period of validity of the shard’s signatures that would fall between subject-name A and subject-name B inclusive that are not contained within the shard (see Section 6.4).

If the shard-range key is not present, the shard is not lexicographically complete and MUST NOT be used to make assertions about nonexistance.

5.6. Zone Message Section body

A Zone body is a map. Zones MUST contain the content (23), signatures (0), subject-zone (4), and context (6) keys.

Signatures on the Zone are to be verified against the appropriate key for the Zone in the given context, as described in Section 4.1.2.

The value of the content (23) key is an array of Shard bodies as defined in {#cbor-shard} and/or Assertion bodies as defined in {#cbor-assertion}.

The value of the subject-zone (4) key is a UTF-8 encoded string containing the name of the Zone.

The value of the context (6) key is a UTF-8 encoded string containing the name of the context for which the Zone is valid.

5.7. Query Message Section body

A Query body is a map. Queries MUST contain the the token (2), query-name (8), context (6), and query-types (10) keys. Queries MAY contain the query- expires (12) and query-opts (13) keys.

The value of the token (2) key, is a byte array of maximum length 32. Future messages or notifications containing answers to this query MUST contain this token, if present. See Section 5.13.

The value of the context (6) key is a UTF-8 encoded string containing the name of the context to which a query pertains. A zero-length string indicates that assertions will be accepted in any context.

The value of the query-types (10) key is an array of integers encoding the type(s) of objects (as in Section 5.12) acceptable in answers to the query. All values in the query-type array are treated at equal priority: [2,3] means the querier is equally interested in both IPv4 and IPv6 addresses for the query-name. An empty query-types array indicates that objects of any type are acceptable in answers to the query.

The value of the query-expires (12) key, if present, is a CBOR integer counting seconds since the UNIX epoch UTC, identified with tag value 1 and encoded as in section 2.4.1 of [RFC7049]. After the query-expires time, the query will have been considered not answered by the original issuer.

The value of the query-opts (13) key, if present, is an array of integers in priority order of the querier’s preferences in tradeoffs in answering the query, as in Table 3.

Query Option Codes
Code Description
1 Minimize end-to-end latency
2 Minimize last-hop answer size (bandwidth)
3 Minimize information leakage beyond first hop
4 No information leakage beyond first hop: cached answers only
5 Expired assertions are acceptable
6 Enable query token tracing
7 Disable verification delegation (client protocol only)
8 Suppress proactive caching of future assertions

Options 1-5 specify performance/privacy tradeoffs. Each server is free to determine how to minimize each performance metric requested; however, servers MUST NOT generate queries to other servers if “no information leakage” is specified, and servers MUST NOT return expired assertions unless “expired assertions acceptable” is specified.

Option 6 specifies that a given token (see Section 5.13) should be used on all queries resulting from a given query, allowing traceability through an entire RAINS infrastructure. It is meant for debugging purposes.

By default, a client service will perform verification of negative queries and return a 404 No Assertion Exists for queries with a consistent proof of non- existence, within a message signed by the query service’s infrakey. Option 7 disables this behavior, and causes the query service to return the shard proving nonexistence for verification by the client. It is intended to be used with untrusted query services.

Option 8 specifies that a querier’s interest in a query is strictly ephemeral, and that future assertions related to this query SHOULD NOT be proactively pushed to the querier.

5.8. Address Assertion Message Section body

Assertions about addresses are similar to assertions about names, but keyed by address and restricted in terms of the objects they can contain. An Address Assertion body is a map. The keys present in this map depend on whether the Assertion is contained in a Message Section or in an Address Zone.

Address Assertions contained in Message Sections are “bare Address Assertions”, and MUST contain the signatures (0), subject-addr (5), context (6), and objects (7) keys.

Address Assertions contained in an Address Zone are “contained Address Assertions”, and can inherit their context from and be signed within their containing Zone. A contained Address Assertion MUST contain the subject-addr (5) and objects (7) keys. It MAY contain the context (6) key, but in this case the value of this keys MUST be identical to the value in the containing Address Zone.

A contained Address Assertion SHOULD contain the signatures (0) key, since an unsigned contained Address Assertion cannot be used by a RAINS server to answer a query; it must be returned in a signed Address Zone.

The value of the signatures (0) key, if present, is an array of one or more Signatures as defined in Section 5.14. If not present, the containing Address Zone MUST be signed. Signatures on a contained Address Assertion are generated as if the inherited context value are present in the Assertion, whether actually present or not. The signatures on the Assertion are to be verified against the appropriate key for the Address Zone containing the Assertion in the given context, as described in Section 4.1.2.

The value of the subject-addr (5) key is a three element CBOR array. The first element of the array is the address family encoded as an object type, 2 for IPv6 addresses and 3 for IPv4 addresses. The second element is the prefix length encoded as an integer, 0-128 for IPv6 and 0-32 for IPv4. The third element is the address, encoded as in Section 5.12. Subject addresses with the maximum prefix length for the address family are subject host addresses, and are nameable; subject addresses with less than the maximum prefix length are subject network addresses, and are delegatable.

The value of the context (6) key, if present, is a UTF-8 string containing the name of the context in which the Address Assertion is valid. If not present, the context of the Address Assertion is inherited from the containing Address Zone. See Section 4.3.1.

The value of the objects (7) key is an array of objects, as defined in Section 5.12. Only object types redirection, delegation, and registrant are available for subject network addresses, and only object type name is available for subject host addresses.

5.9. Address Zone Message Section body

Assertions about addresses can be grouped into zones, where all the assertions within the zone are contained within the zone’s address. These Address Zones are similar to Zones containing assertions about names, but are keyed by network address and restricted in their semantics.

An Address Zone body is a map. Zones MUST contain the content (23), signatures (0), subject-addr (5), and context (6) keys.

Signatures on the Zone are to be verified against the appropriate key for the Zone in the given context, as described in Section 4.1.2.

The value of the subject-addr (5) key is a three element CBOR array. The first element of the array is the address family encoded as an object type, 2 for IPv6 addresses and 3 for IPv4 addresses. The second element is the prefix length encoded as an integer, 0-127 for IPv6 and 0-31 for IPv4. The third element is the address, encoded as in Section 5.12. Only subject network addresses are acceptable for Address Zones.

The value of the content (23) key is an array of Address Assertion bodies as defined in {#cbor-revassert}. The Address Assertions within the content array MUST fall completely within the network designated by the subject-addr value.

The value of the context (6) key is a UTF-8 encoded string containing the name of the context for which the Zone is valid.

5.10. Address Query Message Section body

Queries for assertions about addresses are similar to queries for assertions about names, but have semantic restrictions similar to those for Address Assertions and Address Zones. An address query may have only one context.

An Address Query body is a map. Queries MUST contain the the token (2), subject-addr (5), context (6), and query-types (10) keys. Queries MAY contain query-opts (13) and query-expires (12) keys.

The value of the token (2) key, is a byte array of maximum length 32. Future messages or notifications containing answers to this query MUST contain this token, if present. See Section 5.13.

The value of the subject-addr (5) key is a three-element CBOR array. The first element of the array is the address family encoded as an object type, 2 for IPv6 addresses and 3 for IPv4 addresses. The second element is the prefix length encoded as an integer, 0-128 for IPv6 and 0-32 for IPv4. The third element is the address, encoded as in Section 5.12.

The value of the context (6) key is a UTF-8 encoded string containing the name of the context for which the Query is valid. Unlike queries for names, queries for Address Queries can only pertain to a single context.
See Section 4.3.1 for more.

The value of the query-expires (12) key, if present, is a CBOR integer counting seconds since the UNIX epoch UTC, identified with tag value 1 and encoded as in section 2.4.1 of [RFC7049]. After the query-expires time, the query will have been considered not answered by the original issuer.

The value of the query-opts (13) key, if present, is an array of integers in priority order of the querier’s preferences in tradeoffs in answering the query, as in Table 3. See Section 5.7 for more.

Any Address Assertion relating to an address containing the address queried for is considered to respond to the query, with more-specific prefixes being preferred over less-specific.

5.11. Notification Message Section body

[EDITOR’S NOTE: ensure it is clear everywhere that notifications are message sections too.]

Notification Message Sections contain information about the operation of the RAINS protocol itself. A Notification Message Section body is a map which MUST contain the token (2) and note-type (21) keys and MAY contain the note-data (22) key. The value of the note-type key is encoded as an integer as in the Table 4.

Notification Type Codes
Code Description
100 Connection heartbeat
399 Capability hash not understood
400 Bad message received
403 Inconsistent message received
404 No assertion exists (client protocol only)
413 Message too large
500 Unspecified server error
501 Server not capable
504 No assertion available

Note that the status codes are chosen to be mnemonically similar to status codes for HTTP [RFC7231]. Details of the meaning of each status code are given in Section 6.

The value of the token (2) key is a byte array of maximum length 32, which MUST contain the token of the message or query to which the notification is a response. See Section 5.13.

The value of the note-data (22) key, if present, is a UTF-8 encoded string with additional information about the notification, intended to be displayed to an administrator to help debug the issue identified by the negotiation.

5.12. Object

Objects are encoded as arrays in CBOR, where the first element is the type of the object, encoded as an integer in the following table:

Object type codes
Code Name Description
1 name name associated with subject
2 ip6-addr IPv6 address of subject
3 ip4-addr IPv4 address of subject
4 redirection name of zone authority server
5 delegation public key for zone delgation
6 nameset name set expression for zone
7 cert-info certificate information for name
8 service-info service information for srvname
9 registrar registrar information
10 registrant registrant information
11 infrakey public key for RAINS infrastructure
12 extrakey external public key for subject

A name (1) object contains a name associated with a name as an alias. It is represented as a three-element array. The second element is a fully-qualified name as a UTF-8 encoded string. The third type is an array of object type codes for which the alias is valid, with the same semantics as the query-types (9) key in queries (see Section 5.7).

An ip6-addr (2) object contains an IPv6 address associated with a name. It is represented as a two element array. The second element is a byte array of length 16 containing an IPv6 address in network byte order.

An ip4-addr (3) object contains an IPv4 address associated with a name. It is represented as a two element array. The second element is a byte array of length 4 containing an IPv4 address in network byte order.

A redirection (4) object contains the fully-qualified name of a RAINS authority server for a named zone. It is represented as a two-element array. The second element is a fully-qualified name of an RAINS authority server as a UTF-8 encoded string.

A delegation (5) object contains a public key used to generate signatures on assertions in a named zone, and by which a delegation of a name within a zone to a subordinate zone may be verified. It is represented as an N-element array. The second element is a signature algorithm identifier as in Section 5.14. Additional elements are as defined in Section 5.14 for the given algorithm identifier.

A nameset (6) object contains an expression defining which names are allowed and which names are disallowed in a given zone. It is represented as a two- element array. The second element is a nameset expression to be applied to each name element within the zone without an intervening delegation, as defined in Section 5.12.2

A cert-info (7) object contains an expression binding a certificate or certificate authority to a name, such that connections to the name must either use the bound certificate or a certificate signed by a bound authority. It is represented as an five-element array, as defined in Section 5.12.1.

A service-info (8) object gives information about a named service. Services are named as in [RFC2782]. It is represented as a four-element array. The second element is a fully-qualified name of a host providing the named service as a UTF-8 string. The third element is a transport port number as a positive integer in the range 0-65535. The fourth element is a priority as a positive integer, with lower numbers having higher priority.

A registrar (9) object gives the name and other identifying information of the registrar (the organization which caused the name to be added to the namespace) for organization-level names. It is represented as a UTF-8 string of maximum length 256 bytes containing identifying information chosen by the registrar according to the registry’s policy.

A registrant (10) object gives information about the registrant of an organization-level name. It is represented as a UTF-8 string with a maximum length of 4096 bytes containing this information, with a format chosen by the registrar according to the registry’s policy.

An infrakey (11) object contains a public key used to generate signatures on messages by a named RAINS server, by which a RAINS message signature may be verified by a receiver. It is identical in structure to a delegation object, as defined in Section 5.14. Infrakey signatures are especially useful for clients which delegate verification to their query servers to authenticate the messages sent by the query server.

An extrakey (12) object contains a public key used to generate signatures on assertions in a named zone outside of the normal delegation chain. It is represented as an N-element array, where the second element is a signature algorithm identifier, and the third element is keyspace identifier, as in Section 5.14. Additional elements are as defined in Section 5.14 for the given algorithm identifier. An extrakey may be matched with a public key obtained through other means for additional authentication of an assertion. Extrakeys are different from delegation keys in that they may not be used in the delegation chain: an extrakey signature is valid only on assertions of object types other than delegation.

5.12.1. Certificate information format

A cert-info object contains information about the certificate(s) that can be used to authenticate a transport-layer association with a named entity. It is encoded as a file-element array. The first element is the RAINS object type (7). The second element is the protocol family specifier, describing the cryptographic protocol used to connect, as defined in Table 6. The protocol family defines the format of certificate data to be hashed. The third element is the certificate usage specifier as in Table 7, describing the constraint imposed by the assertion. These are defined to be compatible with Certificate Usages in the TLSA RRTYPE for DANE [RFC6698]. The fourth element is the hash algorithm identifier, defining the hash algorithm used to generate the certificate data. The fifth item is the data itself, whose format is defined by the protocol family and hash algorithm.

Certificate information protocol families
Code Protocol family Certificate format
0 Unspecified Unspecified
1 Transport Layer Security (TLS) [RFC5246] [RFC5280]

Protocol family 0 leaves the protocol family unspecified; client validation and usage of cert-info assertions, and the protocol used to connect, are up to the client, and no information is stored in RAINS. Protocol family 1 specifies Transport Layer Security version 1.2 [RFC5246] or a subsequent version, secured with PKIX [RFC5280] certificates.

Certificate information usage values
Code Certificate usage
2 Trust Anchor Certificate
3 End-Entity Certificate

A trust anchor certificate constraint specifies a certificate that MUST appear as the trust anchor for the certificate presented by the subject of the assertion on a connection attempt. An end-entity certificate constraint specifies a certificate that MUST be presented by the subject of the assertion on a connection attempt.

Certificate information hash algorithms
Code Hash/HMAC Notes
0 None Data contains full certificate
1 sha-256 Data contains SHA-256 hash (32 bytes)
2 sha-512 Data contains SHA-512 hash (64 bytes)
3 sha-384 Data contains SHA-384 hash (48 bytes)

Code 0 is used to store full certificates in RAINS assertions, while other codes are used to store hashes for verification.

For example, in a cert-info object with values [ 7, 1, 3, 3, (data) ], the data would be a 48 SHA-384 hash of the ASN.1 DER-encoded X.509v3 certificate (see Section 4.1 of [RFC5280]) to be presented by the endpoint on a connection attempt with TLS version 1.2 or later.

5.12.2. Name expression format

The nameset expression is represented as a UTF-8 string encoding a modified POSIX Extended Regular Expression format (see POSIX.2) to be applied to each element of a name within the zone. A name containing an element that does not match the valid nameset expression for a zone is not valid within the zone, and the nameset assertion can be used to prove nonexistence.

The POSIX character classes :alnum:, :alpha:, :ascii:, :digit:, :lower:, and :upper: are available in these regular expressions, where:

  • :lower: matches all codepoints within the Unicode general category “Letter, lowercase”
  • :upper: matches all codepoints within the Unicode general category “Letter, uppercase”
  • :alpha: matches all codepoints within the Unicode general category “Letter”.
  • :digit: matches all codepoints within the Unicode general category “Number, decimal digit”
  • :alnum: is the union of :alpha: and :digit:
  • :ascii: matches all codepoints in the range 0x20-0x7f

In addition, each Unicode block is available as a character class, with the syntax :ublkXXXX: where XXXX is a 4 or 5 digit, zero-prefixed hex encoding of the first codepoint in the block. For example, the Cyrillic block is available as :ublk0400:.

Unicode escapes are supported in these regular expressions; the sequence \uXXXX where XXXX is a 4 or 5 digit, possibly zero-prefixed hex encoding of the codepoint, is substituted with that codepoint.

Set operations (intersection and subtraction) are available on character classes. Two character class or range expressions in a bracket expression joined by the sequence && are equivalent to the intersection of the two character classes or ranges. Two character class or range expressions in a bracket expression joined by the sequence – are equivalent to the subtraction of the second character class or range from the first.

For example, the nameset expression:

[[:ublk0400:]&&[:lower:][:digit:]]+

matches any name made up of one or more lowercase Cyrillic letters and digits. The same expression can be implemented with a range instead of a character class:

[\u0400-\u04ff&&[:lower:][:digit:]]+

5.13. Tokens in queries and messages

Messages, queries, and notifications all contain an opaque token (2) key, whose content is a byte array of maximum length 32, and is used to link Messages to the Queries they respond to, and Notifications to the Messages they respond to. Tokens MUST be treated as opaque values by RAINS servers.

A Message sent in response to a Query MUST contain the token in that Query. Otherwise, the Message SHOULD contain a token selected by the server originating it, so that future Notifications can be linked to the message causing it. Likewise, a Notification sent in response to a Message MUST contain the token from the Message causing it.

When a server creates a new query to forward to another server in response to a query it received, it MUST NOT use the same token on the delegated query as on the received query, unless option 6 Enable Tracing is present in the received, in which case it MUST use the same token.

5.14. Signatures, delegation keys, and RAINS infrastructure keys

RAINS supports multiple signature algorithms and hash functions for signing assertions for cryptographic algorithm agility [RFC7696]. A RAINS signature algorithm identifier specifies the signature algorithm; a hash function for generating the HMAC and the format of the encodings of the signature values in Assertions, Shards, Zones, and Messages, as well as of public key values in delegation objects.

RAINS signatures have four common elements: the algorithm identifier, a keyspace identifier, a valid-since timestamp, and a valid-until timestamp. Signatures are represented as an array of these four values followed by additional elements containing the signature data itself, according to the algorithm identifier.

The following algorithms are supported:

Defined signature algorithms
Alg ID Signatures Hash/HMAC Format
1 ed25519 sha-512 See Section 5.14.1
2 ed448 shake256 See Section 5.14.1
3 ecdsa-256 sha-256 See Section 5.14.2
4 ecdsa-384 sha-384 See Section 5.14.2

As noted in Section 5.14.1, support for Algorithm 1, ed25519, is REQUIRED; other algorithms are OPTIONAL.

The keyspace identifier associates the signature with a method for verifying signatures. This facility is used to support signatures on assertions from external sources (the extrakey object type). At present, one keyspace identifier is defined, and support for it is REQUIRED.

Keyspace ID Name Signature Verification Algorithm
0 rains RAINS delegation chain; see Section 5.14

Valid-since and valid-until timestamps are represented as CBOR integers counting seconds since the UNIX epoch UTC, identified with tag value 1 and encoded as in section 2.4.1 of [RFC7049]. A signature MUST have a valid-until timestamp. If a signature has no specified valid-since time (i.e., is valid from the beginning of time until its valid-until timestamp), the valid-since time MAY be null (as in Table 2 in Section 2.3 of [RFC7049]).

Signatures in RAINS are generated over a normalized serialized CBOR object (a Message; or an Assertion, Shard, or Zone section body). To normalize and serialize an object for signing:

  • Serialize the object with a stub for the signature to be generated:
    • Strip all other signatures during serialization by omitting all signatures (0) keys and their values. When signing a shard or zone, the signatures on contained assertions, if present, must be omitted too. When signing a message, the signatures on contained assertions, shards, and zones must be omitted.
    • Add subject zone and context to contained shards and assertions if not present, inheriting them from their containing shard or zone.
    • Create a stub signature within an array within a signatures (0) key at the appropriate place in the object, containing the algorithm ID, timestamps and hash chain token, if present, but a null value in the place of the signature content.
    • Normalize the serialized object by emitting all keys in CBOR maps in ascending numerical order. Note that when serializing anything with a Content array, the order of the content array is preserved.
    • If the serialized object is a Message, it should be tagged with the RAINS tag.
  • Generate a signature on the resulting byte stream according to the algorithm selected.
  • Add the full signature to the signatures array at the appropriate point in the object.

To verify a signature, generate the byte stream as for signing, then verify the signature according to the algorithm selected.

5.14.1. EdDSA signature and public key format

EdDSA public keys consist of a single value, a 32-byte bit string generated as in Section 5.1.5 of [RFC8032] for Ed25519, and a 57-byte bit string generated as in Section 5.2.5 of [RFC8032] for Ed448. The third element in a RAINS delegation object is this bit string encoded as a CBOR byte array. RAINS delegation objects for Ed25519 keys are therefore represented by the array [5, 1, k]; and for Ed448 keys as [5, 2, k].

Ed25519 and Ed448 signatures are are a combination of two non-negative integers, called “R” and “S” in sections 5.1.6 and 5.2.6, respectively, of [RFC8032]. An Ed25519 signature is represented as a 64-byte array containing the the concatenation of R and S, and an Ed448 signature is represented as a 114-byte array containing the concatenation of R and S. RAINS signatures using Ed25519 are therefore the array [1, 0, valid-from, valid-until, R|S]; using Ed448 the array [2, 0, valid-from, valid-until, R|S].

Ed25519 keys are generated as in Section 5.1.5 of [RFC8032], and Ed448 keys as in Section 5.2.5 of [RFC8032]. Ed25519 signatures are generated from a normalized serialized CBOR object as in Section 5.1.6 of [RFC8032], and Ed448 signatures as in section 5.2.6 of [RFC8032].

RAINS Server and Client implementations MUST support Ed25519 signatures for delegation.

5.14.2. ECDSA signature and public key format

ECDSA public keys consist of a single value, called “Q” in [FIPS-186-3]. Q is a simple bit string that represents the uncompressed form of a curve point, concatenated together as “x | y”. The third element in a RAINS delegation object is the Q bit string encoded as a CBOR byte array. RAINS delegation objects for ECDSA-256 public keys are therefore represented as the array [5, 3, Q]; and for ECDSA-384 public keys as [5, 4, Q].

ECDSA signatures are a combination of two non-negative integers, called “r” and “s” in [FIPS-186-3]. A Signature using ECDSA is represented using a four-element CBOR array, with the fourth element being “r | s” such that r is represented as a byte array as described in Section C.2 of [FIPS-186-3], and s represented as a byte array as described in Section C.2 of [FIPS-186-3]. For ECDSA-256 signatures, each integer MUST be represented as a 32-byte array. For ECDSA-384 signatures, each integer MUST be represented as a 48-byte array. RAINS signatures using ECDSA-256 are therefore the array [3, 0, valid-from, valid-until, r|s]; and for ECDSA-384 the array [4, 0, valid-from, valid-until, r|s].

ECDSA-256 signatures and public keys use the P-256 curve as defined in [FIPS-186-3]. ECDSA-384 signatures and public keys use the P-384 curve as defined in [FIPS-186-3].

ECDSA-256 and ECDSA-384 support are primarily meant for compatibility with and migration from existing DNSSEC deployments; see Section 8.5.

5.15. Capabilities

When a RAINS server or client sends the first message in a stream to a peer, it MAY expose optional capabilities to its peer using the capabilities (1) key. This key contains either:

  • an array of uniform resource names specifying capabilities supported by the sending server, taken from the table below, with each name encoded as a UTF-8 string.
  • a SHA-256 hash of the CBOR byte stream derived from normalizing such an array by sorting it in lexicographically increasing order, then serializing it.

This mechanism is inspired by [XEP0115], and is intended to be used to reduce the overhead in exposing common sets of capabilities. Each RAINS server can cache a set of recently-seen or common hashes, and only request the full URN set (using notification code 399) on a cache miss.

The following URNs are presently defined; other URNs will specify future optional features, support for alternate transport protocols and new signature algorithms, etc.

URN Meaning
urn:x-rains:tlssrv Listens for connections on TLS over TCP from other RAINS servers.

Since there are only two defined capabilities at this time, RAINS servers can be implemented with two hard-coded hashes to determine whether a peer is listening or not. The hash presented by a server supporting urn:x-rains:tlssrv is e5365a09be554ae55b855f15264dbc837b04f5831daeb321359e18cdabab5745; the hash presented by a server supporting no capabilities is 76be8b528d0075f7aae98d6fa57a6d3c83ae480a8469e668d7b0af968995ac71.

A RAINS server MUST NOT assume that a peer server supports a given capability unless it has received a message containing that capability from that server. An exception are the capabilities indicating that a server listens for connections using a given transport protocol; servers and clients can also learn this information from RAINS itself (given a redirection assertion for a named zone) or from external configuration values.

6. RAINS Protocol Definition

As noted in Section 5, RAINS is a message-exchange protocol that uses CBOR [RFC7049] as its framing. Since CBOR is self-framing – a CBOR parser can determine when a CBOR object is complete at the point at which it has read its final byte – RAINS requires no external framing. It can therefore run over any streaming, multistreaming, or message-oriented transport protocol. In order to protect query confidentiality, and support rapid deployment over a ubiquitously implemented transport, RAINS is defined in this document to run over persistent TLS 1.2 connections [RFC5246] over TCP [RFC0793] with mutual authentication between servers, and authentication of servers by clients. The TLS certificates of RAINS server peers can be verified as specified in the cert-info assertions for those servers.

RAINS servers MUST support this transport; future transports can be negotiated using the capabilities mechanism after bootstrapping using TLS 1.2. As RAINS is an experimental protocol, RAINS servers listen on port 1022 [RFC4727] for connections from other RAINS servers and clients. RAINS servers should strive to keep connections open to peer servers, unless it is clear that no future messages will be exchanged with those peers, or in the face of resource limitations at either peer. If a RAINS server needs to send a message to another RAINS server to which it does not have an open connection, it attempts to open a connection with that server.

This section describes the operation of the protocol as used among RAINS servers. A simplified version of the protocol for client access is described in Section 7.

6.1. Message processing

Once a transport is established, any server may validly send a message with any content to any other server. A client may send messages containing queries to servers, and a server may sent messages containing anything other than queries to clients.

Upon receipt of a message, a server or client attempts to parse it.

If the server or client cannot parse the message at all, it returns a 400 Bad Message notification to the peer. This notification may have a null token if the token cannot be retrieved from the message.

If the server or client can parse the message, it:

  • notes the token on the message. This token MUST be present on any messages sent in reply to this message.
  • processes any capabilities present, replacing the set of capabilities known for the peer with the set present in the message. If the present capabilities are represented by a hash that the server does not have in its cache, it prepares a notification of type 399 “Capability hash not understood” to send to its peer.
  • splits the contents into its constituent message sections, and verifies that each is acceptable. Specifically, queries are not accepted by clients (see Section 7), and 404 No Assertion Exists notifications are not accepted by servers. If a message contains an unacceptable section, the server or client returns a 400 Bad Message notification to its peer, and ceases processing of the message.

On receipt of an assertion, shard, or zone message section, a server:

  • verifies its consistency (see Section 6.4). If the section is not consistent, it prepares to send a notification of type 403 Inconsistent Message to the peer, and discards the section. Otherwise, it:
  • determines whether it answers an outstanding query; if so, it prepares to forward the section to the server that issued the query.
  • determines whether it is likely to answer a future query, according to its configuration, policy, and query history; if so, it caches the section.

On receipt of an assertion, shard, or zone message section, a client:

  • determines whether it answers an outstanding query; if so, it considers the query answered. It then:
  • determines whether it is likely to answer a future query, according to its configuration, policy, and query history; if so, it caches the section.

On receipt of a query, a server:

  • determines whether it has expired by checking the query-expires value. If so, it drops the query silently. If not, it:
  • determines whether it has a stored assertion, shard, and/or zone message section which answers the query. If so, it prepares to return the most specific such section with the signature of the longest remaining validity to the peer that issued the query. If not, it:
  • checks to see whether the query specifies option 4 (cached answers only). If so, and if option 5 (expired assertions acceptable) is also specified, it then checks to see if it has any cached sections that answer the query on which signatures are expired; otherwise, processing stops. If the query does not specify option 4, delegation proceeds as follows: the server:
  • determines whether it has other non-authoritative servers it can forward the query to, according to its configuration and policy, and in compliance with any query options (see Section 5.7). If so, it prepares to forward the query to those servers, noting the reply for the received query depends on the replies for the forwarded query. If not, it:
  • determines the responsible authority servers for the zone containing the query name in the query for the context requested, and forwards the query to those authority servers, noting the reply for the received query depends on the reply for the forwarded query.

If query delegation fails to return an answer within a configured timeout for a delegated query, the server prepares to send a 504 No assertion available response to the peer from which it received the query.

When a server creates a new query to forward to another server in response to a query it received, it SHOULD NOT use the same token on the delegated query as on the received query, unless option 6 Enable Tracing is present in the received, in which case it MUST use the same token. The Enable Tracing option is designed to allow debugging of query processing across multiple servers, It SHOULD only be enabled by clients designed explicitly for debugging RAINS itself, and MUST NOT be enabled by default by client resolvers.

When a server creates a new query to forward to another server in response to a query it received, and the received query contains a query-expires time, the delegated query MUST contain the same query-expires time. If the received query contains no query-expires time, the delegated query MAY contain a query- expires time of the server’s choosing, according to its configuration.

On receipt of a notification, a server’s behavior depends on the notification type:

  • For type 100 “Connection Heartbeat”, the server does nothing: these null messages are used to keep long-lived connections open in the presence of network behaviors that may drop state for idle connections.
  • For type 399 “Capability hash not understood”, the server prepares to send a full capabilities list on the next message it sends to the peer.
  • For type 504 “No assertion available”, the server checks the token on the message, and prepares to forward the assertion to the associated query.
  • For type 413 “Message too large” the server notes that large messages may not be sent to a peer and tries again (see Section 6.3), or logs the error along with the note-data content.
  • For type 400 “Bad message”, type 403 “Inconsistent message”, type 500 “Server error”, or type 501 “Server not capable”, the server logs the error along with the note-data content, as these notifications generally represent implementation or configuration error conditions which will require human intervention to mitigate.

On receipt of a notification, a client’s behavior depends on the notification type:

  • For type 100 “Connection Heartbeat”, the client does nothing, as above.
  • For type 399 “Capability hash not understood”, the client prepares to send a full capabilities list on the next message it sends to the peer.
  • For type 404 “No assertion exists”, the client takes the query to be unanswerable. It may reissue the query with query option 7 to do the verification of nonexistence again, if the server from which it received the notification is untrusted.
  • For type 413 “Message too large” the client notes that large messages may not be sent to a peer and tries again (see Section 6.3), or logs the error along with the note-data content.
  • For type 400 “Bad message”, type 403 “Inconsistent message”, type 500 “Server error”, or type 501 “Server not capable”, the client logs the error along with the note-data content, as these notifications generally represent implementation or configuration error conditions which will require human intervention to mitigate.

The first message a server or client sends to a peer after a new connection is established SHOULD contain a capabilities section, if the server or client supports any optional capabilities. See Section 5.15.

If the server is configured to keep long-running connections open, due to the presence of network behaviors that may drop state for idle connections, it SHOULD send a message containing a type 100 Connection Heartbeat notification after a configured idle time without any messages containing other content being sent.

6.2. Message Transmission

As noted in Section 6.1 many messages are sent in reply to messages received from peers. Servers may also originate messages on their own, based on their configuration and policy:

  • Proactive queries to retrieve assertions, shards, and zones for which all signatures have expired or will soon expire, for cache management purposes.
  • Proactive push of assertions, shards, and zones to other servers, based on query history or other information indicating those servers may query for the assertions they contain.

6.3. Message Limits

RAINS servers MUST accept messages up to 65536 bytes in length, but MAY accept messages of greater length, subject to resource limitations of the server. A server with resource limitations MUST respond to a message rejected due to length restrictions with a notification of type 413 (Message Too Large). A server that receives a type 413 notification must note that the peer sending the message only accepts messages smaller than the largest message it’s successfully sent that peer, or cap messages to that peer to 65536 bytes in length.

Since a bare assertion with a single ECDSA signature requires on the order of 180 bytes, it is clear that many full zones won’t fit into a single minimum maximum-size message. Authorities are therefore encouraged to publish zones grouped into shards that will fit into 65536-byte messages, to allow servers to reply using these shards when full-zone transfers are not possible due to message size limitations.

6.4. Runtime Consistency Checking

The data model used by the RAINS protocol allows inconsistent information to be asserted, all resulting from misconfigured or misbehaving authority servers. The following types of inconsistency are possible:

  • A lexically complete shard may omit an assertion within its shard-range which is valid at the same time as the shard.
  • A zone may omit an assertion within its zone which is valid at the same time as the zone.
  • An assertion prohibited by its zone’s nameset may be valid at the same time as the zone’s nameset assertion.

RAINS relies on runtime consistency checking to mitigate inconsistency: each server receiving an assertion, shard, or zone SHOULD, subject to resource constraints, ensure that it is consistent with other information it has, and if not, discard all assertions, shards, and zones in its cache, log the error, and send a 403 Inconsistent Message to the source of the message.

6.5. Integrity and Confidentiality Protection

Assertions are not valid unless they contain at least one signature that can be verified from the chain of authorities specified by the name and context on the assertion; integrity protection is built into the information model. The infrastructure key object type allows keys to be associated with RAINS servers in addition to zone authorities, which allows a client to delegate integrity verification of assertions to a trusted query service (see Section 7).

Since the job of an Internet naming service is to provide publicly-available information mapping names to information needed to connect to the services they name, confidentiality protection for assertions is not a goal of the system. Specifically, the information model and the mechanism for proving non-existence of an assertion is not designed to provide resistance against zone enumeration.

On the other hand, confidentiality protection of query information in crucial. Linking naming queries to a specific user can be nearly as useful to build a profile of that user for surveillance purposes as full access to the clear text of that client’s communications [RFC7624]. In this revision, RAINS uses TLS to protect communications between servers and between servers and clients, with certificate information for RAINS infrastructure stored in RAINS itself. Together with hop-by-hop confidentiality protection, query options, proactive caching, default use of non-persistent tokens, and redirection among servers can be used to mix queries and reduce the linkability of query information to specific clients.

7. RAINS Client Protocol

The protocol used by clients to issue queries to and receive responses from an query service is a subset of the full RAINS protocol, with the following differences:

  • Clients only process assertion, shard, zone, and notification sections; sending a query to a client results in a 400 Bad Message notification.
  • Clients never listen for connections; a client must initiate and maintain a transport session to the query server(s) it uses for name resolution.
  • Servers only process query and notification sections when connected to clients; a client sending assertions to a server results in a 400 Bad Message notification.

Since signature verification is resource-intensive, clients delegate signature verification to query servers by default. The query server signs the message containing results for a query using its own key (published as an infrakey object associated with the query server’s name), and a validity time corresponding to the signature it verified with the longest lifetime, stripping other signatures from the reply. This behavior can be disabled by a client by specifying query option 7, allowing the client to do its own verification.

8. Deployment Considerations

The following subsections discuss issues that must be considered in any deployment of RAINS at scale.

8.1. Assertion Lifetime Management

An assertion can contain multiple signatures, each with a different lifetime. Signature lifetimes are equivalent to a time to live in the present DNS: authorities should compute a new signature for each validity period, and make these new signatures available when old ones are expiring.

Since assertion lifetime management is based on a real-time clock expressed in UTC, RAINS servers MUST use a clock synchronization protocol such as NTP [RFC5905].

8.2. Secret Key Management

The secret keys associated with public keys for each RAINS server (via infrakey objects) must be available on that server, whether through a hardware or software security device, so they can sign messages on demand; this is particularly important for query servers. In addition, the secret keys associated with TLS certificates for each server (published via certinfo objects) must be available as well in order to establish TLS sessions.

However, storing zone secret keys (associated via delegation objects) on RAINS servers would represent a more serious operational risk. To keep this from being necessary, authority servers have an additional signer interface, from which they will accept and cache any assertion, shard, or zone for which they are authority servers until at least the end of validity of the last signature, provided the signature is verifiable.

8.3. Unsigned Contained Assertions

Although RAINS supports Shards and Zones containing unsigned assertions, protecting the integrity of those Assertions by the signature on the Shard or Zone, it is RECOMMENDED that authorities sign each Assertion, even those contained within a Shard or Zone, in order to minimize the size of positive answers to queries.

8.4. Query Service Discovery

A client that will not do its own verification must be able to discover the query server(s) it should trust for resolution. Integration with DHCP is left to a future revision of this document.

In any case, clients MUST provide a configuration interface to allow a user to specify (by address or name) and/or constrain (by certificate property) a preferred/trusted query server. This would allow client on an untrusted network to use an untrusted locally-available query server to discover a preferred query server (doing key verification on its own for bootstrapping), before connecting to that query server for normal name resolution.

8.5. Transition using translation between RAINS and DNS information models

Full adoption of RAINS would require changes to every client device (replacing DNS stub resolvers with RAINS clients) and name server on the Internet. In addition, most client software would need to change, as well, to get the full benefits of explicit context in name resolution. This is an unrealistic goal.

RAINS servers can, however, coexist with Domain Name System servers and clients during an indefinite transition period. RAINS assertions can be algorithmically translated into DNS answers, and RAINS queries can be algorithmically translated into DNS queries, by RAINS to DNS gateways, given the mostly compatible information models used by the two.

While DNSSEC and RAINS keys for equivalent ciphersuites are compatible with each other, there is no equivalent to query option 7 for gateways, since the RAINS signatures are generated over the RAINS bytestream for an assertion, not the DNS bytestream. Therefore, RAINS to DNS gateways must provide verification services for DNS clients. DNS over TLS [RFC7858] SHOULD be used between the DNS client and gateway to ensure confidentiality and integrity for queries and answers.

Object type mappings are as follows:

  • Objects of type name can (largely) be represented as CNAME RRs.
  • Objects of type ip6-addr can be represented as AAAA RRs.
  • Objects of type ip4-addr can be represented as A RRs.
  • Objects of type redirection can be represented as NS RRs.
  • Objects of type cert-info can be represented as TLSA RRs
  • Objects of type service-info can be represented as SRV RRs.

There are a few object types without mappings:

  • Objects of type delegation can be represented as DS RRs, and signatures as RRSIG RRs, but since these keys are verified by the gateway, there is no need to represent this information to the client.
  • Objects of type infrakey cannot be represented in DNS, but are irrelevant for DNS translation of RAINS messages, since DNS does not support server signing of responses.
  • Objects of type registrar and registrant cannot be represented in DNS; clients can use WHOIS instead. In addition, RRTYPEs could be added for them in the future if RAINS sees significant deployment with DNS as a front-end protocol.
  • Objects of type nameset cannot be represented in DNS; the current equivalent are the IDNA parameters maintained by IANA (for the DNS root zone only) at https://www.iana.org/assignments/idna-tables-6.3.0/idna-tables-6.3.0.xhtml.

When translating a DNS query from a client to a RAINS query for that client, client options can be set on a per-server, per-client, or per-query basis using some out of band configuration options.

When translating a RAINS assertion to a DNS answer, the gateway can use the time to expiry for the verified signature as the TTL.

There is no method for exposing context information in a DNS query or answer. Therefore, queries and answers at a RAINS gateway are only supported for the global context “.”.

9. Experimental Design and Evaluation

The protocol described in this document is intended primarily as a prototype for discussion, though the goal of the document is to specify RAINS completely enough to allow independent, interoperable implementation of clients an servers. The massive inertia behind the deployment of the present domain name system makes full deployment as a replacement for DNS unlikely. Despite this, there are some criteria by which the success of the RAINS experiment may be judged:

First, deployment in simulated or closed networks, or in alternate Internet architectures such as SCION, allows implementation experience with the features of RAINS which DNS lacks (signatures as a first-order delegation primitive, support for explicit contexts, explicit tradeoffs in queries, runtime availability of registrar/registrant data, and nameset support), which in turn may inform the specification and deployment of these features on the present DNS.

Second, deployment of RAINS “islands” in the present Internet alongside DNS on a per-domain basis would allow for comparison between operational and implementation complexity and efficiency and benefits derived from RAINS’ features, as information for future development of the DNS protocol.

10. IANA Considerations

The present revision of this document has no actions for IANA.

The authors have registered the CBOR tag 15309736 to identify RAINS messages in the CBOR tag registry at https://www.iana.org/assignments/cbor-tags/cbor-tags.xhtml.

RAINS servers currently listen for connections from other servers on Port 1022. Future revisions of this document may specify a different port, registered with IANA via Expert Review [RFC5226].

The symbol table in this document in Section 5.1, the notification code table in Section 5.11, and the signature algorithm table in Section 5.14 may be candidates for IANA registries in future revisions of this document.

The urn:x-rains namespace used by the RAINS capability mechanism in Section 5.15 may be a candidate for replacement with an IANA-registered namespace in a future revision of this document.

11. Security Considerations

This document specifies a new, experimental protocol for Internet name resolution, with mandatory integrity protection for assertions about names built into the information model, and confidentiality for query information protected on a hop-by-hop basis. See especially Section 4.1.2, Section 6.5, Section 5.14, Section 5.12.1, and Section 8.2 for security-relevant details.

12. Acknowledgments

Thanks to Daniele Asoni, Laurent Chuat, Markus Deshon, Christian Fehlmann, Ted Hardie, Joe Hildebrand, Tobias Klausmann, Steve Matsumoto, Adrian Perrig, Raphael Reischuk, Stephen Shirley, Andrew Sullivan, and Suzanne Woolf for the discussions leading to the design of this protocol.

13. References

13.1. Normative References

[FIPS-186-3] NIST, ., "Digital Signature Standard FIPS 186-3", June 2009.
[I-D.trammell-inip-pins] Trammell, B., "Properties of an Ideal Naming Service", Internet-Draft draft-trammell-inip-pins-03, March 2017.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, DOI 10.17487/RFC2782, February 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, ICMPv6, UDP, and TCP Headers", RFC 4727, DOI 10.17487/RFC4727, November 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R. and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, October 2013.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017.

13.2. Informative References

[PARSER-BUGS] Bratus, S., Patterson, M. and A. Shubina, "The Bugs We Have To Kill (USENIX login)", August 2015.
[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006.
[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008.
[RFC5905] Mills, D., Martin, J., Burbank, J. and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010.
[RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, DOI 10.17487/RFC6605, April 2012.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012.
[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014.
[RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T., Trammell, B., Huitema, C. and D. Borkmann, "Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement", RFC 7624, DOI 10.17487/RFC7624, August 2015.
[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms", BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D. and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016.
[RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D. and W. Kumari, "Client Subnet in DNS Queries", RFC 7871, DOI 10.17487/RFC7871, May 2016.
[SCION] Barrera, D., Reischuk, R., Szalachowski, P. and A. Perrig, "SCION Five Years Later - Revisiting Scalability, Control, and Isolation Next-Generation Networks (arXiv:1508.01651v1)", August 2015.
[XEP0115] Hildebrand, J., Saint-Andre, P., Troncon, R. and J. Konieczny, "XEP-0115 Entity Capababilities", February 2008.

Appendix A. Directions for future experimentation

The following features were suggested during the design of RAINS, but have been left out of the current revision of the specification to allow additional experimentation with them before they are completely specified.

A.1. Revocation based on hash chains

RAINS assertions are scoped in temporal validity by the lifetimes on their signatures. This is operationally equivalent to TTL in the current DNS. An assertion which becomes invalid can simply not be renewed by its authority. However, very dynamic infrastructures may require impractical numbers of signatures, and could benefit from longer validity times. Allowing an assertion to be revoked would make this possible.

Hash-chain based revocation allows a signature (and the Assertion, Shard, or Zone it protects) to be replaced before it expires. To use hash-chain based revocation, a signing entity generates a hash chain from a known seed using the hash function specified by the signature algorithm in use, and places the Nth value derived therefrom in the hash chain revocation token on a signature. When used, this token appears as a byte array after the signature data in the signature array.

A revocation can be issued by generating a new section and signing it, revealing the N-1st value from the hash chain in the revocation token. To allow a recipient of a revoked section to verify the revocation, the following restrictions on what can replace what apply:

  • An Assertion can only be replaced by another Assertion with the same Subject within the same Context and Zone, containing an Objects array of the same length containing the same types of Objects. To delete Object values, those values can be replaced with Null in the replacing Assertion.
  • A Shard can only be replaced by another Shard with an identical shard-range key, within the same Context and Zone. Incomplete Shards cannot be replaced.
  • A Zone can only be replaced by another Zone with an identical name within the same Context.

Two codepoints have been reserved to support experimentation with this mechanism, as shown in Table 10.

Defined signature algorithms
Code Signatures Hash/HMAC Format Revocation
24 ecdsa-256 sha-256 See Section 5.14.2 hash-chain
25 ecdsa-384 sha-384 See Section 5.14.2 hash-chain

The main open question for experimentation is how to ensure that a revocation is properly propagated through a RAINS infrastructure; this may require protocol changes to work reliably.

To support this experiment, a server must additionally evaluate an assertion it receives to determine whether it replaces any information presently in its cache. If so, it discards the old information, and caches the new section.

Appendix B. Open Issues

  • A method for clients to discover local oracles needs to be specified.
  • Consider making negative answers less expensive by allowing a hash of a shard with a negative answer proof to be sent back, and checked with a “no hashed negative answers” query option. This would increase complexity somewhat, because it would require the (re-)addition of an Answer section, which could contain such a beast.
  • Consider adding semantics to note-data for automated reaction to an error. Specifically, notification codes 400, 403, and 413 could use additional data.

Author's Address

Brian Trammell ETH Zurich Universitaetstrasse 6 Zurich, 8092 Switzerland EMail: ietf@trammell.ch