ADD Working Group                                                 D. Liu
Internet-Draft                                          Jinan University
Intended status: Informational                                    Z. Yan
Expires: 21 January 2026                                           CNNIC
                                                                 G. Geng
                                                                 G. Zeng
                                                        Jinan University
                                                            20 July 2025


     Multicast DNS-Based Service Discovery for Encrypted DNS Services
                        draft-liu-add-dnssd-edns-00

Abstract

   This document defines a multicast DNS (mDNS) and DNS-Based Service
   Discovery (DNS-SD) mechanism for discovering encrypted DNS services
   in local networks.  It specifies new service types (_dot, _doh, _doq)
   and associated TXT record parameters to enable zero-configuration
   discovery of DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over
   QUIC (DoQ) resolvers.  This extension addresses critical privacy gaps
   in local networks while maintaining backward compatibility with
   RFC 6763.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 January 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Liu, et al.             Expires 21 January 2026                 [Page 1]

Internet-Draft                   EDNS-SD                       July 2025

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  The Local Network Privacy Challenge . . . . . . . . . . .   3
     1.2.  mDNS/DNS-SD as a Solution for Privacy-Aware Discovery . .   3
     1.3.  Key Use Cases . . . . . . . . . . . . . . . . . . . . . .   3
     1.4.  Relationship to Existing Standards  . . . . . . . . . . .   4
   2.  Terminology and Requirements  . . . . . . . . . . . . . . . .   4
     2.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
     2.2.  Defined Terms . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Service Type Definitions  . . . . . . . . . . . . . . . . . .   5
     3.1.  Encrypted DNS Service Types . . . . . . . . . . . . . . .   5
     3.2.  Service Instance Name Format  . . . . . . . . . . . . . .   5
   4.  DNS Resource Records  . . . . . . . . . . . . . . . . . . . .   5
     4.1.  PTR Records (Service Discovery) . . . . . . . . . . . . .   5
     4.2.  SRV Records (Service Location)  . . . . . . . . . . . . .   5
     4.3.  TXT Records (Service Parameters)  . . . . . . . . . . . .   6
   5.  Discovery Process . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Service Advertisement . . . . . . . . . . . . . . . . . .   6
     5.2.  Client Discovery  . . . . . . . . . . . . . . . . . . . .   7
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
     6.1.  Spoofing Countermeasures  . . . . . . . . . . . . . . . .   7
     6.2.  Certificate Validation Models . . . . . . . . . . . . . .   8
     6.3.  Privacy Implications  . . . . . . . . . . . . . . . . . .   8
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     7.1.  New DNS-SD Service Types  . . . . . . . . . . . . . . . .   8
     7.2.  TXT Record Key Registry . . . . . . . . . . . . . . . . .   9
   8.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Full DoT Service Advertisement  . . . . . . . . . . . . .   9
     8.2.  DoH Service with Custom Path  . . . . . . . . . . . . . .   9
     8.3.  Client Discovery Sequence . . . . . . . . . . . . . . . .   9
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

1.1.  The Local Network Privacy Challenge

   While encrypted DNS protocols such as DNS over TLS (DoT) [RFC7858],
   DNS over HTTPS (DoH) [RFC8484], and DNS over QUIC (DoQ) [RFC9250]
   have gained widespread adoption for public Internet resolution, local
   network environments often remain vulnerable to surveillance and
   manipulation of DNS traffic.  Many devices and applications in home,
   enterprise, and industrial networks still rely on plaintext DNS,
   exposing sensitive metadata such as device activities, service
   dependencies, and user behavior patterns.  Traditional discovery
   mechanisms (e.g., DHCP, Router Advertisements) lack the flexibility
   to negotiate fine-grained encrypted DNS configurations and fail in
   infrastructure-less environments where centralized servers are
   unavailable.

1.2.  mDNS/DNS-SD as a Solution for Privacy-Aware Discovery

   Multicast DNS (mDNS) [RFC6762] and DNS-Based Service Discovery
   (DNS-SD) [RFC6763] provide an ideal foundation for encrypted DNS
   service discovery due to their:

   *  Zero-configuration operation: Devices autonomously advertise and
      discover services without requiring a central server.

   *  Topology independence: Functions in isolated networks (e.g., home
      labs, industrial control systems) even without Internet
      connectivity.

   *  Real-time updates: Service availability changes propagate within
      seconds, unlike DHCP's lease-based delays.
   *  Rich parameter negotiation: TXT records allow flexible exchange of
      protocol details (ports, ALPN preferences, certificate
      fingerprints).

1.3.  Key Use Cases

   This specification enables:

   *  IoT and Smart Home Privacy: Devices (e.g., cameras, voice
      assistants) automatically discover and use encrypted DNS without
      manual configuration.

   *  Enterprise Network Segmentation: Departments can advertise
      isolated DNS services (e.g., _dot.finance.corp.local) with policy
      enforcement.

   *  Offline and Air-Gapped Networks: Secure DNS resolution in
      environments where Internet access is restricted but internal
      name resolution is still required (e.g., industrial control
      systems, military networks).

1.4.  Relationship to Existing Standards

   While [RFC9463] provides DHCP/RA-based encrypted DNS discovery, this
   mDNS-based approach offers complementary advantages:

   +================+===============+=========================+
   | Capability     | DHCP/RA       | mDNS/DNS-SD (This Spec) |
   +================+===============+=========================+
   | Infrastructure | Requires DHCP | Works without           |
   |                | server/router | infrastructure          |
   +----------------+---------------+-------------------------+
   | Update Latency | Minutes-hours | Seconds (event-driven)  |
   |                | (lease time)  |                         |
   +----------------+---------------+-------------------------+
   | Parameter      | Limited by    | Rich TXT key-value      |
   | Flexibility    | option space  | pairs                   |
   +----------------+---------------+-------------------------+
   | Use Cases      | Managed       | Ad-hoc/IoT/dynamic      |
   |                | networks      | networks                |
   +----------------+---------------+-------------------------+

               Table 1: Relationship to Existing Standards

   This document defines new DNS-SD service types (_dot._tcp, _doh._tcp,
   _doq._udp) and standardized TXT record parameters to enable seamless
   discovery of encrypted DNS services while maintaining backward
   compatibility with [RFC6763].

2.  Terminology and Requirements
2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.2.  Defined Terms

   *  EDNS: Encrypted DNS (DoT, DoH, DoQ collectively)

   *  ADN: Authentication Domain Name (FQDN for certificate validation)

   *  Service Instance: Unique identifier for an EDNS resolver (e.g.,
      Finance DoT._dot._tcp.local)

3.  Service Type Definitions

3.1.  Encrypted DNS Service Types

   +==============+==========+===========+=================+
   | Service Type | Protocol | Transport | IANA Assignment |
   +==============+==========+===========+=================+
   | _dot._tcp    | DoT      | TCP       | REQUIRED        |
   +--------------+----------+-----------+-----------------+
   | _doh._tcp    | DoH      | TCP       | REQUIRED        |
   +--------------+----------+-----------+-----------------+
   | _doq._udp    | DoQ      | UDP       | REQUIRED        |
   +--------------+----------+-----------+-----------------+

                  Table 2: Encrypted DNS Service Types

3.2.  Service Instance Name Format

   <Instance>.<Service>.<Domain>

   *  Instance: Human-readable identifier (e.g., CorpDNS, HomeGateway)

   *  Service: One of _dot._tcp, _doh._tcp, _doq._udp

   *  Domain: local (default) or custom domain

   Example: SecurityDoH._doh._tcp.local

4.  DNS Resource Records

4.1.  PTR Records (Service Discovery)

   ; Service type enumeration
   _services._dns-sd._udp.local.  PTR  _dot._tcp.local
   _services._dns-sd._udp.local.  PTR  _doh._tcp.local
   _services._dns-sd._udp.local.  PTR  _doq._udp.local

   ; Service instance enumeration (browsing, Section 4 of [RFC6763]);
   ; one PTR per advertised instance, answered by the query in
   ; Section 5.2, step 2
   _dot._tcp.local.               PTR  HomeDoT._dot._tcp.local

4.2.  SRV Records (Service Location)

   <Instance>.<Service>.<Domain>. [Class] [TTL] SRV <Priority> <Weight>
                                                    <Port> <Target>

   *  Target: Hostname offering the service (A/AAAA must resolve)

   Example:

   HomeDoT._dot._tcp.local. 120 IN SRV 0 5 853 router.home.local.
4.3.  TXT Records (Service Parameters)

   Defined Keys:

   +===========+============+==============+=========================+
   | Key       | Format     | Description  | Example                 |
   +===========+============+==============+=========================+
   | port      | Number     | Override     | port=784                |
   |           |            | default port |                         |
   +-----------+------------+--------------+-------------------------+
   | path      | String     | DoH URI path | path=/dns-query         |
   |           |            | (required    |                         |
   |           |            | for DoH)     |                         |
   +-----------+------------+--------------+-------------------------+
   | alpn      | Comma-list | Supported    | alpn=h2,h3              |
   |           |            | ALPN         |                         |
   |           |            | protocols    |                         |
   +-----------+------------+--------------+-------------------------+
   | pri       | Number     | Selection    | pri=10                  |
   |           |            | priority     |                         |
   |           |            | (0-65535)    |                         |
   +-----------+------------+--------------+-------------------------+
   | fp_sha256 | Hex string | Certificate  | fp_sha256=9F86D0...     |
   |           |            | SHA-256      |                         |
   |           |            | fingerprint  |                         |
   +-----------+------------+--------------+-------------------------+
   | domain    | FQDN       | ADN for      | domain=dns.corp.example |
   |           |            | certificate  |                         |
   |           |            | validation   |                         |
   +-----------+------------+--------------+-------------------------+

                 Table 3: TXT Records (Service Parameters)

   Full Example:

   HomeDoH._doh._tcp.local. 120 IN TXT "port=443" "path=/dns" "alpn=h2"
                                       "domain=dns.home.net"

5.  Discovery Process

5.1.  Service Advertisement

   1.  The EDNS resolver announces its records by multicast (mDNS has
       no broadcast; see Section 8.3 of [RFC6762]):

       +--------------+                       +------------------+
       | EDNS Resolver|                       |     Network      |
       +--------------+                       +------------------+
              | PTR _services._dns-sd._udp -> _doh._tcp |
              |---------------------------------------->|
              | SRV HomeDoH._doh._tcp -> router:443     |
              |---------------------------------------->|
              | TXT path=/dns alpn=h2                   |
              |---------------------------------------->|

           Figure 1: EDNS resolver sends an mDNS announcement

5.2.  Client Discovery

   1.  Client queries for service types:

       ; Query available EDNS services
       _services._dns-sd._udp.local.  IN PTR
   2.  Query specific instances:

       ; Query DoH instances
       _doh._tcp.local.  IN PTR

   3.  Resolve selected service:

       HomeDoH._doh._tcp.local.  IN SRV
       HomeDoH._doh._tcp.local.  IN TXT
       router.home.local.        IN A
       router.home.local.        IN AAAA

6.  Security Considerations

6.1.  Spoofing Countermeasures

   *  Source Address Check: Clients MUST discard mDNS responses whose
      source address is not on the local link, as required by
      Section 11 of [RFC6762]; an advertisement arriving from an
      off-link source is a spoofing attempt.

   *  Rate Limiting: Implement the mDNS response rate limiting of
      Section 6 of [RFC6762].

   *  TLS Enforcement: Clients MUST validate the server certificate
      against the ADN (domain= key) or the fingerprint (fp_sha256= key)
      before sending any query.  An advertisement that carries neither
      key cannot be authenticated and so cannot satisfy this
      requirement: mDNS itself provides no origin authentication, so
      the TLS validation step is the only thing that stops an on-link
      attacker from answering the discovery query with its own
      resolver.

6.2.  Certificate Validation Models

   +=============+===================================+=================+
   | Trust Model | Verification Method               | Use Case        |
   +=============+===================================+=================+
   | Public PKI  | ADN (domain= key) +               | General-purpose |
   |             | CA validation                     | networks        |
   +-------------+-----------------------------------+-----------------+
   | Fingerprint | fp_sha256 exact                   | High-security/  |
   | Pinning     | match                             | IoT devices     |
   +-------------+-----------------------------------+-----------------+
   | Private PKI | ADN + custom trust                | Enterprise      |
   |             | anchors                           | networks        |
   +-------------+-----------------------------------+-----------------+

                 Table 4: Certificate Validation Models

6.3.  Privacy Implications

   *  Metadata Leakage: mDNS queries are multicast to every host on the
      link and therefore reveal a client's interest in encrypted DNS.

   *  Mitigation: Clients SHOULD use service type enumeration
      (_services._dns-sd._udp) before issuing instance-specific
      queries.
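   How a client should treat what it has discovered, as an added example
   that is not part of this draft or its authors' work: the code parses
   the TXT strings under the rules of Section 6 of [RFC6763] (keys are
   case-insensitive, the first occurrence of a key wins), validates the
   Table 3 keys, derives the Table 4 trust model, builds the endpoint to
   connect to, and refuses any advertisement that carries neither
   domain= nor fp_sha256=, since Section 6.1 leaves the client nothing
   to validate the certificate against; the OfficeDoH advertisement of
   Section 8.2 is such a case.  Inputs are copied from the draft's
   examples with a constructed dummy fingerprint.  The draft does not
   say how TXT pri= relates to the SRV priority, whether TXT port= may
   disagree with the SRV port, or which model applies when both
   domain= and fp_sha256= are present; the choices made here are marked
   ASSUMPTION in the code.

```python
"""Added example (not from the draft): validate a discovered encrypted-DNS
advertisement before connecting.  TXT parsing follows RFC 6763 Section 6,
key checks follow Table 3, the trust model follows Table 4, and Section 6.1
makes an advertisement without domain= or fp_sha256= unusable."""
import re

SERVICE_TYPES = ("_dot._tcp", "_doh._tcp", "_doq._udp")
FP_RE = re.compile(r"^[0-9A-Fa-f]{64}$")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class AdvertisementError(ValueError):
    """An advertisement the client must not use."""


def parse_txt(strings):
    """RFC 6763 Sections 6.3/6.4: split at the first '=', keys are
    case-insensitive, a key without '=' is a boolean attribute (None),
    empty strings and empty keys are ignored, first occurrence wins."""
    attrs = {}
    for s in strings:
        key, sep, value = s.partition("=")
        key = key.lower()
        if key and key not in attrs:
            attrs[key] = value if sep else None
    return attrs


def _int(value, key, lo, hi):
    if not value.isdigit() or not lo <= int(value) <= hi:
        raise AdvertisementError(f"{key}= must be an integer in {lo}..{hi}")
    return int(value)


def from_records(instance, srv, txt):
    """Validate one instance.  srv is the SRV rdata (priority, weight, port,
    target); txt the TXT strings.  Returns a dict describing how to connect,
    or raises AdvertisementError."""
    service = ".".join(instance.rstrip(".").split(".")[1:3])
    if service not in SERVICE_TYPES:
        raise AdvertisementError(f"unknown service type in {instance!r}")
    srv_pri, _weight, port, target = srv
    a = parse_txt(txt)
    # Section 6.1: the certificate MUST be validated against the ADN or the
    # fingerprint.  With neither key nothing anchors the TLS session and a
    # forged mDNS answer would simply win, so the advertisement is refused.
    fp, adn = a.get("fp_sha256"), a.get("domain")
    if fp is None and adn is None:
        raise AdvertisementError(f"{instance}: neither domain= nor fp_sha256=")
    if fp is not None and not FP_RE.match(fp):
        raise AdvertisementError("fp_sha256= must be 64 hex digits")
    if adn is not None:
        adn = adn.rstrip(".").lower()
        if "." not in adn or not all(LABEL_RE.match(lab) for lab in adn.split(".")):
            raise AdvertisementError(f"domain= is not a valid FQDN: {adn!r}")
    # ASSUMPTION: the SRV port is authoritative; a contradicting TXT port=
    # marks the advertisement as malformed instead of being trusted.
    if a.get("port") is not None and _int(a["port"], "port", 1, 65535) != port:
        raise AdvertisementError("TXT port= contradicts SRV port")
    path = a.get("path") if service == "_doh._tcp" else None
    if service == "_doh._tcp" and not (path and path.startswith("/")
                                        and not any(c.isspace() for c in path)):
        raise AdvertisementError("DoH advertisement needs path=/... (Table 3)")
    alpn = tuple(t.strip() for t in (a.get("alpn") or "").split(",") if t.strip())
    # ASSUMPTION: TXT pri= overrides the SRV priority when present; lower wins.
    pri = _int(a["pri"], "pri", 0, 65535) if a.get("pri") is not None else srv_pri
    # Table 4.  ASSUMPTION: with both keys present the pin is the stricter
    # check and wins; whether a "pki" ADN is checked against public or
    # private trust anchors is local policy that mDNS cannot carry.
    trust = "fingerprint-pinning" if fp else "pki"
    host = adn or target.rstrip(".")          # TLS server name (SNI / ADN)
    scheme = {"_dot._tcp": "dot", "_doh._tcp": "https", "_doq._udp": "doq"}[service]
    return {"instance": instance, "service": service, "target": target,
            "port": port, "pri": pri, "alpn": alpn, "path": path, "adn": adn,
            "fp_sha256": fp.lower() if fp else None, "trust_model": trust,
            "endpoint": f"{scheme}://{host}:{port}{path or ''}"}


def process(advertisements):
    """Validate every advertisement; return (usable, {instance: reason}),
    with usable ordered by pri and then instance name."""
    usable, rejected = [], {}
    for instance, (srv, txt) in advertisements.items():
        try:
            usable.append(from_records(instance, srv, txt))
        except AdvertisementError as err:
            rejected[instance] = str(err)
    usable.sort(key=lambda s: (s["pri"], s["instance"]))
    return usable, rejected


# Constructed inputs copied from the draft's Section 4.3 and Section 8
# examples; the fingerprint is a dummy value, not a real certificate hash.
DUMMY_FP = "ab" * 32
SAMPLES = {
    "HomeDoH._doh._tcp.local.": ((0, 5, 443, "router.home.local."),
        ["port=443", "path=/dns", "alpn=h2", "domain=dns.home.net"]),
    "HomeDoT._dot._tcp.local.": ((0, 5, 853, "router.home.local."),
        ["domain=dns.home.net", f"fp_sha256={DUMMY_FP}"]),
    "OfficeDoH._doh._tcp.local.": ((0, 10, 443, "dnsgateway.corp.local."),
        ["path=/internal/dns", "alpn=h2,h3", "pri=5"]),   # no ADN, no pin
}
```

   Running process(SAMPLES) yields two usable services, HomeDoH under
   the PKI model at https://dns.home.net:443/dns and HomeDoT under
   fingerprint pinning at dot://dns.home.net:853, and rejects OfficeDoH
   because nothing in its TXT record can authenticate the resolver.
   The A/AAAA lookup of the SRV target and the TLS handshake itself are
   left to the resolver client; the dict carries the server name and
   the pin that handshake must check.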
7.  IANA Considerations

7.1.  New DNS-SD Service Types

   +==============+===========+===========+===================+
   | Service Name | Transport | Reference | Assignment Policy |
   +==============+===========+===========+===================+
   | _dot         | TCP       | RFC-TBD   | Standard          |
   +--------------+-----------+-----------+-------------------+
   | _doh         | TCP       | RFC-TBD   | Standard          |
   +--------------+-----------+-----------+-------------------+
   | _doq         | UDP       | RFC-TBD   | Standard          |
   +--------------+-----------+-----------+-------------------+

                   Table 5: New DNS-SD Service Types

7.2.  TXT Record Key Registry

   +===========+============================+===========+
   | Key       | Meaning                    | Reference |
   +===========+============================+===========+
   | port      | Transport port             | RFC-TBD   |
   +-----------+----------------------------+-----------+
   | path      | HTTP URI path (DoH)        | RFC-TBD   |
   +-----------+----------------------------+-----------+
   | alpn      | ALPN protocol list         | RFC-TBD   |
   +-----------+----------------------------+-----------+
   | pri       | Service priority           | RFC-TBD   |
   +-----------+----------------------------+-----------+
   | fp_sha256 | Certificate fingerprint    | RFC-TBD   |
   +-----------+----------------------------+-----------+
   | domain    | Authentication Domain Name | RFC-TBD   |
   +-----------+----------------------------+-----------+

                   Table 6: TXT Record Key Registry

8.  Examples

8.1.  Full DoT Service Advertisement

   ; Service type announcement
   _services._dns-sd._udp.local.  PTR  _dot._tcp.local

   ; Service instance enumeration
   _dot._tcp.local.               PTR  HomeDoT._dot._tcp.local.

   ; Service instance
   HomeDoT._dot._tcp.local.  SRV   0 5 853 router.home.local.
   HomeDoT._dot._tcp.local.  TXT   "domain=dns.home.net"
                                   "fp_sha256=9F86D08188..."
   router.home.local.        A     192.168.1.1
   router.home.local.        AAAA  fd12:3456::1

8.2.  DoH Service with Custom Path

   OfficeDoH._doh._tcp.local.  SRV  0 10 443 dnsgateway.corp.local.
   OfficeDoH._doh._tcp.local.  TXT  "path=/internal/dns" "alpn=h2,h3"
                                    "pri=5"
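   The record set of Section 8.1 in wire form, as an added example that
   is not code from this draft or its authors: it builds the unsolicited
   mDNS response a responder would multicast for HomeDoT, using the
   RFC 1035 record encoding and the header, TTL and cache-flush rules of
   [RFC6762], and decodes it again so the bytes on the wire can be
   checked record by record.  Names and addresses are the draft's own
   example values; the 64-hex fingerprint is a constructed dummy, and
   the 4500-second PTR TTL follows Section 10 of [RFC6762] rather than
   anything this draft states.

```python
"""Added example (not from the draft): the Section 8.1 record set as the
unsolicited mDNS response a responder would multicast, encoded per RFC 1035
with the RFC 6762 header, TTL and cache-flush rules, then decoded again."""
import ipaddress
import struct

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_AAAA, TYPE_SRV = 1, 12, 16, 28, 33
CLASS_IN = 1
CACHE_FLUSH = 0x8000          # RFC 6762 Section 10.2: top bit of rrclass
MDNS_RESPONSE_FLAGS = 0x8400  # QR=1, AA=1 (RFC 6762 Section 18)


def encode_name(name):
    """Uncompressed RFC 1035 name (mDNS allows compression, never requires it)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")        # RFC 6762 Section 16: UTF-8 labels
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def encode_txt(strings):
    """RFC 6763 Section 6.1: length-prefixed strings; a TXT record with no
    strings is a single zero byte, never zero-length rdata."""
    out = bytearray()
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("TXT string longer than 255 bytes")
        out.append(len(raw))
        out += raw
    return bytes(out) or b"\x00"


def encode_rr(name, rtype, rdata, ttl, unique):
    # Unique records (SRV, TXT, A, AAAA) carry the cache-flush bit; shared
    # records such as the enumeration PTRs must not (RFC 6762 Section 10.2).
    rrclass = CLASS_IN | (CACHE_FLUSH if unique else 0)
    return encode_name(name) + struct.pack("!HHIH", rtype, rrclass, ttl, len(rdata)) + rdata


def build_home_dot_announcement(fingerprint):
    """Section 8.1 records; fingerprint is the caller's 64-hex value."""
    inst, svc, host = "HomeDoT._dot._tcp.local.", "_dot._tcp.local.", "router.home.local."
    records = [
        # PTR TTL 4500 s per RFC 6762 Section 10; the draft uses 120 s for the rest.
        encode_rr("_services._dns-sd._udp.local.", TYPE_PTR, encode_name(svc), 4500, False),
        encode_rr(svc, TYPE_PTR, encode_name(inst), 4500, False),
        encode_rr(inst, TYPE_SRV, struct.pack("!HHH", 0, 5, 853) + encode_name(host), 120, True),
        encode_rr(inst, TYPE_TXT, encode_txt(["domain=dns.home.net", f"fp_sha256={fingerprint}"]), 120, True),
        encode_rr(host, TYPE_A, ipaddress.ip_address("192.168.1.1").packed, 120, True),
        encode_rr(host, TYPE_AAAA, ipaddress.ip_address("fd12:3456::1").packed, 120, True),
    ]
    # ID 0, no questions, everything in the Answer section (RFC 6762 Section 18.1)
    header = struct.pack("!HHHHHH", 0, MDNS_RESPONSE_FLAGS, 0, len(records), 0, 0)
    return header + b"".join(records)


def decode_name(msg, off):
    """Return (name, offset after the name); follows compression pointers so
    captured responses from real responders decode as well."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("utf-8"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)


def decode_response(msg):
    """Return (flags, [(name, type, cache_flush, ttl, value), ...])."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                            # skip any question section
        _, off = decode_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rrclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        start, off = off + 10, off + 10 + rdlen
        if rtype == TYPE_PTR:
            value = decode_name(msg, start)[0]
        elif rtype == TYPE_SRV:
            value = struct.unpack_from("!HHH", msg, start) + (decode_name(msg, start + 6)[0],)
        elif rtype == TYPE_TXT:
            value, p = [], start
            while p < off:
                value.append(msg[p + 1:p + 1 + msg[p]].decode("utf-8"))
                p += 1 + msg[p]
        elif rtype in (TYPE_A, TYPE_AAAA):
            value = str(ipaddress.ip_address(msg[start:off]))
        else:
            value = msg[start:off]
        rrs.append((name, rtype, bool(rrclass & CACHE_FLUSH), ttl, value))
    return flags, rrs
```

   decode_response(build_home_dot_announcement("ab" * 32)) returns the
   six records in order, with the cache-flush bit clear on the two PTRs
   and set on SRV, TXT, A and AAAA.  A responder would send these bytes
   to 224.0.0.251:5353 or [ff02::fb]:5353; a client applying Section 6.1
   checks the packet's source address before trusting any of them.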
8.3.  Client Discovery Sequence

   +--------+      +----------+      +------------+      +---------+
   | Client |      |   mDNS   |      |    EDNS    |      | Router  |
   |        |      | Responder|      |  Resolver  |      |         |
   +--------+      +----------+      +------------+      +---------+
       | PTR Query      |                 |                   |
       |--------------->|                 |                   |
       | PTR Response   |                 |                   |
       |<---------------|                 |                   |
       | SRV/TXT Query                    |                   |
       |--------------------------------->|                   |
       | SRV/TXT Response                 |                   |
       |<---------------------------------|                   |
       | TLS Handshake (validate certificate)                 |
       |----------------------------------------------------->|
       | DoT Session Established                              |
       |<-----------------------------------------------------|

                   Figure 2: Client Discovery Sequence

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
              DOI 10.17487/RFC6762, February 2013,
              <https://www.rfc-editor.org/info/rfc6762>.

   [RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service
              Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
              <https://www.rfc-editor.org/info/rfc6763>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858,
              May 2016, <https://www.rfc-editor.org/info/rfc7858>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
              <https://www.rfc-editor.org/info/rfc8484>.

   [RFC9250]  Huitema, C., Dickinson, S., and A. Mankin, "DNS over
              Dedicated QUIC Connections", RFC 9250,
              DOI 10.17487/RFC9250, May 2022,
              <https://www.rfc-editor.org/info/rfc9250>.

9.2.  Informative References

   [RFC9463]  Boucadair, M., Ed., Reddy.K, T., Ed., Wing, D., Cook, N.,
              and T. Jensen, "DHCP and Router Advertisement Options for
              the Discovery of Network-designated Resolvers (DNR)",
              RFC 9463, DOI 10.17487/RFC9463, November 2023,
              <https://www.rfc-editor.org/info/rfc9463>.
   [RFC9460]  Schwartz, B., Bishop, M., and E. Nygren, "Service Binding
              and Parameter Specification via the DNS (SVCB and HTTPS
              Resource Records)", RFC 9460, DOI 10.17487/RFC9460,
              November 2023, <https://www.rfc-editor.org/info/rfc9460>.

   [IOT-DNS]  ISOC, "IoT Device DNS Privacy Report", 2023.

Acknowledgements

   This work is supported by the National Key Research and Development
   Program of China (No. 2023YFB3105700).

Authors' Addresses

   Dongjie Liu
   Jinan University
   Email: dongjieliu8917@gmail.com

   Zhiwei Yan
   CNNIC
   Email: yanzhiwei@cnnic.cn

   Guanggang Geng
   Jinan University
   Email: guanggang.geng@gmail.com

   Guoqiang Zeng
   Jinan University
   Email: zeng.guoqiang5@gmail.com