1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
|
Internet Engineering Task Force (IETF) S. Dickinson
Request for Comments: 8310 Sinodun
Updates: 7858 D. Gillmor
Category: Standards Track ACLU
ISSN: 2070-1721 T. Reddy
McAfee
March 2018
Usage Profiles for DNS over TLS and DNS over DTLS
Abstract
This document discusses usage profiles, based on one or more
authentication mechanisms, which can be used for DNS over Transport
Layer Security (TLS) or Datagram TLS (DTLS). These profiles can
increase the privacy of DNS transactions compared to using only
cleartext DNS. This document also specifies new authentication
mechanisms -- it describes several ways that a DNS client can use an
authentication domain name to authenticate a (D)TLS connection to a
DNS server. Additionally, it defines (D)TLS protocol profiles for
DNS clients and servers implementing DNS over (D)TLS. This document
updates RFC 7858.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8310.
Dickinson, et al. Standards Track [Page 1]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Dickinson, et al. Standards Track [Page 2]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
Table of Contents
1. Introduction ....................................................4
2. Terminology .....................................................6
3. Scope ...........................................................7
4. Discussion ......................................................8
5. Usage Profiles ..................................................8
5.1. DNS Resolution ............................................11
6. Authentication in DNS over (D)TLS ..............................11
6.1. DNS-over-(D)TLS Startup Configuration Problems ............11
6.2. Credential Verification ...................................12
6.3. Summary of Authentication Mechanisms ......................12
6.4. Combining Authentication Mechanisms .......................15
6.5. Authentication in Opportunistic Privacy ...................15
6.6. Authentication in Strict Privacy ..........................16
6.7. Implementation Guidance ...................................16
7. Sources of Authentication Domain Names .........................17
7.1. Full Direct Configuration .................................17
7.2. Direct Configuration of ADN Only ..........................17
7.3. Dynamic Discovery of ADN ..................................17
7.3.1. DHCP ...............................................18
8. Credential Verification Based on Authentication Domain Name ....18
8.1. Authentication Based on PKIX Certificate ..................18
8.2. DANE ......................................................19
8.2.1. Direct DNS Meta-Queries ............................20
8.2.2. TLS DNSSEC Chain Extension .........................20
9. (D)TLS Protocol Profile ........................................20
10. IANA Considerations ...........................................21
11. Security Considerations .......................................21
11.1. Countermeasures to DNS Traffic Analysis ..................22
12. References ....................................................22
12.1. Normative References .....................................22
12.2. Informative References ...................................24
Appendix A. Server Capability Probing and Caching by DNS Clients ..26
Acknowledgments ...................................................27
Authors' Addresses ................................................27
Dickinson, et al. Standards Track [Page 3]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
1. Introduction
DNS privacy issues are discussed in [RFC7626]. The specific issues
described in [RFC7626] that are most relevant to this document are
o Passive attacks that eavesdrop on cleartext DNS transactions on
the wire (Section 2.4 of [RFC7626]) and
o Active attacks that redirect clients to rogue servers to monitor
DNS traffic (Section 2.5.3 of [RFC7626]).
Mitigating these attacks increases the privacy of DNS transactions;
however, many of the other issues raised in [RFC7626] still apply.
Two documents that provide ways to increase DNS privacy between DNS
clients and DNS servers are
o "Specification for DNS over Transport Layer Security (TLS)"
[RFC7858], referred to here as simply "DNS over TLS".
o "DNS over Datagram Transport Layer Security (DTLS)" [RFC8094],
referred to here as simply "DNS over DTLS". Note that [RFC8094]
is an Experimental specification.
Both documents are limited in scope to communications between stub
clients and recursive resolvers, and the same scope is applied to
this document (see Sections 2 and 3). The proposals here might be
adapted or extended in future to be used for recursive clients and
authoritative servers, but this application was out of scope for the
DNS PRIVate Exchange (dprive) Working Group charter at the time this
document was published.
This document specifies two usage profiles (Strict Privacy and
Opportunistic Privacy) for DTLS [RFC6347] and TLS [RFC5246] that
provide improved levels of mitigation for the attacks described above
compared to using only cleartext DNS.
Section 5 presents a generalized discussion of usage profiles by
separating the usage profile, which is based purely on the security
properties it offers the user, from the specific mechanism or
mechanisms that are used for DNS server authentication. The profiles
described are
o A Strict Privacy profile, which requires an encrypted connection
and successful authentication of the DNS server; this mitigates
both passive eavesdropping and client redirection (at the expense
of providing no DNS service if an encrypted, authenticated
connection is not available).
Dickinson, et al. Standards Track [Page 4]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
o An Opportunistic Privacy profile, which will attempt, but does not
require, encryption and successful authentication; it therefore
provides limited or no mitigation for such attacks but maximizes
the chance of DNS service.
The above usage profiles attempt authentication of the server using
at least one authentication mechanism. Section 6.4 discusses how to
combine authentication mechanisms to determine the overall
authentication result. Depending on that overall authentication
result (and whether encryption is available), the usage profile will
determine if the connection should proceed, fall back, or fail.
One authentication mechanism is already described in [RFC7858].
[RFC7858] specifies an authentication mechanism for DNS over TLS that
is based on Subject Public Key Info (SPKI) in the context of a
specific case of a Strict Privacy profile using that single
authentication mechanism. Therefore, the "out-of-band key-pinned
privacy profile" described in [RFC7858] would qualify as a "Strict
Privacy profile" that used SPKI pinning for authentication.
This document extends the use of authentication based on SPKI
pin sets, so that it is considered a general authentication mechanism
that can be used with either DNS-over-(D)TLS usage profile. That is,
the mechanism for SPKI pin sets as described in [RFC7858] MAY be used
with DNS over (D)TLS.
This document also describes a number of additional authentication
mechanisms, all of which specify how a DNS client should authenticate
a DNS server based on an "authentication domain name". In
particular, the following topics are described:
o How a DNS client can obtain the combination of an authentication
domain name and IP address for a DNS server. See Section 7.
o What acceptable credentials a DNS server can present to prove its
identity for (D)TLS authentication based on a given authentication
domain name. See Section 8.
o How a DNS client can verify that any given credential matches the
authentication domain name obtained for a DNS server. See
Section 8.
This document defines a (D)TLS protocol profile for use with DNS; see
Section 9. This profile defines the configuration options and
protocol extensions required of both parties to (1) optimize
connection establishment and session resumption for transporting DNS
and (2) support all currently specified authentication mechanisms.
Dickinson, et al. Standards Track [Page 5]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Several terms are used specifically in the context of this document:
o DNS client: A DNS stub resolver or forwarder. In the case of a
forwarder, the term "DNS client" is used to discuss the side that
sends queries.
o DNS server: A DNS recursive resolver or forwarder. In the case of
a forwarder, the term "DNS server" is used to discuss the side
that responds to queries. Note that, as used in this document,
this term does not apply to authoritative servers.
o Privacy-enabling DNS server: A DNS server that implements
DNS over TLS [RFC7858] and may optionally implement DNS over DTLS
[RFC8094]. The server should also offer at least one of the
credentials described in Section 8 and implement the (D)TLS
profile described in Section 9.
o (D)TLS: Used for brevity; refers to both Transport Layer Security
[RFC5246] and Datagram Transport Layer Security [RFC6347].
Specific terms will be used for any text that applies to either
protocol alone.
o DNS over (D)TLS: Used for brevity; refers to both DNS over TLS
[RFC7858] and DNS over DTLS [RFC8094]. Specific terms will be
used for any text that applies to either protocol alone.
o Authentication domain name: A domain name that can be used to
authenticate a privacy-enabling DNS server. Sources of
authentication domain names are discussed in Section 7.
o SPKI pin sets: [RFC7858] describes the use of cryptographic
digests to "pin" public key information in a manner similar to
HTTP Public Key Pinning (HPKP) [RFC7469]. An SPKI pin set is a
collection of these pins that constrains a DNS server.
Dickinson, et al. Standards Track [Page 6]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
o Authentication information: Information a DNS client may use as
the basis of an authentication mechanism. In this context, this
information can be either
* an SPKI pin set or
* an authentication domain name
o Reference identifier: A reference identifier as described in
[RFC6125], constructed by the DNS client when performing TLS
authentication of a DNS server.
o Credential: Information available for a DNS server that proves its
identity for authentication purposes. Credentials discussed here
include
* a PKIX certificate
* a DNSSEC-validated chain to a TLSA record
but may also include SPKI pin sets.
3. Scope
This document is limited to describing
o Usage profiles based on general authentication mechanisms.
o The details of domain-name-based authentication of DNS servers by
DNS clients (as defined in Section 2).
o The (D)TLS profiles needed to support authentication in
DNS over (D)TLS.
As such, the following topics are out of scope for this document:
o Authentication of authoritative servers by recursive resolvers.
o Authentication of DNS clients by DNS servers.
o The details of how to perform authentication based on SPKI
pin sets. This is defined in [RFC7858].
o Any server identifier other than domain names, including IP
addresses, organizational names, country of origin, etc.
Dickinson, et al. Standards Track [Page 7]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
4. Discussion
One way to mitigate eavesdropping on cleartext DNS transactions by
passive attackers is to encrypt the query (and response). Such
encryption typically provides integrity protection as a side effect;
this means that on-path attackers cannot simply inject bogus DNS
responses. To also mitigate active attackers pretending to be the
server, the client must authenticate the (D)TLS connection to the
server.
This document discusses usage profiles, which provide differing
levels of attack mitigation to DNS clients, based on the requirements
for authentication and encryption, regardless of the context (for
example, which network the client is connected to). A usage profile
is a concept distinct from a usage policy or usage model; a usage
policy or usage model might dictate which profile should be used in a
particular context (enterprise vs. coffee shop), with a particular
set of DNS servers or with reference to other external factors. A
description of the variety of usage policies is out of scope for this
document but may be the subject of future work.
The term "privacy-enabling DNS server" is used throughout this
document. This is a DNS server that
o MUST implement DNS over TLS [RFC7858].
o MAY implement DNS over DTLS [RFC8094].
o SHOULD offer at least one of the credentials described in
Section 8.
o Implements the (D)TLS profile described in Section 9.
5. Usage Profiles
A DNS client has a choice of usage profiles available to increase the
privacy of DNS transactions. This choice is briefly discussed in
both [RFC7858] and [RFC8094]. These usage profiles are
o Strict Privacy profile: The DNS client requires both an encrypted
and authenticated connection to a privacy-enabling DNS server. A
hard failure occurs if this is not available. This requires the
client to securely obtain authentication information it can use to
authenticate the server. This profile mitigates both passive and
active attacks, thereby providing the client with the best
available privacy for DNS. This profile is discussed in detail in
Section 6.6.
Dickinson, et al. Standards Track [Page 8]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
o Opportunistic Privacy profile: The DNS client uses Opportunistic
Security as described in [RFC7435].
* "... the use of cleartext as the baseline communication
security policy, with encryption and authentication negotiated
and applied to the communication when available."
As described in [RFC7435], it might result in
* an encrypted and authenticated connection
* an encrypted connection
* a cleartext connection
depending on the fallback logic of the client, the available
authentication information, and the capabilities of the DNS
server. In all these cases, the DNS client is willing to continue
with a connection to the DNS server and perform resolution of
queries. The use of Opportunistic Privacy is intended to support
incremental deployment of increased privacy with a view to
widespread adoption of the Strict Privacy profile. It should be
employed when the DNS client might otherwise settle for cleartext;
it provides the maximum protection available, depending on the
combination of factors described above. If all the configured DNS
servers are DNS privacy servers, then it can provide protection
against passive attacks and might protect against active ones.
Both profiles can include an initial meta-query (performed using
Opportunistic Privacy) to obtain the IP address for the privacy-
enabling DNS server to which the DNS client will subsequently
connect. The rationale for permitting this for the Strict Privacy
profile is that requiring such meta-queries to also be performed
using the Strict Privacy profile would introduce significant
deployment obstacles. However, it should be noted that in this
scenario an active attack on the meta-query is possible. Such an
attack could result in a Strict Privacy profile client connecting to
a server it cannot authenticate (and therefore not obtaining DNS
service) or an Opportunistic Privacy client connecting to a server
controlled by the attacker. DNSSEC validation can detect the attack
on the meta-query, which may result in the client not obtaining DNS
service (for both usage profiles), depending on its DNSSEC validation
policy. See Section 7.2 for more discussion.
To compare the two usage profiles, Table 1 below shows a successful
Strict Privacy profile alongside the three possible outcomes of an
Opportunistic Privacy profile. In the best-case scenario for the
Opportunistic Privacy profile (an authenticated and encrypted
Dickinson, et al. Standards Track [Page 9]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
connection), it is equivalent to the Strict Privacy profile. In the
worst-case scenario, it is equivalent to cleartext. Clients using
the Opportunistic Privacy profile SHOULD try for the best case but
MAY fall back to the intermediate case and, eventually, the worst-
case scenario, in order to obtain a response. One reason to fall
back without trying every available privacy-enabling DNS server is if
latency is more important than attack mitigation; see Appendix A.
The Opportunistic Privacy profile therefore provides varying
protection, depending on what kind of connection is actually used,
including no attack mitigation at all.
Note that there is no requirement in Opportunistic Security to notify
the user regarding what type of connection is actually used; the
"detection" described below is only possible if such connection
information is available. However, if it is available and the user
is informed that an unencrypted connection was used to connect to a
server, then the user should assume (detect) that the connection is
subject to both active and passive attacks, since the DNS queries are
sent in cleartext. This might be particularly useful if a new
connection to a certain server is unencrypted when all previous
connections were encrypted. Similarly, if the user is informed that
an encrypted but unauthenticated connection was used, then the user
can detect that the connection may be subject to active attacks. In
other words, for the cases where no protection is provided against an
attacker (N), it is possible to detect that an attack might be
happening (D). This is discussed in Section 6.5.
+---------------+------------+------------------+-----------------+
| Usage Profile | Connection | Passive Attacker | Active Attacker |
+---------------+------------+------------------+-----------------+
| Strict | A, E | P | P |
| Opportunistic | A, E | P | P |
| Opportunistic | E | P | N, D |
| Opportunistic | | N, D | N, D |
+---------------+------------+------------------+-----------------+
P == Protection; N == No protection; D == Detection is possible;
A == Authenticated connection; E == Encrypted connection
Table 1: Attack Protection by Usage Profile and Type of Attacker
The Strict Privacy profile provides the best attack mitigation and
therefore SHOULD always be implemented in DNS clients that implement
the Opportunistic Privacy profile.
A DNS client that implements DNS over (D)TLS SHOULD NOT be configured
by default to use only cleartext.
Dickinson, et al. Standards Track [Page 10]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
The choice between the two profiles depends on a number of factors,
including which is more important to the particular client:
o DNS service, at the cost of no attack mitigation (Opportunistic
Privacy) or
o Best available attack mitigation, at the potential cost of no DNS
service (Strict Privacy).
Additionally, the two profiles require varying levels of
configuration (or a trusted relationship with a provider) and DNS
server capabilities; therefore, DNS clients will need to carefully
select which profile to use based on their communication needs.
A DNS server that implements DNS over (D)TLS SHOULD provide at least
one credential (Section 2) so that those DNS clients that wish to use
the Strict Privacy profile are able to do so.
5.1. DNS Resolution
A DNS client SHOULD select a particular usage profile when resolving
a query. A DNS client MUST NOT fall back from Strict Privacy to
Opportunistic Privacy during the resolution of a given query, as this
could invalidate the protection offered against attackers. It is
anticipated that DNS clients will use a particular usage profile for
all queries to all configured servers until an operational issue or
policy update dictates a change in the profile used.
6. Authentication in DNS over (D)TLS
This section describes authentication mechanisms and how they can be
used in either Strict or Opportunistic Privacy for DNS over (D)TLS.
6.1. DNS-over-(D)TLS Startup Configuration Problems
Many (D)TLS clients use PKIX authentication [RFC6125] based on an
authentication domain name for the server they are contacting. These
clients typically first look up the server's network address in the
DNS before making this connection. Such a DNS client therefore has a
bootstrap problem, as it will typically only know the IP address of
its DNS server.
In this case, before connecting to a DNS server, a DNS client needs
to learn the authentication domain name it should associate with the
IP address of a DNS server for authentication purposes. Sources of
authentication domain names are discussed in Section 7.
Dickinson, et al. Standards Track [Page 11]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
One advantage of this domain-name-based approach is that it
encourages the association of stable, human-recognizable identifiers
with secure DNS service providers.
6.2. Credential Verification
Verification of SPKI pin sets is discussed in [RFC7858].
In terms of domain-name-based verification, once an authentication
domain name is known for a DNS server, a choice of authentication
mechanisms can be used for credential verification. Section 8
discusses these mechanisms -- namely, PKIX certificate-based
authentication and DNS-Based Authentication of Named Entities (DANE)
-- in detail.
Note that the use of DANE adds requirements on the ability of the
client to get validated DNSSEC results. This is discussed in more
detail in Section 8.2.
6.3. Summary of Authentication Mechanisms
This section provides an overview of the various authentication
mechanisms. Table 2 below indicates how the DNS client obtains
information to use for authentication for each option: either
statically via direct configuration or dynamically. Of course, the
Opportunistic Privacy profile does not require authentication, and so
a client using that profile may choose to connect to a
privacy-enabling DNS server on the basis of just an IP address.
Dickinson, et al. Standards Track [Page 12]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
+---+------------+-------------+------------------------------------+
| # | Static | Dynamically | Short name: Description |
| | Config | Obtained | |
+---+------------+-------------+------------------------------------+
| 1 | SPKI + IP | | SPKI: SPKI pin set(s) and IP |
| | | | address obtained out of band |
| | | | [RFC7858] |
| | | | |
| 2 | ADN + IP | | ADN: ADN and IP address obtained |
| | | | out of band (see Section 7.1) |
| | | | |
| 3 | ADN | IP | ADN only: Opportunistic Privacy |
| | | | meta-queries to a NP DNS server |
| | | | for A/AAAA (see Section 7.2) |
| | | | |
| 4 | | ADN + IP | DHCP: DHCP configuration only (see |
| | | | Section 7.3.1) |
| | | | |
| 5 | [ADN + IP] | [ADN + IP] | DANE: DNSSEC chain obtained via |
| | | TLSA record | Opportunistic Privacy meta-queries |
| | | | to NP DNS server (see Section |
| | | | 8.2.1) |
| | | | |
| 6 | [ADN + IP] | [ADN + IP] | TLS extension: DNSSEC chain |
| | | TLSA record | provided by PE DNS server in TLS |
| | | | DNSSEC chain extension (see |
| | | | Section 8.2.2) |
+---+------------+-------------+------------------------------------+
SPKI == SPKI pin set(s); IP == IP Address;
ADN == Authentication Domain Name; NP == Network-Provided;
PE == Privacy-Enabling; [ ] == Data may be obtained either
statically or dynamically
Table 2: Overview of Authentication Mechanisms
The following summary attempts to present some key attributes of each
of the mechanisms (using the "Short name" from Table 2), indicating
attractive attributes with a "+" and undesirable attributes
with a "-".
1. SPKI
+ Minimal leakage (note that the ADN is always leaked in the
Server Name Indication (SNI) field in the ClientHello in TLS
when communicating with a privacy-enabling DNS server)
- Overhead of ongoing key management required
Dickinson, et al. Standards Track [Page 13]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
2. ADN
+ Minimal leakage
+ One-off direct configuration only
3. ADN only
+ Minimal one-off direct configuration; only a human-recognizable
domain name needed
- A/AAAA meta-queries leaked to network-provided DNS server that
may be subject to active attack (attack can be mitigated by
DNSSEC validation)
4. DHCP
+ No static config
- Requires a non-standard or future DHCP option in order to
provide the ADN
- Requires secure and trustworthy connection to DHCP server if
used with a Strict Privacy profile
5. DANE
The ADN and/or IP may be obtained statically or dynamically, and
the relevant attributes of that method apply.
+ DANE options (e.g., matching on entire certificate)
- Requires a DNSSEC-validating stub implementation (the
deployment of which is limited at the time of this writing)
- DNSSEC chain meta-queries leaked to network-provided DNS server
that may be subject to active attack
6. TLS extension
The ADN and/or IP may be obtained statically or dynamically, and
the relevant attributes of that method apply.
+ Reduced latency compared with DANE
+ No network-provided DNS server required if ADN and IP
statically configured
Dickinson, et al. Standards Track [Page 14]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
+ DANE options (e.g., matching on entire certificate)
- Requires a DNSSEC-validating stub implementation
6.4. Combining Authentication Mechanisms
This document does not make explicit recommendations about how an
authentication mechanism based on SPKI pin sets should be combined
with a domain-based mechanism from an operator perspective. However,
it can be envisaged that a DNS server operator may wish to make both
an SPKI pin set and an authentication domain name available to allow
clients to choose which mechanism to use. Therefore, the following
text provides guidance on how clients ought to behave if they choose
to configure both, as is possible in HPKP [RFC7469].
A DNS client that is configured with both an authentication domain
name and an SPKI pin set for a DNS server SHOULD match on both a
valid credential for the authentication domain name and a valid SPKI
pin set (if both are available) when connecting to that DNS server.
In this case, the client SHOULD treat individual SPKI pins as
specified in Section 2.6 of [RFC7469] with regard to user-defined
trust anchors. The overall authentication result SHOULD only be
considered successful if both authentication mechanisms are
successful.
6.5. Authentication in Opportunistic Privacy
An Opportunistic Privacy Profile (based on Opportunistic Security
[RFC7435]) that MAY be used for DNS over (D)TLS is described in
[RFC7858] and is further specified in this document.
DNS clients that issue queries under an Opportunistic Privacy profile
and that know authentication information for a given privacy-enabling
DNS server SHOULD try to authenticate the server using the mechanisms
described here. This is useful for detecting (but not preventing)
active attacks, since the fact that authentication information is
available indicates that the server in question is a privacy-enabling
DNS server to which it should be possible to establish an
authenticated and encrypted connection. In this case, whilst a
client cannot know the reason for an authentication failure, from a
security standpoint the client should consider an active attack in
progress and proceed under that assumption. For example, a client
that implements a nameserver selection algorithm that preferentially
uses nameservers that successfully authenticated (see Section 5)
might not continue to use the failing server if there were
alternative servers available.
Dickinson, et al. Standards Track [Page 15]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
Attempting authentication is also useful for debugging or diagnostic
purposes if there are means to report the result. This information
can provide a basis for a DNS client to switch to (preferred) Strict
Privacy where it is viable, e.g., where all the configured servers
support DNS over (D)TLS and successfully authenticate.
6.6. Authentication in Strict Privacy
To authenticate a privacy-enabling DNS server, a DNS client needs to
know authentication information for each server it is willing to
contact. This is necessary to protect against active attacks that
attempt to redirect clients to rogue DNS servers.
A DNS client requiring Strict Privacy MUST use either (1) one of the
sources listed in Section 7, to obtain an authentication domain name
for the server it contacts or (2) an SPKI pin set as described in
[RFC7858].
A DNS client requiring Strict Privacy MUST only attempt to connect to
DNS servers for which at least one piece of authentication
information is known. The client MUST use the available verification
mechanisms described in Section 8 to authenticate the server and MUST
abort connections to a server when no verification mechanism
succeeds.
With Strict Privacy, the DNS client MUST NOT commence sending DNS
queries until at least one of the privacy-enabling DNS servers
becomes available.
A privacy-enabling DNS server may be temporarily unavailable when
configuring a network. For example, for clients on networks that
require registration through web-based login (a.k.a. "captive
portals"), such registration may rely on DNS interception and
spoofing. Techniques such as those used by dnssec-trigger
[dnssec-trigger] MAY be used during network configuration, with the
intent to transition to the designated privacy-enabling DNS servers
after captive-portal registration. If using a Strict Privacy
profile, the system MUST alert by some means that the DNS is not
private during such a bootstrap operation.
6.7. Implementation Guidance
Section 9 describes the (D)TLS profile for DNS over (D)TLS.
Additional considerations relating to general implementation
guidelines are discussed in both Section 11 and Appendix A.
Dickinson, et al. Standards Track [Page 16]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
7. Sources of Authentication Domain Names
7.1. Full Direct Configuration
DNS clients may be directly and securely provisioned with the
authentication domain name of each privacy-enabling DNS server -- for
example, using a client-specific configuration file or API.
In this case, direct configuration for a DNS client would consist of
both an IP address and an authentication domain name for each DNS
server that were obtained via an out-of-band mechanism.
7.2. Direct Configuration of ADN Only
A DNS client may be configured directly and securely with only the
authentication domain name of each of its privacy-enabling DNS
servers -- for example, using a client-specific configuration file
or API.
A DNS client might learn of a default recursive DNS resolver from an
untrusted source (such as DHCP's DNS Recursive Name Server option
[RFC3646]). It can then use meta-queries performed using an
Opportunistic Privacy profile to an untrusted recursive DNS resolver
to establish the IP address of the intended privacy-enabling DNS
resolver by doing a lookup of A/AAAA records. A DNSSEC-validating
client SHOULD apply the same validation policy to the A/AAAA
meta-queries as it does to other queries. A client that does not
validate DNSSEC SHOULD apply the same policy (if any) to the A/AAAA
meta-queries as it does to other queries. Private DNS resolution can
now be done by the DNS client against the pre-configured privacy-
enabling DNS resolver, using the IP address obtained from the
untrusted DNS resolver.
A DNS client so configured that successfully connects to a privacy-
enabling DNS server MAY choose to locally cache the server host IP
addresses in order to not have to repeat the meta-query.
7.3. Dynamic Discovery of ADN
This section discusses the general case of a DNS client discovering
both the authentication domain name and IP address dynamically. At
the time of this writing, this is not possible by any standard means.
However, since, for example, a future DHCP extension could (in
principle) provide this mechanism, the required security properties
of such mechanisms are outlined here.
Dickinson, et al. Standards Track [Page 17]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
When using a Strict Privacy profile, the dynamic discovery technique
used as a source of authentication domain names MUST be considered
secure and trustworthy. This requirement does not apply when using
an Opportunistic Privacy profile, given the security expectation of
that profile.
7.3.1. DHCP
In the typical case today, a DHCP server [RFC2131] [RFC3315] provides
a list of IP addresses for DNS resolvers (see Section 3.8 of
[RFC2132]) but does not provide an authentication domain name for the
DNS resolver, thus preventing the use of most of the authentication
methods described here (all of those that are based on a mechanism
with ADN; see Table 2).
This document does not specify or request any DHCP extension to
provide authentication domain names. However, if one is developed in
future work, the issues outlined in Section 8 of [RFC7227] should be
taken into account, as should the security considerations discussed
in Section 23 of [RFC3315].
This document does not attempt to describe secured and trusted
relationships to DHCP servers, as this is purely a DHCP issue (and
still open, at the time of this writing). Whilst some implementation
work is in progress to secure IPv6 connections for DHCP, IPv4
connections have received little or no implementation attention in
this area.
8. Credential Verification Based on Authentication Domain Name
8.1. Authentication Based on PKIX Certificate
When a DNS client configured with an authentication domain name
connects to its configured DNS server over (D)TLS, the server may
present it with a PKIX certificate. In order to ensure proper
authentication, DNS clients MUST verify the entire certification path
per [RFC5280]. The DNS client additionally uses validation
techniques as described in [RFC6125] to compare the domain name to
the certificate provided.
A DNS client constructs one reference identifier for the server based
on the authentication domain name: a DNS-ID, which is simply the
authentication domain name itself.
If the reference identifier is found (as described in Section 6 of
[RFC6125]) in the PKIX certificate's subjectAltName extension, the
DNS client should accept the certificate for the server.
Dickinson, et al. Standards Track [Page 18]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
A compliant DNS client MUST only inspect the certificate's
subjectAltName extension for the reference identifier. In
particular, it MUST NOT inspect the Subject field itself.
8.2. DANE
DANE [RFC6698] provides various mechanisms using DNSSEC to anchor
trust for certificates and raw public keys. However, this requires
the DNS client to have an authentication domain name (which must be
obtained via a trusted source) for the DNS privacy server.
This section assumes a solid understanding of both DANE [RFC6698] and
DANE operations [RFC7671]. A few pertinent issues covered in these
documents are outlined here as useful pointers, but familiarity with
both of these documents in their entirety is expected.
Note that [RFC6698] says
Clients that validate the DNSSEC signatures themselves MUST use
standard DNSSEC validation procedures. Clients that rely on
another entity to perform the DNSSEC signature validation MUST use
a secure mechanism between themselves and the validator.
Note that [RFC7671] covers the following topics:
o Sections 4.1 ("Opportunistic Security and PKIX Usages") and 14
("Security Considerations") of [RFC7671], which both discuss the
use of schemes based on trust anchors and end entities (PKIX-TA(0)
and PKIX-EE(1), respectively) for Opportunistic Security.
o Section 5 ("Certificate-Usage-Specific DANE Updates and
Guidelines") of [RFC7671] -- specifically, Section 5.1 of
[RFC7671], which outlines the combination of certificate usage
DANE-EE(3) and selector SPKI(1) with raw public keys [RFC7250].
Section 5.1 of [RFC7671] also discusses the security implications
of this mode; for example, it discusses key lifetimes and
specifies that validity period enforcement is based solely on the
TLSA RRset properties for this case.
o Section 13 ("Operational Considerations") of [RFC7671], which
discusses TLSA TTLs and signature validity periods.
The specific DANE record for a DNS privacy server would take the form
_853._tcp.[authentication-domain-name] for TLS
_853._udp.[authentication-domain-name] for DTLS
Dickinson, et al. Standards Track [Page 19]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
8.2.1. Direct DNS Meta-Queries
The DNS client MAY choose to perform the DNS meta-queries to retrieve
the required DANE records itself. The DNS meta-queries for such DANE
records MAY use the Opportunistic Privacy profile or be in the clear
to avoid trust recursion. The records MUST be validated using DNSSEC
as described in [RFC6698].
8.2.2. TLS DNSSEC Chain Extension
The DNS client MAY offer the TLS extension described in
[TLS-DNSSEC-Chain-Ext]. If the DNS server supports this extension,
it can provide the full chain to the client in the handshake.
If the DNS client offers the TLS DNSSEC chain extension, it MUST be
capable of validating the full DNSSEC authentication chain down to
the leaf. If the supplied DNSSEC chain does not validate, the client
MUST ignore the DNSSEC chain and validate only via other supplied
credentials.
9. (D)TLS Protocol Profile
This section defines the (D)TLS protocol profile of DNS over (D)TLS.
Clients and servers MUST adhere to the (D)TLS implementation
recommendations and security considerations of [RFC7525], except with
respect to the (D)TLS version.
Since encryption of DNS using (D)TLS is a greenfield deployment, DNS
clients and servers MUST implement only (D)TLS 1.2 or later. For
example, implementing (D)TLS 1.3 [TLS-1.3] [DTLS-1.3] is also an
option.
Implementations MUST NOT offer or provide TLS compression, since
compression can leak significant amounts of information, especially
to a network observer capable of forcing the user to do an arbitrary
DNS lookup in the style of the Compression Ratio Info-leak Made Easy
(CRIME) attacks [CRIME].
Dickinson, et al. Standards Track [Page 20]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
Implementations compliant with this profile MUST implement the
following items:
o TLS session resumption without server-side state [RFC5077], which
eliminates the need for the server to retain cryptographic state
for longer than necessary. (This statement updates [RFC7858].)
o Raw public keys [RFC7250], which reduce the size of the
ServerHello and can be used by servers that cannot obtain
certificates (e.g., DNS servers on private networks). A client
MUST only indicate support for raw public keys if it has an SPKI
pin set pre-configured (for interoperability reasons).
Implementations compliant with this profile SHOULD implement the
following items:
o TLS False Start [RFC7918], which reduces round trips by allowing
the TLS second flight of messages (ChangeCipherSpec) to also
contain the (encrypted) DNS query.
o The Cached Information Extension [RFC7924], which avoids
transmitting the server's certificate and certificate chain if the
client has cached that information from a previous TLS handshake.
Guidance specific to TLS is provided in [RFC7858], and guidance
specific to DTLS is provided in [RFC8094].
10. IANA Considerations
This document does not require any IANA actions.
11. Security Considerations
Security considerations discussed in [RFC7525], [RFC8094], and
[RFC7858] apply to this document.
DNS clients SHOULD implement (1) support for the mechanisms described
in Section 8.2 and (2) offering a configuration option that limits
authentication to using only those mechanisms (i.e., with no fallback
to pure PKIX-based authentication) such that authenticating solely
via the PKIX infrastructure can be avoided.
Dickinson, et al. Standards Track [Page 21]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
11.1. Countermeasures to DNS Traffic Analysis
This section makes suggestions for measures that can reduce the
ability of attackers to infer information pertaining to encrypted
client queries by other means (e.g., via an analysis of encrypted
traffic size or via monitoring of the unencrypted traffic from a DNS
recursive resolver to an authoritative server).
DNS-over-(D)TLS clients and servers SHOULD implement the following
relevant DNS extensions:
o Extension Mechanisms for DNS (EDNS(0)) padding [RFC7830], which
allows encrypted queries and responses to hide their size, making
analysis of encrypted traffic harder.
Guidance on padding policies for EDNS(0) is provided in
[EDNS0-Pad-Policies].
DNS-over-(D)TLS clients SHOULD implement the following relevant DNS
extensions:
o Privacy election per [RFC7871] ("Client Subnet in DNS Queries").
If a DNS client does not include an edns-client-subnet EDNS0
option with SOURCE PREFIX-LENGTH set to 0 in a query, the DNS
server may potentially leak client address information to the
upstream authoritative DNS servers. A DNS client ought to be able
to inform the DNS resolver that it does not want any address
information leaked, and the DNS resolver should honor that
request.
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
"Transport Layer Security (TLS) Session Resumption without
Server-Side State", RFC 5077, DOI 10.17487/RFC5077,
January 2008, <https://www.rfc-editor.org/info/rfc5077>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
Dickinson, et al. Standards Track [Page 22]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
March 2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698,
August 2012, <https://www.rfc-editor.org/info/rfc6698>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <https://www.rfc-editor.org/info/rfc7250>.
[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525,
May 2015, <https://www.rfc-editor.org/info/rfc7525>.
[RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based
Authentication of Named Entities (DANE) Protocol: Updates
and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671,
October 2015, <https://www.rfc-editor.org/info/rfc7671>.
[RFC7830] Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830,
DOI 10.17487/RFC7830, May 2016,
<https://www.rfc-editor.org/info/rfc7830>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858,
May 2016, <https://www.rfc-editor.org/info/rfc7858>.
Dickinson, et al. Standards Track [Page 23]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
[RFC7918] Langley, A., Modadugu, N., and B. Moeller, "Transport
Layer Security (TLS) False Start", RFC 7918,
DOI 10.17487/RFC7918, August 2016,
<https://www.rfc-editor.org/info/rfc7918>.
[RFC7924] Santesson, S. and H. Tschofenig, "Transport Layer Security
(TLS) Cached Information Extension", RFC 7924,
DOI 10.17487/RFC7924, July 2016,
<https://www.rfc-editor.org/info/rfc7924>.
[RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
Transport Layer Security (DTLS)", RFC 8094,
DOI 10.17487/RFC8094, February 2017,
<https://www.rfc-editor.org/info/rfc8094>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174,
DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.
12.2. Informative References
[CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", Ekoparty
Security Conference, 2012,
<https://www.ekoparty.org/archivo/2012/eko8-CRIME.pdf>.
[dnssec-trigger]
NLnetLabs, "Dnssec-Trigger", December 2017,
<https://www.nlnetlabs.nl/projects/dnssec-trigger/>.
[DTLS-1.3]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol
Version 1.3", Work in Progress, draft-ietf-tls-dtls13-26,
March 2018.
[EDNS0-Pad-Policies]
Mayrhofer, A., "Padding Policy for EDNS(0)", Work in
Progress, draft-ietf-dprive-padding-policy-04,
February 2018.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, DOI 10.17487/RFC2131, March 1997,
<https://www.rfc-editor.org/info/rfc2131>.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<https://www.rfc-editor.org/info/rfc2132>.
Dickinson, et al. Standards Track [Page 24]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315,
July 2003, <https://www.rfc-editor.org/info/rfc3315>.
[RFC3646] Droms, R., Ed., "DNS Configuration options for Dynamic
Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
DOI 10.17487/RFC3646, December 2003,
<https://www.rfc-editor.org/info/rfc3646>.
[RFC7227] Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and
S. Krishnan, "Guidelines for Creating New DHCPv6 Options",
BCP 187, RFC 7227, DOI 10.17487/RFC7227, May 2014,
<https://www.rfc-editor.org/info/rfc7227>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>.
[RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning
Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469,
April 2015, <https://www.rfc-editor.org/info/rfc7469>.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015,
<https://www.rfc-editor.org/info/rfc7626>.
[RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and
W. Kumari, "Client Subnet in DNS Queries", RFC 7871,
DOI 10.17487/RFC7871, May 2016,
<https://www.rfc-editor.org/info/rfc7871>.
[TLS-1.3] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", Work in Progress, draft-ietf-tls-tls13-27,
March 2018.
[TLS-DNSSEC-Chain-Ext]
Shore, M., Barnes, R., Huque, S., and W. Toorop, "A DANE
Record and DNSSEC Authentication Chain Extension for TLS",
Work in Progress, draft-ietf-tls-dnssec-chain-
extension-06, January 2018.
Dickinson, et al. Standards Track [Page 25]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
Appendix A. Server Capability Probing and Caching by DNS Clients
This section presents a non-normative discussion of how DNS clients
might probe for, and cache capabilities of, privacy-enabling DNS
servers.
Deployment of both DNS over TLS and DNS over DTLS will be gradual.
Not all servers will support one or both of these protocols, and the
well-known port might be blocked by some middleboxes. Clients will
be expected to keep track of servers that support DNS over TLS and/or
DNS over DTLS, as well as those that have been previously
authenticated.
If no server capability information is available, then (unless
otherwise specified by the configuration of the DNS client) DNS
clients that implement both TLS and DTLS should try to authenticate
using both protocols before failing or falling back to an
unauthenticated or cleartext connection. DNS clients using an
Opportunistic Privacy profile should try all available servers
(possibly in parallel) in order to obtain an authenticated and
encrypted connection before falling back. (RATIONALE: This approach
can increase latency while discovering server capabilities but
maximizes the chance of sending the query over an authenticated and
encrypted connection.)
Dickinson, et al. Standards Track [Page 26]
^L
RFC 8310 Usage Profiles for DNS over (D)TLS March 2018
Acknowledgments
Thanks to the authors of both [RFC8094] and [RFC7858] for laying the
groundwork for this document and for reviewing the contents. The
authors would also like to thank John Dickinson, Shumon Huque,
Melinda Shore, Gowri Visweswaran, Ray Bellis, Stephane Bortzmeyer,
Jinmei Tatuya, Paul Hoffman, Christian Huitema, and John Levine for
review and discussion of the ideas presented here.
Authors' Addresses
Sara Dickinson
Sinodun Internet Technologies
Magdalen Centre
Oxford Science Park
Oxford OX4 4GA
United Kingdom
Email: sara@sinodun.com
URI: https://www.sinodun.com/
Daniel Kahn Gillmor
ACLU
125 Broad Street, 18th Floor
New York, NY 10004
United States of America
Email: dkg@fifthhorseman.net
Tirumaleswar Reddy
McAfee, Inc.
Embassy Golf Link Business Park
Bangalore, Karnataka 560071
India
Email: TirumaleswarReddy_Konda@McAfee.com
Dickinson, et al. Standards Track [Page 27]
^L
|