Specification for DNS over Transport Layer Security (TLS)

This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.

[1] Bodo Möller, et al. Transport Layer Security (TLS) False Start, 2016, RFC.

[2] Hao Zhou, et al. Transport Layer Security (TLS) Session Resumption without Server-Side State, 2008, RFC.

[3] Viktor Dukhovni, et al. Opportunistic Security: Some Protection Most of the Time, 2014, RFC.

[4] Duane Wessels, et al. DNS Transport over TCP - Implementation Requirements, 2016, RFC.

[5] Chris Palmer, et al. Public Key Pinning Extension for HTTP, 2015, RFC.

[6] Liang Zhu, et al. T-DNS: Connection-Oriented DNS to Improve Privacy and Security (abstract with poster), 2022.

[7] John S. Heidemann, et al. Connection-Oriented DNS to Improve Privacy and Security, 2015, 2015 IEEE Symposium on Security and Privacy.

[8] Dan Wing, et al. DNS over DTLS (DNSoD), 2015.

[9] Matthew Dempsky. DNSCurve: Link-Level Security for the Domain Name System, 2010.

[10] Simon Josefsson, et al. The Base16, Base32, and Base64 Data Encodings, 2003, RFC.

[11] Donald E. Eastlake, et al. US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF), 2011, RFC.

[12] Kireeti Kompella, et al. Early IANA Allocation of Standards Track Code Points, 2005, RFC.

[13] Peter Saint-Andre, et al. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), 2015, RFC.

[14] Ralph E. Droms, et al. DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6), 2003, RFC.

[15] Daniel Gillmor, et al. Authentication and (D)TLS Profile for DNS-over-TLS and DNS-over-DTLS, 2015.

[16] Eric Rescorla, et al. The Transport Layer Security (TLS) Protocol Version 1.1, 2006, RFC.

[17] Aziz Mohaisen, et al. Opportunistic Encryption with DANE Semantics and IPsec: IPSECA, 2015.

[18] Paul Wouters, et al. The edns-tcp-keepalive EDNS0 Option, 2016, RFC.

[19] Scott Rose, et al. DNS Security Introduction and Requirements, 2005, RFC.

[20] Stephen Farrell, et al. Pervasive Monitoring Is an Attack, 2014, RFC.

[21] Paul V. Mockapetris, et al. Domain names: Concepts and facilities, 1983, RFC.

[22] Alexander Mayrhofer, et al. The EDNS(0) Padding Option, 2016, RFC.

[23] Paul V. Mockapetris, et al. Domain names - implementation and specification, 1987, RFC.

[24] Stephane Bortzmeyer, et al. DNS Privacy Considerations, 2015, RFC.

[25] Scott O. Bradner, et al. Key words for use in RFCs to Indicate Requirement Levels, 1997, RFC.

[26] Brian E. Carpenter, et al. Middleboxes: Taxonomy and Issues, 2002, RFC.

[27] Stuart Cheshire, et al. Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry, 2011, RFC.