DNS over Datagram Transport Layer Security (DTLS)
RFC 8094
Document
  Type: RFC - Experimental (February 2017; No errata)
  Authors: Tirumaleswar Reddy.K, Dan Wing, Prashanth Patil
  Last updated: 2018-12-20
  Replaces: draft-wing-dprive-dnsodtls
  Stream: IETF

Stream
  WG state: Submitted to IESG for Publication
  Document shepherd: Tim Wicinski
  Shepherd write-up: last changed 2016-09-08

IESG
  IESG state: RFC 8094 (Experimental)
  Consensus Boilerplate: Yes
  Responsible AD: Terry Manderson
  IESG note: This DTLS solution was considered by the DPRIVE working group as a potential option to use in case that the TLS based approach specified in RFC7858 is shown to have detrimental deployment issues. At the time of writing, it was expected that RFC7858 will be deployed, and so this specification is primarily intended as a backup and has therefore been designated as experimental. This solution should not be deployed in the wild while in this experimental state as an RFC, however experimentation is encouraged.
  Send notices to: "Tim Wicinski" <tjw.ietf@gmail.com>

IANA
  IANA review state: Version Changed - Review Needed
  IANA action state: RFC-Ed-Ack
Internet Engineering Task Force (IETF)
Request for Comments: 8094
Category: Experimental
ISSN: 2070-1721

T. Reddy
Cisco
D. Wing
P. Patil
Cisco
February 2017
DNS over Datagram Transport Layer Security (DTLS)
Abstract
DNS queries and responses are visible to network elements on the path
between the DNS client and its server. These queries and responses
can contain privacy-sensitive information, which is valuable to
protect.
This document proposes the use of Datagram Transport Layer Security
(DTLS) for DNS, to protect against passive listeners and certain
active attacks. As latency is critical for DNS, this proposal also
discusses mechanisms to reduce DTLS round trips and reduce the DTLS
handshake size. The proposed mechanism runs over port 853.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8094.
Reddy, et al. Experimental [Page 1]
RFC 8094 DNS over DTLS February 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Relationship to TCP Queries and to DNSSEC ..................3
1.2. Document Status ............................................4
2. Terminology .....................................................4
3. Establishing and Managing DNS over DTLS Sessions ................5
3.1. Session Initiation .........................................5
3.2. DTLS Handshake and Authentication ..........................5
3.3. Established Sessions .......................................6
4. Performance Considerations ......................................7
5. Path MTU (PMTU) Issues ..........................................7
6. Anycast .........................................................8
7. Usage ...........................................................9
8. IANA Considerations .............................................9
9. Security Considerations .........................................9
10. References ....................................................10
10.1. Normative References .....................................10
10.2. Informative References ...................................11
Acknowledgements ..................................................13
Authors' Addresses ................................................13
1. Introduction
The Domain Name System is specified in [RFC1034] and [RFC1035]. DNS
queries and responses are normally exchanged unencrypted; thus, they
are vulnerable to eavesdropping. Such eavesdropping can result in an
undesired entity learning the domain that a host wishes to access, thus
resulting in privacy leakage. The DNS privacy problem is further
discussed in [RFC7626].
This document defines DNS over DTLS, which provides confidential DNS
communication between stub resolvers and recursive resolvers, stub
resolvers and forwarders, and forwarders and recursive resolvers.
DNS over DTLS puts an additional computational load on servers. The