Practical Observations from Encrypted DNS Deployments by Network Operators

Document Type Active Internet-Draft (individual)
Last updated 2020-07-13
ADD                                                          A. Campling
Internet-Draft                                    419 Consulting Limited
Intended status: Informational                             N. Kowalewski
Expires: January 14, 2021                               Deutsche Telekom
                                                              G. Scalone
                                                                  C. Box
                                                                BT Group
                                                             A. Winfield
                                                           July 13, 2020

    Practical Observations from Encrypted DNS Deployments by Network
                                 Operators

Abstract

   The following document includes observations regarding a variety of
   implementations of recursive DNS capabilities that are important to
   network operators in terms of delivering DNS services to their
   (several tens of millions of) customers.  It highlights some of the
   challenges that need to be addressed to allow the widespread adoption
   of encrypted DNS by the end-users of network operators.

   The information is intended to aid the development of discovery
   mechanisms for protocols such as DNS-over-HTTPS.  It clearly defines
   problems that need technical solutions to allow the deployment of
   encrypted DNS by the largest number of operators to the largest
   number of users in the shortest possible timeframe with little or no
   disruption to the user experience.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Campling, et al.        Expires January 14, 2021                [Page 1]
Internet-Draft  Practical Observations from Encrypted DNS Deployments  July 2020

   This Internet-Draft will expire on January 14, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   The IETF has developed many protocols to improve the security and
   reliability of DNS over UDP or TCP (Do53) [RFC1035], including DNS
   over TLS (DoT) [RFC7858], DNS over HTTPS (DoH) [RFC8484] and DNS
   Security Extensions (DNSSEC) [RFC2535].  To enable the broadest
   adoption of these technologies, any discovery solution proposed to
   the Adaptive DNS Discovery [ADD] working group needs to take a number
   of operator-specific issues into consideration.

   Many network operators, including Internet Service Providers (ISPs),
   whether using fixed or mobile networks, would like to ensure that
   their encrypted DNS services can be seamlessly discovered and used by
   applications and operating systems that support encrypted DNS,
   particularly DoH, in order that encrypted DNS can be deployed to the
   widest possible community of users.  They would particularly like to
   ensure that any proposed DNS discovery mechanisms take into account
   ISP use-cases such as DNS forwarders on CPE (Customer Premises
   Equipment or routers), the use of DNS for CDNs (Content Delivery
   Networks) with local content caches and the non-public nature of most
   ISP DNS services.

   This document has taken observations and experiences from a number of
   network operators that have been actively working on adding support
   for encrypted DNS to their networks.  It is intended to make clear
   the requirements needed by any discovery mechanism developed by the
   ADD group.  It collates and succinctly describes common problems
   faced by existing stakeholders in adopting encrypted DNS mechanisms.