Skip to main content

Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS

Document Type Replaced Internet-Draft (dprive WG)
Expired & archived
Authors Daniel Kahn Gillmor , Joey Salazar
Last updated 2022-02-27 (Latest revision 2022-01-26)
Replaced by draft-ietf-dprive-unilateral-probing
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state Adopted by a WG
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-dprive-unilateral-probing
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This draft sets out steps that DNS servers (recursive resolvers and authoritative servers) can take unilaterally (without any coordination with other peers) to defend DNS query privacy against a passive network monitor. The steps in this draft can be defeated by an active attacker, but should be simpler and less risky to deploy than more powerful defenses. The draft also introduces (but does not try to specify) the semantics of signalling that would permit defense against an active attacker. The goal of this draft is to simplify and speed deployment of opportunistic encrypted transport in the recursive-to-authoritative hop of the DNS ecosystem. With wider easy deployment of the underlying transport on an opportunistic basis, we hope to facilitate the future specification of stronger cryptographic protections against more powerful attacks.


Daniel Kahn Gillmor
Joey Salazar

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)