Skip to main content

Authoritative DNS-over-TLS Operational Considerations

Document Type Expired Internet-Draft (candidate for dprive WG)
Expired & archived
Authors Karl Michael Henderson , Tim April , Jason Livingood
Last updated 2020-02-14 (Latest revision 2019-08-13)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state Call For Adoption By WG Issued
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


DNS over TLS (DoT) has been gaining attention, primarily as a means of communication between stub resolvers and recursive resolvers. There have also been discussions and experiments involving the use of DoT to communicate with authoritative nameservers (Authoritative DNS over TLS or "ADoT"), including communication between recursive and authoritative resolvers. However, we have identified a number of operational concerns with ADoT that have arisen as DNS operators have begun to experiment with and prepare for deploying DoT. These operational concerns need to be addressed prior to ADoT's deployment at scale by DNS operators in order to maintain the stability and resilience of the global DNS. The document also provides some suggested next steps to advance the operator community's understanding of ADoT's operational impact.


Karl Michael Henderson
Tim April
Jason Livingood

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)