Skip to main content

Discovery of Designated Resolvers

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 9462.
Authors Tommy Pauly , Eric Kinnear , Christopher A. Wood , Patrick McManus , Tommy Jensen
Last updated 2022-07-26 (Latest revision 2022-07-05)
Replaces draft-pauly-add-deer
RFC stream Internet Engineering Task Force (IETF)
Additional resources Mailing list discussion
Stream WG state Submitted to IESG for Publication
Document shepherd Andrew Campling
Shepherd write-up Show Last changed 2022-06-14
IESG IESG state Became RFC 9462 (Proposed Standard)
Consensus boilerplate Yes
Telechat date (None)
Needs 2 more YES or NO OBJECTION positions to pass.
Responsible AD Éric Vyncke
Send notices to Andrew.Campling@419.Consulting
IANA IANA review state IANA OK - Actions Needed
ADD                                                             T. Pauly
Internet-Draft                                                E. Kinnear
Intended status: Standards Track                              Apple Inc.
Expires: 6 January 2023                                       C. A. Wood
                                                              P. McManus
                                                               T. Jensen
                                                             5 July 2022

                   Discovery of Designated Resolvers


   This document defines Discovery of Designated Resolvers (DDR), a
   mechanism for DNS clients to use DNS records to discover a resolver's
   encrypted DNS configuration.  An encrypted resolver discovered in
   this manner is referred to as a "Designated Resolver".  This
   mechanism can be used to move from unencrypted DNS to encrypted DNS
   when only the IP address of a resolver is known.  This mechanism is
   designed to be limited to cases where unencrypted resolvers and their
   designated resolvers are operated by the same entity or cooperating
   entities.  It can also be used to discover support for encrypted DNS
   protocols when the name of an encrypted resolver is known.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Adaptive DNS Discovery
   Working Group mailing list (, which is archived at

   Source for this draft and an issue tracker can be found at

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

Pauly, et al.            Expires 6 January 2023                 [Page 1]
Internet-Draft                     DDR                         July 2022

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 January 2023.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Specification of Requirements . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  DNS Service Binding Records . . . . . . . . . . . . . . . . .   4
   4.  Discovery Using Resolver IP Addresses . . . . . . . . . . . .   5
     4.1.  Use of Designated Resolvers . . . . . . . . . . . . . . .   6
       4.1.1.  Use of Designated Resolvers across network changes  .   7
     4.2.  Verified Discovery  . . . . . . . . . . . . . . . . . . .   7
     4.3.  Opportunistic Discovery . . . . . . . . . . . . . . . . .   8
   5.  Discovery Using Resolver Names  . . . . . . . . . . . . . . .   9
   6.  Deployment Considerations . . . . . . . . . . . . . . . . . .  10
     6.1.  Caching Forwarders  . . . . . . . . . . . . . . . . . . .  10
     6.2.  Certificate Management  . . . . . . . . . . . . . . . . .  10
     6.3.  Server Name Handling  . . . . . . . . . . . . . . . . . .  10
     6.4.  Handling non-DDR queries for  . . . . . . .  11
     6.5.  Interaction with Network-Designated Resolvers . . . . . .  11
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
     8.1.  Special Use Domain Name "" . . . . . . . . .  12
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  13
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  14
   Appendix A.  Rationale for using SVCB records . . . . . . . . . .  16
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  17

Pauly, et al.            Expires 6 January 2023                 [Page 2]
Internet-Draft                     DDR                         July 2022

1.  Introduction

   When DNS clients wish to use encrypted DNS protocols such as DNS-
   over-TLS (DoT) [RFC7858], DNS-over-QUIC (DoQ) [RFC9250], or DNS-over-
   HTTPS (DoH) [RFC8484], they require additional information beyond the
   IP address of the DNS server, such as the resolver's hostname, non-
   standard ports, or URI templates.  However, common configuration
   mechanisms only provide the resolver's IP address during
   configuration.  Such mechanisms include network provisioning
   protocols like DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement
   (RA) options [RFC8106], as well as manual configuration.

   This document defines two mechanisms for clients to discover
   designated resolvers using DNS server Service Binding (SVCB,
   [I-D.ietf-dnsop-svcb-https]) records:

   1.  When only an IP address of an Unencrypted Resolver is known, the
       client queries a special use domain name (SUDN) [RFC6761] to
       discover DNS SVCB records associated with one or more Encrypted
       Resolvers the Unencrypted Resolver has designated for use when
       support for DNS encryption is requested (Section 4).

   2.  When the hostname of an Encrypted Resolver is known, the client
       requests details by sending a query for a DNS SVCB record.  This
       can be used to discover alternate encrypted DNS protocols
       supported by a known server, or to provide details if a resolver
       name is provisioned by a network (Section 5).

   Both of these approaches allow clients to confirm that a discovered
   Encrypted Resolver is designated by the originally provisioned
   resolver.  "Designated" in this context means that the resolvers are
   operated by the same entity or cooperating entities; for example, the
   resolvers are accessible on the same IP address, or there is a
   certificate that claims ownership over the IP address for the
   original designating resolver.

1.1.  Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   This document defines the following terms:

Pauly, et al.            Expires 6 January 2023                 [Page 3]
Internet-Draft                     DDR                         July 2022

   DDR:  Discovery of Designated Resolvers.  Refers to the mechanisms
      defined in this document.

   Designated Resolver:  A resolver, presumably an Encrypted Resolver,
      designated by another resolver for use in its own place.  This
      designation can be verified with TLS certificates.

   Encrypted Resolver:  A DNS resolver using any encrypted DNS
      transport.  This includes current mechanisms such as DoH, DoT, and
      DoQ, as well as future mechanisms.

   Unencrypted Resolver:  A DNS resolver using TCP or UDP port 53
      without encryption.

3.  DNS Service Binding Records

   DNS resolvers can advertise one or more Designated Resolvers that may
   offer support over encrypted channels and are controlled by the same

   When a client discovers Designated Resolvers, it learns information
   such as the supported protocols and ports.  This information is
   provided in ServiceMode Service Binding (SVCB) records for DNS
   Servers, although AliasMode SVCB records can be used to direct
   clients to the needed ServiceMode SVCB record per
   [I-D.ietf-dnsop-svcb-https].  The formatting of these records,
   including the DNS-unique parameters such as "dohpath", are defined by

   The following is an example of an SVCB record describing a DoH server
   discovered by querying for  7200  IN SVCB 1 (
        alpn=h2 dohpath=/dns-query{?dns} )

   The following is an example of an SVCB record describing a DoT server
   discovered by querying for  7200  IN SVCB 1 (
        alpn=dot port=8530 )

   The following is an example of an SVCB record describing a DoQ server
   discovered by querying for  7200  IN SVCB 1 (
        alpn=doq port=8530 )

Pauly, et al.            Expires 6 January 2023                 [Page 4]
Internet-Draft                     DDR                         July 2022

   If multiple Designated Resolvers are available, using one or more
   encrypted DNS protocols, the resolver deployment can indicate a
   preference using the priority fields in each SVCB record

   If the client encounters a mandatory parameter in an SVCB record it
   does not understand, it MUST NOT use that record to discover a
   Designated Resolver.  The client can still use others records in the
   same response if the client can understand all of their mandatory
   parameters.  This allows future encrypted deployments to
   simultaneously support protocols even if a given client is not aware
   of all those protocols.  For example, if the Unencrypted Resolver
   returns three SVCB records, one for DoH, one for DoT, and one for a
   yet-to-exist protocol, a client which only supports DoH and DoT
   should be able to use those records while safely ignoring the third

   To avoid name lookup deadlock, Designated Resolvers SHOULD follow the
   guidance in Section 10 of [RFC8484] regarding the avoidance of DNS-
   based references that block the completion of the TLS handshake.

   This document focuses on discovering DoH, DoT, and DoQ Designated
   Resolvers.  Other protocols can also use the format defined by
   [I-D.ietf-add-svcb-dns].  However, if any such protocol does not
   involve some form of certificate validation, new validation
   mechanisms will need to be defined to support validating designation
   as defined in Section 4.2.

4.  Discovery Using Resolver IP Addresses

   When a DNS client is configured with an Unencrypted Resolver IP
   address, it SHOULD query the resolver for SVCB records for the name
   "" before making other queries.  Specifically, the
   client issues a query for with the SVCB resource
   record type (64) [I-D.ietf-dnsop-svcb-https].

   Because this query is for an SUDN, which no entity can claim
   ownership over, the ServiceMode SVCB response MUST NOT use the "."
   value for the TargetName.  Instead, the domain name used for DoT/DoQ
   or used to construct the DoH template MUST be provided.

   The following is an example of an SVCB record describing a DoH server
   discovered by querying for  7200  IN SVCB 1 (
        alpn=h2 dohpath=/dns-query{?dns} )

Pauly, et al.            Expires 6 January 2023                 [Page 5]
Internet-Draft                     DDR                         July 2022

   The following is an example of an SVCB record describing a DoT server
   discovered by querying for  7200  IN SVCB 1 (
        alpn=dot port=8530 )

   The following is an example of an SVCB record describing a DoQ server
   discovered by querying for  7200  IN SVCB 1 (
        alpn=doq port=8530 )

   If the recursive resolver that receives this query has one or more
   Designated Resolvers, it will return the corresponding SVCB records.
   When responding to these special queries for "", the
   recursive resolver SHOULD include the A and AAAA records for the name
   of the Designated Resolver in the Additional Answers section.  This
   will save the DNS client an additional round trip to retrieve the
   address of the designated resolver; see Section 5 of

   Designated Resolvers SHOULD be accessible using the IP address
   families that are supported by their associated Unencrypted
   Resolvers.  If an Unencrypted Resolver is accessible using an IPv4
   address, it ought to provide an A record for an IPv4 address of the
   Designated Resolver; similarly, if it is accessible using an IPv6
   address, it ought to provide a AAAA record for an IPv6 address of the
   Designated Resolver.  The Designated Resolver can support more
   address families than the Unencrypted Resolver, but it ought not to
   support fewer.  If this is not done, clients that only have
   connectivity over one address family might not be able to access the
   Designated Resolver.

   If the recursive resolver that receives this query has no Designated
   Resolvers, it SHOULD return NODATA for queries to the ""

4.1.  Use of Designated Resolvers

   When a client discovers Designated Resolvers from an Unencrypted
   Resolver IP address, it can choose to use these Designated Resolvers
   either automatically, or based on some other policy, heuristic, or
   user choice.

   This document defines two preferred methods to automatically use
   Designated Resolvers:

Pauly, et al.            Expires 6 January 2023                 [Page 6]
Internet-Draft                     DDR                         July 2022

   *  Verified Discovery (Section 4.2), for when a TLS certificate can
      be used to validate the resolver's identity.

   *  Opportunistic Discovery (Section 4.3), for when a resolver's IP
      address is a private or local address.

   A client MAY additionally use a discovered Designated Resolver
   without either of these methods, based on implementation-specific
   policy or user input.  Details of such policy are out of scope of
   this document.  Clients MUST NOT automatically use a Designated
   Resolver without some sort of validation, such as the two methods
   defined in this document or a future mechanism.

   A client MUST NOT re-use a designation discovered using the IP
   address of one Unencrypted Resolver in place of any other Unencrypted
   Resolver.  Instead, the client SHOULD repeat the discovery process to
   discover the Designated Resolver of the other Unencrypted Resolver.
   In other words, designations are per-resolver and MUST NOT be used to
   configure the client's universal DNS behavior.  This ensures in all
   cases that queries are being sent to a party designated by the
   resolver originally being used.

4.1.1.  Use of Designated Resolvers across network changes

   If a client is configured with the same Unencrypted Resolver IP
   address on multiple different networks, a Designated Resolver that
   has been discovered on one network SHOULD NOT be reused on any of the
   other networks without repeating the discovery process for each

   However, if a given Unencrypted Resolver designates a Designated
   Resolver that does not use a private or local IP address and can be
   verified using the mechanism described in Section 4.2, it MAY be used
   on different network connections so long as the subsequent
   connections over other networks can also be successfully verified
   using the mechanism described in Section 4.2.  This is a tradeoff
   between performance (by having no delay in establishing an encrypted
   DNS connection on the new network) and functionality (if the
   Unencrypted Resolver intends to designate different Designated
   Resolvers based on the network from which clients connect).

4.2.  Verified Discovery

   Verified Discovery is a mechanism that allows automatic use of a
   Designated Resolver that supports DNS encryption that performs a TLS

Pauly, et al.            Expires 6 January 2023                 [Page 7]
Internet-Draft                     DDR                         July 2022

   In order to be considered a verified Designated Resolver, the TLS
   certificate presented by the Designated Resolver needs to pass the
   following checks made by the client:

   1.  The client MUST verify the chain of certificates up to a trust
       anchor as described in Section 6 of [RFC5280].  This SHOULD use
       the default system or application trust anchors.

   2.  The client MUST verify that the certificate contains the IP
       address of the designating Unencrypted Resolver in a
       subjectAltName extension.

   If these checks pass, the client SHOULD use the discovered Designated
   Resolver for any cases in which it would have otherwise used the
   Unencrypted Resolver.

   If these checks fail, the client MUST NOT automatically use the
   discovered Designated Resolver.  Additionally, the client SHOULD
   suppress any further queries for Designated Resolvers using this
   Unencrypted Resolver for the length of time indicated by the SVCB
   record's Time to Live (TTL).

   If the Designated Resolver and the Unencrypted Resolver share an IP
   address, clients MAY choose to opportunistically use the Designated
   Resolver even without this certificate check (Section 4.3).

   If resolving the name of a Designated Resolver from an SVCB record
   yields an IP address that was not presented in the Additional Answers
   section or ipv4hint or ipv6hint fields of the original SVCB query,
   the connection made to that IP address MUST pass the same TLS
   certificate checks before being allowed to replace a previously known
   and validated IP address for the same Designated Resolver name.

4.3.  Opportunistic Discovery

   There are situations where Verified Discovery of encrypted DNS
   configuration over unencrypted DNS is not possible.  This includes
   Unencrypted Resolvers on private IP addresses [RFC1918], Unique Local
   Addresses (ULAs) [RFC4193], and Link Local Addresses [RFC3927]
   [RFC4291], whose identity cannot be confirmed using TLS certificates
   under most conditions.

   Opportunistic Privacy is defined for DoT in Section 4.1 of [RFC7858]
   as a mode in which clients do not validate the name of the resolver
   presented in the certificate.  Opportunistic Privacy similarly
   applies to DoQ [RFC9250].  A client MAY use information from the SVCB
   record for "" with this "opportunistic" approach (not
   validating the names presented in the SubjectAlternativeName field of

Pauly, et al.            Expires 6 January 2023                 [Page 8]
Internet-Draft                     DDR                         July 2022

   the certificate) as long as the IP address of the Encrypted Resolver
   does not differ from the IP address of the Unencrypted Resolver.
   Clients SHOULD use this mode only for resolvers using private or
   local IP addresses.  This approach can be used for any encrypted DNS
   protocol that uses TLS.

5.  Discovery Using Resolver Names

   A DNS client that already knows the name of an Encrypted Resolver can
   use DDR to discover details about all supported encrypted DNS
   protocols.  This situation can arise if a client has been configured
   to use a given Encrypted Resolver, or if a network provisioning
   protocol (such as DHCP or IPv6 Router Advertisements) provides a name
   for an Encrypted Resolver alongside the resolver IP address, such as
   by using Discovery of Network Resolvers (DNR) [I-D.ietf-add-dnr].

   For these cases, the client simply sends a DNS SVCB query using the
   known name of the resolver.  This query can be issued to the named
   Encrypted Resolver itself or to any other resolver.  Unlike the case
   of bootstrapping from an Unencrypted Resolver (Section 4), these
   records SHOULD be available in the public DNS.

   For example, if the client already knows about a DoT server, it can issue an SVCB query for to discover if there are other encrypted
   DNS protocols available.  In the following example, the SVCB answers
   indicate that supports both DoH and DoT, and
   that the DoH server indicates a higher priority than the DoT server.  7200  IN SVCB 1 (
        alpn=h2 dohpath=/dns-query{?dns} )  7200  IN SVCB 1 (
        alpn=dot )

   Clients MUST validate that for any Encrypted Resolver discovered
   using a known resolver name, the TLS certificate of the resolver
   contains the known name in a subjectAltName extension.  In the
   example above, this means that both servers need to have certificates
   that cover the name  Often, the various
   supported encrypted DNS protocols will be specified such that the
   SVCB TargetName matches the known name, as is true in the example
   above.  However, even when the TargetName is different (for example,
   if the DoH server had a TargetName of, the clients
   still check for the original known resolver name in the certificate.

   Note that this resolver validation is not related to the DNS resolver
   that provided the SVCB answer.

Pauly, et al.            Expires 6 January 2023                 [Page 9]
Internet-Draft                     DDR                         July 2022

   As another example, being able to discover a Designated Resolver for
   a known Encrypted Resolver is useful when a client has a DoT
   configuration for but is on a network that
   blocks DoT traffic.  The client can still send a query to any other
   accessible resolver (either the local network resolver or an
   accessible DoH server) to discover if there is a designated DoH
   server for

6.  Deployment Considerations

   Resolver deployments that support DDR are advised to consider the
   following points.

6.1.  Caching Forwarders

   A DNS forwarder SHOULD NOT forward queries for ""
   upstream.  This prevents a client from receiving an SVCB record that
   will fail to authenticate because the forwarder's IP address is not
   in the upstream resolver's Designated Resolver's TLS certificate SAN
   field.  A DNS forwarder which already acts as a completely blind
   forwarder MAY choose to forward these queries when the operator
   expects that this does not apply, either because the operator knows
   that the upstream resolver does have the forwarder's IP address in
   its TLS certificate's SAN field or that the operator expects clients
   of the unencrypted resolver to use the SVCB information

   Operators who choose to forward queries for "" upstream
   should note that client behavior is never guaranteed and use of DDR
   by a resolver does not communicate a requirement for clients to use
   the SVCB record when it cannot be verified.

6.2.  Certificate Management

   Resolver owners that support Verified Discovery will need to list
   valid referring IP addresses in their TLS certificates.  This may
   pose challenges for resolvers with a large number of referring IP

6.3.  Server Name Handling

   Clients MUST NOT use "" as the server name either in the
   TLS Server Name Indication (SNI) ([RFC8446]) for DoT, DoQ, or DoH
   connections, or in the URI host for DoH requests.

   When performing discovery using resolver IP addresses, clients MUST
   use the IP address as the URI host for DoH requests.

Pauly, et al.            Expires 6 January 2023                [Page 10]
Internet-Draft                     DDR                         July 2022

   Note that since IP addresses are not supported by default in the TLS
   SNI, resolvers that support discovery using IP addresses will need to
   be configured to present the appropriate TLS certificate when no SNI
   is present for DoT, DoQ, and DoH.

6.4.  Handling non-DDR queries for

   DNS resolvers that support DDR by responding to queries for SHOULD treat as a locally served
   zone per [RFC6303].  In practice, this means that resolvers SHOULD
   respond to queries of any type other than SVCB for
   with NODATA and queries of any type for any domain name under with NODATA.

6.5.  Interaction with Network-Designated Resolvers

   Discovery of network-designated resolvers (DNR, [I-D.ietf-add-dnr])
   allows a network to provide designation of resolvers directly through
   DHCP [RFC2132] [RFC8415] and IPv6 Router Advertisement (RA) [RFC4861]
   options.  When such indications are present, clients can suppress
   queries for "" to the unencrypted DNS server indicated
   by the network over DHCP or RAs, and the DNR indications SHOULD take
   precedence over those discovered using "" for the same
   resolver if there is a conflict.

   The designated resolver information in DNR might not contain a full
   set of SvcParams needed to connect to an encrypted resolver.  In such
   a case, the client can use an SVCB query using a resolver name, as
   described in Section 5, to the authentication-domain-name (ADN).

7.  Security Considerations

   Since clients can receive DNS SVCB answers over unencrypted DNS, on-
   path attackers can prevent successful discovery by dropping SVCB
   queries or answers, and thus prevent clients from switching to use
   encrypted DNS.  Clients should be aware that it might not be possible
   to distinguish between resolvers that do not have any Designated
   Resolver and such an active attack.  To limit the impact of discovery
   queries being dropped either maliciously or unintentionally, clients
   can re-send their SVCB queries periodically.

   Section 8.2 of [I-D.ietf-add-svcb-dns] describes a second downgrade
   attack where an attacker can block connections to the encrypted DNS
   server, and recommends that clients prevent it by switching to SVCB-
   reliant behavior once SVCB resolution does succeed.  For DDR, this
   means that once a client discovers a compatible Designated Resolver,
   it SHOULD NOT use unencrypted DNS until the SVCB record expires,
   unless verification of the resolver fails.

Pauly, et al.            Expires 6 January 2023                [Page 11]
Internet-Draft                     DDR                         July 2022

   DoH resolvers that allow discovery using DNS SVCB answers over
   unencrypted DNS MUST NOT provide differentiated behavior based on the
   HTTP path alone, since an attacker could modify the "dohpath"
   parameter.  For example, if a DoH resolver provides provides a
   filtering service for one URI path, and a non-filtered service for
   another URI path, an attacker could select which of these services is
   used by modifying the "dohpath" parameter.  These attacks can be
   mitigated by providing separate resolver IP addresses or hostnames.

   While the IP address of the Unencrypted Resolver is often provisioned
   over insecure mechanisms, it can also be provisioned securely, such
   as via manual configuration, a VPN, or on a network with protections
   like RA-Guard [RFC6105].  An attacker might try to direct Encrypted
   DNS traffic to itself by causing the client to think that a
   discovered Designated Resolver uses a different IP address from the
   Unencrypted Resolver.  Such a Designated Resolver might have a valid
   certificate, but be operated by an attacker that is trying to observe
   or modify user queries without the knowledge of the client or

   If the IP address of a Designated Resolver differs from that of an
   Unencrypted Resolver, clients applying Verified Discovery
   (Section 4.2) MUST validate that the IP address of the Unencrypted
   Resolver is covered by the SubjectAlternativeName of the Designated
   Resolver's TLS certificate.

   Clients using Opportunistic Discovery (Section 4.3) MUST be limited
   to cases where the Unencrypted Resolver and Designated Resolver have
   the same IP address.

   The constraints on the use of Designated Resolvers specified here
   apply specifically to the automatic discovery mechanisms defined in
   this document, which are referred to as Verified Discovery and
   Opportunistic Discovery.  Clients MAY use some other mechanism to
   verify and use Designated Resolvers discovered using the DNS SVCB
   record.  However, use of such an alternate mechanism needs to take
   into account the attack scenarios detailed here.

8.  IANA Considerations

8.1.  Special Use Domain Name ""

   This document calls for the addition of "" to the
   Special-Use Domain Names (SUDN) registry established by [RFC6761].
   This will allow resolvers to respond to queries directed at
   themselves rather than a specific domain name.  While this document
   uses "" to return SVCB records indicating designated
   encrypted capability, the name is generic enough to allow future

Pauly, et al.            Expires 6 January 2023                [Page 12]
Internet-Draft                     DDR                         July 2022

   reuse for other purposes where the resolver wishes to provide
   information about itself to the client.

   The "" SUDN is similar to "" in that the
   querying client is not interested in an answer from the authoritative
   "arpa" name servers.  The intent of the SUDN is to allow clients to
   communicate with the Unencrypted Resolver much like ""
   allows for client-to-middlebox communication.  For more context, see
   the rationale behind "" in [RFC8880].

   IANA is requested to add an entry in "Transport-Independent Locally-
   Served DNS Zones" registry for '' with the description
   "DNS Resolver Special-Use Domain", listing this document as the

9.  References

9.1.  Normative References

              Schwartz, B., "Service Binding Mapping for DNS Servers",
              Work in Progress, Internet-Draft, draft-ietf-add-svcb-dns-
              06, 5 July 2022, <

              Schwartz, B., Bishop, M., and E. Nygren, "Service binding
              and parameter specification via the DNS (DNS SVCB and
              HTTPS RRs)", Work in Progress, Internet-Draft, draft-ietf-
              dnsop-svcb-https-10, 24 May 2022,

   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
              J., and E. Lear, "Address Allocation for Private
              Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
              February 1996, <>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC3927]  Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
              Configuration of IPv4 Link-Local Addresses", RFC 3927,
              DOI 10.17487/RFC3927, May 2005,

Pauly, et al.            Expires 6 January 2023                [Page 13]
Internet-Draft                     DDR                         July 2022

   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
              Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,

   [RFC6303]  Andrews, M., "Locally Served DNS Zones", BCP 163,
              RFC 6303, DOI 10.17487/RFC6303, July 2011,

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, DOI 10.17487/RFC6761, February 2013,

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <>.

   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,

   [RFC9250]  Huitema, C., Dickinson, S., and A. Mankin, "DNS over
              Dedicated QUIC Connections", RFC 9250,
              DOI 10.17487/RFC9250, May 2022,

9.2.  Informative References

Pauly, et al.            Expires 6 January 2023                [Page 14]
Internet-Draft                     DDR                         July 2022

              Boucadair, M., Reddy, T., Wing, D., Cook, N., and T.
              Jensen, "DHCP and Router Advertisement Options for the
              Discovery of Network-designated Resolvers (DNR)", Work in
              Progress, Internet-Draft, draft-ietf-add-dnr-09, 24 June
              2022, <

              Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
              Encrypted Client Hello", Work in Progress, Internet-Draft,
              draft-ietf-tls-esni-14, 13 February 2022,

              Schinazi, D., Sullivan, N., and J. Kipp, "DoH Preference
              Hints for HTTP", Work in Progress, Internet-Draft, draft-
              schinazi-httpbis-doh-preference-hints-02, 13 July 2020,

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              DOI 10.17487/RFC4861, September 2007,

   [RFC5507]  IAB, Faltstrom, P., Ed., Austein, R., Ed., and P. Koch,
              Ed., "Design Choices When Expanding the DNS", RFC 5507,
              DOI 10.17487/RFC5507, April 2009,

   [RFC6105]  Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
              Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
              DOI 10.17487/RFC6105, February 2011,

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017,

Pauly, et al.            Expires 6 January 2023                [Page 15]
Internet-Draft                     DDR                         July 2022

   [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
              Richardson, M., Jiang, S., Lemon, T., and T. Winters,
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 8415, DOI 10.17487/RFC8415, November 2018,

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,

   [RFC8880]  Cheshire, S. and D. Schinazi, "Special Use Domain Name
              ''", RFC 8880, DOI 10.17487/RFC8880, August
              2020, <>.

Appendix A.  Rationale for using SVCB records

   This mechanism uses SVCB/HTTPS resource records
   [I-D.ietf-dnsop-svcb-https] to communicate that a given domain
   designates a particular Designated Resolver for clients to use in
   place of an Unencrypted Resolver (using a SUDN) or another Encrypted
   Resolver (using its domain name).

   There are various other proposals for how to provide similar
   functionality.  There are several reasons that this mechanism has
   chosen SVCB records:

   *  Discovering encrypted resolver using DNS records keeps client
      logic for DNS self-contained and allows a DNS resolver operator to
      define which resolver names and IP addresses are related to one

   *  Using DNS records also does not rely on bootstrapping with higher-
      level application operations (such as

   *  SVCB records are extensible and allow definition of parameter
      keys.  This makes them a superior mechanism for extensibility as
      compared to approaches such as overloading TXT records.  The same
      keys can be used for discovering Designated Resolvers of different
      transport types as well as those advertised by Unencrypted
      Resolvers or another Encrypted Resolver.

   *  Clients and servers that are interested in privacy of names will
      already need to support SVCB records in order to use Encrypted TLS
      Client Hello [I-D.ietf-tls-esni].  Without encrypting names in
      TLS, the value of encrypting DNS is reduced, so pairing the
      solutions provides the largest benefit.

Pauly, et al.            Expires 6 January 2023                [Page 16]
Internet-Draft                     DDR                         July 2022

   *  Clients that support SVCB will generally send out three queries
      when accessing web content on a dual-stack network: A, AAAA, and
      HTTPS queries.  Discovering a Designated Resolver as part of one
      of these queries, without having to add yet another query,
      minimizes the total number of queries clients send.  While
      [RFC5507] recommends adding new RRTypes for new functionality,
      SVCB provides an extension mechanism that simplifies client

Authors' Addresses

   Tommy Pauly
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014,
   United States of America

   Eric Kinnear
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014,
   United States of America

   Christopher A. Wood
   101 Townsend St
   San Francisco,
   United States of America

   Patrick McManus

   Tommy Jensen

Pauly, et al.            Expires 6 January 2023                [Page 17]