Specification for DNS over Datagram Transport Layer Security (DTLS)
draft-ietf-dprive-dnsodtls-10

Document Type: Active Internet-Draft (dprive WG)
Last updated: 2016-08-16
Replaces: draft-wing-dprive-dnsodtls
Stream: IETF
Intended RFC status: Experimental
WG state: In WG Last Call
Document shepherd: Tim Wicinski
IESG state: I-D Exists
Consensus Boilerplate: Unknown
Telechat date: (none)
Responsible AD: (None)
Send notices to: "Tim Wicinski" <tjw.ietf@gmail.com>
DPRIVE                                                          T. Reddy
Internet-Draft                                                   D. Wing
Intended status: Experimental                                   P. Patil
Expires: February 17, 2017                                         Cisco
                                                         August 16, 2016

  Specification for DNS over Datagram Transport Layer Security (DTLS)
                     draft-ietf-dprive-dnsodtls-10

Abstract

   DNS queries and responses are visible to network elements on the path
   between the DNS client and its server.  These queries and responses
   can contain privacy-sensitive information which is valuable to
   protect.  An active attacker can send bogus responses causing
   misdirection of the subsequent connection.

   This document proposes the use of Datagram Transport Layer Security
   (DTLS) for DNS, to protect against passive listeners and certain
   active attacks.  As latency is critical for DNS, this proposal also
   discusses mechanisms to reduce DTLS round trips and reduce DTLS
   handshake size.  The proposed mechanism runs over port 853.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 17, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents

Reddy, et al.           Expires February 17, 2017               [Page 1]

   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Relationship to TCP Queries and to DNSSEC . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Establishing and Managing DNS-over-DTLS Sessions  . . . . . .   4
     3.1.  Session Initiation  . . . . . . . . . . . . . . . . . . .   4
     3.2.  DTLS Handshake and Authentication . . . . . . . . . . . .   4
     3.3.  Established Sessions  . . . . . . . . . . . . . . . . . .   5
   4.  Performance Considerations  . . . . . . . . . . . . . . . . .   7
   5.  PMTU issues . . . . . . . . . . . . . . . . . . . . . . . . .   8
   6.  Anycast . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   7.  Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  10
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  10
     11.2.  Informative References . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   The Domain Name System is specified in [RFC1034] and [RFC1035].  DNS
   queries and responses are normally exchanged unencrypted and are thus
   vulnerable to eavesdropping.  Such eavesdropping can result in an
   undesired entity learning domains that a host wishes to access, thus
   resulting in privacy leakage.  The DNS privacy problem is further
   discussed in [RFC7626].

   Active attackers have long been successful at injecting bogus
   responses, causing cache poisoning and causing misdirection of the
   subsequent connection (if attacking A or AAAA records).  A popular
   mitigation against that attack is to use ephemeral and random source
   ports for DNS queries [RFC5452].
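   The paragraph above refers to the RFC 5452 mitigation that an
   unprotected stub resolver relies on: a random 16-bit transaction ID,
   a random ephemeral source port, and strict matching of any reply
   against the outstanding query before it is accepted.  The following
   Python is an added illustration, not code from this draft or from any
   implementation it describes; it builds a query, constructs a sample
   reply inline (no packets are sent), and applies the matching checks.
   The addresses, port range and helper names are assumptions made for
   the example.

```python
"""Added example (not from the draft): the reply-matching checks an
unprotected resolver makes, per the RFC 5452 style of mitigation.
All packets and addresses below are constructed inline; nothing is sent."""
import secrets
import struct
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port), a constructed 2-tuple


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Return (txid, wire-format query) for qname/qtype with the RD bit set."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)          # random 16-bit transaction ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN
    return txid, header + question


def pick_ephemeral_port() -> int:
    """Random source port from the IANA dynamic range 49152-65535 (assumed range)."""
    return 49152 + secrets.randbelow(65536 - 49152)


def question_section(msg: bytes) -> bytes:
    """Return the raw question section (name + type + class) of a DNS message.
    Raises IndexError on a truncated message; compression in the question is not handled."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    off += 1 + 4                                   # root label, QTYPE, QCLASS
    if off > len(msg):
        raise IndexError("truncated question section")
    return msg[12:off]


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed reply: mirrors the query's ID and question, adds one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) \
        + bytes(int(x) for x in ipv4.split("."))
    return header + question_section(query) + rr


def response_matches(query: bytes, sent_from: Endpoint, sent_to: Endpoint,
                     response: bytes, rcvd_at: Endpoint, rcvd_from: Endpoint) -> bool:
    """Accept a reply only if it arrived on the query's 5-tuple, carries the
    query's transaction ID, has QR set, and repeats the question verbatim."""
    if rcvd_at != sent_from or rcvd_from != sent_to:
        return False                               # wrong destination port/addr or source
    if len(response) < 12:
        return False
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0]:
        return False                               # transaction ID mismatch
    if not flags & 0x8000:
        return False                               # QR bit clear: not a response
    try:
        return question_section(response) == question_section(query)
    except IndexError:
        return False


if __name__ == "__main__":
    txid, q = build_query("example.com")
    src = ("192.0.2.10", pick_ephemeral_port())    # constructed client endpoint
    dst = ("192.0.2.53", 53)                       # constructed server endpoint
    reply = build_response(q, "192.0.2.1")         # constructed legitimate reply
    print(response_matches(q, src, dst, reply, src, dst))                     # True
    print(response_matches(q, src, dst, reply, ("192.0.2.10", 53), dst))      # False
```

   The point of the example is what the checks do and do not cover: a
   reply that fails any of ID, port or question matching is dropped, but
   every field being matched travels in the clear, which is the gap the
   draft addresses by moving the exchange inside DTLS.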

   This document defines DNS over DTLS (DNS-over-DTLS) which provides