DNS over DTLS (DNSoD)
draft-ietf-dprive-dnsodtls-08

Document Type: Active Internet-Draft (dprive WG)
Last updated: 2016-07-28
Replaces: draft-wing-dprive-dnsodtls
Stream: IETF
Intended RFC status: Experimental
Stream WG state: WG Document
Document shepherd: Tim Wicinski
IESG state: I-D Exists
Consensus Boilerplate: Unknown
Responsible AD: (None)
Send notices to: "Tim Wicinski" <tjw.ietf@gmail.com>
DPRIVE                                                          T. Reddy
Internet-Draft                                                   D. Wing
Intended status: Standards Track                                P. Patil
Expires: January 29, 2017                                          Cisco
                                                           July 28, 2016

                         DNS over DTLS (DNSoD)
                     draft-ietf-dprive-dnsodtls-08

Abstract

   DNS queries and responses are visible to network elements on the path
   between the DNS client and its server.  These queries and responses
   can contain privacy-sensitive information which is valuable to
   protect.  An active attacker can send bogus responses causing
   misdirection of the subsequent connection.

   To counter passive listening and active attacks, this document
   proposes the use of Datagram Transport Layer Security (DTLS) for DNS,
   to protect against passive listeners and certain active attacks.  As
   DNS needs to remain fast, this proposal also discusses mechanisms to
   reduce DTLS round trips and reduce DTLS handshake size.  The proposed
   mechanism runs over port 853.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 29, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Reddy, et al.           Expires January 29, 2017                [Page 1]
Internet-Draft            DNS over DTLS (DNSoD)                July 2016

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Relationship to TCP Queries and to DNSSEC . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Establishing and Managing DNS-over-DTLS Sessions  . . . . . .   3
     3.1.  Session Initiation  . . . . . . . . . . . . . . . . . . .   4
     3.2.  DTLS Handshake and Authentication . . . . . . . . . . . .   4
     3.3.  Established Sessions  . . . . . . . . . . . . . . . . . .   4
   4.  Performance Considerations  . . . . . . . . . . . . . . . . .   6
   5.  Anycast . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     10.2.  Informative References . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The Domain Name System is specified in [RFC1034] and [RFC1035].  DNS
   queries and responses are normally exchanged unencrypted and are thus
   vulnerable to eavesdropping.  Such eavesdropping can result in an
   undesired entity learning domains that a host wishes to access, thus
   resulting in privacy leakage.  The DNS privacy problem is further
   discussed in [RFC7626].

   Active attackers have long been successful at injecting bogus
   responses, causing cache poisoning and causing misdirection of the
   subsequent connection (if attacking A or AAAA records).  A popular
   mitigation against that attack is to use ephemeral and random source
   ports for DNS queries [RFC5452].
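   The two paragraphs above describe the threat this draft is built
   around (forged replies injected by an attacker) and the pre-DTLS
   mitigation, randomized transaction IDs and source ports.  The
   following Python is an added illustration, not code from the draft
   or from any DNS implementation: it builds a wire-format query with a
   random 16-bit transaction ID and applies the acceptance checks a
   resolver performs before trusting a reply (source matches the queried
   server, QR bit set, TXID matches, question section echoed).  The
   addresses (192.0.2.0/24) and the sample replies are constructed; the
   query/response layout follows RFC 1035.  The point it makes concrete
   is that these checks only raise the guessing cost for an off-path
   attacker, whereas DTLS gives the reply cryptographic integrity.

```python
from __future__ import annotations
import secrets
import struct
from typing import Optional

# Added example; constructed values, not code from the draft.

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> tuple[int, bytes]:
    """Build a standard recursive query; the TXID is random unless supplied."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)          # 16 bits of entropy, as in RFC 5452
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return txid, header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), (end if jumped else offset)

def parse_question(msg: bytes) -> tuple[int, int, str, int, int]:
    """Return (txid, flags, qname, qtype, qclass) from the header and first question."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, qname, qtype, qclass

def response_matches(pending: dict, response: bytes, src: tuple[str, int]) -> tuple[bool, str]:
    """Acceptance checks a resolver applies to a reply for an outstanding query.
    The local random source port is enforced by the socket itself; here we check
    the remote side, the TXID and that the question is echoed back."""
    if src != pending["server"]:
        return False, "source address/port does not match the queried server"
    try:
        txid, flags, qname, qtype, qclass = parse_question(response)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError) as exc:
        return False, f"malformed response: {exc}"
    if not flags & 0x8000:
        return False, "QR bit not set (not a response)"
    if txid != pending["txid"]:
        return False, "transaction ID mismatch"
    if (qname, qtype, qclass) != (pending["qname"].lower().rstrip("."), pending["qtype"], 1):
        return False, "question section does not echo the query"
    return True, "accepted"

def demo() -> tuple[bool, bool]:
    """Constructed run: one matching reply and one reply with a different TXID."""
    txid, query = build_query("example.com", 1)
    pending = {"txid": txid, "qname": "example.com", "qtype": 1, "server": ("192.0.2.53", 53)}
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # A record, name pointer to offset 12
    good = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer + bytes([192, 0, 2, 1])
    other = struct.pack("!HHHHHH", (txid + 1) & 0xFFFF, 0x8180, 1, 1, 0, 0) + query[12:] + answer + bytes([192, 0, 2, 2])
    ok_good, _ = response_matches(pending, good, ("192.0.2.53", 53))
    ok_other, _ = response_matches(pending, other, ("192.0.2.53", 53))
    return ok_good, ok_other

if __name__ == "__main__":
    print(demo())
```

   `demo()` returns `(True, False)`: the reply that echoes the
   transaction ID and question is accepted, the one that does not is
   dropped.  Because the matching is only a 16-bit TXID plus the
   socket's random port, it remains a probabilistic defence; the DTLS
   session this draft specifies removes the guessing game entirely.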

   This document defines DNS over DTLS (DNSoD, pronounced "dee-enn-sod")