Recursive to Authoritative DNS with Encryption
draft-ietf-dprive-opportunistic-adotq-01

Document type: Active Internet-Draft (dprive WG)
Authors: Paul Hoffman, Peter van Dijk
Last updated: 2021-02-22
Replaces: draft-pp-recursive-authoritative-opportunistic
Stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
WG state: WG Document
On agenda: dprive at IETF-110
Document shepherd: No shepherd assigned
IESG state: I-D Exists
Consensus boilerplate: Unknown
Responsible AD: (None)
Send notices to: (None)
Network Working Group                                         P. Hoffman
Internet-Draft                                                     ICANN
Intended status: Experimental                                P. van Dijk
Expires: 26 August 2021                                         PowerDNS
                                                        22 February 2021

             Recursive to Authoritative DNS with Encryption
                draft-ietf-dprive-opportunistic-adotq-01

Abstract

   This document describes a use case and a method for a DNS recursive
   resolver to use either opportunistic encryption (that is, encryption
   with optional authentication) or fully-authenticated encryption when
   communicating with authoritative servers.  The motivating use case
   for this method is that more encryption on the Internet is better,
   some resolver operators will only want to offer fully-authenticated
   encryption when encryption is available, and some resolver operators
   believe that opportunistic encryption is better than no encryption at
   all.  The method described here is optional for both the recursive
   resolver and the authoritative server.  This method supports both
   fully-authenticated encryption and opportunistic encryption using the
   same mechanism for discovery of encryption support and discovery of
   authenticated public keys for the server.

   IMPORTANT NOTE: This version of the document is completely different
   than the earlier version.  It now covers both opportunistic and
   fully-authenticated encryption.  It is in a very rough state, and
   there are many holes in the description.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 26 August 2021.

Hoffman & van Dijk       Expires 26 August 2021                 [Page 1]
Internet-Draft                    ADoTQ                    February 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Use Case for Opportunistic Encryption . . . . . . . . . .   3
     1.2.  Use Case for Fully-Authenticated Encryption . . . . . . .   3
     1.3.  Summary of Protocol . . . . . . . . . . . . . . . . . . .   4
     1.4.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Discovering Whether an Authoritative Server Uses ADoT . . . .   5
   3.  Resolving with ADoT . . . . . . . . . . . . . . . . . . . . .   6
     3.1.  Resolver Session Failures . . . . . . . . . . . . . . . .   6
   4.  Serving with ADoT . . . . . . . . . . . . . . . . . . . . . .   7
   5.  Resolvers Reporting Errors to Authoritative Servers . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   A recursive resolver using traditional DNS over port 53 may wish
   instead to use encrypted communication with authoritative servers in
   order to limit snooping of its DNS traffic by passive or on-path
   attackers.  The recursive resolver can use opportunistic encryption
   (defined in [RFC7435]) or fully-authenticated encryption to achieve
   this goal.
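   The two resolver policies contrasted above differ mainly in what the
   resolver demands of the TLS session toward the authoritative server and
   in what it does when that session cannot be authenticated.  The following
   Python sketch is an added illustration, not code from this draft or from
   any resolver implementation.  It assumes that the fully-authenticated
   mode validates the server against the platform CA store (the draft's own
   key-discovery mechanism is not shown in this excerpt), and its handling
   of an authentication failure in fully-authenticated mode is an assumption
   made for the example, not a rule stated by the draft.

```python
# Added illustration (not from the draft): the two resolver policies the
# introduction contrasts, expressed as TLS client configuration plus the
# transport choice made after a probe of the authoritative server.
import ssl
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    # "encryption with optional authentication" (RFC 7435 opportunistic security)
    OPPORTUNISTIC = "opportunistic"
    # encryption counts only when the server can be authenticated
    FULLY_AUTHENTICATED = "fully-authenticated"


def tls_context_for(policy: Policy) -> ssl.SSLContext:
    """Build the TLS client context a resolver would use toward an authoritative server.

    Assumption (not from the draft): fully-authenticated mode validates the
    server certificate against the platform CA store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if policy is Policy.OPPORTUNISTIC:
        # Accept any certificate: the goal is confidentiality against passive
        # observers, not proof of who the peer is.  check_hostname must be
        # cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
    return ctx


@dataclass(frozen=True)
class ProbeResult:
    """Constructed summary of one attempt to reach a server with encryption."""
    encryption_available: bool   # did an encrypted session come up at all?
    authenticated: bool          # did the server's identity check pass?


@dataclass(frozen=True)
class Transport:
    encrypted: bool
    authenticated: bool
    note: str


def choose_transport(policy: Policy, probe: ProbeResult) -> Transport:
    """Decide how the resolver talks to the server after probing it."""
    if not probe.encryption_available:
        # Both policies: the server offers no encryption, so traditional
        # port-53 DNS is used.
        return Transport(False, False, "no encryption available; cleartext DNS")
    if probe.authenticated:
        return Transport(True, True, "authenticated encrypted session")
    if policy is Policy.OPPORTUNISTIC:
        # "opportunistic encryption is better than no encryption at all"
        return Transport(True, False, "unauthenticated encrypted session")
    # Assumption for this example (not stated in the excerpt): a
    # fully-authenticated resolver refuses a session it cannot verify,
    # records the failure for reporting, and falls back to cleartext.
    return Transport(False, False, "authentication failed; cleartext DNS, failure recorded")
```

   The point to take from the table of outcomes is that both policies end
   up in cleartext when the server offers no encryption; they diverge only
   on a server that encrypts but cannot be authenticated, which is exactly
   the case a passive observer cannot exploit but an on-path attacker can.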

   This document describes two use cases for recursive resolvers:
   opportunistic encryption (described in Section 1.1) and fully-
   authenticated encryption (described in Section 1.2).  The encryption