Network Working Group                                         P. Hoffman
Internet-Draft                                                     ICANN
Intended status: Experimental                                P. van Dijk
Expires: 26 August 2021                                         PowerDNS
                                                        22 February 2021

             Recursive to Authoritative DNS with Encryption
                 draft-ietf-dprive-opportunistic-adotq-01
Abstract
This document describes a use case and a method for a DNS recursive
resolver to use either opportunistic encryption (that is, encryption
with optional authentication) or fully-authenticated encryption when
communicating with authoritative servers. The motivating use case
for this method is that more encryption on the Internet is better,
some resolver operators will only want to offer fully-authenticated
encryption when encryption is available, and some resolver operators
believe that opportunistic encryption is better than no encryption at
all. The method described here is optional for both the recursive
resolver and the authoritative server. This method supports both
fully-authenticated encryption and opportunistic encryption using the
same mechanism for discovery of encryption support and discovery of
authenticated public keys for the server.
IMPORTANT NOTE: This version of the document is completely different
from the earlier version. It now covers both opportunistic and
fully-authenticated encryption. It is in a very rough state, and
there are many holes in the description.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 26 August 2021.
Hoffman & van Dijk Expires 26 August 2021 [Page 1]
Internet-Draft ADoTQ February 2021
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Use Case for Opportunistic Encryption . . . . . . . . . . 3
1.2. Use Case for Fully-Authenticated Encryption . . . . . . . 3
1.3. Summary of Protocol . . . . . . . . . . . . . . . . . . . 4
1.4. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2. Discovering Whether an Authoritative Server Uses ADoT . . . . 5
3. Resolving with ADoT . . . . . . . . . . . . . . . . . . . . . 6
3.1. Resolver Session Failures . . . . . . . . . . . . . . . . 6
4. Serving with ADoT . . . . . . . . . . . . . . . . . . . . . . 7
5. Resolvers Reporting Errors to Authoritative Servers . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
A recursive resolver using traditional DNS over port 53 may wish
instead to use encrypted communication with authoritative servers in
order to limit snooping of its DNS traffic by passive or on-path
attackers. The recursive resolver can use opportunistic encryption
(defined in [RFC7435]) or fully-authenticated encryption to achieve
this goal.
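The following is an added example and is not code from the draft or from
any resolver implementation. It shows the difference between the two
modes named above from a recursive resolver's point of view: an
opportunistic client (RFC 7435) takes TLS when it can get it, accepts a
certificate it cannot verify, and falls back to cleartext when TLS fails,
whereas a fully-authenticated client insists on a verified certificate
and otherwise sends no query. The example assumes DNS over TLS on TCP
port 853 with the RFC 7858 two-octet length prefix and cleartext over
UDP port 53; the draft's own discovery mechanism is not modelled, and
the policy names, function names and the sample query are the example's
own.

```python
"""Added example: opportunistic vs. fully-authenticated TLS from a
recursive resolver to an authoritative server. Not from the draft.
Assumed (not stated on the page): DoT on TCP/853 with an RFC 7858 length
prefix, cleartext on UDP/53, and the policy names used below."""
import socket
import ssl
import struct
from enum import Enum
from typing import Tuple


class Policy(Enum):
    CLEARTEXT = "cleartext"          # classic Do53 only
    OPPORTUNISTIC = "opportunistic"  # encrypt if possible, never fail closed
    AUTHENTICATED = "authenticated"  # verified TLS, or no query at all


def tls_context(policy: Policy) -> ssl.SSLContext:
    """TLS client settings each policy calls for (assumed mapping)."""
    if policy is Policy.CLEARTEXT:
        raise ValueError("cleartext policy never negotiates TLS")
    ctx = ssl.create_default_context()      # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if policy is Policy.OPPORTUNISTIC:
        # Any certificate is accepted: this stops passive snooping, but an
        # on-path attacker terminating TLS with its own key is not detected.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-octet header plus one question, no EDNS.
    Flags are 0 (RD=0): a recursive resolver does not ask an
    authoritative server for recursion."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tls(msg: bytes) -> bytes:
    """RFC 7858 reuses the DNS-over-TCP two-octet length prefix."""
    return struct.pack("!H", len(msg)) + msg


def response_matches(query: bytes, response: bytes) -> bool:
    """Sanity check before trusting a reply: same transaction ID, QR set."""
    return (len(response) >= 4
            and response[:2] == query[:2]
            and response[2] & 0x80 != 0)


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full DNS message")
        buf += chunk
    return buf


def query_authoritative(policy: Policy, server_ip: str, server_name: str,
                        qname: str, timeout: float = 3.0) -> Tuple[str, bytes]:
    """Send one query under `policy`; return (transport used, raw reply)."""
    msg = build_query(qname)
    if policy is not Policy.CLEARTEXT:
        try:
            ctx = tls_context(policy)
            with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                    tls.sendall(frame_for_tls(msg))
                    (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                    reply = _recv_exact(tls, length)
            if not response_matches(msg, reply):
                raise ConnectionError("reply does not match query")
            return ("tls-authenticated" if policy is Policy.AUTHENTICATED
                    else "tls-unauthenticated"), reply
        except OSError as exc:               # ssl.SSLError is an OSError too
            if policy is Policy.AUTHENTICATED:
                raise RuntimeError(f"authenticated TLS to {server_name} failed") from exc
            # Opportunistic mode falls back to cleartext. Downgrade risk:
            # an active attacker who blocks port 853 gets the query in clear.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(msg, (server_ip, 53))
        reply, _ = udp.recvfrom(4096)
    return "cleartext", reply


if __name__ == "__main__":
    import sys
    # usage: python adot_policy.py <policy> <server-ip> <server-name> <qname>
    pol, ip, name, q = sys.argv[1:5]
    transport, raw = query_authoritative(Policy(pol), ip, name, q)
    print(transport, len(raw), "octets")
```

The opportunistic branch is where the two operator positions from the
abstract diverge: it raises the bar against passive snooping at no
availability cost, but the silent fallback means an on-path attacker who
blocks port 853, or who answers it with an untrusted certificate, still
sees or controls the exchange; the authenticated branch fails closed
instead.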
This document describes two use cases for recursive resolvers:
opportunistic encryption (described in Section 1.1) and
fully-authenticated encryption (described in Section 1.2). The encryption