Technical Summary
This document sets out steps that DNS servers (recursive resolvers
and authoritative servers) can take unilaterally (without any
coordination with other peers) to defend DNS query privacy against a
passive network monitor. Because the encryption is opportunistic, the
steps in this document can be defeated by an active attacker (for
example, one that forces a fallback to cleartext), but they should be
simpler and less risky to deploy than more powerful defenses.
The goal of this document is to simplify and speed up deployment of
opportunistic encrypted transport on the recursive-to-authoritative
hop of the DNS ecosystem. Wider, easier deployment of the underlying
transport on an opportunistic basis may facilitate the future
specification of stronger cryptographic protections against more
powerful attackers.
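The unilateral behaviour summarised above can be illustrated with a small simulation. The following Python is an added example, not code from the document or from any implementation it lists: a resolver probes each authoritative address once for an encrypted transport, uses it when the probe succeeds, otherwise falls back to cleartext and does not re-probe until a damping window has passed. The port number 853 is the standard DNS-over-TLS port; the damping window, the address 192.0.2.1 and the fake network are constructed for the example and are not values taken from the document. The third scenario in the usage function shows the caveat from the summary: an active attacker that blocks the encrypted port forces the resolver onto cleartext.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this example (not taken from the document).
DOT_PORT = 853               # standard DNS-over-TLS port (RFC 7858)
DO53_PORT = 53               # cleartext DNS
PROBE_RETRY_SECONDS = 3600.0  # assumed damping window after a failed probe


@dataclass
class ProbeState:
    """Per-authoritative-address memory of the last probe result."""
    encrypted_ok: Optional[bool] = None  # None: never probed
    last_probe: float = 0.0


class OpportunisticResolver:
    """Unilateral probing: no coordination with the authoritative side,
    no certificate authentication, cleartext fallback on any failure."""

    def __init__(self, transport, clock=time.monotonic):
        self.transport = transport  # try_tls(ip), send_tls(ip, q), send_cleartext(ip, q)
        self.clock = clock
        self.state = {}

    def _should_probe(self, st: ProbeState, now: float) -> bool:
        if st.encrypted_ok is None:
            return True  # first contact with this address
        # Damping: after a failed probe, wait before trying the encrypted port again.
        return (not st.encrypted_ok) and (now - st.last_probe >= PROBE_RETRY_SECONDS)

    def query(self, ip: str, question: str):
        st = self.state.setdefault(ip, ProbeState())
        now = self.clock()
        if self._should_probe(st, now):
            st.encrypted_ok = self.transport.try_tls(ip)
            st.last_probe = now
        if st.encrypted_ok:
            try:
                return "tls", self.transport.send_tls(ip, question)
            except ConnectionError:
                # Encrypted path broke after a good probe: remember and fall back.
                st.encrypted_ok = False
                st.last_probe = now
        return "cleartext", self.transport.send_cleartext(ip, question)


class FakeAuthoritative:
    """Constructed stand-in for the network. 'supports_tls' models the server;
    'port_853_blocked' models an active attacker dropping the encrypted port."""

    def __init__(self, supports_tls: bool, port_853_blocked: bool = False):
        self.supports_tls = supports_tls
        self.port_853_blocked = port_853_blocked
        self.tls_probes = 0  # how many times the resolver tried port 853

    def try_tls(self, ip: str) -> bool:
        self.tls_probes += 1
        return self.supports_tls and not self.port_853_blocked

    def send_tls(self, ip: str, q: str) -> str:
        if self.port_853_blocked:
            raise ConnectionError("port %d unreachable" % DOT_PORT)
        return "tls-answer(%s)" % q

    def send_cleartext(self, ip: str, q: str) -> str:
        return "cleartext-answer(%s)" % q


def run_scenario(supports_tls: bool, blocked: bool = False,
                 queries: int = 3, step: float = 1.0):
    """Send several queries to one constructed authoritative address and report
    which transport each query used plus how many probes were sent."""
    clock = [0.0]
    net = FakeAuthoritative(supports_tls, blocked)
    resolver = OpportunisticResolver(net, clock=lambda: clock[0])
    used = []
    for i in range(queries):
        transport, _answer = resolver.query("192.0.2.1", "q%d" % i)
        used.append(transport)
        clock[0] += step
    return used, net.tls_probes


if __name__ == "__main__":
    print("server supports TLS:      ", run_scenario(True))
    print("server is cleartext-only: ", run_scenario(False))
    print("active attacker blocks 853:", run_scenario(True, blocked=True))
    print("damping window expired:   ",
          run_scenario(False, step=PROBE_RETRY_SECONDS))
```

The cleartext-only and blocked-port scenarios are indistinguishable to the resolver, which is exactly why the summary says these steps only defend against a passive monitor. The damping window is the operational knob behind the Working Group's measurement concern: shorter windows mean more probes against servers that will never answer on port 853.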
Working Group Summary
As this document defines new probing behaviour between recursive resolvers and
authoritative servers, there was some controversy around the potential impact on
certain types of DNS servers (e.g., distributed authoritative servers). Because of
those concerns, the document describes a set of measurements to be collected once
it is published as an RFC. Those measurements will allow the WG to determine the
overall operational impact of this type of probing on DNS services supporting this
specification.
Document Quality
This document contains a list of current implementations per RFC 7942.
It has also been reviewed by the DNS and OPS directorates, leading to several changes.
Personnel
The Document Shepherd for this document is Brian Haberman. The
Responsible Area Director is Éric Vyncke.