Recursive to Authoritative DNS with Opportunistic Encryption
draft-pp-recursive-authoritative-opportunistic-04
Document type: Active Internet-Draft (individual)
Author: Paul Hoffman
Last updated: 2021-01-13
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: I-D Exists
Responsible AD: (None)
Send notices to: (None)
Network Working Group P. Hoffman
Internet-Draft ICANN
Intended status: Standards Track 13 January 2021
Expires: 17 July 2021
Recursive to Authoritative DNS with Opportunistic Encryption
draft-pp-recursive-authoritative-opportunistic-04
Abstract
This document describes a use case and a method for a DNS recursive
resolver to use opportunistic encryption (that is, encryption with
optional authentication) when communicating with authoritative
servers. The motivating use case for this method is that more
encryption on the Internet is better, and opportunistic encryption is
better than no encryption at all. The method here is optional for
both the recursive resolver and the authoritative server. Nothing in
this method prevents use cases and methods that can use, or require,
authenticated encryption.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 17 July 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Hoffman Expires 17 July 2021 [Page 1]
Internet-Draft Opportunistic Recursive to Authoritative January 2021
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Use Case . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Summary of Protocol . . . . . . . . . . . . . . . . . . . 3
1.3. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2. Method for Opportunistic Encryption . . . . . . . . . . . . . 4
2.1. Resolvers . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Authoritative Servers . . . . . . . . . . . . . . . . . . 5
3. Discovering Whether an Authoritative Server Uses Encryption . . 5
4. The Transport Cache . . . . . . . . . . . . . . . . . . . . . 6
5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
A recursive resolver using traditional DNS over port 53 may wish
instead to use encrypted communication with authoritative servers in
order to prevent passive snooping of its DNS traffic. The recursive
resolver can use opportunistic encryption (defined in [RFC7435]) to
achieve this goal.
This document describes a use case and a method for recursive
resolvers to use opportunistic encryption. The use case is described
in Section 1.1. The method uses DNS-over-TLS [RFC7858] (DoT) with
authoritative servers in an efficient manner; it is called "ADoT", as
described in [I-D.ietf-dnsop-rfc8499bis]. (( A later version of this
document will probably also describe the use of DNS-over-QUIC
[I-D.ietf-dprive-dnsoquic] (DoQ). ))
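The behaviour summarized above (try DoT to the authoritative server, accept the encrypted channel without requiring certificate authentication, and fall back to plain port 53 when TLS is unavailable) is easier to see in code. The sketch below is an added example written for this page; it is not part of the draft, which defines no code. It assumes ADoT runs on TCP port 853, that an opportunistic resolver sets no certificate verification (RFC 7435 style), and it keeps a small per-server dictionary remembering which transport worked so later queries skip a known-failing TLS attempt. That dictionary is my simplification standing in for whatever the draft's transport cache (Section 4, not shown on this page) actually specifies. The function names (`build_query`, `send_dot`, `send_do53`, `opportunistic_query`) and the transport-injection parameters are mine.

```python
import socket
import ssl
import struct

DOT_PORT = 853   # DNS over TLS (RFC 7858)
DO53_PORT = 53   # traditional cleartext DNS


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal wire-format DNS query: one question, RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_header(msg: bytes) -> dict:
    """Return the fields of the 12-byte DNS header that a caller usually checks."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "answers": ancount}


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket, or raise on early close."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before full DNS message")
        buf += chunk
    return buf


def send_dot(server: str, query: bytes, timeout: float = 2.0) -> bytes:
    """Opportunistic DoT: TLS on port 853 with NO certificate authentication.

    This is the RFC 7435 'opportunistic' mode: it defeats passive snooping but
    not an active attacker, which is exactly the trade-off the draft describes.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            # DNS over TCP/TLS prefixes each message with a 2-byte length.
            tls.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return recv_exact(tls, length)


def send_do53(server: str, query: bytes, timeout: float = 2.0) -> bytes:
    """Fallback: classic cleartext DNS over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DO53_PORT))
        return s.recv(4096)


def opportunistic_query(server: str, qname: str, cache: dict,
                        dot=send_dot, do53=send_do53):
    """Query one authoritative server, preferring DoT, falling back to Do53.

    `cache` maps server address -> "dot" or "do53" (my stand-in for the draft's
    transport cache). `dot`/`do53` are injectable so the logic can be exercised
    offline with stub transports.
    """
    query = build_query(qname)
    if cache.get(server) != "do53":          # only skip TLS if it already failed
        try:
            reply = dot(server, query)
            cache[server] = "dot"
            return "dot", reply
        except OSError:                       # ssl.SSLError is a subclass of OSError
            cache[server] = "do53"
    return "do53", do53(server, query)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation-range placeholder, not a real server.
    transport, reply = opportunistic_query("192.0.2.1", "example.com", {})
    print(transport, parse_header(reply))
```

Running the script for real needs network access to an authoritative server; the offline behaviour (fallback on a refused TLS connection, and the cached decision skipping TLS on the next query) is what the design is meant to make cheap, since a resolver that retried TLS on every query to a Do53-only server would pay a connection timeout each time.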
Because opportunistic encryption means encryption with optional
authentication, a resolver using the mechanism described here could
achieve authenticated encryption with some authoritative servers,
depending on how authentication for ADoT is defined. To date, there
has been no definition of how a resolver can take advantage of DNS
features that require authentication of authoritative servers. If
those advantages are defined in the future, this document would need