DNS over Datagram Transport Layer Security (DTLS)
RFC 8094

Document Type RFC - Experimental (February 2017; No errata)
Last updated 2017-02-28
Replaces draft-wing-dprive-dnsodtls
Stream IETF
Stream WG state Submitted to IESG for Publication Jul 2015
Document shepherd Tim Wicinski
Shepherd write-up last changed 2016-09-08
IESG IESG state RFC 8094 (Experimental)
Consensus Boilerplate Yes
Responsible AD Terry Manderson
IESG note This DTLS solution was considered by the DPRIVE working group as a potential option to use in case that the TLS based approach specified in RFC7858 is shown to have detrimental deployment issues. At the time of writing, it was expected that RFC7858 will be deployed, and so this specification is primarily intended as a backup and has therefore been designated as experimental. This solution should not be deployed in the wild while in this experimental state as an RFC, however experimentation is encouraged.
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                          T. Reddy
Request for Comments: 8094                                         Cisco
Category: Experimental                                           D. Wing
ISSN: 2070-1721
                                                                P. Patil
                                                                   Cisco
                                                           February 2017

           DNS over Datagram Transport Layer Security (DTLS)

Abstract

   DNS queries and responses are visible to network elements on the path
   between the DNS client and its server.  These queries and responses
   can contain privacy-sensitive information, which is valuable to
   protect.

   This document proposes the use of Datagram Transport Layer Security
   (DTLS) for DNS, to protect against passive listeners and certain
   active attacks.  As latency is critical for DNS, this proposal also
   discusses mechanisms to reduce DTLS round trips and reduce the DTLS
   handshake size.  The proposed mechanism runs over port 853.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

   This document defines an Experimental Protocol for the Internet
   community.  This document is a product of the Internet Engineering
   Task Force (IETF).  It represents the consensus of the IETF
   community.  It has received public review and has been approved for
   publication by the Internet Engineering Steering Group (IESG).  Not
   all documents approved by the IESG are a candidate for any level of
   Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8094.

Reddy, et al.                 Experimental                      [Page 1]
RFC 8094                      DNS over DTLS                February 2017

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Relationship to TCP Queries and to DNSSEC ..................3
      1.2. Document Status ............................................4
   2. Terminology .....................................................4
   3. Establishing and Managing DNS over DTLS Sessions ................5
      3.1. Session Initiation .........................................5
      3.2. DTLS Handshake and Authentication ..........................5
      3.3. Established Sessions .......................................6
   4. Performance Considerations ......................................7
   5. Path MTU (PMTU) Issues ..........................................7
   6. Anycast .........................................................8
   7. Usage ...........................................................9
   8. IANA Considerations .............................................9
   9. Security Considerations .........................................9
   10. References ....................................................10
      10.1. Normative References .....................................10
      10.2. Informative References ...................................11
   Acknowledgements ..................................................13
   Authors' Addresses ................................................13


1.  Introduction

   The Domain Name System is specified in [RFC1034] and [RFC1035].  DNS
   queries and responses are normally exchanged unencrypted; thus, they
   are vulnerable to eavesdropping.  Such eavesdropping can result in an
   undesired entity learning the domains that a host wishes to access,
   resulting in privacy leakage.  The DNS privacy problem is further
   discussed in [RFC7626].
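   The eavesdropping risk described above, shown in code as an added
   example that is not part of RFC 8094 and not code from its authors.
   The plaintext query is built here in the RFC 1035 wire format; the
   "DTLS" packet is a constructed stand-in (a DTLS 1.2 record header over
   dummy bytes standing in for ciphertext), not output of a real DTLS
   stack.  The point it makes: a passive listener parses the QNAME straight
   out of an unencrypted UDP payload, while from a DTLS record on port 853
   it recovers only the record header.

```python
"""Added example: what a passive on-path observer recovers from a UDP payload
carrying plaintext DNS versus DNS over DTLS.  Not code from RFC 8094."""
import struct

# DTLS record-layer constants (DTLS 1.0 = 0xfeff, DTLS 1.2 = 0xfefd).
DTLS_VERSIONS = {b"\xfe\xff", b"\xfe\xfd"}
DTLS_CONTENT_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, app data


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_fake_dtls_record(ciphertext: bytes, epoch: int = 1, seq: int = 7) -> bytes:
    """Constructed DTLS 1.2 application_data record: content type, version,
    epoch, 48-bit sequence number, length, then an opaque payload.  The
    payload is whatever bytes the caller passes; no encryption happens here."""
    return (b"\x17\xfe\xfd" + struct.pack("!H", epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(ciphertext)) + ciphertext)


def is_dtls_record(payload: bytes) -> bool:
    """Heuristic record-layer check; in practice the listener also has the
    destination port (853 for DNS over DTLS, 53 for plaintext DNS)."""
    return (len(payload) >= 13 and payload[0] in DTLS_CONTENT_TYPES
            and payload[1:3] in DTLS_VERSIONS)


def _read_name(payload: bytes, offset: int, depth: int = 0):
    """Decode a DNS name at offset; returns (name, offset just past the name).
    Follows RFC 1035 section 4.1.4 compression pointers, with a loop guard."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = _read_name(payload, pointer, depth + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def observe(payload: bytes) -> dict:
    """What a passive listener can extract from one UDP payload."""
    if is_dtls_record(payload):
        # Only the record header is visible; the DNS message is ciphertext.
        return {"protocol": "dtls", "content_type": payload[0], "questions": []}
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = _read_name(payload, offset)
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append({"qname": qname, "qtype": qtype, "qclass": qclass})
    return {"protocol": "dns", "id": txid,
            "is_response": bool(flags & 0x8000), "questions": questions}


if __name__ == "__main__":
    plaintext = build_query("www.example.com")            # constructed query
    print(observe(plaintext))                              # QNAME is exposed
    print(observe(build_fake_dtls_record(b"\xaa" * 40)))   # only the header
```

   The compression-pointer branch is there because a listener that parses
   responses as well as queries will meet pointers in every answer section;
   a query-only parser could omit it.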

   This document defines DNS over DTLS, which provides confidential DNS