draft-bortzmeyer-dprive-rfc7626-bis-00.txt | draft-bortzmeyer-dprive-rfc7626-bis-01.txt | |||
---|---|---|---|---|
dprive S. Bortzmeyer | dprive S. Bortzmeyer | |||
Internet-Draft AFNIC | Internet-Draft AFNIC | |||
Obsoletes: 7626 (if approved) S. Dickinson | Obsoletes: 7626 (if approved) S. Dickinson | |||
Intended status: Informational Sinodun IT | Intended status: Informational Sinodun IT | |||
Expires: January 3, 2019 July 2, 2018 | Expires: January 17, 2019 July 16, 2018 | |||
DNS Privacy Considerations | DNS Privacy Considerations | |||
draft-bortzmeyer-dprive-rfc7626-bis-00 | draft-bortzmeyer-dprive-rfc7626-bis-01 | |||
Abstract | Abstract | |||
This document describes the privacy issues associated with the use of | This document describes the privacy issues associated with the use of | |||
the DNS by Internet users. It is intended to be an analysis of the | the DNS by Internet users. It is intended to be an analysis of the | |||
present situation and does not prescribe solutions. | present situation and does not prescribe solutions. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on January 3, 2019. | This Internet-Draft will expire on January 17, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
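Review bot: Two boilerplate links regress from https to http in -01. The Internet-Drafts list is now http://datatracker.ietf.org/drafts/current/ and the Legal Provisions link is now http://trustee.ietf.org/license-info, where -00 had https for both. Apart from the dates and the draft name, nothing else in the Status and Copyright text changed, so this does not read as an intended edit. Regenerate the draft so both links stay https.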
skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
2.5.3. Rogue Servers . . . . . . . . . . . . . . . . . . . . 13 | 2.5.3. Rogue Servers . . . . . . . . . . . . . . . . . . . . 13 | |||
2.5.4. Authentication of servers . . . . . . . . . . . . . . 13 | 2.5.4. Authentication of servers . . . . . . . . . . . . . . 13 | |||
2.5.5. Blocking of services . . . . . . . . . . . . . . . . 14 | 2.5.5. Blocking of services . . . . . . . . . . . . . . . . 14 | |||
2.6. Re-identification and Other Inferences . . . . . . . . . 14 | 2.6. Re-identification and Other Inferences . . . . . . . . . 14 | |||
2.7. More Information . . . . . . . . . . . . . . . . . . . . 15 | 2.7. More Information . . . . . . . . . . . . . . . . . . . . 15 | |||
3. Actual "Attacks" . . . . . . . . . . . . . . . . . . . . . . 15 | 3. Actual "Attacks" . . . . . . . . . . . . . . . . . . . . . . 15 | |||
4. Legalities . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 4. Legalities . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
7. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 7. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 17 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . 17 | 8.2. Informative References . . . . . . . . . . . . . . . . . 17 | |||
8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
1. Introduction | 1. Introduction | |||
This document is an analysis of the DNS privacy issues, in the spirit | This document is an analysis of the DNS privacy issues, in the spirit | |||
of Section 8 of [RFC6973]. | of Section 8 of [RFC6973]. | |||
The Domain Name System is specified in [RFC1034], [RFC1035], and many | The Domain Name System is specified in [RFC1034], [RFC1035], and many | |||
later RFCs, which have never been consolidated. It is one of the | later RFCs, which have never been consolidated. It is one of the | |||
most important infrastructure components of the Internet and often | most important infrastructure components of the Internet and often | |||
ignored or misunderstood by Internet users (and even by many | ignored or misunderstood by Internet users (and even by many | |||
professionals). Almost every activity on the Internet starts with a | professionals). Almost every activity on the Internet starts with a | |||
DNS query (and often several). Its use has many privacy implications | DNS query (and often several). Its use has many privacy implications | |||
and this is an attempt at a comprehensive and accurate list. | and this is an attempt at a comprehensive and accurate list. | |||
Let us begin with a simplified reminder of how the DNS works. (See | Let us begin with a simplified reminder of how the DNS works. (See | |||
also [I-D.ietf-dnsop-terminology-bis].) A client, the stub resolver, | also [I-D.ietf-dnsop-terminology-bis]) A client, the stub resolver, | |||
issues a DNS query to a server, called the recursive resolver (also | issues a DNS query to a server, called the recursive resolver (also | |||
called caching resolver or full resolver or recursive name server). | called caching resolver or full resolver or recursive name server). | |||
Let's use the query "What are the AAAA records for www.example.com?" | Let's use the query "What are the AAAA records for www.example.com?" | |||
as an example. AAAA is the QTYPE (Query Type), and www.example.com | as an example. AAAA is the QTYPE (Query Type), and www.example.com | |||
is the QNAME (Query Name). (The description that follows assumes a | is the QNAME (Query Name). (The description that follows assumes a | |||
cold cache, for instance, because the server just started.) The | cold cache, for instance, because the server just started.) The | |||
recursive resolver will first query the root name servers. In most | recursive resolver will first query the root name servers. In most | |||
cases, the root name servers will send a referral. In this example, | cases, the root name servers will send a referral. In this example, | |||
the referral will be to the .com name servers. The resolver repeats | the referral will be to the .com name servers. The resolver repeats | |||
the query to one of the .com name servers. The .com name servers, in | the query to one of the .com name servers. The .com name servers, in | |||
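Review bot: The parenthetical sentence in the Introduction loses its closing period in -01. "(See also [I-D.ietf-dnsop-terminology-bis])" is a complete sentence, and -00 ended it with ".)" before "A client, the stub resolver,". Restore the period inside the closing parenthesis.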
skipping to change at page 14, line 11 ¶ | skipping to change at page 14, line 11 ¶ | |||
Both Strict mode for DNS-over-TLS and DoH require authentication of | Both Strict mode for DNS-over-TLS and DoH require authentication of | |||
the server and therefore as long as the authentication credentials | the server and therefore as long as the authentication credentials | |||
are obtained over a secure channel then using either of these | are obtained over a secure channel then using either of these | |||
transports defeats the attack of re-directing traffic to rogue | transports defeats the attack of re-directing traffic to rogue | |||
servers. Of course attacks on these secure channels are also | servers. Of course attacks on these secure channels are also | |||
possible, but out of the scope of this document. | possible, but out of the scope of this document. | |||
2.5.5. Blocking of services | 2.5.5. Blocking of services | |||
User privacy can also be at risk if there is blocking (by local | User privacy can also be at risk if there is blocking (by local | |||
network operators or more genearl mechanisms) of access to recursive | network operators or more general mechanisms) of access to recursive | |||
servers that offer encrypted transports. For example active blocking | servers that offer encrypted transports. For example active blocking | |||
of port 853 for DNS-over-TLS or of specific IP addresses (e.g. | of port 853 for DNS-over-TLS or of specific IP addresses (e.g. | |||
1.1.1.1) could restrict the resolvers available to the client. | 1.1.1.1) could restrict the resolvers available to the client. | |||
Similarly attacks on such services e.g. DDoS could force users to | Similarly attacks on such services e.g. DDoS could force users to | |||
switch to other services that do not offer encrypted transports for | switch to other services that do not offer encrypted transports for | |||
DNS. | DNS. | |||
2.6. Re-identification and Other Inferences | 2.6. Re-identification and Other Inferences | |||
An observer has access not only to the data he/she directly collects | An observer has access not only to the data he/she directly collects | |||
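Review bot: Style point on Section 2.5.5, which is being touched here for the "genearl" typo: the two following sentences still lack the punctuation that sets off their examples. Suggest "For example, active blocking of port 853 ..." and "Similarly, attacks on such services (e.g., DDoS) could force users to switch ...", so that "e.g. DDoS" is no longer run into the clause.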
skipping to change at page 16, line 13 ¶ | skipping to change at page 16, line 13 ¶ | |||
[sidn-entrada]. | [sidn-entrada]. | |||
5. Security Considerations | 5. Security Considerations | |||
This document is entirely about security, more precisely privacy. It | This document is entirely about security, more precisely privacy. It | |||
just lays out the problem; it does not try to set requirements (with | just lays out the problem; it does not try to set requirements (with | |||
the choices and compromises they imply), much less define solutions. | the choices and compromises they imply), much less define solutions. | |||
Possible solutions to the issues described here are discussed in | Possible solutions to the issues described here are discussed in | |||
other documents (currently too many to all be mentioned); see, for | other documents (currently too many to all be mentioned); see, for | |||
instance, 'Recommendations for DNS Privacy Operators' | instance, 'Recommendations for DNS Privacy Operators' | |||
[I-D.dickinson-bcp-op]. | [I-D.dickinson-dprive-bcp-op]. | |||
6. Acknowledgments | 6. Acknowledgments | |||
Thanks to Nathalie Boulvard and to the CENTR members for the original | Thanks to Nathalie Boulvard and to the CENTR members for the original | |||
work that led to this document. Thanks to Ondrej Sury for the | work that led to this document. Thanks to Ondrej Sury for the | |||
interesting discussions. Thanks to Mohsen Souissi and John Heidemann | interesting discussions. Thanks to Mohsen Souissi and John Heidemann | |||
for proofreading and to Paul Hoffman, Matthijs Mekking, Marcos Sanz, | for proofreading and to Paul Hoffman, Matthijs Mekking, Marcos Sanz, | |||
Tim Wicinski, Francis Dupont, Allison Mankin, and Warren Kumari for | Tim Wicinski, Francis Dupont, Allison Mankin, and Warren Kumari for | |||
proofreading, providing technical remarks, and making many | proofreading, providing technical remarks, and making many | |||
readability improvements. Thanks to Dan York, Suzanne Woolf, Tony | readability improvements. Thanks to Dan York, Suzanne Woolf, Tony | |||
Finch, Stephen Farrell, Peter Koch, Simon Josefsson, and Frank Denis | Finch, Stephen Farrell, Peter Koch, Simon Josefsson, and Frank Denis | |||
for good written contributions. And thanks to the IESG members for | for good written contributions. And thanks to the IESG members for | |||
the last remarks. | the last remarks. | |||
7. Changelog | 7. Changelog | |||
draft-borztmeyer-dprive-RFC7626-bis-00: | draft-bortzmeyer-dprive-rfc7626-bis-01 | |||
o Initial commit. Differences to RFC7626: | o Update reference for dickinson-bcp-op to draft-dickinson-dprive- | |||
bcp-op | ||||
* Update many references | draft-borztmeyer-dprive-rfc7626-bis-00: | |||
* Add discussions of encrypted transports including DNS-over-TLS | Initial commit. Differences to RFC7626: | |||
and DoH | ||||
* Add section on DNS payload | o Update many references | |||
* Add section on authentication of servers | o Add discussions of encrypted transports including DNS-over-TLS and | |||
DoH | ||||
* Add section on blocking of services | o Add section on DNS payload | |||
o Add section on authentication of servers | ||||
o Add section on blocking of services | ||||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
<https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
[RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | |||
November 1987, <https://www.rfc-editor.org/info/rfc1035>. | November 1987, <https://www.rfc-editor.org/info/rfc1035>. | |||
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., | [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., | |||
Morris, J., Hansen, M., and R. Smith, "Privacy | Morris, J., Hansen, M., and R. Smith, "Privacy | |||
Considerations for Internet Protocols", RFC 6973, | Considerations for Internet Protocols", RFC 6973, | |||
DOI 10.17487/RFC6973, July 2013, | DOI 10.17487/RFC6973, July 2013, <https://www.rfc- | |||
<https://www.rfc-editor.org/info/rfc6973>. | editor.org/info/rfc6973>. | |||
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an | [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an | |||
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May | Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May | |||
2014, <https://www.rfc-editor.org/info/rfc7258>. | 2014, <https://www.rfc-editor.org/info/rfc7258>. | |||
8.2. Informative References | 8.2. Informative References | |||
[aeris-dns] | [aeris-dns] | |||
Vinot, N., "Vie privee: et le DNS alors?", (In French), | Vinot, N., "Vie privee: et le DNS alors?", (In French), | |||
2015, | 2015, <https://blog.imirhil.fr/vie-privee-et-le-dns- | |||
<https://blog.imirhil.fr/vie-privee-et-le-dns-alors.html>. | alors.html>. | |||
[castillo-garcia] | [castillo-garcia] | |||
Castillo-Perez, S. and J. Garcia-Alfaro, "Anonymous | Castillo-Perez, S. and J. Garcia-Alfaro, "Anonymous | |||
Resolution of DNS Queries", 2008, | Resolution of DNS Queries", 2008, | |||
<http://deic.uab.es/~joaquin/papers/is08.pdf>. | <http://deic.uab.es/~joaquin/papers/is08.pdf>. | |||
[dagon-malware] | [dagon-malware] | |||
Dagon, D., "Corrupted DNS Resolution Paths: The Rise of a | Dagon, D., "Corrupted DNS Resolution Paths: The Rise of a | |||
Malicious Resolution Authority", ISC/OARC Workshop, 2007, | Malicious Resolution Authority", ISC/OARC Workshop, 2007, | |||
<https://www.dns-oarc.net/files/workshop-2007/ | <https://www.dns-oarc.net/files/workshop-2007/Dagon- | |||
Dagon-Resolution-corruption.pdf>. | Resolution-corruption.pdf>. | |||
[darkreading-dns] | [darkreading-dns] | |||
Lemos, R., "Got Malware? Three Signs Revealed In DNS | Lemos, R., "Got Malware? Three Signs Revealed In DNS | |||
Traffic", InformationWeek Dark Reading, May 2013, | Traffic", InformationWeek Dark Reading, May 2013, | |||
<http://www.darkreading.com/analytics/security-monitoring/ | <http://www.darkreading.com/analytics/security-monitoring/ | |||
got-malware-three-signs-revealed-in-dns-traffic/d/ | got-malware-three-signs-revealed-in-dns-traffic/d/ | |||
d-id/1139680>. | d-id/1139680>. | |||
[data-protection-directive] | [data-protection-directive] | |||
European Parliament, "Directive 95/46/EC of the European | European Parliament, "Directive 95/46/EC of the European | |||
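Review bot: The two Changelog headings are inconsistent, and the older one is still misspelled. The new heading "draft-bortzmeyer-dprive-rfc7626-bis-01" has no trailing colon, while the -00 heading keeps its colon and the transposed name "draft-borztmeyer-". Correct the spelling to "bortzmeyer" and punctuate both headings the same way. The reflow of the -00 items from "*" sub-bullets to "o" bullets also leaves "Initial commit. Differences to RFC7626:" as an unbulleted line, so check that the list nesting renders as intended.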
skipping to change at page 18, line 15 ¶ | skipping to change at page 18, line 24 ¶ | |||
[day-at-root] | [day-at-root] | |||
Castro, S., Wessels, D., Fomenkov, M., and K. Claffy, "A | Castro, S., Wessels, D., Fomenkov, M., and K. Claffy, "A | |||
Day at the Root of the Internet", ACM SIGCOMM Computer | Day at the Root of the Internet", ACM SIGCOMM Computer | |||
Communication Review, Vol. 38, Number 5, | Communication Review, Vol. 38, Number 5, | |||
DOI 10.1145/1452335.1452341, October 2008, | DOI 10.1145/1452335.1452341, October 2008, | |||
<http://www.sigcomm.org/sites/default/files/ccr/ | <http://www.sigcomm.org/sites/default/files/ccr/ | |||
papers/2008/October/1452335-1452341.pdf>. | papers/2008/October/1452335-1452341.pdf>. | |||
[denis-edns-client-subnet] | [denis-edns-client-subnet] | |||
Denis, F., "Security and privacy issues of edns-client- | Denis, F., "Security and privacy issues of edns-client- | |||
subnet", August 2013, | subnet", August 2013, <https://00f.net/2013/08/07/edns- | |||
<https://00f.net/2013/08/07/edns-client-subnet/>. | client-subnet/>. | |||
[ditl] CAIDA, "A Day in the Life of the Internet (DITL)", 2002, | [ditl] CAIDA, "A Day in the Life of the Internet (DITL)", 2002, | |||
<http://www.caida.org/projects/ditl/>. | <http://www.caida.org/projects/ditl/>. | |||
[dns-footprint] | [dns-footprint] | |||
Stoner, E., "DNS Footprint of Malware", OARC Workshop, | Stoner, E., "DNS Footprint of Malware", OARC Workshop, | |||
October 2010, <https://www.dns-oarc.net/files/workshop- | October 2010, <https://www.dns-oarc.net/files/workshop- | |||
201010/OARC-ers-20101012.pdf>. | 201010/OARC-ers-20101012.pdf>. | |||
[dnschanger] | [dnschanger] | |||
skipping to change at page 19, line 18 ¶ | skipping to change at page 19, line 27 ¶ | |||
<http://www.msit2005.mut.ac.th/msit_media/1_2551/nete4630/ | <http://www.msit2005.mut.ac.th/msit_media/1_2551/nete4630/ | |||
materials/20080718130017Hc.pdf>. | materials/20080718130017Hc.pdf>. | |||
[herrmann-reidentification] | [herrmann-reidentification] | |||
Herrmann, D., Gerber, C., Banse, C., and H. Federrath, | Herrmann, D., Gerber, C., Banse, C., and H. Federrath, | |||
"Analyzing Characteristic Host Access Patterns for Re- | "Analyzing Characteristic Host Access Patterns for Re- | |||
Identification of Web User Sessions", | Identification of Web User Sessions", | |||
DOI 10.1007/978-3-642-27937-9_10, 2012, <http://epub.uni- | DOI 10.1007/978-3-642-27937-9_10, 2012, <http://epub.uni- | |||
regensburg.de/21103/1/Paper_PUL_nordsec_published.pdf>. | regensburg.de/21103/1/Paper_PUL_nordsec_published.pdf>. | |||
[I-D.dickinson-bcp-op] | [I-D.dickinson-dprive-bcp-op] | |||
Dickinson, S., Rijswijk-Deij, R., and A. Mankin, | Dickinson, S., Overeinder, B., Rijswijk-Deij, R., and A. | |||
"Recommendations for DNS Privacy Service Operators", | Mankin, "Recommendations for DNS Privacy Service | |||
draft-dickinson-bcp-op-00 (work in progress), March 2018. | Operators", draft-dickinson-dprive-bcp-op-00 (work in | |||
progress), July 2018. | ||||
[I-D.ietf-dnsop-terminology-bis] | [I-D.ietf-dnsop-terminology-bis] | |||
Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
Terminology", draft-ietf-dnsop-terminology-bis-10 (work in | Terminology", draft-ietf-dnsop-terminology-bis-11 (work in | |||
progress), April 2018. | progress), July 2018. | |||
[I-D.ietf-doh-dns-over-https] | [I-D.ietf-doh-dns-over-https] | |||
Hoffman, P. and P. McManus, "DNS Queries over HTTPS | Hoffman, P. and P. McManus, "DNS Queries over HTTPS | |||
(DoH)", draft-ietf-doh-dns-over-https-12 (work in | (DoH)", draft-ietf-doh-dns-over-https-12 (work in | |||
progress), June 2018. | progress), June 2018. | |||
[morecowbell] | [morecowbell] | |||
Grothoff, C., Wachs, M., Ermert, M., and J. Appelbaum, | Grothoff, C., Wachs, M., Ermert, M., and J. Appelbaum, | |||
"NSA's MORECOWBELL: Knell for DNS", GNUnet e.V., January | "NSA's MORECOWBELL: Knell for DNS", GNUnet e.V., January | |||
2015, <https://gnunet.org/morecowbell>. | 2015, <https://gnunet.org/morecowbell>. | |||
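Review bot: The title in the updated [I-D.dickinson-dprive-bcp-op] entry, "Recommendations for DNS Privacy Service Operators", does not match how Section 5 quotes it ('Recommendations for DNS Privacy Operators', without "Service"). The citation tag in Section 5 is already being updated in this revision, so correct the quoted title there as well so that the text and the reference agree.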
skipping to change at page 20, line 30 ¶ | skipping to change at page 20, line 38 ¶ | |||
Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
<https://www.rfc-editor.org/info/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
[RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol | [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol | |||
(AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, | (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, | |||
<https://www.rfc-editor.org/info/rfc5936>. | <https://www.rfc-editor.org/info/rfc5936>. | |||
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and | [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and | |||
P. Roberts, "Issues with IP Address Sharing", RFC 6269, | P. Roberts, "Issues with IP Address Sharing", RFC 6269, | |||
DOI 10.17487/RFC6269, June 2011, | DOI 10.17487/RFC6269, June 2011, <https://www.rfc- | |||
<https://www.rfc-editor.org/info/rfc6269>. | editor.org/info/rfc6269>. | |||
[RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP | [RFC7413] Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP | |||
Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, | Fast Open", RFC 7413, DOI 10.17487/RFC7413, December 2014, | |||
<https://www.rfc-editor.org/info/rfc7413>. | <https://www.rfc-editor.org/info/rfc7413>. | |||
[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, | [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
"Recommendations for Secure Use of Transport Layer | "Recommendations for Secure Use of Transport Layer | |||
Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | |||
2015, <https://www.rfc-editor.org/info/rfc7525>. | 2015, <https://www.rfc-editor.org/info/rfc7525>. | |||
[RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T., | [RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T., | |||
Trammell, B., Huitema, C., and D. Borkmann, | Trammell, B., Huitema, C., and D. Borkmann, | |||
"Confidentiality in the Face of Pervasive Surveillance: A | "Confidentiality in the Face of Pervasive Surveillance: A | |||
Threat Model and Problem Statement", RFC 7624, | Threat Model and Problem Statement", RFC 7624, | |||
DOI 10.17487/RFC7624, August 2015, | DOI 10.17487/RFC7624, August 2015, <https://www.rfc- | |||
<https://www.rfc-editor.org/info/rfc7624>. | editor.org/info/rfc7624>. | |||
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., | |||
and P. Hoffman, "Specification for DNS over Transport | and P. Hoffman, "Specification for DNS over Transport | |||
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May | |||
2016, <https://www.rfc-editor.org/info/rfc7858>. | 2016, <https://www.rfc-editor.org/info/rfc7858>. | |||
[RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W. | [RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W. | |||
Kumari, "Client Subnet in DNS Queries", RFC 7871, | Kumari, "Client Subnet in DNS Queries", RFC 7871, | |||
DOI 10.17487/RFC7871, May 2016, | DOI 10.17487/RFC7871, May 2016, <https://www.rfc- | |||
<https://www.rfc-editor.org/info/rfc7871>. | editor.org/info/rfc7871>. | |||
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) | [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) | |||
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, | Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, | |||
<https://www.rfc-editor.org/info/rfc7873>. | <https://www.rfc-editor.org/info/rfc7873>. | |||
[RFC7929] Wouters, P., "DNS-Based Authentication of Named Entities | [RFC7929] Wouters, P., "DNS-Based Authentication of Named Entities | |||
(DANE) Bindings for OpenPGP", RFC 7929, | (DANE) Bindings for OpenPGP", RFC 7929, | |||
DOI 10.17487/RFC7929, August 2016, | DOI 10.17487/RFC7929, August 2016, <https://www.rfc- | |||
<https://www.rfc-editor.org/info/rfc7929>. | editor.org/info/rfc7929>. | |||
[ripe-atlas-turkey] | [ripe-atlas-turkey] | |||
Aben, E., "A RIPE Atlas View of Internet Meddling in | Aben, E., "A RIPE Atlas View of Internet Meddling in | |||
Turkey", March 2014, | Turkey", March 2014, | |||
<https://labs.ripe.net/Members/emileaben/ | <https://labs.ripe.net/Members/emileaben/a-ripe-atlas- | |||
a-ripe-atlas-view-of-internet-meddling-in-turkey>. | view-of-internet-meddling-in-turkey>. | |||
[sidn-entrada] | [sidn-entrada] | |||
Hesselman, C., Jansen, J., Wullink, M., Vink, K., and M. | Hesselman, C., Jansen, J., Wullink, M., Vink, K., and M. | |||
Simon, "A privacy framework for 'DNS big data' | Simon, "A privacy framework for 'DNS big data' | |||
applications", November 2014, | applications", November 2014, | |||
<https://www.sidnlabs.nl/uploads/tx_sidnpublications/ | <https://www.sidnlabs.nl/uploads/tx_sidnpublications/ | |||
SIDN_Labs_Privacyraamwerk_Position_Paper_V1.4_ENG.pdf>. | SIDN_Labs_Privacyraamwerk_Position_Paper_V1.4_ENG.pdf>. | |||
[thomas-ditl-tcp] | [thomas-ditl-tcp] | |||
Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in | Thomas, M. and D. Wessels, "An Analysis of TCP Traffic in | |||
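Review bot: Several reference URLs in -01 are now wrapped at a hyphen inside the URL, for example "<https://www.rfc-" / "editor.org/info/rfc6269>" and "a-ripe-atlas-" / "view-of-internet-meddling-in-turkey>", where -00 either kept the URL on its own line or broke it after a "/". In the text rendering, a reader cannot tell a line wrap from a hyphen that belongs to the hostname or path, and copying the two lines yields a broken link. Keep each URL unbroken, or break only after a "/", as -00 did. The same wrapping appears in the [RFC6973], [aeris-dns], [dagon-malware] and [denis-edns-client-subnet] entries earlier in the reference list.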
End of changes. 27 change blocks. | ||||
42 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |