draft-ietf-dprive-dns-over-tls-02.txt   draft-ietf-dprive-dns-over-tls-03.txt 
Network Working Group Z. Hu Network Working Group Z. Hu
Internet-Draft L. Zhu Internet-Draft L. Zhu
Intended status: Standards Track J. Heidemann Intended status: Standards Track J. Heidemann
Expires: June 9, 2016 USC/Information Sciences Expires: July 7, 2016 USC/Information Sciences
Institute Institute
A. Mankin A. Mankin
D. Wessels D. Wessels
Verisign Labs Verisign Labs
P. Hoffman P. Hoffman
ICANN ICANN
December 7, 2015 January 4, 2016
DNS over TLS: Initiation and Performance Considerations DNS over TLS: Initiation and Performance Considerations
draft-ietf-dprive-dns-over-tls-02 draft-ietf-dprive-dns-over-tls-03
Abstract Abstract
This document describes the use of TLS to provide privacy for DNS. This document describes the use of TLS to provide privacy for DNS.
Encryption provided by TLS eliminates opportunities for eavesdropping Encryption provided by TLS eliminates opportunities for eavesdropping
and on-path tampering with DNS queries in the network, such as and on-path tampering with DNS queries in the network, such as
discussed in RFC 7258. In addition, this document specifies two discussed in RFC 7258. In addition, this document specifies two
usage profiles for DNS-over-TLS and provides advice on performance usage profiles for DNS-over-TLS and provides advice on performance
considerations to minimize overhead from using TCP and TLS with DNS. considerations to minimize overhead from using TCP and TLS with DNS.
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 9, 2016. This Internet-Draft will expire on July 7, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 7, line 38 skipping to change at page 7, line 38
between DNS clients and servers (e.g., stub-to-recursive in between DNS clients and servers (e.g., stub-to-recursive in
enterprise networks, actively-maintained contractual service enterprise networks, actively-maintained contractual service
relationships, or a client using a public DNS resolver). The result relationships, or a client using a public DNS resolver). The result
of this profile is that the client has strong guarantees about the of this profile is that the client has strong guarantees about the
privacy of its DNS data by connecting only to servers it can privacy of its DNS data by connecting only to servers it can
authenticate. authenticate.
In this profile, clients authenticate servers by matching a set of In this profile, clients authenticate servers by matching a set of
Subject Public Key Info (SPKI) Fingerprints in an analogous manner to Subject Public Key Info (SPKI) Fingerprints in an analogous manner to
that described in [RFC7469]. With this out-of-band key-pinned that described in [RFC7469]. With this out-of-band key-pinned
privacy profile, client administrators MUST deploy a pinset privacy profile, client administrators SHOULD deploy a backup pin
containing two or more pins (specific to the service being pinned) along with the primary pin, for the reasons explained in [RFC7469].
using a secure out-of-band (i.e., non-DNS) mechanism. This minimum A backup pin is especially helpful in the event of a key rollover, so
pinset size is required for key rollover, so that a server operator that a server operator does not have to coordinate key transitions
does not have to coordinate key transitions with all its clients with all its clients simultaneously. After a change of keys on the
simultaneously. After a change of keys on the server, an updated server, an updated pinset SHOULD be distributed to all clients in
pinset should be distributed to all clients in some secure way in some secure way in preparation for future key rollover. The
preparation for future key rollover. The mechanism for out-of-band mechanism for out-of-band pinset update is out of scope for this
pinset update is out of scope for this document. document.
Such a client will only use DNS servers for which an SPKI Fingerprint Such a client will only use DNS servers for which an SPKI Fingerprint
pinset has been provided. The possession of trusted pre-deployed pinset has been provided. The possession of trusted pre-deployed
pinset allows the client to detect and prevent person-in-the-middle pinset allows the client to detect and prevent person-in-the-middle
and downgrade attacks. and downgrade attacks.
However, a configured DNS server may be temporarily unavailable when However, a configured DNS server may be temporarily unavailable when
configuring a network. For example, for clients on networks that configuring a network. For example, for clients on networks that
require authentication through web-based login, such authentication require authentication through web-based login, such authentication
may rely on DNS interception and spoofing. Techniques such as those may rely on DNS interception and spoofing. Techniques such as those
skipping to change at page 13, line 23 skipping to change at page 13, line 23
Daniel Kahn Gillmor Daniel Kahn Gillmor
ACLU ACLU
125 Broad Street, 18th Floor 125 Broad Street, 18th Floor
New York, NY 10004 New York, NY 10004
USA USA
11. Acknowledgments 11. Acknowledgments
The authors would like to thank Stephane Bortzmeyer, John Dickinson, The authors would like to thank Stephane Bortzmeyer, John Dickinson,
Brian Haberman, Shumon Huque, Kim-Minh Kaplan, Simon Joseffson, Simon Brian Haberman, Christian Huitema, Shumon Huque, Kim-Minh Kaplan,
Kelley, Warren Kumari, John Levine, Ilari Liusvaara, Bill Manning, Simon Joseffson, Simon Kelley, Warren Kumari, John Levine, Ilari
George Michaelson, Eric Osterweil, Jinmei Tatuya, Tim Wicinski, and Liusvaara, Bill Manning, George Michaelson, Eric Osterweil, Jinmei
Glen Wiley for reviewing this Internet-draft. They also thank Nikita Tatuya, Tim Wicinski, and Glen Wiley for reviewing this Internet-
Somaiya for early work on this idea. draft. They also thank Nikita Somaiya for early work on this idea.
Work by Zi Hu, Liang Zhu, and John Heidemann on this document is Work by Zi Hu, Liang Zhu, and John Heidemann on this document is
partially sponsored by the U.S. Dept. of Homeland Security (DHS) partially sponsored by the U.S. Dept. of Homeland Security (DHS)
Science and Technology Directorate, HSARPA, Cyber Security Division, Science and Technology Directorate, HSARPA, Cyber Security Division,
BAA 11-01-RIKA and Air Force Research Laboratory, Information BAA 11-01-RIKA and Air Force Research Laboratory, Information
Directorate under agreement number FA8750-12-2-0344, and contract Directorate under agreement number FA8750-12-2-0344, and contract
number D08PC75599. number D08PC75599.
12. References 12. References
 End of changes. 7 change blocks. 
19 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/