| < draft-ietf-dnsop-dns-tcp-requirements-14.txt | draft-ietf-dnsop-dns-tcp-requirements-15.txt > | |||
|---|---|---|---|---|
| Domain Name System Operations J.T. Kristoff | Domain Name System Operations J.T. Kristoff | |||
| Internet-Draft DataPlane.org | Internet-Draft DataPlane.org | |||
| Updates: 1123, 1536 (if approved) D. Wessels | Updates: 1123, 1536 (if approved) D. Wessels | |||
| Intended status: Best Current Practice Verisign | Intended status: Best Current Practice Verisign | |||
| Expires: 10 June 2022 7 December 2021 | Expires: 10 July 2022 6 January 2022 | |||
| DNS Transport over TCP - Operational Requirements | DNS Transport over TCP - Operational Requirements | |||
| draft-ietf-dnsop-dns-tcp-requirements-14 | draft-ietf-dnsop-dns-tcp-requirements-15 | |||
| Abstract | Abstract | |||
| This document updates RFC 1123 and RFC 1536. This document requires | This document updates RFC 1123 and RFC 1536. This document requires | |||
| the operational practice of permitting DNS messages to be carried | the operational practice of permitting DNS messages to be carried | |||
| over TCP on the Internet as a Best Current Practice. This | over TCP on the Internet as a Best Current Practice. This | |||
| operational requirement is aligned with the implementation | operational requirement is aligned with the implementation | |||
| requirements in RFC 7766. The use of TCP includes both DNS over | requirements in RFC 7766. The use of TCP includes both DNS over | |||
| unencrypted TCP, as well as over an encrypted TLS session. The | unencrypted TCP, as well as over an encrypted TLS session. The | |||
| document also considers the consequences of this form of DNS | document also considers the consequences of this form of DNS | |||
| skipping to change at page 1, line 39 | skipping to change at page 1, line 39 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 10 June 2022. | This Internet-Draft will expire on 10 July 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| skipping to change at page 2, line 33 | skipping to change at page 2, line 33 | |||
| 4.2. Connection Management . . . . . . . . . . . . . . . . . . 12 | 4.2. Connection Management . . . . . . . . . . . . . . . . . . 12 | |||
| 4.3. Connection Termination . . . . . . . . . . . . . . . . . 13 | 4.3. Connection Termination . . . . . . . . . . . . . . . . . 13 | |||
| 4.4. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 13 | 4.4. DNS-over-TLS . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.5. Defaults and Recommended Limits . . . . . . . . . . . . . 14 | 4.5. Defaults and Recommended Limits . . . . . . . . . . . . . 14 | |||
| 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 15 | 5. DNS over TCP Filtering Risks . . . . . . . . . . . . . . . . 15 | |||
| 5.1. Truncation, Retries, and Timeouts . . . . . . . . . . . . 15 | 5.1. Truncation, Retries, and Timeouts . . . . . . . . . . . . 15 | |||
| 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 16 | 5.2. DNS Root Zone KSK Rollover . . . . . . . . . . . . . . . 16 | |||
| 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 16 | 6. Logging and Monitoring . . . . . . . . . . . . . . . . . . . 16 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | |||
| 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 | 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 18 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 18 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 19 | 11.2. Informative References . . . . . . . . . . . . . . . . . 19 | |||
| Appendix A. Standards Related to DNS Transport over TCP . . . . 26 | Appendix A. Standards Related to DNS Transport over TCP . . . . 27 | |||
| A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND | A.1. IETF RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND | |||
| SPECIFICATION . . . . . . . . . . . . . . . . . . . . . 26 | SPECIFICATION . . . . . . . . . . . . . . . . . . . . . 27 | |||
| A.2. IETF RFC 1536 - Common DNS Implementation Errors and | A.2. IETF RFC 1536 - Common DNS Implementation Errors and | |||
| Suggested Fixes . . . . . . . . . . . . . . . . . . . . 27 | Suggested Fixes . . . . . . . . . . . . . . . . . . . . 27 | |||
| A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS . . . . 27 | A.3. IETF RFC 1995 - Incremental Zone Transfer in DNS . . . . 27 | |||
| A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone | A.4. IETF RFC 1996 - A Mechanism for Prompt Notification of Zone | |||
| Changes (DNS NOTIFY) . . . . . . . . . . . . . . . . . . 27 | Changes (DNS NOTIFY) . . . . . . . . . . . . . . . . . . 27 | |||
| A.5. IETF RFC 2181 - Clarifications to the DNS | A.5. IETF RFC 2181 - Clarifications to the DNS | |||
| Specification . . . . . . . . . . . . . . . . . . . . . 27 | Specification . . . . . . . . . . . . . . . . . . . . . 27 | |||
| A.6. IETF RFC 2694 - DNS extensions to Network Address | A.6. IETF RFC 2694 - DNS extensions to Network Address | |||
| Translators (DNS_ALG) . . . . . . . . . . . . . . . . . 27 | Translators (DNS_ALG) . . . . . . . . . . . . . . . . . 28 | |||
| A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC . . 27 | A.7. IETF RFC 3225 - Indicating Resolver Support of DNSSEC . . 28 | |||
| A.8. IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver | A.8. IETF RFC 3226 - DNSSEC and IPv6 A6 aware server/resolver | |||
| message size requirements . . . . . . . . . . . . . . . 28 | message size requirements . . . . . . . . . . . . . . . 28 | |||
| A.9. IETF RFC 4472 - Operational Considerations and Issues with | A.9. IETF RFC 4472 - Operational Considerations and Issues with | |||
| IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . . . 28 | IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| A.10. IETF RFC 5452 - Measures for Making DNS More Resilient | A.10. IETF RFC 5452 - Measures for Making DNS More Resilient | |||
| against Forged Answers . . . . . . . . . . . . . . . . . 28 | against Forged Answers . . . . . . . . . . . . . . . . . 28 | |||
| A.11. IETF RFC 5507 - Design Choices When Expanding the DNS . . 28 | A.11. IETF RFC 5507 - Design Choices When Expanding the DNS . . 29 | |||
| A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines . . . 28 | A.12. IETF RFC 5625 - DNS Proxy Implementation Guidelines . . . 29 | |||
| A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) . . . . 29 | A.13. IETF RFC 5936 - DNS Zone Transfer Protocol (AXFR) . . . . 29 | |||
| A.14. IETF RFC 7534 - AS112 Nameserver Operations . . . . . . . 29 | A.14. IETF RFC 7534 - AS112 Nameserver Operations . . . . . . . 29 | |||
| A.15. IETF RFC 6762 - Multicast DNS . . . . . . . . . . . . . . 29 | A.15. IETF RFC 6762 - Multicast DNS . . . . . . . . . . . . . . 29 | |||
| A.16. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) . 29 | A.16. IETF RFC 6891 - Extension Mechanisms for DNS (EDNS(0)) . 29 | |||
| A.17. IETF RFC 6950 - Architectural Considerations on Application | A.17. IETF RFC 6950 - Architectural Considerations on Application | |||
| Features in the DNS . . . . . . . . . . . . . . . . . . 29 | Features in the DNS . . . . . . . . . . . . . . . . . . 30 | |||
| A.18. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 29 | A.18. IETF RFC 7477 - Child-to-Parent Synchronization in DNS . 30 | |||
| A.19. IETF RFC 7720 - DNS Root Name Service Protocol and | A.19. IETF RFC 7720 - DNS Root Name Service Protocol and | |||
| Deployment Requirements . . . . . . . . . . . . . . . . 30 | Deployment Requirements . . . . . . . . . . . . . . . . 30 | |||
| A.20. IETF RFC 7766 - DNS Transport over TCP - Implementation | A.20. IETF RFC 7766 - DNS Transport over TCP - Implementation | |||
| Requirements . . . . . . . . . . . . . . . . . . . . . . 30 | Requirements . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| A.21. IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option . . 30 | A.21. IETF RFC 7828 - The edns-tcp-keepalive EDNS(0) Option . . 30 | |||
| A.22. IETF RFC 7858 - Specification for DNS over Transport Layer | A.22. IETF RFC 7858 - Specification for DNS over Transport Layer | |||
| Security (TLS) . . . . . . . . . . . . . . . . . . . . . 30 | Security (TLS) . . . . . . . . . . . . . . . . . . . . . 31 | |||
| A.23. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 30 | A.23. IETF RFC 7873 - Domain Name System (DNS) Cookies . . . . 31 | |||
| A.24. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 31 | A.24. IETF RFC 7901 - CHAIN Query Requests in DNS . . . . . . . 31 | |||
| A.25. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 31 | A.25. IETF RFC 8027 - DNSSEC Roadblock Avoidance . . . . . . . 31 | |||
| A.26. IETF RFC 8094 - DNS over Datagram Transport Layer Security | A.26. IETF RFC 8094 - DNS over Datagram Transport Layer Security | |||
| (DTLS) . . . . . . . . . . . . . . . . . . . . . . . . . 31 | (DTLS) . . . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| A.27. IETF RFC 8162 - Using Secure DNS to Associate Certificates | A.27. IETF RFC 8162 - Using Secure DNS to Associate Certificates | |||
| with Domain Names for S/MIME . . . . . . . . . . . . . . 31 | with Domain Names for S/MIME . . . . . . . . . . . . . . 32 | |||
| A.28. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, | A.28. IETF RFC 8324 - DNS Privacy, Authorization, Special Uses, | |||
| Encoding, Characters, Matching, and Root Structure: Time for | Encoding, Characters, Matching, and Root Structure: Time for | |||
| Another Look? . . . . . . . . . . . . . . . . . . . . . 31 | Another Look? . . . . . . . . . . . . . . . . . . . . . 32 | |||
| A.29. IETF RFC 8467 - Padding Policies for Extension Mechanisms | A.29. IETF RFC 8467 - Padding Policies for Extension Mechanisms | |||
| for DNS (EDNS(0)) . . . . . . . . . . . . . . . . . . . 32 | for DNS (EDNS(0)) . . . . . . . . . . . . . . . . . . . 32 | |||
| A.30. IETF RFC 8482 - Providing Minimal-Sized Responses to DNS | A.30. IETF RFC 8482 - Providing Minimal-Sized Responses to DNS | |||
| Queries That Have QTYPE=ANY . . . . . . . . . . . . . . 32 | Queries That Have QTYPE=ANY . . . . . . . . . . . . . . 32 | |||
| A.31. IETF RFC 8483 - Yeti DNS Testbed . . . . . . . . . . . . 32 | A.31. IETF RFC 8483 - Yeti DNS Testbed . . . . . . . . . . . . 33 | |||
| A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) . . . . . . 32 | A.32. IETF RFC 8484 - DNS Queries over HTTPS (DoH) . . . . . . 33 | |||
| A.33. IETF RFC 8490 - DNS Stateful Operations . . . . . . . . . 32 | A.33. IETF RFC 8490 - DNS Stateful Operations . . . . . . . . . 33 | |||
| A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service | A.34. IETF RFC 8501 - Reverse DNS in IPv6 for Internet Service | |||
| Providers . . . . . . . . . . . . . . . . . . . . . . . 33 | Providers . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| A.35. IETF RFC 8806 - Running a Root Server Local to a | A.35. IETF RFC 8806 - Running a Root Server Local to a | |||
| Resolver . . . . . . . . . . . . . . . . . . . . . . . . 33 | Resolver . . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| A.36. IETF RFC 8906 - A Common Operational Problem in DNS | A.36. IETF RFC 8906 - A Common Operational Problem in DNS | |||
| Servers: Failure to Communicate . . . . . . . . . . . . 33 | Servers: Failure to Communicate . . . . . . . . . . . . 33 | |||
| A.37. IETF RFC 8932 - Recommendations for DNS Privacy Service | A.37. IETF RFC 8932 - Recommendations for DNS Privacy Service | |||
| Operators . . . . . . . . . . . . . . . . . . . . . . . 33 | Operators . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| A.38. IETF RFC 8945 - Secret Key Transaction Authentication for | A.38. IETF RFC 8945 - Secret Key Transaction Authentication for | |||
| DNS (TSIG) . . . . . . . . . . . . . . . . . . . . . . . 33 | DNS (TSIG) . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 1. Introduction | 1. Introduction | |||
| DNS messages are delivered using UDP or TCP communications. While | DNS messages are delivered using UDP or TCP communications. While | |||
| most DNS transactions are carried over UDP, some operators have been | most DNS transactions are carried over UDP, some operators have been | |||
| led to believe that any DNS over TCP traffic is unwanted or | led to believe that any DNS over TCP traffic is unwanted or | |||
| unnecessary for general DNS operation. When DNS over TCP has been | unnecessary for general DNS operation. When DNS over TCP has been | |||
| restricted, a variety of communication failures and debugging | restricted, a variety of communication failures and debugging | |||
| challenges often arise. As DNS and new naming system features have | challenges often arise. As DNS and new naming system features have | |||
| evolved, TCP as a transport has become increasingly important for the | evolved, TCP as a transport has become increasingly important for the | |||
| skipping to change at page 14, line 5 | skipping to change at page 14, line 5 | |||
| describing how this works. Although DNS-over-TLS utilizes TCP port | describing how this works. Although DNS-over-TLS utilizes TCP port | |||
| 853 instead of port 53, this document applies equally well to DNS- | 853 instead of port 53, this document applies equally well to DNS- | |||
| over-TLS. Note, however, DNS-over-TLS is only defined between stubs | over-TLS. Note, however, DNS-over-TLS is only defined between stubs | |||
| and recursives at the time of this writing. | and recursives at the time of this writing. | |||
| The use of TLS places even stronger operational burdens on DNS | The use of TLS places even stronger operational burdens on DNS | |||
| clients and servers. Cryptographic functions for authentication and | clients and servers. Cryptographic functions for authentication and | |||
| encryption require additional processing. Unoptimized connection | encryption require additional processing. Unoptimized connection | |||
| setup with TLS 1.3 [RFC8446] takes one additional round-trip compared | setup with TLS 1.3 [RFC8446] takes one additional round-trip compared | |||
| to TCP. Connection setup times can be reduced with TCP Fast Open, | to TCP. Connection setup times can be reduced with TCP Fast Open, | |||
| and TLS False Start [RFC7918]. TLS session resumption does not | and TLS False Start [RFC7918] for TLS 1.2. TLS 1.3 session | |||
| reduce round-trip latency because no application profile for use of | resumption does not reduce round-trip latency because no application | |||
| TLS 0-RTT data with DNS has been published at the time of this | profile for use of TLS 0-RTT data with DNS has been published at the | |||
| writing. However, TLS session resumption can reduce the number of | time of this writing. However, TLS session resumption can reduce the | |||
| cryptographic operations. | number of cryptographic operations, and in TLS 1.2, session | |||
| resumption does reduce the number of additional round trips from two | ||||
| to one. | ||||
| 4.5. Defaults and Recommended Limits | 4.5. Defaults and Recommended Limits | |||
| A survey of features and defaults was conducted for popular open | A survey of features and defaults was conducted for popular open | |||
| source DNS server implementations at the time of writing. This | source DNS server implementations at the time of writing. This | |||
| section documents those defaults and makes recommendations for | section documents those defaults and makes recommendations for | |||
| configurable limits that can be used in the absence of any other | configurable limits that can be used in the absence of any other | |||
| information. Any recommended values in this document are only | information. Any recommended values in this document are only | |||
| intended as a starting point for administrators that are unsure what | intended as a starting point for administrators that are unsure what | |||
| sorts of limits might be reasonable. Operators SHOULD use | sorts of limits might be reasonable. Operators SHOULD use | |||
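Review bot: In the revised Section 4.4 sentence "Connection setup times can be reduced with TCP Fast Open, and TLS False Start [RFC7918] for TLS 1.2", the trailing qualifier is ambiguous: as punctuated, "for TLS 1.2" can be read as applying to TCP Fast Open too, while the intent appears to be that only False Start is TLS 1.2 specific (the following sentences treat TLS 1.3 separately). Suggest "with TCP Fast Open and, for TLS 1.2, with TLS False Start [RFC7918]".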
| skipping to change at page 17, line 11 | skipping to change at page 17, line 11 | |||
| As an alternative to packet capture, some DNS server software | As an alternative to packet capture, some DNS server software | |||
| supports dnstap [dnstap] as an integrated monitoring protocol | supports dnstap [dnstap] as an integrated monitoring protocol | |||
| intended to facilitate wide-scale DNS monitoring. | intended to facilitate wide-scale DNS monitoring. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This memo includes no request to IANA. | This memo includes no request to IANA. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| This document, providing operational requirements, is the companion | ||||
| to the implementation requirements of DNS over TCP, provided in | ||||
| [RFC7766]. The security considerations from [RFC7766] still apply. | ||||
| Ironically, returning truncated DNS over UDP answers in order to | Ironically, returning truncated DNS over UDP answers in order to | |||
| induce a client query to switch to DNS over TCP has become a common | induce a client query to switch to DNS over TCP has become a common | |||
| response to source address spoofed, DNS denial-of-service attacks | response to source address spoofed, DNS denial-of-service attacks | |||
| [RRL]. Historically, operators have been wary of TCP-based attacks, | [RRL]. Historically, operators have been wary of TCP-based attacks, | |||
| but in recent years, UDP-based flooding attacks have proven to be the | but in recent years, UDP-based flooding attacks have proven to be the | |||
| most common protocol attack on the DNS. Nevertheless, a high rate of | most common protocol attack on the DNS. Nevertheless, a high rate of | |||
| short-lived DNS transactions over TCP may pose challenges. In fact, | short-lived DNS transactions over TCP may pose challenges. In fact, | |||
| [DAI21] details a class of IP fragmentation attacks on DNS | [DAI21] details a class of IP fragmentation attacks on DNS | |||
| transactions if the IP Identifier field (16 bits in IPv4 and 32 bits | transactions if the IP Identifier field (16 bits in IPv4 and 32 bits | |||
| in IPv6) can be predicted and a system is coerced to fragment rather | in IPv6) can be predicted and a system is coerced to fragment rather | |||
| skipping to change at page 17, line 37 | skipping to change at page 17, line 41 | |||
| series of documents such as [RFC4953], [RFC4987], [RFC5927], and | series of documents such as [RFC4953], [RFC4987], [RFC5927], and | |||
| [RFC5961]. | [RFC5961]. | |||
| As mentioned in Section 6, applications that implement TCP stream | As mentioned in Section 6, applications that implement TCP stream | |||
| reassembly need to limit the amount of memory allocated to connection | reassembly need to limit the amount of memory allocated to connection | |||
| tracking. A failure to do so could lead to a total failure of the | tracking. A failure to do so could lead to a total failure of the | |||
| logging or monitoring application. Imposition of resource limits | logging or monitoring application. Imposition of resource limits | |||
| creates a tradeoff between allowing some stream reassembly to | creates a tradeoff between allowing some stream reassembly to | |||
| continue and allowing some evasion attacks to succeed. | continue and allowing some evasion attacks to succeed. | |||
| This document recommends that DNS Servers enable TFO when possible. | ||||
| [RFC7413] recommends that a pool of servers behind a load balancer | ||||
| with shared server IP address also share the key used to generate | ||||
| Fast Open cookies, to prevent inordinate fallback to the 3WHS. This | ||||
| guidance remains accurate, but comes with a caveat: compromise of one | ||||
| server would reveal this group-shared key, and allow for attacks | ||||
| involving the other servers in the pool by forging invalid Fast Open | ||||
| cookies. | ||||
| 9. Privacy Considerations | 9. Privacy Considerations | |||
| Since DNS over both UDP and TCP uses the same underlying message | Since DNS over both UDP and TCP uses the same underlying message | |||
| format, the use of one transport instead of the other does not change | format, the use of one transport instead of the other does not change | |||
| the privacy characteristics of the message content (i.e., the name | the privacy characteristics of the message content (i.e., the name | |||
| being queried). A number of protocols have recently been developed | being queried). A number of protocols have recently been developed | |||
| to provide DNS privacy, including DNS over TLS [RFC7858], DNS over | to provide DNS privacy, including DNS over TLS [RFC7858], DNS over | |||
| DTLS [RFC8094], DNS over HTTPS [RFC8484], with even more on the way. | DTLS [RFC8094], DNS over HTTPS [RFC8484], with even more on the way. | |||
| Because TCP is somewhat more complex than UDP, some characteristics | Because TCP is somewhat more complex than UDP, some characteristics | |||
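Review bot: The wording "forging invalid Fast Open cookies" in the new TFO paragraph of Section 8 inverts the threat it describes: a party holding the group-shared key can generate cookies that the other servers in the pool accept as valid, which is what enables the attacks on those servers the paragraph warns about. Suggest "by forging Fast Open cookies that the other servers in the pool will accept as valid". The same paragraph uses "TFO" and "3WHS" without expansion; if they are not introduced earlier in the document, expand them on first use here, and lower-case "DNS Servers" to match "DNS clients and servers" in Section 4.4.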
| End of changes. 20 change blocks. | ||||
| 29 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||