| < draft-ietf-dprive-dns-over-tls-02.txt | draft-ietf-dprive-dns-over-tls-03.txt > | |||
|---|---|---|---|---|
| Network Working Group Z. Hu | Network Working Group Z. Hu | |||
| Internet-Draft L. Zhu | Internet-Draft L. Zhu | |||
| Intended status: Standards Track J. Heidemann | Intended status: Standards Track J. Heidemann | |||
| Expires: June 9, 2016 USC/Information Sciences | Expires: July 7, 2016 USC/Information Sciences | |||
| Institute | Institute | |||
| A. Mankin | A. Mankin | |||
| D. Wessels | D. Wessels | |||
| Verisign Labs | Verisign Labs | |||
| P. Hoffman | P. Hoffman | |||
| ICANN | ICANN | |||
| December 7, 2015 | January 4, 2016 | |||
| DNS over TLS: Initiation and Performance Considerations | DNS over TLS: Initiation and Performance Considerations | |||
| draft-ietf-dprive-dns-over-tls-02 | draft-ietf-dprive-dns-over-tls-03 | |||
| Abstract | Abstract | |||
| This document describes the use of TLS to provide privacy for DNS. | This document describes the use of TLS to provide privacy for DNS. | |||
| Encryption provided by TLS eliminates opportunities for eavesdropping | Encryption provided by TLS eliminates opportunities for eavesdropping | |||
| and on-path tampering with DNS queries in the network, such as | and on-path tampering with DNS queries in the network, such as | |||
| discussed in RFC 7258. In addition, this document specifies two | discussed in RFC 7258. In addition, this document specifies two | |||
| usage profiles for DNS-over-TLS and provides advice on performance | usage profiles for DNS-over-TLS and provides advice on performance | |||
| considerations to minimize overhead from using TCP and TLS with DNS. | considerations to minimize overhead from using TCP and TLS with DNS. | |||
| skipping to change at page 1, line 49 ¶ | skipping to change at page 1, line 49 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 9, 2016. | This Internet-Draft will expire on July 7, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 7, line 38 ¶ | skipping to change at page 7, line 38 ¶ | |||
| between DNS clients and servers (e.g., stub-to-recursive in | between DNS clients and servers (e.g., stub-to-recursive in | |||
| enterprise networks, actively-maintained contractual service | enterprise networks, actively-maintained contractual service | |||
| relationships, or a client using a public DNS resolver). The result | relationships, or a client using a public DNS resolver). The result | |||
| of this profile is that the client has strong guarantees about the | of this profile is that the client has strong guarantees about the | |||
| privacy of its DNS data by connecting only to servers it can | privacy of its DNS data by connecting only to servers it can | |||
| authenticate. | authenticate. | |||
| In this profile, clients authenticate servers by matching a set of | In this profile, clients authenticate servers by matching a set of | |||
| Subject Public Key Info (SPKI) Fingerprints in an analogous manner to | Subject Public Key Info (SPKI) Fingerprints in an analogous manner to | |||
| that described in [RFC7469]. With this out-of-band key-pinned | that described in [RFC7469]. With this out-of-band key-pinned | |||
| privacy profile, client administrators MUST deploy a pinset | privacy profile, client administrators SHOULD deploy a backup pin | |||
| containing two or more pins (specific to the service being pinned) | along with the primary pin, for the reasons explained in [RFC7469]. | |||
| using a secure out-of-band (i.e., non-DNS) mechanism. This minimum | A backup pin is especially helpful in the event of a key rollover, so | |||
| pinset size is required for key rollover, so that a server operator | that a server operator does not have to coordinate key transitions | |||
| does not have to coordinate key transitions with all its clients | with all its clients simultaneously. After a change of keys on the | |||
| simultaneously. After a change of keys on the server, an updated | server, an updated pinset SHOULD be distributed to all clients in | |||
| pinset should be distributed to all clients in some secure way in | some secure way in preparation for future key rollover. The | |||
| preparation for future key rollover. The mechanism for out-of-band | mechanism for out-of-band pinset update is out of scope for this | |||
| pinset update is out of scope for this document. | document. | |||
| Such a client will only use DNS servers for which an SPKI Fingerprint | Such a client will only use DNS servers for which an SPKI Fingerprint | |||
| pinset has been provided. The possession of trusted pre-deployed | pinset has been provided. The possession of trusted pre-deployed | |||
| pinset allows the client to detect and prevent person-in-the-middle | pinset allows the client to detect and prevent person-in-the-middle | |||
| and downgrade attacks. | and downgrade attacks. | |||
| However, a configured DNS server may be temporarily unavailable when | However, a configured DNS server may be temporarily unavailable when | |||
| configuring a network. For example, for clients on networks that | configuring a network. For example, for clients on networks that | |||
| require authentication through web-based login, such authentication | require authentication through web-based login, such authentication | |||
| may rely on DNS interception and spoofing. Techniques such as those | may rely on DNS interception and spoofing. Techniques such as those | |||
| skipping to change at page 13, line 23 ¶ | skipping to change at page 13, line 23 ¶ | |||
| Daniel Kahn Gillmor | Daniel Kahn Gillmor | |||
| ACLU | ACLU | |||
| 125 Broad Street, 18th Floor | 125 Broad Street, 18th Floor | |||
| New York, NY 10004 | New York, NY 10004 | |||
| USA | USA | |||
| 11. Acknowledgments | 11. Acknowledgments | |||
| The authors would like to thank Stephane Bortzmeyer, John Dickinson, | The authors would like to thank Stephane Bortzmeyer, John Dickinson, | |||
| Brian Haberman, Shumon Huque, Kim-Minh Kaplan, Simon Joseffson, Simon | Brian Haberman, Christian Huitema, Shumon Huque, Kim-Minh Kaplan, | |||
| Kelley, Warren Kumari, John Levine, Ilari Liusvaara, Bill Manning, | Simon Joseffson, Simon Kelley, Warren Kumari, John Levine, Ilari | |||
| George Michaelson, Eric Osterweil, Jinmei Tatuya, Tim Wicinski, and | Liusvaara, Bill Manning, George Michaelson, Eric Osterweil, Jinmei | |||
| Glen Wiley for reviewing this Internet-draft. They also thank Nikita | Tatuya, Tim Wicinski, and Glen Wiley for reviewing this Internet- | |||
| Somaiya for early work on this idea. | draft. They also thank Nikita Somaiya for early work on this idea. | |||
| Work by Zi Hu, Liang Zhu, and John Heidemann on this document is | Work by Zi Hu, Liang Zhu, and John Heidemann on this document is | |||
| partially sponsored by the U.S. Dept. of Homeland Security (DHS) | partially sponsored by the U.S. Dept. of Homeland Security (DHS) | |||
| Science and Technology Directorate, HSARPA, Cyber Security Division, | Science and Technology Directorate, HSARPA, Cyber Security Division, | |||
| BAA 11-01-RIKA and Air Force Research Laboratory, Information | BAA 11-01-RIKA and Air Force Research Laboratory, Information | |||
| Directorate under agreement number FA8750-12-2-0344, and contract | Directorate under agreement number FA8750-12-2-0344, and contract | |||
| number D08PC75599. | number D08PC75599. | |||
| 12. References | 12. References | |||
| End of changes. 7 change blocks. | ||||
| 19 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||