< draft-ietf-dprive-dns-over-tls-04.txt   draft-ietf-dprive-dns-over-tls-05.txt >
Network Working Group Z. Hu Network Working Group Z. Hu
Internet-Draft L. Zhu Internet-Draft L. Zhu
Intended status: Standards Track J. Heidemann Intended status: Standards Track J. Heidemann
Expires: July 24, 2016 USC/Information Sciences Expires: July 25, 2016 USC/Information Sciences
Institute Institute
A. Mankin A. Mankin
D. Wessels D. Wessels
Verisign Labs Verisign Labs
P. Hoffman P. Hoffman
ICANN ICANN
January 21, 2016 January 22, 2016
DNS over TLS: Initiation and Performance Considerations DNS over TLS: Initiation and Performance Considerations
draft-ietf-dprive-dns-over-tls-04 draft-ietf-dprive-dns-over-tls-05
Abstract Abstract
This document describes the use of TLS to provide privacy for DNS. This document describes the use of TLS to provide privacy for DNS.
Encryption provided by TLS eliminates opportunities for eavesdropping Encryption provided by TLS eliminates opportunities for eavesdropping
and on-path tampering with DNS queries in the network, such as and on-path tampering with DNS queries in the network, such as
discussed in RFC 7258. In addition, this document specifies two discussed in RFC 7258. In addition, this document specifies two
usage profiles for DNS-over-TLS and provides advice on performance usage profiles for DNS-over-TLS and provides advice on performance
considerations to minimize overhead from using TCP and TLS with DNS. considerations to minimize overhead from using TCP and TLS with DNS.
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 24, 2016. This Internet-Draft will expire on July 25, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 26 skipping to change at page 3, line 26
and server. DNS Security Extensions (DNSSEC), [RFC4033] provide and server. DNS Security Extensions (DNSSEC), [RFC4033] provide
_response integrity_ by defining mechanisms to cryptographically sign _response integrity_ by defining mechanisms to cryptographically sign
zones, allowing end-users (or their first-hop resolver) to verify zones, allowing end-users (or their first-hop resolver) to verify
replies are correct. By intention, DNSSEC does not protect request replies are correct. By intention, DNSSEC does not protect request
and response privacy. Traditionally, either privacy was not and response privacy. Traditionally, either privacy was not
considered a requirement for DNS traffic, or it was assumed that considered a requirement for DNS traffic, or it was assumed that
network traffic was sufficiently private, however these perceptions network traffic was sufficiently private, however these perceptions
are evolving due to recent events [RFC7258]. are evolving due to recent events [RFC7258].
Other work that has offered the potential to encrypt between DNS Other work that has offered the potential to encrypt between DNS
clients and servers includes DNSCurve [dempsky-dnscurve], clients and servers includes DNSCurve [dempsky-dnscurve], DNSCrypt
ConfidentialDNS [I-D.confidentialdns] and IPSECA [I-D.ipseca]. In [dnscrypt-website], ConfidentialDNS [I-D.confidentialdns] and IPSECA
addition to the present draft, the DPRIVE working group has recently [I-D.ipseca]. In addition to the present draft, the DPRIVE working
adopted a DNS-over-DTLS [draft-ietf-dprive-dnsodtls] proposal. group has recently adopted a DNS-over-DTLS
[draft-ietf-dprive-dnsodtls] proposal.
This document describes using DNS-over-TLS on a well-known port and This document describes using DNS-over-TLS on a well-known port and
also offers advice on performance considerations to minimize also offers advice on performance considerations to minimize
overheads from using TCP and TLS with DNS. overheads from using TCP and TLS with DNS.
Initiation of DNS-over-TLS is very straightforward. By establishing Initiation of DNS-over-TLS is very straightforward. By establishing
a connection over a well-known port, clients and servers expect and a connection over a well-known port, clients and servers expect and
agree to negotiate a TLS session to secure the channel. Deployment agree to negotiate a TLS session to secure the channel. Deployment
will be gradual. Not all servers will support DNS-over-TLS and the will be gradual. Not all servers will support DNS-over-TLS and the
well-known port might be blocked by some firewalls. Clients will be well-known port might be blocked by some firewalls. Clients will be
skipping to change at page 16, line 46 skipping to change at page 16, line 46
<http://tools.ietf.org/html/draft-dempsky-dnscurve-01>. <http://tools.ietf.org/html/draft-dempsky-dnscurve-01>.
[dgr-dprive-dtls-and-tls-profiles] [dgr-dprive-dtls-and-tls-profiles]
Dickinson, S., Gillmor, D., and T. Reddy, Dickinson, S., Gillmor, D., and T. Reddy,
"Authentication and (D)TLS Profile for DNS-over-TLS and "Authentication and (D)TLS Profile for DNS-over-TLS and
DNS-over-DTLS", draft-dgr-dprive-dtls-and-tls-profiles-00 DNS-over-DTLS", draft-dgr-dprive-dtls-and-tls-profiles-00
(work in progress), December 2015, <https:// (work in progress), December 2015, <https://
tools.ietf.org/html/ tools.ietf.org/html/
draft-dgr-dprive-dtls-and-tls-profiles-00>. draft-dgr-dprive-dtls-and-tls-profiles-00>.
[dnscrypt-website]
Denis, F., "DNSCrypt", December 2015,
<https://www.dnscrypt.org/>.
[dnssec-trigger] [dnssec-trigger]
NLnet Labs, "Dnssec-Trigger", May 2014, NLnet Labs, "Dnssec-Trigger", May 2014,
<https://www.nlnetlabs.nl/projects/dnssec-trigger/>. <https://www.nlnetlabs.nl/projects/dnssec-trigger/>.
[draft-ietf-dprive-dnsodtls] [draft-ietf-dprive-dnsodtls]
Reddy, T., Wing, D., and P. Patil, "DNS over DTLS Reddy, T., Wing, D., and P. Patil, "DNS over DTLS
(DNSoD)", draft-ietf-dprive-dnsodtls-01 (work in (DNSoD)", draft-ietf-dprive-dnsodtls-01 (work in
progress), June 2015, <https://tools.ietf.org/html/ progress), June 2015, <https://tools.ietf.org/html/
draft-ietf-dprive-dnsodtls-01>. draft-ietf-dprive-dnsodtls-01>.
 End of changes. 6 change blocks. 
8 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/