| < draft-ietf-dprive-dnsoquic-00.txt | draft-ietf-dprive-dnsoquic-01.txt > | |||
|---|---|---|---|---|
| Network Working Group C. Huitema | Network Working Group C. Huitema | |||
| Internet-Draft Private Octopus Inc. | Internet-Draft Private Octopus Inc. | |||
| Intended status: Standards Track A. Mankin | Intended status: Standards Track A. Mankin | |||
| Expires: October 29, 2020 Salesforce | Expires: April 23, 2021 Salesforce | |||
| S. Dickinson | S. Dickinson | |||
| Sinodun IT | Sinodun IT | |||
| April 27, 2020 | October 20, 2020 | |||
| Specification of DNS over Dedicated QUIC Connections | Specification of DNS over Dedicated QUIC Connections | |||
| draft-ietf-dprive-dnsoquic-00 | draft-ietf-dprive-dnsoquic-01 | |||
| Abstract | Abstract | |||
| This document describes the use of QUIC to provide transport privacy | This document describes the use of QUIC to provide transport privacy | |||
| for DNS. The encryption provided by QUIC has similar properties to | for DNS. The encryption provided by QUIC has similar properties to | |||
| that provided by TLS, while QUIC transport eliminates the head-of- | that provided by TLS, while QUIC transport eliminates the head-of- | |||
| line blocking issues inherent with TCP and provides more efficient | line blocking issues inherent with TCP and provides more efficient | |||
| error corrections than UDP. DNS over QUIC (DoQ) has privacy | error corrections than UDP. DNS over QUIC (DoQ) has privacy | |||
| properties similar to DNS over TLS (DoT) specified in RFC7858, and | properties similar to DNS over TLS (DoT) specified in RFC7858, and | |||
| latency characteristics similar to classic DNS over UDP. | latency characteristics similar to classic DNS over UDP. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 29, 2020. | This Internet-Draft will expire on April 23, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| skipping to change at page 15, line 10 ¶ | skipping to change at page 15, line 10 ¶ | |||
| However, the server will always be able to link the resumed session | However, the server will always be able to link the resumed session | |||
| to the initial session. This creates a virtual long duration | to the initial session. This creates a virtual long duration | |||
| session. The series of queries in that session can be used by the | session. The series of queries in that session can be used by the | |||
| server to identify the client. | server to identify the client. | |||
| Enabling the server to link client sessions through session resume is | Enabling the server to link client sessions through session resume is | |||
| probably not a large additional risk if the client's connectivity did | probably not a large additional risk if the client's connectivity did | |||
| not change between the sessions, since the two sessions can probably | not change between the sessions, since the two sessions can probably | |||
| be correlated by comparing the IP addresses. On the other hand, if | be correlated by comparing the IP addresses. On the other hand, if | |||
| the addresses did change, the client SHOULD consider whether the | the addresses did change, the client SHOULD consider whether the | |||
| linkability risk exceeds the privacy benefits. This evaluation will | linkability risk exceeds the performance benefits. This evaluation | |||
| obviously depend on the level of trust between stub and recursive. | will obviously depend on the level of trust between stub and | |||
| recursive. | ||||
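Review bot: the -01 wording "linkability risk exceeds the performance benefits" is the right correction of -00's "privacy benefits": session resumption buys the client a cheaper handshake, not privacy, and the sentence now states the actual trade-off a client with a changed address is asked to weigh.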
| 7.3. Traffic Analysis | 7.3. Traffic Analysis | |||
| Even though QUIC packets are encrypted, adversaries can gain | Even though QUIC packets are encrypted, adversaries can gain | |||
| information from observing packet lengths, in both queries and | information from observing packet lengths, in both queries and | |||
| responses, as well as packet timing. Many DNS requests are emitted | responses, as well as packet timing. Many DNS requests are emitted | |||
| by web browsers. Loading a specific web page may require resolving | by web browsers. Loading a specific web page may require resolving | |||
| dozen of DNS names. If an application adopts a simple mapping of one | dozen of DNS names. If an application adopts a simple mapping of one | |||
| query or response per packet, or "one QUIC STREAM frame per packet", | query or response per packet, or "one QUIC STREAM frame per packet", | |||
| then the succession of packet lengths may provide enough information | then the succession of packet lengths may provide enough information | |||
| skipping to change at page 16, line 41 ¶ | skipping to change at page 16, line 43 ¶ | |||
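The length leakage the Traffic Analysis paragraph describes, together with the block-padding mitigation of RFC 8467 that the draft cites, as an added example that is not part of the draft or of any DoQ implementation: three queries of different lengths are built on the wire and then padded with an EDNS(0) Padding option, after which an observer sees one length instead of three. The block sizes are RFC 8467's recommendations; the name list and the 1232-octet UDP buffer size are constructed values.

```python
import struct

# Block sizes recommended by RFC 8467 (cited by the draft): clients pad
# queries to a multiple of 128 octets, servers pad responses to 468.
QUERY_BLOCK = 128
RESPONSE_BLOCK = 468
OPT_PADDING_CODE = 12      # EDNS(0) Padding option code, RFC 7830
OPT_RR_OVERHEAD = 11 + 4   # OPT RR fixed part (11) + option code/length (4)

def encode_name(name: str) -> bytes:
    """Encode a DNS name as wire-format labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    """Unpadded query: 12-byte header, one question, no EDNS yet."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def pad_message(msg: bytes, block: int) -> bytes:
    """Append an OPT RR carrying a Padding option so len(result) % block == 0.
    Assumes msg has no OPT RR yet (true for build_query output)."""
    pad_len = (-(len(msg) + OPT_RR_OVERHEAD)) % block
    opt = (b"\x00"                                          # root name
           + struct.pack("!HHIH", 41, 1232, 0, 4 + pad_len)  # OPT, bufsize,
           #   ext-rcode/version/flags (0), RDLEN
           + struct.pack("!HH", OPT_PADDING_CODE, pad_len)
           + b"\x00" * pad_len)
    # Bump ARCOUNT (last header field) to account for the added OPT RR.
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + opt

def length_profile(names, block=None):
    """Distinct on-the-wire lengths an observer sees for these queries,
    with or without block padding; a one-element result means the
    lengths no longer distinguish the names."""
    msgs = [build_query(n) for n in names]
    if block:
        msgs = [pad_message(m, block) for m in msgs]
    return sorted({len(m) for m in msgs})

if __name__ == "__main__":
    # Constructed sample of names a page load might resolve.
    sample = ["a.example", "www.example.com", "cdn.assets.example.net"]
    print("unpadded lengths:", length_profile(sample))
    print("padded lengths:  ", length_profile(sample, QUERY_BLOCK))
```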
| Thanks to Tony Finch for an extensive review of the initial version | Thanks to Tony Finch for an extensive review of the initial version | |||
| of this draft. | of this draft. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.ietf-dnsop-terminology-ter] | [I-D.ietf-dnsop-terminology-ter] | |||
| Hoffman, P., "Terminology for DNS Transports and | Hoffman, P., "Terminology for DNS Transports and | |||
| Location", draft-ietf-dnsop-terminology-ter-01 (work in | Location", draft-ietf-dnsop-terminology-ter-02 (work in | |||
| progress), February 2020. | progress), August 2020. | |||
| [I-D.ietf-quic-tls] | [I-D.ietf-quic-tls] | |||
| Thomson, M. and S. Turner, "Using TLS to Secure QUIC", | Thomson, M. and S. Turner, "Using TLS to Secure QUIC", | |||
| draft-ietf-quic-tls-27 (work in progress), February 2020. | draft-ietf-quic-tls-31 (work in progress), September 2020. | |||
| [I-D.ietf-quic-transport] | [I-D.ietf-quic-transport] | |||
| Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed | Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed | |||
| and Secure Transport", draft-ietf-quic-transport-27 (work | and Secure Transport", draft-ietf-quic-transport-31 (work | |||
| in progress), February 2020. | in progress), September 2020. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| <https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | |||
| November 1987, <https://www.rfc-editor.org/info/rfc1035>. | November 1987, <https://www.rfc-editor.org/info/rfc1035>. | |||
| [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | |||
| for DNS (EDNS(0))", STD 75, RFC 6891, | for DNS (EDNS(0))", STD 75, RFC 6891, | |||
| DOI 10.17487/RFC6891, April 2013, | DOI 10.17487/RFC6891, April 2013, <https://www.rfc- | |||
| <https://www.rfc-editor.org/info/rfc6891>. | editor.org/info/rfc6891>. | |||
| [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, | [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, | |||
| "Transport Layer Security (TLS) Application-Layer Protocol | "Transport Layer Security (TLS) Application-Layer Protocol | |||
| Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | |||
| July 2014, <https://www.rfc-editor.org/info/rfc7301>. | July 2014, <https://www.rfc-editor.org/info/rfc7301>. | |||
| [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and | [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and | |||
| D. Wessels, "DNS Transport over TCP - Implementation | D. Wessels, "DNS Transport over TCP - Implementation | |||
| Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, | Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, | |||
| <https://www.rfc-editor.org/info/rfc7766>. | <https://www.rfc-editor.org/info/rfc7766>. | |||
| skipping to change at page 17, line 43 ¶ | skipping to change at page 17, line 48 ¶ | |||
| [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) | [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) | |||
| Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, | Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, | |||
| <https://www.rfc-editor.org/info/rfc7873>. | <https://www.rfc-editor.org/info/rfc7873>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles | [RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles | |||
| for DNS over TLS and DNS over DTLS", RFC 8310, | for DNS over TLS and DNS over DTLS", RFC 8310, | |||
| DOI 10.17487/RFC8310, March 2018, | DOI 10.17487/RFC8310, March 2018, <https://www.rfc- | |||
| <https://www.rfc-editor.org/info/rfc8310>. | editor.org/info/rfc8310>. | |||
| [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS | [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS | |||
| (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, | (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, | |||
| <https://www.rfc-editor.org/info/rfc8484>. | <https://www.rfc-editor.org/info/rfc8484>. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [DNS0RTT] Kahn Gillmor, D., "DNS + 0-RTT", Message to DNS-Privacy WG | [DNS0RTT] Kahn Gillmor, D., "DNS + 0-RTT", Message to DNS-Privacy WG | |||
| mailing list, April 2016, <https://www.ietf.org/mail- | mailing list, April 2016, <https://www.ietf.org/mail- | |||
| archive/web/dns-privacy/current/msg01276.html>. | archive/web/dns-privacy/current/msg01276.html>. | |||
| [I-D.ietf-dprive-phase2-requirements] | [I-D.ietf-dprive-phase2-requirements] | |||
| Livingood, J., Mayrhofer, A., and B. Overeinder, "DNS | Livingood, J., Mayrhofer, A., and B. Overeinder, "DNS | |||
| Privacy Requirements for Exchanges between Recursive | Privacy Requirements for Exchanges between Recursive | |||
| Resolvers and Authoritative Servers", draft-ietf-dprive- | Resolvers and Authoritative Servers", draft-ietf-dprive- | |||
| phase2-requirements-00 (work in progress), December 2019. | phase2-requirements-01 (work in progress), June 2020. | |||
| [I-D.ietf-dprive-rfc7626-bis] | [I-D.ietf-dprive-rfc7626-bis] | |||
| Bortzmeyer, S. and S. Dickinson, "DNS Privacy | Wicinski, T., "DNS Privacy Considerations", draft-ietf- | |||
| Considerations", draft-ietf-dprive-rfc7626-bis-04 (work in | dprive-rfc7626-bis-07 (work in progress), October 2020. | |||
| progress), January 2020. | ||||
| [I-D.ietf-dprive-xfr-over-tls] | [I-D.ietf-dprive-xfr-over-tls] | |||
| Zhang, H., Aras, P., Toorop, W., Dickinson, S., and A. | Toorop, W., Dickinson, S., Sahib, S., Aras, P., and A. | |||
| Mankin, "DNS Zone Transfer-over-TLS", draft-ietf-dprive- | Mankin, "DNS Zone Transfer-over-TLS", draft-ietf-dprive- | |||
| xfr-over-tls-00 (work in progress), November 2019. | xfr-over-tls-02 (work in progress), July 2020. | |||
| [I-D.ietf-quic-http] | [I-D.ietf-quic-http] | |||
| Bishop, M., "Hypertext Transfer Protocol Version 3 | Bishop, M., "Hypertext Transfer Protocol Version 3 | |||
| (HTTP/3)", draft-ietf-quic-http-27 (work in progress), | (HTTP/3)", draft-ietf-quic-http-31 (work in progress), | |||
| February 2020. | September 2020. | |||
| [I-D.ietf-quic-recovery] | [I-D.ietf-quic-recovery] | |||
| Iyengar, J. and I. Swett, "QUIC Loss Detection and | Iyengar, J. and I. Swett, "QUIC Loss Detection and | |||
| Congestion Control", draft-ietf-quic-recovery-27 (work in | Congestion Control", draft-ietf-quic-recovery-31 (work in | |||
| progress), March 2020. | progress), September 2020. | |||
| [RFC1885] Conta, A. and S. Deering, "Internet Control Message | [RFC1885] Conta, A. and S. Deering, "Internet Control Message | |||
| Protocol (ICMPv6) for the Internet Protocol Version 6 | Protocol (ICMPv6) for the Internet Protocol Version 6 | |||
| (IPv6)", RFC 1885, DOI 10.17487/RFC1885, December 1995, | (IPv6)", RFC 1885, DOI 10.17487/RFC1885, December 1995, | |||
| <https://www.rfc-editor.org/info/rfc1885>. | <https://www.rfc-editor.org/info/rfc1885>. | |||
| [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol | [RFC5936] Lewis, E. and A. Hoenes, Ed., "DNS Zone Transfer Protocol | |||
| (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, | (AXFR)", RFC 5936, DOI 10.17487/RFC5936, June 2010, | |||
| <https://www.rfc-editor.org/info/rfc5936>. | <https://www.rfc-editor.org/info/rfc5936>. | |||
| [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, | [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, | |||
| DOI 10.17487/RFC7626, August 2015, | DOI 10.17487/RFC7626, August 2015, <https://www.rfc- | |||
| <https://www.rfc-editor.org/info/rfc7626>. | editor.org/info/rfc7626>. | |||
| [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The | [RFC7828] Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The | |||
| edns-tcp-keepalive EDNS0 Option", RFC 7828, | edns-tcp-keepalive EDNS0 Option", RFC 7828, | |||
| DOI 10.17487/RFC7828, April 2016, | DOI 10.17487/RFC7828, April 2016, <https://www.rfc- | |||
| <https://www.rfc-editor.org/info/rfc7828>. | editor.org/info/rfc7828>. | |||
| [RFC7830] Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830, | [RFC7830] Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830, | |||
| DOI 10.17487/RFC7830, May 2016, | DOI 10.17487/RFC7830, May 2016, <https://www.rfc- | |||
| <https://www.rfc-editor.org/info/rfc7830>. | editor.org/info/rfc7830>. | |||
| [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram | [RFC8094] Reddy, T., Wing, D., and P. Patil, "DNS over Datagram | |||
| Transport Layer Security (DTLS)", RFC 8094, | Transport Layer Security (DTLS)", RFC 8094, | |||
| DOI 10.17487/RFC8094, February 2017, | DOI 10.17487/RFC8094, February 2017, <https://www.rfc- | |||
| <https://www.rfc-editor.org/info/rfc8094>. | editor.org/info/rfc8094>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8467] Mayrhofer, A., "Padding Policies for Extension Mechanisms | [RFC8467] Mayrhofer, A., "Padding Policies for Extension Mechanisms | |||
| for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467, | for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467, | |||
| October 2018, <https://www.rfc-editor.org/info/rfc8467>. | October 2018, <https://www.rfc-editor.org/info/rfc8467>. | |||
| [RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., | [RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., | |||
| End of changes. 22 change blocks. | ||||
| 35 lines changed or deleted | 35 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||