idnits 2.17.1 

draft-ietf-dprive-bcp-op-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document date (October 31, 2019) is 1637 days in the past.  Is this
     intentional?


  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1' on line 1366

  -- Looks like a reference, but probably isn't: '2' on line 1368

  -- Looks like a reference, but probably isn't: '3' on line 1371

  -- Looks like a reference, but probably isn't: '4' on line 1373

  -- Looks like a reference, but probably isn't: '5' on line 1375

  -- Looks like a reference, but probably isn't: '6' on line 1377

  -- Looks like a reference, but probably isn't: '7' on line 1379

  -- Looks like a reference, but probably isn't: '8' on line 1381

  -- Looks like a reference, but probably isn't: '9' on line 1383

  -- Looks like a reference, but probably isn't: '10' on line 1386

  -- Looks like a reference, but probably isn't: '11' on line 1388

  -- Looks like a reference, but probably isn't: '12' on line 1390

  -- Looks like a reference, but probably isn't: '13' on line 1393

  -- Looks like a reference, but probably isn't: '14' on line 1395

  -- Looks like a reference, but probably isn't: '15' on line 1397

  -- Looks like a reference, but probably isn't: '16' on line 1545

  -- Looks like a reference, but probably isn't: '17' on line 1551

  -- Looks like a reference, but probably isn't: '18' on line 1561

  -- Looks like a reference, but probably isn't: '19' on line 1574

  -- Looks like a reference, but probably isn't: '20' on line 1591

  -- Looks like a reference, but probably isn't: '21' on line 1592

  -- Looks like a reference, but probably isn't: '22' on line 1595

  -- Looks like a reference, but probably isn't: '23' on line 1607

  -- Looks like a reference, but probably isn't: '24' on line 1622

  -- Looks like a reference, but probably isn't: '25' on line 1622

  -- Looks like a reference, but probably isn't: '26' on line 1626

  -- Looks like a reference, but probably isn't: '27' on line 1628

  -- Looks like a reference, but probably isn't: '28' on line 1635

  ** Downref: Normative reference to an Informational RFC: RFC 6973

  ** Obsolete normative reference: RFC 7525 (Obsoleted by RFC 9325)

  ** Obsolete normative reference: RFC 7816 (Obsoleted by RFC 9156)

  ** Downref: Normative reference to an Informational RFC: RFC 7871

  ** Downref: Normative reference to an Informational RFC: RFC 8404

  ** Downref: Normative reference to an Experimental RFC: RFC 8467

  == Outdated reference: A later version (-15) exists of
     draft-ietf-dnsop-dns-tcp-requirements-04

  == Outdated reference: A later version (-15) exists of
     draft-ietf-httpbis-bcp56bis-08

  -- Obsolete informational reference (is this intentional?): RFC 5077
     (Obsoleted by RFC 8446)

  -- Obsolete informational reference (is this intentional?): RFC 7706
     (Obsoleted by RFC 8806)

  -- Obsolete informational reference (is this intentional?): RFC 8499
     (Obsoleted by RFC 9499)


     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 32 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	dprive                                                      S. Dickinson
3	Internet-Draft                                                Sinodun IT
4	Intended status: Best Current Practice                     B. Overeinder
5	Expires: May 3, 2020                                R. van Rijswijk-Deij
6	                                                              NLnet Labs
7	                                                               A. Mankin
8	                                                              Salesforce
9	                                                        October 31, 2019

11	           Recommendations for DNS Privacy Service Operators
12	                      draft-ietf-dprive-bcp-op-05

14	Abstract

16	   This document presents operational, policy and security
17	   considerations for DNS recursive resolver operators who choose to
18	   offer DNS Privacy services.  With these recommendations, the operator
19	   can make deliberate decisions regarding which services to provide,
20	   and how the decisions and alternatives impact the privacy of users.

22	   This document also presents a framework to assist writers of a DNS
23	   Recursive Operator Privacy Statement (analogous to DNS Security
24	   Extensions (DNSSEC) Policies and DNSSEC Practice Statements described
25	   in RFC6841).

27	Status of This Memo

29	   This Internet-Draft is submitted in full conformance with the
30	   provisions of BCP 78 and BCP 79.

32	   Internet-Drafts are working documents of the Internet Engineering
33	   Task Force (IETF).  Note that other groups may also distribute
34	   working documents as Internet-Drafts.  The list of current Internet-
35	   Drafts is at http://datatracker.ietf.org/drafts/current/.

37	   Internet-Drafts are draft documents valid for a maximum of six months
38	   and may be updated, replaced, or obsoleted by other documents at any
39	   time.  It is inappropriate to use Internet-Drafts as reference
40	   material or to cite them other than as "work in progress."

42	   This Internet-Draft will expire on May 3, 2020.

44	Copyright Notice

46	   Copyright (c) 2019 IETF Trust and the persons identified as the
47	   document authors.  All rights reserved.

49	   This document is subject to BCP 78 and the IETF Trust's Legal
50	   Provisions Relating to IETF Documents
51	   (http://trustee.ietf.org/license-info) in effect on the date of
52	   publication of this document.  Please review these documents
53	   carefully, as they describe your rights and restrictions with respect
54	   to this document.  Code Components extracted from this document must
55	   include Simplified BSD License text as described in Section 4.e of
56	   the Trust Legal Provisions and are provided without warranty as
57	   described in the Simplified BSD License.

59	Table of Contents

61	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
62	   2.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
63	   3.  Privacy related documents . . . . . . . . . . . . . . . . . .   5
64	   4.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   6
65	   5.  Recommendations for DNS privacy services  . . . . . . . . . .   6
66	     5.1.  On the wire between client and server . . . . . . . . . .   7
67	       5.1.1.  Transport recommendations . . . . . . . . . . . . . .   7
68	       5.1.2.  Authentication of DNS privacy services  . . . . . . .   8
69	       5.1.3.  Protocol recommendations  . . . . . . . . . . . . . .   9
70	       5.1.4.  DNSSEC  . . . . . . . . . . . . . . . . . . . . . . .  11
71	       5.1.5.  Availability  . . . . . . . . . . . . . . . . . . . .  11
72	       5.1.6.  Service options . . . . . . . . . . . . . . . . . . .  12
73	       5.1.7.  Impact on DNS Privacy Service Operators . . . . . . .  12
74	       5.1.8.  Limitations of using a pure TLS proxy . . . . . . . .  13
75	     5.2.  Data at rest on the server  . . . . . . . . . . . . . . .  13
76	       5.2.1.  Data handling . . . . . . . . . . . . . . . . . . . .  13
77	       5.2.2.  Data minimization of network traffic  . . . . . . . .  14
78	       5.2.3.  IP address pseudonymization and anonymization methods  15
79	       5.2.4.  Pseudonymization, anonymization or discarding of
80	               other correlation data  . . . . . . . . . . . . . . .  17
81	       5.2.5.  Cache snooping  . . . . . . . . . . . . . . . . . . .  17
82	     5.3.  Data sent onwards from the server . . . . . . . . . . . .  18
83	       5.3.1.  Protocol recommendations  . . . . . . . . . . . . . .  18
84	       5.3.2.  Client query obfuscation  . . . . . . . . . . . . . .  19
85	       5.3.3.  Data sharing  . . . . . . . . . . . . . . . . . . . .  19
86	   6.  DNS Recursive Operator Privacy (DROP) statement . . . . . . .  20
87	     6.1.  Recommended contents of a DROP statement  . . . . . . . .  20
88	       6.1.1.  Policy  . . . . . . . . . . . . . . . . . . . . . . .  20
89	       6.1.2.  Practice  . . . . . . . . . . . . . . . . . . . . . .  21
90	     6.2.  Current policy and privacy statements . . . . . . . . . .  22
91	     6.3.  Enforcement/accountability  . . . . . . . . . . . . . . .  23
92	   7.  IANA considerations . . . . . . . . . . . . . . . . . . . . .  23
93	   8.  Security considerations . . . . . . . . . . . . . . . . . . .  23
94	   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  23
95	   10. Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  24
96	   11. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . .  24
97	   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  26
98	     12.1.  Normative References . . . . . . . . . . . . . . . . . .  26
99	     12.2.  Informative References . . . . . . . . . . . . . . . . .  28
100	     12.3.  URIs . . . . . . . . . . . . . . . . . . . . . . . . . .  29
101	   Appendix A.  Documents  . . . . . . . . . . . . . . . . . . . . .  31
102	     A.1.  Potential increases in DNS privacy  . . . . . . . . . . .  31
103	     A.2.  Potential decreases in DNS privacy  . . . . . . . . . . .  31
104	     A.3.  Related operational documents . . . . . . . . . . . . . .  32
105	   Appendix B.  IP address techniques  . . . . . . . . . . . . . . .  32
106	     B.1.  Google Analytics non-prefix filtering . . . . . . . . . .  33
107	     B.2.  dnswasher . . . . . . . . . . . . . . . . . . . . . . . .  33
108	     B.3.  Prefix-preserving map . . . . . . . . . . . . . . . . . .  34
109	     B.4.  Cryptographic Prefix-Preserving Pseudonymisation  . . . .  34
110	     B.5.  Top-hash Subtree-replicated Anonymisation . . . . . . . .  34
111	     B.6.  ipcipher  . . . . . . . . . . . . . . . . . . . . . . . .  35
112	     B.7.  Bloom filters . . . . . . . . . . . . . . . . . . . . . .  35
113	   Appendix C.  Example DROP statement . . . . . . . . . . . . . . .  35
114	     C.1.  Policy  . . . . . . . . . . . . . . . . . . . . . . . . .  36
115	     C.2.  Practice  . . . . . . . . . . . . . . . . . . . . . . . .  38
116	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  40

118	1.  Introduction

120	   The Domain Name System (DNS) is at the core of the Internet; almost
121	   every activity on the Internet starts with a DNS query (and often
122	   several).  However the DNS was not originally designed with strong
123	   security or privacy mechanisms.  A number of developments have taken
124	   place in recent years which aim to increase the privacy of the DNS
125	   system and these are now seeing some deployment.  This latest
126	   evolution of the DNS presents new challenges to operators and this
127	   document attempts to provide an overview of considerations for
128	   privacy focused DNS services.

130	   In recent years there has also been an increase in the availability
131	   of "public resolvers" [RFC8499] which users may prefer to use instead
132	   of the default network resolver because they offer a specific feature
133	   (e.g. good reachability, encrypted transport, strong privacy policy,
134	   filtering (or lack of), etc.).  These open resolvers have tended to
135	   be at the forefront of adoption of privacy related enhancements but
136	   it is anticipated that operators of other resolver services will
137	   follow.

139	   Whilst protocols that encrypt DNS messages on the wire provide
140	   protection against certain attacks, the resolver operator still has
141	   (in principle) full visibility of the query data and transport
142	   identifiers for each user.  Therefore, a trust relationship exists.
143	   The ability of the operator to provide a transparent, well
144	   documented, and secure privacy service will likely serve as a major
145	   differentiating factor for privacy conscious users if they make an
146	   active selection of which resolver to use.

148	   It should also be noted that the choice of a user to configure a
149	   single resolver (or a fixed set of resolvers) and an encrypted
150	   transport to use in all network environments has both advantages and
151	   disadvantages.  For example the user has a clear expectation of which
152	   resolvers have visibility of their query data however this resolver/
153	   transport selection may provide an added mechanism to track them as
154	   they move across network environments.  Commitments from operators to
155	   minimize such tracking are also likely to play a role in user
156	   selection of resolvers.

158	   More recently the global legislative landscape with regard to
159	   personal data collection, retention, and pseudonymization has seen
160	   significant activity.  It is an untested area that simply using a DNS
161	   resolution service constitutes consent from the user for the operator
162	   to process their query data.  The impact of recent legislative
163	   changes on data pertaining to the users of both Internet Service
164	   Providers and public DNS resolvers is not fully understood at the
165	   time of writing.

167	   This document has two main goals:

169	   o  To provide operational and policy guidance related to DNS over
170	      encrypted transports and to outline recommendations for data
171	      handling for operators of DNS privacy services.

173	   o  To introduce the DNS Recursive Operator Privacy (DROP) statement
174	      and present a framework to assist writers of this document.  A
175	      DROP statement is a document that an operator can publish
176	      outlining their operational practices and commitments with regard
177	      to privacy thereby providing a means for clients to evaluate the
178	      privacy properties of a given DNS privacy service.  In particular,
179	      the framework identifies the elements that should be considered in
180	      formulating a DROP statement.  This document does not, however,
181	      define a particular Privacy statement, nor does it seek to provide
182	      legal advice or recommendations as to the contents.

184	   A desired operational impact is that all operators (both those
185	   providing resolvers within networks and those operating large anycast
186	   services) can demonstrate their commitment to user privacy thereby
187	   driving all DNS resolution services to a more equitable footing.
188	   Choices for users would (in this ideal world) be driven by other
189	   factors e.g. differing security policies or minor difference in
190	   operator policy rather than gross disparities in privacy concerns.

192	   Community insight [or judgment?] about operational practices can
193	   change quickly, and experience shows that a Best Current Practice
194	   (BCP) document about privacy and security is a point-in-time
195	   statement.  Readers are advised to seek out any errata or updates
196	   that apply to this document.

198	2.  Scope

200	   "DNS Privacy Considerations" [I-D.bortzmeyer-dprive-rfc7626-bis]
201	   describes the general privacy issues and threats associated with the
202	   use of the DNS by Internet users and much of the threat analysis here
203	   is lifted from that document and from [RFC6973].  However this
204	   document is limited in scope to best practice considerations for the
205	   provision of DNS privacy services by servers (recursive resolvers) to
206	   clients (stub resolvers or forwarders).  Privacy considerations
207	   specifically from the perspective of an end user, or those for
208	   operators of authoritative nameservers are out of scope.

210	   This document includes (but is not limited to) considerations in the
211	   following areas (taken from [I-D.bortzmeyer-dprive-rfc7626-bis]):

213	   1.  Data "on the wire" between a client and a server

215	   2.  Data "at rest" on a server (e.g. in logs)

217	   3.  Data "sent onwards" from the server (either on the wire or shared
218	       with a third party)

220	   Whilst the issues raised here are targeted at those operators who
221	   choose to offer a DNS privacy service, considerations for areas 2 and
222	   3 could equally apply to operators who only offer DNS over
223	   unencrypted transports but who would like to align with privacy best
224	   practice.

226	3.  Privacy related documents

228	   There are various documents that describe protocol changes that have
229	   the potential to either increase or decrease the privacy of the DNS.
230	   Note this does not imply that some documents are good or bad, better
231	   or worse, just that (for example) some features may bring functional
232	   benefits at the price of a reduction in privacy and conversely some
233	   features increase privacy with an accompanying increase in
234	   complexity.  A selection of the most relevant documents are listed in
235	   Appendix A for reference.

237	4.  Terminology

239	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
240	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
241	   "OPTIONAL" in this document are to be interpreted as described in BCP
242	   14 [RFC2119] and [RFC8174] when, and only when, they appear in all
243	   capitals, as shown here.

245	   DNS terminology is as described in [RFC8499] with one modification:
246	   we restate the clause in the original definition of Privacy-enabling
247	   DNS server in [RFC8310] to include the requirement that a DNS over
248	   (D)TLS server should also offer at least one of the credentials
249	   described in Section 8 and implement the (D)TLS profile described in
250	   Section 9 of [RFC8310].

252	   Other Terms:

254	   o  DROP: DNS Recursive Operator Privacy statement, see Section 6.

256	   o  DNS privacy service: The service that is offered via a privacy-
257	      enabling DNS server and is documented either in an informal
258	      statement of policy and practice with regard to users privacy or a
259	      formal DROP statement.

261	5.  Recommendations for DNS privacy services

263	   We describe two classes of threats:

265	   o  'Privacy Considerations for Internet Protocols' [RFC6973] Threats

267	      *  Privacy terminology, threats to privacy and mitigations as
268	         described in Sections 3, 5 and 6 of [RFC6973].

270	   o  DNS Privacy Threats

272	      *  These are threats to the users and operators of DNS privacy
273	         services that are not directly covered by [RFC6973].  These may
274	         be more operational in nature such as certificate management or
275	         service availability issues.

277	   We describe three classes of actions that operators of DNS privacy
278	   services can take:

280	   o  Threat mitigation for well understood and documented privacy
281	      threats to the users of the service and in some cases to the
282	      operators of the service.

284	   o  Optimization of privacy services from an operational or management
285	      perspective

287	   o  Additional options that could further enhance the privacy and
288	      usability of the service

290	   This document does not specify policy only best practice, however for
291	   DNS Privacy services to be considered compliant with these best
292	   practice guidelines they SHOULD implement (where appropriate) all:

294	   o  Threat mitigations to be minimally compliant

296	   o  Optimizations to be moderately compliant

298	   o  Additional options to be maximally compliant

300	5.1.  On the wire between client and server

302	   In this section we consider both data on the wire and the service
303	   provided to the client.

305	5.1.1.  Transport recommendations

307	   [RFC6973] Threats:

309	   o  Surveillance:

311	      *  Passive surveillance of traffic on the wire
312	         [I-D.bortzmeyer-dprive-rfc7626-bis] Section 2.4.2.

314	   DNS Privacy Threats:

316	   o  Active injection of spurious data or traffic

318	   Mitigations:

320	   A DNS privacy service can mitigate these threats by providing service
321	   over one or more of the following transports

323	   o  DNS-over-TLS [RFC7858] and [RFC8310]

325	   o  DoH [RFC8484]

327	   It is noted that a DNS privacy service can also be provided over DNS-
328	   over-DTLS [RFC8094], however this is an Experimental specification
329	   and there are no known implementations at the time of writing.

331	   It is also noted that DNS privacy service might be provided over
332	   IPSec, DNSCrypt or VPNs.  However, use of these transports for DNS
333	   are not standardized and any discussion of best practice for
334	   providing such a service is out of scope for this document.

336	   Whilst encryption of DNS traffic can protect against active injection
337	   this does not diminish the need for DNSSEC, see Section 5.1.4.

339	5.1.2.  Authentication of DNS privacy services

341	   [RFC6973] Threats:

343	   o  Surveillance:

345	      *  Active attacks that can redirect traffic to rogue servers
346	         [I-D.bortzmeyer-dprive-rfc7626-bis] Section 2.5.3.

348	   Mitigations:

350	   DNS privacy services should ensure clients can authenticate the
351	   server.  Note that this, in effect, commits the DNS privacy service
352	   to a public identity users will trust.

354	   When using DNS-over-TLS clients that select a 'Strict Privacy' usage
355	   profile [RFC8310] (to mitigate the threat of active attack on the
356	   client) require the ability to authenticate the DNS server.  To
357	   enable this, DNS privacy services that offer DNS-over-TLS should
358	   provide credentials in the form of either X.509 certificates
359	   [RFC5280] or SPKI pin sets [RFC8310].

361	   When offering DoH [RFC8484], HTTPS requires authentication of the
362	   server as part of the protocol.

364	5.1.2.1.  Certificate management

366	   Anecdotal evidence to date highlights the management of certificates
367	   as one of the more challenging aspects for operators of traditional
368	   DNS resolvers that choose to additionally provide a DNS privacy
369	   service as management of such credentials is new to those DNS
370	   operators.

372	   It is noted that SPKI pin set management is described in [RFC7858]
373	   but that key pinning mechanisms in general have fallen out of favor
374	   operationally for various reasons such as the logistical overhead of
375	   rolling keys.

377	   DNS Privacy Threats:

379	   o  Invalid certificates, resulting in an unavailable service.

381	   o  Mis-identification of a server by a client e.g. typos in URLs or
382	      authentication domain names

384	   Mitigations:

386	   It is recommended that operators:

388	   o  Follow the guidance in Section 6.5 of [RFC7525] with regards to
389	      certificate revocation

391	   o  Choose a short, memorable authentication name for the service

393	   o  Automate the generation, publication and renewal of certificates.
394	      For example, ACME [RFC8555] provides a mechanism to actively
395	      manage certificates through automation and has been implemented by
396	      a number of certificate authorities.

398	   o  Monitor certificates to prevent accidental expiration of
399	      certificates

401	5.1.3.  Protocol recommendations

403	5.1.3.1.  DNS-over-TLS

405	   DNS Privacy Threats:

407	   o  Known attacks on TLS such as those described in [RFC7457]

409	   o  Traffic analysis, for example: [Pitfalls-of-DNS-Encryption]

411	   o  Potential for client tracking via transport identifiers

413	   o  Blocking of well known ports (e.g. 853 for DNS-over-TLS)

415	   Mitigations:

417	   In the case of DNS-over-TLS, TLS profiles from Section 9 and the
418	   Countermeasures to DNS Traffic Analysis from section 11.1 of
419	   [RFC8310] provide strong mitigations.  This includes but is not
420	   limited to:

422	   o  Adhering to [RFC7525]

424	   o  Implementing only (D)TLS 1.2 or later as specified in [RFC8310]
425	   o  Implementing EDNS(0) Padding [RFC7830] using the guidelines in
426	      [RFC8467] or a successor specification.

428	   o  Servers should not degrade in any way the query service level
429	      provided to clients that do not use any form of session resumption
430	      mechanism, such as TLS session resumption [RFC5077] with TLS 1.2,
431	      section 2.2 of RFC8446, or Domain Name System (DNS) Cookies
432	      [RFC7873].

434	   o  A DNS-over-TLS privacy service on both port 853 and 443.  This
435	      practice may not be possible if e.g. the operator deploys DoH on
436	      the same IP address.

438	   Optimizations:

440	   o  Concurrent processing of pipelined queries, returning responses as
441	      soon as available, potentially out of order as specified in
442	      [RFC7766].  This is often called 'OOOR' - out-of-order responses.
443	      (Providing processing performance similar to HTTP multiplexing)

445	   o  Management of TLS connections to optimize performance for clients
446	      using either

448	      *  [RFC7766] and EDNS(0) Keepalive [RFC7828] and/or

450	      *  DNS Stateful Operations [RFC8490]

452	5.1.3.2.  DoH

454	   DNS Privacy Threats:

456	   o  Known attacks on TLS such as those described in [RFC7457]

458	   o  Traffic analysis, for example: DNS Privacy not so private: the
459	      traffic analysis perspective [1]

461	   o  Potential for client tracking via transport identifiers

463	   Mitigations:

465	   o  Clients must be able to forego the use of HTTP Cookies [RFC6265]
466	      and still use the service

468	   o  Clients should not be required to include any headers beyond the
469	      absolute minimum to obtain service from a DoH server.  (See
470	      Section 6.1 of [I-D.ietf-httpbis-bcp56bis].)

472	5.1.4.  DNSSEC

474	   DNS Privacy Threats:

476	   o  Users may be directed to bogus IP addresses for e.g. websites
477	      where they might reveal personal information to attackers.

479	   Mitigations:

481	   o  All DNS privacy services must offer a DNS privacy service that
482	      performs DNSSEC validation.  In addition they must be able to
483	      provide the DNSSEC RRs to the client so that it can perform its
484	      own validation.

486	   The addition of encryption to DNS does not remove the need for DNSSEC
487	   [RFC4033] - they are independent and fully compatible protocols, each
488	   solving different problems.  The use of one does not diminish the
489	   need nor the usefulness of the other.

491	   While the use of an authenticated and encrypted transport protects
492	   origin authentication and data integrity between a client and a DNS
493	   privacy service it provides no proof (for a non-validating client)
494	   that the data provided by the DNS privacy service was actually DNSSEC
495	   authenticated.  As with cleartext DNS the user is still solely
496	   trusting the AD bit (if present) set by the resolver.

498	   It should also be noted that the use of an encrypted transport for
499	   DNS actually solves many of the practical issues encountered by DNS
500	   validating clients e.g.  interference by middleboxes with cleartext
501	   DNS payloads is completely avoided.  In this sense a validating
502	   client that uses a DNS privacy service which supports DNSSEC has a
503	   far simpler task in terms of DNS Roadblock avoidance.

505	5.1.5.  Availability

507	   DNS Privacy Threats:

509	   o  A failed DNS privacy service could force the user to switch
510	      providers, fallback to cleartext or accept no DNS service for the
511	      outage.

513	   Mitigations:

515	   A DNS privacy service must be engineered for high availability.
516	   Particular care should to be taken to protect DNS privacy services
517	   against denial-of-service attacks, as experience has shown that
518	   unavailability of DNS resolving because of attacks is a significant
519	   motivation for users to switch services.  See, for example
520	   Section IV-C of Passive Observations of a Large DNS Service: 2.5
521	   Years in the Life of Google [2].

523	   Techniques such as those described in Section 10 of [RFC7766] can be
524	   of use to operators to defend against such attacks.

526	5.1.6.  Service options

528	   DNS Privacy Threats:

530	   o  Unfairly disadvantaging users of the privacy service with respect
531	      to the services available.  This could force the user to switch
532	      providers, fallback to cleartext or accept no DNS service for the
533	      outage.

535	   Mitigations:

537	   A DNS privacy service should deliver the same level of service as
538	   offered on un-encrypted channels in terms of such options as
539	   filtering (or lack thereof), DNSSEC validation, etc.

541	5.1.7.  Impact on DNS Privacy Service Operators

543	   DNS Privacy Threats:

545	   o  Increased use of encryption impacts operator ability to manage
546	      their network [RFC8404]

548	   Many monitoring solutions for DNS traffic rely on the plain text
549	   nature of this traffic and work by intercepting traffic on the wire,
550	   either using a separate view on the connection between clients and
551	   the resolver, or as a separate process on the resolver system that
552	   inspects network traffic.  Such solutions will no longer function
553	   when traffic between clients and resolvers is encrypted.  There are,
554	   however, legitimate reasons for operators to inspect DNS traffic,
555	   e.g. to monitor for network security threats.  Operators may
556	   therefore need to invest in alternative means of monitoring that
557	   relies on either the resolver software directly, or exporting DNS
558	   traffic from the resolver using e.g. dnstap [3].

560	   Optimization:

562	   When implementing alternative means for traffic monitoring, operators
563	   of a DNS privacy service should consider using privacy conscious
564	   means to do so (see, for example, the discussion on the use of Bloom
565	   Filters in the #documents appendix in this document).

567	5.1.8.  Limitations of using a pure TLS proxy

569	   DNS Privacy Threats:

571	   o  Limited ability to manage or monitor incoming connections using
572	      DNS specific techniques

574	   o  Misconfiguration of the target server could lead to data leakage
575	      if the proxy to target server path is not encrypted.

577	   Optimization:

579	   Some operators may choose to implement DNS-over-TLS using a TLS proxy
580	   (e.g.  nginx [4], haproxy [5] or stunnel [6]) in front of a DNS
581	   nameserver because of proven robustness and capacity when handling
582	   large numbers of client connections, load balancing capabilities and
583	   good tooling.  Currently, however, because such proxies typically
584	   have no specific handling of DNS as a protocol over TLS or DTLS using
585	   them can restrict traffic management at the proxy layer and at the
586	   DNS server.  For example, all traffic received by a nameserver behind
587	   such a proxy will appear to originate from the proxy and DNS
588	   techniques such as ACLs, RRL or DNS64 will be hard or impossible to
589	   implement in the nameserver.

591	   Operators may choose to use a DNS aware proxy such as dnsdist [7]
592	   which offer custom options (similar to that proposed in
593	   [I-D.bellis-dnsop-xpf]) to add source information to packets to
594	   address this shortcoming.  It should be noted that such options
595	   potentially significantly increase the leaked information in the
596	   event of a misconfiguration.

598	5.2.  Data at rest on the server

600	5.2.1.  Data handling

602	   [RFC6973] Threats:

604	   o  Surveillance

606	   o  Stored data compromise

608	   o  Correlation

610	   o  Identification

612	   o  Secondary use

614	   o  Disclosure
615	   Other Threats

617	   o  Contravention of legal requirements not to process user data?

619	   Mitigations:

621	   The following are common activities for DNS service operators and in
622	   all cases should be minimized or completely avoided if possible for
623	   DNS privacy services.  If data is retained it should be encrypted and
624	   either aggregated, pseudonymized or anonymized whenever possible.  In
625	   general the principle of data minimization described in [RFC6973]
626	   should be applied.

628	   o  Transient data (e.g. that is used for real time monitoring and
629	      threat analysis which might be held only memory) should be
630	      retained for the shortest possible period deemed operationally
631	      feasible.

633	   o  The retention period of DNS traffic logs should be only those
634	      required to sustain operation of the service and, to the extent
635	      that such exists, meet regulatory requirements.

637	   o  DNS privacy services should not track users except for the
638	      particular purpose of detecting and remedying technically
639	      malicious (e.g.  DoS) or anomalous use of the service.

641	   o  Data access should be minimized to only those personnel who
642	      require access to perform operational duties.  It should also be
643	      limited to anonymized or pseudonymized data were operationally
644	      feasible, with access to full logs (if any are held) only
645	      permitted when necessary.

647	   Optimizations:

649	   o  Consider use of full disk encryption for logs and data capture
650	      storage.

652	5.2.2.  Data minimization of network traffic

654	   Data minimization refers to collecting, using, disclosing, and
655	   storing the minimal data necessary to perform a task, and this can be
656	   achieved by removing or obfuscating privacy-sensitive information in
657	   network traffic logs.  This is typically personal data, or data that
658	   can be used to link a record to an individual, but may also include
659	   revealing other confidential information, for example on the
660	   structure of an internal corporate network.

662	   The problem of effectively ensuring that DNS traffic logs contain no
663	   or minimal privacy-sensitive information is not one that currently
664	   has a generally agreed solution or any Standards to inform this
665	   discussion.  This section presents and overview of current techniques
666	   to simply provide reference on the current status of this work.

668	   Research into data minimization techniques (and particularly IP
669	   address pseudonymization/anonymization) was sparked in the late
670	   1990s/early 2000s, partly driven by the desire to share significant
671	   corpuses of traffic captures for research purposes.  Several
672	   techniques reflecting different requirements in this area and
673	   different performance/resource tradeoffs emerged over the course of
674	   the decade.  Developments over the last decade have been both a
675	   blessing and a curse; the large increase in size between an IPv4 and
676	   an IPv6 address, for example, renders some techniques impractical,
677	   but also makes available a much larger amount of input entropy, the
678	   better to resist brute force re-identification attacks that have
679	   grown in practicality over the period.

681	   Techniques employed may be broadly categorized as either
682	   anonymization or pseudonymization.  The following discussion uses the
683	   definitions from [RFC6973] Section 3, with additional observations
684	   from van Dijkhuizen et al. [8]

686	   o  Anonymization.  To enable anonymity of an individual, there must
687	      exist a set of individuals that appear to have the same
688	      attribute(s) as the individual.  To the attacker or the observer,
689	      these individuals must appear indistinguishable from each other.

691	   o  Pseudonymization.  The true identity is deterministically replaced
692	      with an alternate identity (a pseudonym).  When the
693	      pseudonymization schema is known, the process can be reversed, so
694	      the original identity becomes known again.

696	   In practice there is a fine line between the two; for example, how to
697	   categorize a deterministic algorithm for data minimization of IP
698	   addresses that produces a group of pseudonyms for a single given
699	   address.

701	5.2.3.  IP address pseudonymization and anonymization methods

703	   As [I-D.bortzmeyer-dprive-rfc7626-bis] makes clear, the big privacy
704	   risk in DNS is connecting DNS queries to an individual and the major
705	   vector for this in DNS traffic is the client IP address.

707	   There is active discussion in the space of effective pseudonymization
708	   of IP addresses in DNS traffic logs, however there seems to be no
709	   single solution that is widely recognized as suitable for all or most
710	   use cases.  There are also as yet no standards for this that are
711	   unencumbered by patents.

713	   The following table presents a high level comparison of various
714	   techniques employed or under development today and classifies them
715	   according to categorization of technique and other properties.
716	   Appendix B provides a more detailed survey of these techniques and
717	   definitions for the categories and properties listed below.  The list
718	   of techniques includes the main techniques in current use, but does
719	   not claim to be comprehensive.

721	       +---------------------------+----+---+----+---+----+---+---+
722	       | Categorisation/Property   | GA | d | TC | C | TS | i | B |
723	       +---------------------------+----+---+----+---+----+---+---+
724	       | Anonymisation             | X  | X | X  |   |    |   | X |
725	       | Pseudoanonymisation       |    |   |    | X | X  | X |   |
726	       | Format preserving         | X  | X | X  | X | X  | X |   |
727	       | Prefix preserving         |    |   | X  | X | X  |   |   |
728	       | Replacement               |    |   | X  |   |    |   |   |
729	       | Filtering                 | X  |   |    |   |    |   |   |
730	       | Generalisation            |    |   |    |   |    |   | X |
731	       | Enumeration               |    | X |    |   |    |   |   |
732	       | Reordering/Shuffling      |    |   | X  |   |    |   |   |
733	       | Random substitution       |    |   | X  |   |    |   |   |
734	       | Crytpographic permutation |    |   |    | X | X  | X |   |
735	       | IPv6 issues               |    |   |    |   | X  |   |   |
736	       | CPU intensive             |    |   |    | X |    |   |   |
737	       | Memory intensive          |    |   | X  |   |    |   |   |
738	       | Security concerns         |    |   |    |   |    | X |   |
739	       +---------------------------+----+---+----+---+----+---+---+

741	                   Table 1: Classification of techniques

743	   GA = Google Analytics, d = dnswasher, TC = TCPdpriv, C = CryptoPAn,
744	   TS = TSA, i = ipcipher, B = Bloom filter

746	   The choice of which method to use for a particular application will
747	   depend on the requirements of that application and consideration of
748	   the threat analysis of the particular situation.

750	   For example, a common goal is that distributed packet captures must
751	   be in an existing data format such as PCAP [pcap] or C-DNS [RFC8618]
752	   that can be used as input to existing analysis tools.  In that case,
753	   use of a format-preserving technique is essential.  This, though, is
754	   not cost-free - several authors (e.g.  Brenker & Arnes [9]) have
755	   observed that, as the entropy in an IPv4 address is limited, given a
756	   de-identified log from a target, if an attacker is capable of
757	   ensuring packets are captured by the target and the attacker can send
758	   forged traffic with arbitrary source and destination addresses to
759	   that target, any format-preserving pseudonymization is vulnerable to
760	   an attack along the lines of a cryptographic chosen plaintext attack.

762	5.2.4.  Pseudonymization, anonymization or discarding of other
763	        correlation data

765	   DNS Privacy Threats:

767	   o  Fingerprinting of the client OS via various means including: IP
768	      TTL/Hoplimit, TCP parameters (e.g. window size, ECN support,
769	      SACK), OS specific DNS query patterns (e.g. for network
770	      connectivity, captive portal detection or OS specific updates).

772	   o  Fingerprinting of the client application or TLS library by e.g.
773	      TLS version/Cipher suite combinations or other connection
774	      parameters.

776	   o  Correlation of queries on multiple TCP session originating from
777	      the same IP address

779	   o  Correlating of queries on multiple TLS sessions originating from
780	      the same client, including via session resumption mechanisms

782	   o  Resolvers _might_ receive client identifiers e.g.  MAC addresses
783	      in EDNS(0) options - some CPE devices are known to add them.

785	   o  HTTP headers (e.g., User-Agent, Accept, Accept-Encoding)

787	   Mitigations:

789	   o  Data minimization or discarding of such correlation data.

791	5.2.5.  Cache snooping

793	   [RFC6973] Threats:

795	   o  Surveillance:

797	      *  Profiling of client queries by malicious third parties

799	   Mitigations:

801	   o  See ISC Knowledge database on cache snooping [10] for an example
802	      discussion on defending against cache snooping

804	5.3.  Data sent onwards from the server

806	   In this section we consider both data sent on the wire in upstream
807	   queries and data shared with third parties.

809	5.3.1.  Protocol recommendations

811	   [RFC6973] Threats:

813	   o  Surveillance:

815	      *  Transmission of identifying data upstream.

817	   Mitigations:

819	   As specified in [RFC8310] for DNS-over-TLS but applicable to any DNS
820	   Privacy services the server should:

822	   o  Implement QNAME minimization [RFC7816]

824	   o  Honor a SOURCE PREFIX-LENGTH set to 0 in a query containing the
825	      EDNS(0) Client Subnet (ECS) option and not send an ECS option in
826	      upstream queries.

828	   Optimizations:

830	   o  The server should either

832	      *  not use the ECS option in upstream queries at all, or

834	      *  offer alternative services, one that sends ECS and one that
835	         does not.

837	   If operators do offer a service that sends the ECS options upstream
838	   they should use the shortest prefix that is operationally feasible
839	   and ideally use a policy of whitelisting upstream servers to send ECS
840	   to in order to minimize data leakage.  Operators should make clear in
841	   any policy statement what prefix length they actually send and the
842	   specific policy used.

844	   Whitelisting has the benefit that not only does the operator know
845	   which upstream servers can use ECS but also allows the operator to
846	   decide which upstream servers apply privacy policies that the
847	   operator is happy with.  However some operators consider whitelisting
848	   to incur significant operational overhead compared to dynamic
849	   detection of ECS on authoritative servers.

851	   Additional options:

853	   o  Aggressive Use of DNSSEC-Validated Cache [RFC8198] to reduce the
854	      number of queries to authoritative servers to increase privacy.

856	   o  Run a copy of the root zone on loopback [RFC7706] to avoid making
857	      queries to the root servers that might leak information.

859	5.3.2.  Client query obfuscation

861	   Additional options:

863	   Since queries from recursive resolvers to authoritative servers are
864	   performed using cleartext (at the time of writing), resolver services
865	   need to consider the extent to which they may be directly leaking
866	   information about their client community via these upstream queries
867	   and what they can do to mitigate this further.  Note, that even when
868	   all the relevant techniques described above are employed there may
869	   still be attacks possible, e.g.  [Pitfalls-of-DNS-Encryption].  For
870	   example, a resolver with a very small community of users risks
871	   exposing data in this way and OUGHT obfuscate this traffic by mixing
872	   it with 'generated' traffic to make client characterization harder.
873	   The resolver could also employ aggressive pre-fetch techniques as a
874	   further measure to counter traffic analysis.

876	   At the time of writing there are no standardized or widely recognized
877	   techniques to perform such obfuscation or bulk pre-fetches.

879	   Another technique that particularly small operators may consider is
880	   forwarding local traffic to a larger resolver (with a privacy policy
881	   that aligns with their own practices) over an encrypted protocol so
882	   that the upstream queries are obfuscated among those of the large
883	   resolver.

885	5.3.3.  Data sharing

887	   [RFC6973] Threats:

889	   o  Surveillance

891	   o  Stored data compromise

893	   o  Correlation

895	   o  Identification

897	   o  Secondary use

899	   o  Disclosure
900	   DNS Privacy Threats:

902	   o  Contravention of legal requirements not to process user data

904	   Mitigations:

906	   Operators should not provide identifiable data to third-parties
907	   without explicit consent from clients (we take the stance here that
908	   simply using the resolution service itself does not constitute
909	   consent).

911	   Operators should consider including specific guidelines for the
912	   collection of aggregated and/or anonymized data for research
913	   purposes, within or outside of their own organization.  This can
914	   benefit not only the operator (through inclusion in novel research)
915	   but also the wider Internet community.  See SURFnet's policy [11] on
916	   data sharing for research as an example.

918	6.  DNS Recursive Operator Privacy (DROP) statement

920	   The following section outlines the recommended contents of a DROP
921	   statement an operator might choose to publish.  An example statement
922	   for a specific scenario is provided for guidance only in Appendix C.

924	6.1.  Recommended contents of a DROP statement

926	6.1.1.  Policy

928	   1.  Treatment of IP addresses.  Make an explicit statement that IP
929	       addresses are treated as PII.

931	   2.  Data collection and sharing.  Specify clearly what data
932	       (including IP addresses) is:

934	       *  Collected and retained by the operator, and for what period it
935	          is retained

937	       *  Shared with partners

939	       *  Shared, sold or rented to third-parties

941	       and in each case whether it is aggregated, pseudonymized or
942	       anonymized and the conditions of data transfer.

944	   3.  Exceptions.  Specify any exceptions to the above, for example
945	       technically malicious or anomalous behavior.

947	   4.  Associated entities.  Declare any partners, third-party
948	       affiliations or sources of funding.

950	   5.  Correlation.  Whether user DNS data is correlated or combined
951	       with any other personal information held by the operator.

953	   6.  Result filtering.  This section should explain whether the
954	       operator filters, edits or alters in any way the replies that it
955	       receives from the authoritative servers for each DNS zone, before
956	       forwarding them to the clients.  For each category listed below,
957	       the operator should also specify how the filtering lists are
958	       created and managed, whether it employs any third-party sources
959	       for such lists, and which ones.

961	       *  Specify if any replies are being filtered out or altered for
962	          network and computer security reasons (e.g. preventing
963	          connections to malware-spreading websites or botnet control
964	          servers)

966	       *  Specify if any replies are being filtered out or altered for
967	          mandatory legal reasons, due to applicable legislation or
968	          binding orders by courts and other public authorities

970	       *  Specify if any replies are being filtered out or altered for
971	          voluntary legal reasons, due to an internal policy by the
972	          operator aiming at reducing potential legal risks

974	       *  Specify if any replies are being filtered out or altered for
975	          any other reason, including commercial ones

977	6.1.2.  Practice

979	   This section should explain the current operational practices of the
980	   service.

982	   1.  Deviations.  Specify any temporary or permanent deviations from
983	       the policy for operational reasons.

985	   2.  Client facing capabilities.  With reference to section Section 5
986	       provide specific details of which capabilities are provided on
987	       which client facing addresses and ports:

989	       1.  For DoT, specify the authentication name to be used (if any)

991	       2.  For DoT, specify the SPKI pin sets to be used (if any) and
992	           policy for rolling keys

994	   3.  Upstream capabilities.  With reference to section Section 5.3
995	       provide specific details of which capabilities are provided
996	       upstream for data sent to authoritative servers.

998	   4.  Support.  Provide contact/support information for the service.

1000	   5.  Jurisdiction.  This section should communicate the applicable
1001	       jurisdictions and law enforcement regimes under which the service
1002	       is being provided.

1004	       1.  Specify the operator entity or entities that will control the
1005	           data and be responsible for their treatment, and their legal
1006	           place of business.

1008	       2.  Specify, either directly or by pointing to the applicable
1009	           privacy policy, the relevant privacy laws that apply to the
1010	           treatment of the data, the rights that users enjoy in regard
1011	           to their own personal information that is treated by the
1012	           service, and how they can contact the operator to enforce
1013	           them.

1015	       3.  Additionally specify the countries in which the servers
1016	           handling the DNS requests and the data are located (if the
1017	           operator applies a geolocation policy so that requests from
1018	           certain countries are only served by certain servers, this
1019	           should be specified as well).

1021	       4.  Specify whether the operator has any agreement in place with
1022	           law enforcement agencies, or other public and private parties
1023	           dealing with security and intelligence, to give them access
1024	           to the servers and/or to the data.

1026	6.2.  Current policy and privacy statements

1028	   A tabular comparison of existing policy and privacy statements from
1029	   various DNS Privacy service operators based loosely on the proposed
1030	   DROP structure can be found on dnsprivacy.org [12].

1032	   We note that the existing set of policies vary widely in style,
1033	   content and detail and it is not uncommon for the full text for a
1034	   given operator to equate to more than 10 pages of moderate font sized
1035	   A4 text.  It is a non-trivial task today for a user to extract a
1036	   meaningful overview of the different services on offer.

1038	   It is also noted that Mozilla have published a Security/DoH-resolver
1039	   policy [13], which describes the minimum set of policy requirements
1040	   that a party must satisfy to be considered as a potential partner for
1041	   Mozilla's Trusted Recursive Resolver (TRR) program.

1043	6.3.  Enforcement/accountability

1045	   Transparency reports may help with building user trust that operators
1046	   adhere to their policies and practices.

1048	   Independent monitoring or analysis could be performed where possible
1049	   of:

1051	   o  ECS, QNAME minimization, EDNS(0) padding, etc.

1053	   o  Filtering

1055	   o  Uptime

1057	   This is by analogy with e.g. several TLS or website analysis tools
1058	   that are currently available e.g.  SSL Labs [14] or Internet.nl [15].

1060	   Additionally operators could choose to engage the services of a third
1061	   party auditor to verify their compliance with their published DROP
1062	   statement.

1064	7.  IANA considerations

1066	   None

1068	8.  Security considerations

1070	   Security considerations for DNS-over-TCP are given in [RFC7766], many
1071	   of which are generally applicable to session based DNS.

1073	9.  Acknowledgements

1075	   Many thanks to Amelia Andersdotter for a very thorough review of the
1076	   first draft of this document and Stephen Farrell for a thorough
1077	   review at WGLC and for suggesting the inclusion of an example DROP
1078	   statement.  Thanks to John Todd for discussions on this topic, and to
1079	   Stephane Bortzmeyer, Puneet Sood and Vittorio Bertola for review.
1080	   Thanks to Daniel Kahn Gillmor, Barry Green, Paul Hoffman, Dan York,
1081	   John Reed, Lorenzo Colitti for comments at the mic.  Thanks to
1082	   Loganaden Velvindron for useful updates to the text.

1084	   Sara Dickinson thanks the Open Technology Fund for a grant to support
1085	   the work on this document.

1087	10.  Contributors

1089	   The below individuals contributed significantly to the document:

1091	   John Dickinson
1092	   Sinodun Internet Technologies
1093	   Magdalen Centre
1094	   Oxford Science Park
1095	   Oxford OX4 4GA
1096	   United Kingdom

1098	   Jim Hague
1099	   Sinodun Internet Technologies
1100	   Magdalen Centre
1101	   Oxford Science Park
1102	   Oxford OX4 4GA
1103	   United Kingdom

1105	11.  Changelog

1107	   draft-ietf-dprive-bcp-op-05

1109	   o  Remove some text on consent:

1111	      *  Paragraph 2 in section 5.3.3

1113	      *  Item 6 in the DROP Practice statement (and example)

1115	   o  Remove .onion and TLSA options

1117	   o  Include ACME as a reference for certificate management

1119	   o  Update text on session resumption usage

1121	   o  Update section 5.2.4 on client fingerprinting

1123	   draft-ietf-dprive-bcp-op-04

1125	   o  Change DPPPS to DROP (DNS Recursive Operator Privacy) statement

1127	   o  Update structure of DROP slightly

1129	   o  Add example DROP statement

1131	   o  Add text about restricting access to full logs

1133	   o  Move table in section 5.2.3 from SVG to inline table
1134	   o  Fix many editorial and reference nits

1136	   draft-ietf-dprive-bcp-op-03

1138	   o  Add paragraph about operational impact

1140	   o  Move DNSSEC requirement out of the Appendix into main text as a
1141	      privacy threat that should be mitigated

1143	   o  Add TLS version/Cipher suite as tracking threat

1145	   o  Add reference to Mozilla TRR policy

1147	   o  Remove several TODOs and QUESTIONS.

1149	   draft-ietf-dprive-bcp-op-02

1151	   o  Change 'open resolver' for 'public resolver'

1153	   o  Minor editorial changes

1155	   o  Remove recommendation to run a separate TLS 1.3 service

1157	   o  Move TLSA to purely a optimisation in Section 5.2.1

1159	   o  Update reference on minimal DoH headers.

1161	   o  Add reference on user switching provider after service issues in
1162	      Section 5.1.4

1164	   o  Add text in Section 5.1.6 on impact on operators.

1166	   o  Add text on additional threat to TLS proxy use (Section 5.1.7)

1168	   o  Add reference in Section 5.3.1 on example policies.

1170	   draft-ietf-dprive-bcp-op-01

1172	   o  Many minor editorial fixes

1174	   o  Update DoH reference to RFC8484 and add more text on DoH

1176	   o  Split threat descriptions into ones directly referencing RFC6973
1177	      and other DNS Privacy threats

1179	   o  Improve threat descriptions throughout
1180	   o  Remove reference to the DNSSEC TLS Chain Extension draft until new
1181	      version submitted.

1183	   o  Clarify use of whitelisting for ECS

1185	   o  Re-structure the DPPPS, add Result filtering section.

1187	   o  Remove the direct inclusion of privacy policy comparison, now just
1188	      reference dnsprivacy.org and an example of such work.

1190	   o  Add an appendix briefly discussing DNSSEC

1192	   o  Update affiliation of 1 author

1194	   draft-ietf-dprive-bcp-op-00

1196	   o  Initial commit of re-named document after adoption to replace
1197	      draft-dickinson-dprive-bcp-op-01

1199	12.  References

1201	12.1.  Normative References

1203	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1204	              Requirement Levels", BCP 14, RFC 2119,
1205	              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
1206	              editor.org/info/rfc2119>.

1208	   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
1209	              DOI 10.17487/RFC6265, April 2011, <https://www.rfc-
1210	              editor.org/info/rfc6265>.

1212	   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
1213	              Morris, J., Hansen, M., and R. Smith, "Privacy
1214	              Considerations for Internet Protocols", RFC 6973,
1215	              DOI 10.17487/RFC6973, July 2013, <https://www.rfc-
1216	              editor.org/info/rfc6973>.

1218	   [RFC7525]  Sheffer, Y., Holz, R., and P. Saint-Andre,
1219	              "Recommendations for Secure Use of Transport Layer
1220	              Security (TLS) and Datagram Transport Layer Security
1221	              (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
1222	              2015, <https://www.rfc-editor.org/info/rfc7525>.

1224	   [RFC7766]  Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
1225	              D. Wessels, "DNS Transport over TCP - Implementation
1226	              Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016,
1227	              <https://www.rfc-editor.org/info/rfc7766>.

1229	   [RFC7816]  Bortzmeyer, S., "DNS Query Name Minimisation to Improve
1230	              Privacy", RFC 7816, DOI 10.17487/RFC7816, March 2016,
1231	              <https://www.rfc-editor.org/info/rfc7816>.

1233	   [RFC7828]  Wouters, P., Abley, J., Dickinson, S., and R. Bellis, "The
1234	              edns-tcp-keepalive EDNS0 Option", RFC 7828,
1235	              DOI 10.17487/RFC7828, April 2016, <https://www.rfc-
1236	              editor.org/info/rfc7828>.

1238	   [RFC7830]  Mayrhofer, A., "The EDNS(0) Padding Option", RFC 7830,
1239	              DOI 10.17487/RFC7830, May 2016, <https://www.rfc-
1240	              editor.org/info/rfc7830>.

1242	   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
1243	              and P. Hoffman, "Specification for DNS over Transport
1244	              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
1245	              2016, <https://www.rfc-editor.org/info/rfc7858>.

1247	   [RFC7871]  Contavalli, C., van der Gaast, W., Lawrence, D., and W.
1248	              Kumari, "Client Subnet in DNS Queries", RFC 7871,
1249	              DOI 10.17487/RFC7871, May 2016, <https://www.rfc-
1250	              editor.org/info/rfc7871>.

1252	   [RFC7873]  Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
1253	              Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
1254	              <https://www.rfc-editor.org/info/rfc7873>.

1256	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1257	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1258	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

1260	   [RFC8310]  Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles
1261	              for DNS over TLS and DNS over DTLS", RFC 8310,
1262	              DOI 10.17487/RFC8310, March 2018, <https://www.rfc-
1263	              editor.org/info/rfc8310>.

1265	   [RFC8404]  Moriarty, K., Ed. and A. Morton, Ed., "Effects of
1266	              Pervasive Encryption on Operators", RFC 8404,
1267	              DOI 10.17487/RFC8404, July 2018, <https://www.rfc-
1268	              editor.org/info/rfc8404>.

1270	   [RFC8467]  Mayrhofer, A., "Padding Policies for Extension Mechanisms
1271	              for DNS (EDNS(0))", RFC 8467, DOI 10.17487/RFC8467,
1272	              October 2018, <https://www.rfc-editor.org/info/rfc8467>.

1274	   [RFC8484]  Hoffman, P. and P. McManus, "DNS Queries over HTTPS
1275	              (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
1276	              <https://www.rfc-editor.org/info/rfc8484>.

1278	12.2.  Informative References

1280	   [I-D.bellis-dnsop-xpf]
1281	              Bellis, R., Dijk, P., and R. Gacogne, "DNS X-Proxied-For",
1282	              draft-bellis-dnsop-xpf-04 (work in progress), March 2018.

1284	   [I-D.bortzmeyer-dprive-rfc7626-bis]
1285	              Bortzmeyer, S. and S. Dickinson, "DNS Privacy
1286	              Considerations", draft-bortzmeyer-dprive-rfc7626-bis-02
1287	              (work in progress), January 2019.

1289	   [I-D.ietf-dnsop-dns-tcp-requirements]
1290	              Kristoff, J. and D. Wessels, "DNS Transport over TCP -
1291	              Operational Requirements", draft-ietf-dnsop-dns-tcp-
1292	              requirements-04 (work in progress), June 2019.

1294	   [I-D.ietf-httpbis-bcp56bis]
1295	              Nottingham, M., "Building Protocols with HTTP", draft-
1296	              ietf-httpbis-bcp56bis-08 (work in progress), November
1297	              2018.

1299	   [pcap]     tcpdump.org, "PCAP", 2016, <http://www.tcpdump.org/>.

1301	   [Pitfalls-of-DNS-Encryption]
1302	              Shulman, H., "Pretty Bad Privacy: Pitfalls of DNS
1303	              Encryption", 2014, <https://dl.acm.org/
1304	              citation.cfm?id=2665959>.

1306	   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
1307	              Rose, "DNS Security Introduction and Requirements",
1308	              RFC 4033, DOI 10.17487/RFC4033, March 2005,
1309	              <https://www.rfc-editor.org/info/rfc4033>.

1311	   [RFC5077]  Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
1312	              "Transport Layer Security (TLS) Session Resumption without
1313	              Server-Side State", RFC 5077, DOI 10.17487/RFC5077,
1314	              January 2008, <https://www.rfc-editor.org/info/rfc5077>.

1316	   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1317	              Housley, R., and W. Polk, "Internet X.509 Public Key
1318	              Infrastructure Certificate and Certificate Revocation List
1319	              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
1320	              <https://www.rfc-editor.org/info/rfc5280>.

1322	   [RFC6235]  Boschi, E. and B. Trammell, "IP Flow Anonymization
1323	              Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
1324	              <https://www.rfc-editor.org/info/rfc6235>.

1326	   [RFC7457]  Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
1327	              Known Attacks on Transport Layer Security (TLS) and
1328	              Datagram TLS (DTLS)", RFC 7457, DOI 10.17487/RFC7457,
1329	              February 2015, <https://www.rfc-editor.org/info/rfc7457>.

1331	   [RFC7706]  Kumari, W. and P. Hoffman, "Decreasing Access Time to Root
1332	              Servers by Running One on Loopback", RFC 7706,
1333	              DOI 10.17487/RFC7706, November 2015, <https://www.rfc-
1334	              editor.org/info/rfc7706>.

1336	   [RFC8094]  Reddy, T., Wing, D., and P. Patil, "DNS over Datagram
1337	              Transport Layer Security (DTLS)", RFC 8094,
1338	              DOI 10.17487/RFC8094, February 2017, <https://www.rfc-
1339	              editor.org/info/rfc8094>.

1341	   [RFC8198]  Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of
1342	              DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198,
1343	              July 2017, <https://www.rfc-editor.org/info/rfc8198>.

1345	   [RFC8490]  Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
1346	              Lemon, T., and T. Pusateri, "DNS Stateful Operations",
1347	              RFC 8490, DOI 10.17487/RFC8490, March 2019,
1348	              <https://www.rfc-editor.org/info/rfc8490>.

1350	   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
1351	              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
1352	              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

1354	   [RFC8555]  Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
1355	              Kasten, "Automatic Certificate Management Environment
1356	              (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
1357	              <https://www.rfc-editor.org/info/rfc8555>.

1359	   [RFC8618]  Dickinson, J., Hague, J., Dickinson, S., Manderson, T.,
1360	              and J. Bond, "Compacted-DNS (C-DNS): A Format for DNS
1361	              Packet Capture", RFC 8618, DOI 10.17487/RFC8618, September
1362	              2019, <https://www.rfc-editor.org/info/rfc8618>.

1364	12.3.  URIs

1366	   [1] https://petsymposium.org/2018/files/hotpets/4-siby.pdf

1368	   [2] http://tma.ifip.org/2018/wp-content/uploads/sites/3/2018/06/
1369	       tma2018_paper30.pdf

1371	   [3] http://dnstap.info

1373	   [4] https://nginx.org/

1375	   [5] https://www.haproxy.org/

1377	   [6] https://kb.isc.org/article/AA-01386/0/DNS-over-TLS.html

1379	   [7] https://dnsdist.org

1381	   [8] https://doi.org/10.1145/3182660

1383	   [9] https://pdfs.semanticscholar.org/7b34/12c951cebe71cd2cddac5fda164
1384	       fb2138a44.pdf

1386	   [10] https://kb.isc.org/docs/aa-00482

1388	   [11] https://surf.nl/datasharing

1390	   [12] https://dnsprivacy.org/wiki/display/DP/
1391	        Comparison+of+policy+and+privacy+statements

1393	   [13] https://wiki.mozilla.org/Security/DOH-resolver-policy

1395	   [14] https://www.ssllabs.com/ssltest/

1397	   [15] https://internet.nl

1399	   [16] https://support.google.com/analytics/answer/2763052?hl=en

1401	   [17] https://www.conversionworks.co.uk/blog/2017/05/19/anonymize-ip-
1402	        geo-impact-test/

1404	   [18] https://github.com/edmonds/pdns/blob/master/pdns/dnswasher.cc

1406	   [19] http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html

1408	   [20] http://an.kaist.ac.kr/~sbmoon/paper/intl-journal/2004-cn-
1409	        anon.pdf

1411	   [21] https://www.cc.gatech.edu/computing/Telecomm/projects/cryptopan/

1413	   [22] http://mharvan.net/talks/noms-ip_anon.pdf

1415	   [23] http://www.ecs.umass.edu/ece/wolf/pubs/ton2007.pdf

1417	   [24] https://medium.com/@bert.hubert/on-ip-address-encryption-
1418	        security-analysis-with-respect-for-privacy-dabe1201b476

1420	   [25] https://github.com/PowerDNS/ipcipher

1422	   [26] https://github.com/veorq/ipcrypt

1424	   [27] https://www.ietf.org/mail-archive/web/cfrg/current/msg09494.html

1426	   [28] http://dl.ifip.org/db/conf/im/im2019/189282.pdf

1428	Appendix A.  Documents

1430	   This section provides an overview of some DNS privacy related
1431	   documents, however, this is neither an exhaustive list nor a
1432	   definitive statement on the characteristic of the document.

1434	A.1.  Potential increases in DNS privacy

1436	   These documents are limited in scope to communications between stub
1437	   clients and recursive resolvers:

1439	   o  'Specification for DNS over Transport Layer Security (TLS)'
1440	      [RFC7858], referred to here as 'DNS-over-TLS'.

1442	   o  'DNS over Datagram Transport Layer Security (DTLS)' [RFC8094],
1443	      referred to here as 'DNS-over-DTLS'.  Note that this document has
1444	      the Category of Experimental.

1446	   o  'DNS Queries over HTTPS (DoH)' [RFC8484] referred to here as DoH.

1448	   o  'Usage Profiles for DNS over TLS and DNS over DTLS' [RFC8310]

1450	   o  'The EDNS(0) Padding Option' [RFC7830] and 'Padding Policy for
1451	      EDNS(0)' [RFC8467]

1453	   These documents apply to recursive to authoritative DNS but are
1454	   relevant when considering the operation of a recursive server:

1456	   o  'DNS Query Name minimization to Improve Privacy' [RFC7816]
1457	      referred to here as 'QNAME minimization'

1459	A.2.  Potential decreases in DNS privacy

1461	   These documents relate to functionality that could provide increased
1462	   tracking of user activity as a side effect:

1464	   o  'Client Subnet in DNS Queries' [RFC7871]

1466	   o  'Domain Name System (DNS) Cookies' [RFC7873])

1468	   o  'Transport Layer Security (TLS) Session Resumption without Server-
1469	      Side State' [RFC5077] referred to here as simply TLS session
1470	      resumption.

1472	   o  'A DNS Packet Capture Format' [RFC8618]

1474	   o  Passive DNS [RFC8499]

1476	   Note that depending on the specifics of the implementation [RFC8484]
1477	   may also provide increased tracking.

1479	A.3.  Related operational documents

1481	   o  'DNS Transport over TCP - Implementation Requirements' [RFC7766]

1483	   o  'Operational requirements for DNS-over-TCP'
1484	      [I-D.ietf-dnsop-dns-tcp-requirements]

1486	   o  'The edns-tcp-keepalive EDNS0 Option' [RFC7828]

1488	   o  'DNS Stateful Operations' [RFC8490]

1490	Appendix B.  IP address techniques

1492	   Data minimization methods may be categorized by the processing used
1493	   and the properties of their outputs.  The following builds on the
1494	   categorization employed in [RFC6235]:

1496	   o  Format-preserving.  Normally when encrypting, the original data
1497	      length and patterns in the data should be hidden from an attacker.
1498	      Some applications of de-identification, such as network capture
1499	      de-identification, require that the de-identified data is of the
1500	      same form as the original data, to allow the data to be parsed in
1501	      the same way as the original.

1503	   o  Prefix preservation.  Values such as IP addresses and MAC
1504	      addresses contain prefix information that can be valuable in
1505	      analysis, e.g. manufacturer ID in MAC addresses, subnet in IP
1506	      addresses.  Prefix preservation ensures that prefixes are de-
1507	      identified consistently; e.g. if two IP addresses are from the
1508	      same subnet, a prefix preserving de-identification will ensure
1509	      that their de-identified counterparts will also share a subnet.
1510	      Prefix preservation may be fixed (i.e. based on a user selected
1511	      prefix length identified in advance to be preserved ) or general.

1513	   o  Replacement.  A one-to-one replacement of a field to a new value
1514	      of the same type, for example using a regular expression.

1516	   o  Filtering.  Removing (and thus truncating) or replacing data in a
1517	      field.  Field data can be overwritten, often with zeros, either
1518	      partially (grey marking) or completely (black marking).

1520	   o  Generalization.  Data is replaced by more general data with
1521	      reduced specificity.  One example would be to replace all TCP/UDP
1522	      port numbers with one of two fixed values indicating whether the
1523	      original port was ephemeral (>=1024) or non-ephemeral (>1024).
1524	      Another example, precision degradation, reduces the accuracy of
1525	      e.g. a numeric value or a timestamp.

1527	   o  Enumeration.  With data from a well-ordered set, replace the first
1528	      data item data using a random initial value and then allocate
1529	      ordered values for subsequent data items.  When used with
1530	      timestamp data, this preserves ordering but loses precision and
1531	      distance.

1533	   o  Reordering/shuffling.  Preserving the original data, but
1534	      rearranging its order, often in a random manner.

1536	   o  Random substitution.  As replacement, but using randomly generated
1537	      replacement values.

1539	   o  Cryptographic permutation.  Using a permutation function, such as
1540	      a hash function or cryptographic block cipher, to generate a
1541	      replacement de-identified value.

1543	B.1.  Google Analytics non-prefix filtering

1545	   Since May 2010, Google Analytics has provided a facility [16] that
1546	   allows website owners to request that all their users IP addresses
1547	   are anonymized within Google Analytics processing.  This very basic
1548	   anonymization simply sets to zero the least significant 8 bits of
1549	   IPv4 addresses, and the least significant 80 bits of IPv6 addresses.
1550	   The level of anonymization this produces is perhaps questionable.
1551	   There are some analysis results [17] which suggest that the impact of
1552	   this on reducing the accuracy of determining the user's location from
1553	   their IP address is less than might be hoped; the average discrepancy
1554	   in identification of the user city for UK users is no more than 17%.

1556	   Anonymization: Format-preserving, Filtering (grey marking).

1558	B.2.  dnswasher

1560	   Since 2006, PowerDNS have included a de-identification tool dnswasher
1561	   [18] with their PowerDNS product.  This is a PCAP filter that
1562	   performs a one-to-one mapping of end user IP addresses with an
1563	   anonymized address.  A table of user IP addresses and their de-
1564	   identified counterparts is kept; the first IPv4 user addresses is
1565	   translated to 0.0.0.1, the second to 0.0.0.2 and so on.  The de-
1566	   identified address therefore depends on the order that addresses
1567	   arrive in the input, and running over a large amount of data the
1568	   address translation tables can grow to a significant size.

1570	   Anonymization: Format-preserving, Enumeration.

1572	B.3.  Prefix-preserving map

1574	   Used in TCPdpriv [19], this algorithm stores a set of original and
1575	   anonymised IP address pairs.  When a new IP address arrives, it is
1576	   compared with previous addresses to determine the longest prefix
1577	   match.  The new address is anonymized by using the same prefix, with
1578	   the remainder of the address anonymized with a random value.  The use
1579	   of a random value means that TCPdrpiv is not deterministic; different
1580	   anonymized values will be generated on each run.  The need to store
1581	   previous addresses means that TCPdpriv has significant and unbounded
1582	   memory requirements, and because of the need to allocated anonymized
1583	   addresses sequentially cannot be used in parallel processing.

1585	   Anonymization: Format-preserving, prefix preservation (general).

1587	B.4.  Cryptographic Prefix-Preserving Pseudonymisation

1589	   Cryptographic prefix-preserving pseudonymisation was originally
1590	   proposed as an improvement to the prefix-preserving map implemented
1591	   in TCPdpriv, described in Xu et al. [20] and implemented in the
1592	   Crypto-PAn tool [21].  Crypto-PAn is now frequently used as an
1593	   acronym for the algorithm.  Initially it was described for IPv4
1594	   addresses only; extension for IPv6 addresses was proposed in Harvan &
1595	   Schoenwaelder [22] and implemented in snmpdump.  This uses a
1596	   cryptographic algorithm rather than a random value, and thus
1597	   pseudonymity is determined uniquely by the encryption key, and is
1598	   deterministic.  It requires a separate AES encryption for each output
1599	   bit, so has a non-trivial calculation overhead.  This can be
1600	   mitigated to some extent (for IPv4, at least) by pre-calculating
1601	   results for some number of prefix bits.

1603	   Pseudonymization: Format-preserving, prefix preservation (general).

1605	B.5.  Top-hash Subtree-replicated Anonymisation

1607	   Proposed in Ramaswamy & Wolf [23], Top-hash Subtree-replicated
1608	   Anonymisation (TSA) originated in response to the requirement for
1609	   faster processing than Crypto-PAn.  It used hashing for the most
1610	   significant byte of an IPv4 address, and a pre-calculated binary tree
1611	   structure for the remainder of the address.  To save memory space,
1612	   replication is used within the tree structure, reducing the size of
1613	   the pre-calculated structures to a few Mb for IPv4 addresses.
1614	   Address pseudonymization is done via hash and table lookup, and so
1615	   requires minimal computation.  However, due to the much increased
1616	   address space for IPv6, TSA is not memory efficient for IPv6.

1618	   Pseudonymization: Format-preserving, prefix preservation (general).

1620	B.6.  ipcipher

1622	   A recently-released proposal from PowerDNS [24], ipcipher [25] is a
1623	   simple pseudonymization technique for IPv4 and IPv6 addresses.  IPv6
1624	   addresses are encrypted directly with AES-128 using a key (which may
1625	   be derived from a passphrase).  IPv4 addresses are similarly
1626	   encrypted, but using a recently proposed encryption ipcrypt [26]
1627	   suitable for 32bit block lengths.  However, the author of ipcrypt has
1628	   since indicated [27] that it has low security, and further analysis
1629	   has revealed it is vulnerable to attack.

1631	   Pseudonymization: Format-preserving, cryptographic permutation.

1633	B.7.  Bloom filters

1635	   van Rijswijk-Deij et al. [28] have recently described work using
1636	   Bloom filters to categorize query traffic and record the traffic as
1637	   the state of multiple filters.  The goal of this work is to allow
1638	   operators to identify so-called Indicators of Compromise (IOCs)
1639	   originating from specific subnets without storing information about,
1640	   or be able to monitor the DNS queries of an individual user.  By
1641	   using a Bloom filter, it is possible to determine with a high
1642	   probability if, for example, a particular query was made, but the set
1643	   of queries made cannot be recovered from the filter.  Similarly, by
1644	   mixing queries from a sufficient number of users in a single filter,
1645	   it becomes practically impossible to determine if a particular user
1646	   performed a particular query.  Large numbers of queries can be
1647	   tracked in a memory-efficient way.  As filter status is stored, this
1648	   approach cannot be used to regenerate traffic, and so cannot be used
1649	   with tools used to process live traffic.

1651	   Anonymized: Generalization.

1653	Appendix C.  Example DROP statement

1655	   The following example DROP statement is very loosely based on some
1656	   elements of published privacy statements for some public resolvers,
1657	   with additional fields populated to illustrate the what the full
1658	   contents of a DROP statement might look like.  This should not be
1659	   interpreted as

1661	   o  having been reviewed or approved by any operator in any way
1662	   o  having any legal standing or validity at all

1664	   o  being complete or exhaustive

1666	   This is a purely hypothetical example of a DROP statement to outline
1667	   example contents - in this case for a public resolver operator
1668	   providing a basic DNS Privacy service via one IP address and one DoH
1669	   URI with security based filtering.  It does aim to meet minimal
1670	   compliance as specified in Section 5.

1672	C.1.  Policy

1674	   1.  Treatment of IP addresses.  Many nations classify IP addresses as
1675	       Personally-Identifiable Information (PII), and we take a
1676	       conservative approach in treating IP addresses as PII in all
1677	       jurisdictions in which our systems reside.

1679	   2.  Data collection and sharing.

1681	       1.  IP addresses.  Our normal course of data management does not
1682	           have any IP address information or other PII logged to disk
1683	           or transmitted out of the location in which the query was
1684	           received.  We may aggregate certain counters to larger
1685	           network block levels for statistical collection purposes, but
1686	           those counters do not maintain specific IP address data nor
1687	           is the format or model of data stored capable of being
1688	           reverse-engineered to ascertain what specific IP addresses
1689	           made what queries.

1691	       2.  Data collected in logs.  We do keep some generalized location
1692	           information (at the city/metropolitan area level) so that we
1693	           can conduct debugging and analyze abuse phenomena.  We also
1694	           use the collected information for the creation and sharing of
1695	           telemetry (timestamp, geolocation, number of hits, first
1696	           seen, last seen) for contributors, public publishing of
1697	           general statistics of use of system (protections, threat
1698	           types, counts, etc.)  When you use our DNS Services, here is
1699	           the full list of items that are
1700	           included in our logs:

1702	           +  Request domain name, e.g. example.net

1704	           +  Record type of requested domain, e.g.  A, AAAA, NS, MX,
1705	              TXT, etc.

1707	           +  Transport protocol on which the request arrived, i.e. UDP,
1708	              TCP, DoT,
1709	              DoH

1711	           +  Origin IP general geolocation information: i.e. geocode,
1712	              region ID, city ID, and metro code

1714	           +  IP protocol version - IPv4 or IPv6

1716	           +  Response code sent, e.g.  SUCCESS, SERVFAIL, NXDOMAIN,
1717	              etc.

1719	           +  Absolute arrival time

1721	           +  Name of the specific instance that processed this request

1723	           +  IP address of the specific instance to which this request
1724	              was addressed (no relation to the requestor's IP address)

1726	           We may keep the following data as summary information,
1727	           including all the above EXCEPT for data about the DNS record
1728	           requested:

1730	           +  Currently-advertised BGP-summarized IP prefix/netmask of
1731	              apparent client origin

1733	           +  Autonomous system number (BGP ASN) of apparent client
1734	              origin

1736	           All the above data may be kept in full or partial form in
1737	           permanent archives.

1739	       3.  Sharing of data.  Except as described in this document, we do
1740	           not intentionally share, sell, or rent individual personal
1741	           information associated with the requestor (i.e. source IP
1742	           address or any other information that can positively identify
1743	           the client using our infrastructure) with anyone without your
1744	           consent.  We generate and share high level anonymized
1745	           aggregate statistics including threat metrics on threat type,
1746	           geolocation, and if available, sector, as well as other
1747	           vertical metrics including performance metrics on our DNS
1748	           Services (i.e. number of threats blocked, infrastructure
1749	           uptime) when available with the our threat intelligence (TI)
1750	           partners, academic researchers, or the public.  Our DNS
1751	           Services share anonymized data on specific domains queried
1752	           (records such as domain, timestamp, geolocation, number of
1753	           hits, first seen, last seen) with its threat intelligence
1754	           partners.  Our DNS Services also builds, stores, and may
1755	           share certain DNS data streams which store high level
1756	           information about domain resolved, query types, result codes,
1757	           and timestamp.  These streams do not contain IP address
1758	           information of requestor and cannot be correlated to IP
1759	           address or other PII.  We do not and never will share any of
1760	           its data with marketers, nor will it use this data for
1761	           demographic analysis.

1763	   3.  Exceptions.  There are exceptions to this storage model: In the
1764	       event of events or observed behaviors which we deem malicious or
1765	       anomalous, we may utilize more detailed logging to collect more
1766	       specific IP address data in the process of normal network defence
1767	       and mitigation.  This collection and transmission off-site will
1768	       be limited to IP addresses that we determine are involved in the
1769	       event.

1771	   4.  Associated entities.  Details of our Threat Intelligence partners
1772	       can be found at our website page (insert link).

1774	   5.  Correlation of Data.  We do not correlate or combine information
1775	       from our logs with any personal information that you have
1776	       provided us for other services, or with your specific IP address.

1778	   6.  Result filtering.

1780	       1.  Filtering.  We utilise cyber threat intelligence about
1781	           malicious domains from a variety of public and private
1782	           sources and blocks access to those malicious domains when
1783	           your system attempts to contact them.  An NXDOMAIN is
1784	           returned for blocked sites.

1786	           1.  Censorship.  We will not provide a censoring component
1787	               and will limit our actions solely to the blocking of
1788	               malicious domains around phishing, malware, and exploit
1789	               kit domains.

1791	           2.  Accidental blocking.  We implement whitelisting
1792	               algorithms to make sure legitimate domains are not
1793	               blocked by accident.  However, in the rare case of
1794	               blocking a legitimate domain, we work with the users to
1795	               quickly whitelist that domain.  Please use our support
1796	               form (insert link) if you believe we are blocking a
1797	               domain in error.

1799	C.2.  Practice

1801	   1.  Deviations from Policy.  None currently in place.

1803	   2.  Client facing capabilities.

1805	       1.  We offer UDP and TCP DNS on port 53 on (insert IP address)
1806	       2.  We offer DNS-over-TLS as specified in RFC7858 on (insert IP
1807	           address).  It is available on port 853 and port 443.  We also
1808	           implement RFC7766.

1810	           1.  The DoT authentication name used is (insert domain name).

1812	           2.  We do not publish SPKI pin sets.

1814	       3.  We offer DNS-over-HTTPS as specified in RFC8484 on (insert
1815	           URI template).  Both POST and GET are supported.

1817	       4.  Both services offer TLS 1.2 and TLS 1.3.

1819	       5.  Both services pad DNS responses according to RFC8467.

1821	       6.  Both services provide DNSSEC validation.

1823	   3.  Upstream capabilities.

1825	       1.  Our servers implement QNAME minimisation.

1827	       2.  Our servers do not send ECS upstream.

1829	   4.  Support.  Support information for this service is available at
1830	       (insert link).

1832	   5.  Jurisdiction.

1834	       1.  We operate as the legal entity (insert entity) registered in
1835	           (insert country) as (insert company identifier e.g Company
1836	           Number).  Our Headquarters are located at (insert address).

1838	       2.  As such we operate under (insert country) law.  For details
1839	           of our company privacy policy see (insert link).  For
1840	           questions on this policy and enforcement contact our Data
1841	           Protection Officer on (insert email address).

1843	       3.  We operate servers in the following countries (insert list).

1845	       4.  We have no agreements in place with law enforcement agencies
1846	           to give them access to the data.  Apart from as stated in the
1847	           Policy section of this document with regard to cyber threat
1848	           intelligence, we have no agreements in place with other
1849	           public and private parties dealing with security and
1850	           intelligence, to give them access to the servers and/or to
1851	           the data.

1853	Authors' Addresses

1855	   Sara Dickinson
1856	   Sinodun IT
1857	   Magdalen Centre
1858	   Oxford Science Park
1859	   Oxford  OX4 4GA
1860	   United Kingdom

1862	   Email: sara@sinodun.com

1864	   Benno J. Overeinder
1865	   NLnet Labs
1866	   Science Park 400
1867	   Amsterdam  1098 XH
1868	   The Netherlands

1870	   Email: benno@nlnetLabs.nl

1872	   Roland M. van Rijswijk-Deij
1873	   NLnet Labs
1874	   Science Park 400
1875	   Amsterdam  1098 XH
1876	   The Netherlands

1878	   Email: roland@nlnetLabs.nl

1880	   Allison Mankin
1881	   Salesforce

1883	   Email: allison.mankin@gmail.com