Specification for DNS over Transport Layer Security
RFC 7858, “Specification for DNS over Transport Layer Security”, is a Proposed Standard document published in May 2016 by Z. Hu, L. Zhu, J. Heidemann, A. Mankin, D. Wessels, P. Hoffman. It has since been updated by RFC 8310. The canonical text is published by the RFC Editor.
Abstract
This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.
This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 7858 is hosted at rfc-editor.org and is available in TXT and HTML formats.