]> Citrix Systems, Inc.

United States of America danwing@gmail.com

Nokia

Bangalore Karnataka India kondtir@gmail.com

Open-Xchange

United Kingdom neil.cook@noware.co.uk

Orange

Rennes 35000 France mohamed.boucadair@orange.com

Internet DNS Operations Working Group Customer experience Informed decision transparency enriched feedback DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the dnsop Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction DNS filters are deployed for a variety of reasons, e.g., endpoint security, parental filtering, and filtering required by law enforcement. Network-based security solutions such as firewalls and Intrusion Prevention Systems (IPS) rely upon network traffic inspection to implement perimeter-based security policies and operate by filtering DNS responses. In a home network, DNS filtering is used for the same reasons as above and additionally for parental control. Internet Service Providers (ISPs) typically block access to some DNS domains due to a requirement imposed by an external entity (e.g., law enforcement agency) also performed using DNS-based content filtering. Users of DNS services that perform filtering may wish to receive more explanatory information about such a filtering to resolve problems with the filter -- for example to contact the administrator to allowlist a DNS domain that was erroneously filtered or to understand the reason a particular domain was filtered. With that information, a user can choose to use another network, open a trouble ticket with the DNS administrator to resolve erroneous filtering, log the information, etc. For the DNS filtering mechanisms described in , the DNS server can return extended error codes Blocked, Filtered, or Forged Answer defined in . However, these codes only explain that filtering occurred but lack detail for the user to diagnose erroneous filterings. No matter which type of response is generated (forged IP address(es), NXDOMAIN or empty answer, even with an extended error code), the user who triggered the DNS query has little chance to understand which entity filtered the query, how to report a mistake in the filter, or why the entity filtered it at all. This document describes a mechanism to provide such detail. One of the other benefits of the approach described in this document is to eliminate the need to "spoof" block pages for HTTPS resources. This is achieved since clients implementing this approach would be able to display a meaningful error message, and would not need to connect to such a block page. This approach thus avoids the need to install a local root certificate authority on those IT-managed devices. This document describes a format for computer-parsable data in the EXTRA-TEXT field of . It updates which says the information in EXTRA-TEXT field is intended for human consumption (not automated parsing). This document does not recommend DNS filtering but provides a mechanism for better transparency to explain to the users why some DNS queries are filtered.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses terms defined in DNS Terminology . "Requestor" refers to the side that sends a request. "Responder" refers to an authoritative, recursive resolver or other DNS component that responds to questions. "Encrypted DNS" refers to any encrypted scheme to convey DNS messages, for example, DNS-over-HTTPS , DNS-over-TLS , or DNS-over-QUIC . The document refers to an Extended DNS Error (EDE) using its purpose, not its INFO-CODE as per Table 3 of . "Forged Answer", "Blocked", and "Filtered" are thus used to refer to "Forged Answer (4)", "Blocked (15)", and "Filtered (17)".

DNS Filtering Techniques and Their Limitations DNS responses can be filtered by sending, e.g., a bogus (also called "forged") response, NXDOMAIN error, or empty answer. Also, clients can be informed that filtering has occured by sending an Extended DNS Error code defined in . Each of these methods have advantages and disadvantages that are discussed below:

1. The DNS response is forged to provide a list of IP addresses that points to an HTTP(S) server alerting the end user about the reason for blocking access to the requested domain (e.g., malware). When an HTTP(S) enabled domain name is blocked, the network security device (e.g., Customer Premises Equipment (CPE) or firewall) presents a block page instead of the HTTP response from the content provider hosting that domain. If an HTTP enabled domain name is blocked, the network security device intercepts the HTTP request and returns a block page over HTTP. If an HTTPS enabled domain is blocked, the block page is also served over HTTPS. In order to return a block page over HTTPS, man in the middle (MITM) is enabled on endpoints by generating a local root certificate and an accompanying (local) public/private key pair. The local root certificate is installed on the endpoint while the network security device stores a copy of the private key. During the TLS handshake, the on-path network security device modifies the certificate provided by the server and (re)signs it using the private key from the local root certificate.
   • However, configuring the local root certificate on endpoints is not a viable option in several deployments like home networks, schools, Small Office/Home Office (SOHO), or Small/Medium Enterprise (SME). In these cases, the typical behavior is that the filtered DNS response points to a server that will display the block page. If the client is using HTTPS (via a web browser or another application) this results in a certificate validation error which gives no information to the end-user about the reason for the DNS filtering.
   • Enterprise networks do not assume that all the connected devices are managed by the IT team or Mobile Device Management (MDM) devices, especially in the quite common Bring Your Own Device (BYOD) scenario. In addition, the local root certificate cannot be installed on IoT devices without a device management tool.
   • An end user does not know why the connection was prevented and, consequently, may repeatedly try to reach the domain but with no success. Frustrated, the end user may switch to an alternate network that offers no DNS filtering against malware and phishing, potentially compromising both security and privacy. Furthermore, certificate errors train users to click through certificate errors, which is a bad security practice. To eliminate the need for an end user to click through certificate errors, an end user may manually install a local root certificate on a host device. Doing so, however, is also a bad security practice as it creates a security vulnerability that may be exploited by a MITM attack. When a manually installed local root certificate expires, the user has to (again) manually install the new local root certificate.
2. The DNS response is forged to provide a NXDOMAIN response to cause the DNS lookup to terminate in failure. In this case, an end user does not know why the domain cannot be reached and may repeatedly try to reach the domain but with no success. Frustrated, the end user may use insecure connections to reach the domain, potentially compromising both security and privacy.
3. The extended error codes Blocked and Filtered defined in can be returned by a DNS server to provide additional information about the cause of a DNS error.
4. These extended error codes do not suffer from the limitations discussed in bullets (1) and (2), but the user still does not know the exact reason nor is aware of the exact entity blocking the access to the domain. For example, a DNS server may block access to a domain based on the content category such as "Malware" to protect the endpoint from malicious software, "Phishing" to prevent the user from revealing sensitive information to the attacker, etc. A user may need to know the contact details of the IT/InfoSec team to raise a complaint.

I-JSON in EXTRA-TEXT Field DNS servers that are compliant with this specification and have received an indication that the client also supports this specification as per send data in the EXTRA-TEXT field encoded using the Internet JSON (I-JSON) message format .

• Note that was based on , but was replaced by .

This document defines the following JSON names:

c: (contact)

The contact details of the IT/InfoSec team to report mis-classified DNS filtering. This information is important for transparency and also to ease unblocking a legitimate domain name that got blocked due to wrong classification.

This field is structured as an array of contact URIs, using 'tel' or 'sips' or 'mailto' schemes. At least one contact URI MUST be included.

New contact URI schemes may be added to the IANA registry following the instructions in .

This field is mandatory.

j: (justification)

'UTF-8'-encoded textual justification for this particular DNS filtering. The field should be treated only as diagnostic information for IT staff.

Whether the information provided in the "j" name is meaningful or considered as garbage data (including empty values) is local to each IT teams. Returning garbage data would indicate that a DNS server is misbehaving. Note also that the provided justification is useful for cross-validation with another DNS server.

This field is mandatory.

s: (suberror)

The suberror code for this particular DNS filtering.

This field is optional.

o: (organization)

'UTF-8'-encoded human-friendly name of the organization that filtered this particular DNS query.

This field is optional.

New JSON names can be defined in the IANA registry introduced in . Such names MUST consist only of lower-case ASCII characters, digits, and hyphens (that is, Unicode characters U+0061 through 007A, U+0030 through U+0039, and U+002D). Also, these names MUST be 63 characters or shorter and it is RECOMMENDED they be as short as possible. The text in the "j" and "o" names can include international characters. If the text is displayed in a language not known to the end user, browser extensions to translate to user's native language can be used. To reduce DNS message size the generated JSON SHOULD be as short as possible: short domain names, concise text in the values for the "j" and "o" names, and minified JSON (that is, without spaces or line breaks between JSON elements). The JSON data can be parsed to display to the user, logged, or otherwise used to assist the end-user or IT staff with troubleshooting and diagnosing the cause of the DNS filtering.

• An alternate design for conveying the suberror would be to define new EDE codes for these errors. However, such design is suboptimal because it requires replicating an error code for each EDE code to which the suberror applies (e.g., "Malware" suberror in would consume three EDE codes).

Protocol Operation

Client Generating Request When generating a DNS query the client includes the EDE option () in the OPT pseudo-RR to elicit the EDE option in the DNS response. It MUST use an OPTION-LENGTH of 2, the INFO-CODE field set to "0" (Other Error), and an empty EXTRA-TEXT field. This signal indicates that the client desires that the server responds in accordance with the present specification.

Server Generating Response When the DNS server filters its DNS response to a query (e.g., A or AAAA record query), the DNS response MAY contain an empty answer, NXDOMAIN, or (less ideally) forged response, as desired by the DNS server. In addition, if the query contained the OPT pseudo-RR the DNS server MAY return more detail in the EXTRA-TEXT field as described in . Servers may decide to return small TTL values in filtered DNS responses (e.g., 2 seconds) to handle domain category and reputation updates. Because the DNS client signals its EDE support () and because EDE support is signaled via a non-cached OPT resource record () the EDE-aware DNS server can tailor its filtered response to be most appropriate to that client's EDE support. If EDE support is signaled in the query as per , the server MUST NOT return the "Forged Answer" extended error code because the client can take advantage of EDE's more sophisticated error reporting (e.g., "Filtered", "Blocked"). Continuing to send "Forged Answer" even to an EDE-supporting client will cause the persistence of the drawbacks described in .

Client Processing Response On receipt of a DNS response with an EDE option from a DNS responder, the following ordered actions are performed on the EXTRA-TEXT field:

• Servers which don't support this specification might use plain text in the EXTRA-TEXT field. Requestors SHOULD properly handle both plaintext and JSON text in the EXTRA-TEXT field. The requestor verifies that the field contains valid JSON. If not, the requestor MUST consider the server does not support this specification and stop processing rest of the actions defined in this section, but may instead choose to treat EXTRA-TEXT as per .
• The response MUST be received over an encrypted DNS channel. If not, the requestor MUST discard data in the EXTRA-TEXT field.
• The DNS response MUST also contain an extended error code of "Blocked by Upstream Server", "Blocked" or "Filtered" , otherwise the EXTRA-TEXT field is discarded.
• If either of the mandatory JSON names "c" and "j" are missing or have empty values in the EXTRA-TEXT field, the entire JSON is discarded.
• If the "c" field contains any URI scheme not registered in the registry, it MUST be discarded.
• If a DNS client has enabled opportunistic privacy profile () for DoT, the DNS client will either fall back to an encrypted connection without authenticating the DNS server provided by the local network or fall back to clear text DNS, and cannot exchange encrypted DNS messages. Both of these fallback mechanisms adversely impact security and privacy. If the DNS client has enabled opportunistic privacy profile for DoT and the identity of the DNS server cannot be verified but the connection is encrypted, the DNS client MUST ignore the "c", "j", and "o" fields but MAY process the "s" field and other parts of the response.
• Opportunistic discovery , where only the IP address is validated, the DNS client MUST ignore the "c", "j", and "o" fields but MAY process the "s" field and other parts of the response.
• If a DNS client has enabled strict privacy profile () for DoT, the DNS client requires an encrypted connection and successful authentication of the DNS server. In doing so, this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if an encrypted, authenticated connection is not available). If the DNS client has enabled strict privacy profile for DoT, the DNS client MAY process the EXTRA-TEXT field of the DNS response.
• When a forwarder receives an EDE option, whether or not (and how) to pass along JSON information in the EXTRA-TEXT on to their client is implementation dependent . Implementations MAY choose to not forward the JSON information, or they MAY choose to create a new EDE option that conveys the information in the "c", "s", and "j" fields encoded in the JSON object.
• The application that triggered the DNS request may have a local policy to override the contact information (e.g., redirect all complaint calls to a single contact point). In such a case, the content of the "c" attribute can be ignored.

• Note that the strict and opportunistic privacy profiles as defined in only apply to DoT; there has been no such distinction made for DoH.

New Sub-Error Codes Definition The document defines the following new IANA-registered Sub-Error codes.

Reserved

• Number: 0
• Meaning: Reserved. This sub-error code value MUST NOT be sent. If received, it has no meaning.
• Applicability: This code should never be used.
• Reference: This-Document
• Change Controller: IETF

Network Operator Policy

• Number: 5
• Meaning: Network Operator Policy. The code indicates that the request was filtered according to policy determined by the operator of the local network.
• Applicability: Blocked
• Reference: This-Document
• Change Controller: IETF

DNS Operator Policy

• Number: 6
• Meaning: DNS Operator Policy. The code indicates that the request was filtered according to policy determined by the operator of the DNS server.
• Applicability: Blocked
• Reference: This-Document
• Change Controller: IETF

Extended DNS Error Code TBA1 - Blocked by Upstream DNS Server The DNS server (e.g., a DNS forwarder) is unable to respond to the request because the domain is on a blocklist due to an internal security policy imposed by an upstream DNS server. This error code is useful in deployments where a network-provided DNS forwarder is configured to use an external resolver that filters malicious domains. Typically, when the DNS forwarder receives a Blocked (15) error code from the upstream DNS server, it will replace it with "Blocked by Upstream DNS Server" (TBA1) before forwarding the reply to the DNS client.

Examples An example showing the nameserver at 'ns.example.net' that filtered a DNS "A" record query for 'example.org' is provided in .

JSON Returned in EXTRA-TEXT Field of Extended DNS Error Response

In the same content is shown with minified JSON (no whitespace, no blank lines) with '\' line wrapping per .

Minified Response

Security Considerations Security considerations in apply to this document, except the guard against using EDE content to alter DNS protocol processing. The guard is relaxed in the current specification as it mandates encryption and recommends the use of an authenticated connection to the DNS server, while assumes that EDE information is unauthenticated and sent over clear text. To minimize impact of active on-path attacks on the DNS channel, the client validates the response as described in . A client might choose to display the information in the "c", "j", and "o" fields if and only if the encrypted resolver has sufficient reputation, according to some local policy (e.g., user configuration, administrative configuration, or a built-in list of respectable resolvers). This limits the ability of a malicious encrypted resolver to cause harm. For example, an end user can use the details in the "c" field to contact an attacker to solve the problem of being unable to reach a domain. The attacker can mislead the end user to install malware or spyware to compromise the device security posture or mislead the end user to reveal personal data. If the client decides not to display all of the information in the EXTRA-TEXT field, it can be logged for diagnostics purpose and the client can only display the resolver hostname that blocked the domain, error description for the EDE code and the suberror description for the "s" field to the end-user. When displaying the free-form text of "j" and "o", the browser MUST NOT make any of those elements into actionable (clickable) links and these fields need to be rendered as text, not as HTML. The contact details of "c" can be made into clickable links to provide a convenient way for users to initiate, e.g., voice calls. The client might choose to display the contact details only when the identity of the DNS server is verified. An attacker might inject (or modify) the EDE EXTRA-TEXT field with a DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or DNS forwarder will forward that attacker-controlled EDE option. To prevent such an attack, clients can be configured to process EDE from explicitly configured DNS servers or utilize RESINFO .

IANA Considerations This document requests four IANA actions as described in the following subsections.

• Note to the RFC Editor: Please replace RFCXXXX with the RFC number assigned to this document and "TBA1" with the value assigned by IANA.

Media Type Registration This document requests IANA to register the "application/json+structured-dns-error" media type in the "Media Types" registry . This registration follows the procedures specified in :

New Registry for JSON Names This document requests IANA to create a new registry, entitled "EXTRA-TEXT JSON Names" under "Domain Name System (DNS) Parameters, Extended DNS Error Codes" registry . The registration request for a new JSON name must include the following fields:

JSON Name:

Specifies the name of an attribute that is present in the JSON data enclosed in EXTRA-TEXT field. The name must follow the guidelines in .

Short description:

Includes a short description of the requested JSON name.

Mandatory (Y/N?):

Indicates whether this attribute is mandatory or optional.

Specification:

Provides a pointer to the reference document that specifies the attribute.

The registry is initially populated with the following values: Initial JSON Names Registry

JSON Name	Full JSON Name	Description	Mandatory	Specification
c	contact	The contact details of the IT/InfoSec team to report mis-classified DNS filtering	Y	of RFCXXXX
j	justification	UTF-8-encoded textual justification for a particular DNS filtering	Y	of RFCXXXX
s	suberror	the suberror code for this particular DNS filtering	N	of RFCXXXX
o	organization	UTF-8-encoded human-friendly name of the organization that filtered this particular DNS query	N	of RFCXXXX

New JSON names are registered via IETF Review ().

New Registry for Contact URI Scheme This document requests IANA to create a new registry, entitled "Contact URI Schemes" under "Domain Name System (DNS) Parameters, Extended DNS Error Codes" registry . The registration request for a new Contact URI scheme has to include the following fields:

• Name: URI scheme name.
• Meaning: Provides a short description of the scheme.
• Reference: Provides a pointer to an IETF-approved specification that defines the URI scheme.
• Change Controller: Indicates the person or entity, with contact information if appropriate.

The Contact URI scheme registry is initially be populated with the following schemes:

Name	Meaning	Reference	Change Controller
sips	SIP Call		IETF
tel	Telephone Number		IETF
mailto	Internet mail		IETF

New Contact URI schemes are registered via IETF Review ().

New Registry for DNS SubError Codes This document requests IANA to create a new registry, entitled "SubError Codes" under "Domain Name System (DNS) Parameters, Extended DNS Error Codes" registry . The registration request for a new suberror codes MUST include the following fields:

• Number: Is the wire format suberror code (range 0-255).
• Meaning: Provides a short description of the sub-error.
• Applicability: Indicates which RFC8914 error codes apply to this sub-error code.
• Reference: Provides a pointer to an IETF-approved specification that registered the code and/or an authoritative specification that describes the meaning of this code.
• Change Controller: Indicates the person or entity, with contact information if appropriate.

The SubError Code registry is initially be populated with the following suberror codes: Initial SubError Code Registry

Number	Meaning	RFC8914 error code applicability	Reference	Change Controller
0	Reserved	Not used	of this document	IETF
1	Malware	"Blocked", "Blocked by Upstream Server", "Filtered"	Section 5.5 of	IETF
2	Phishing	"Blocked", "Blocked by Upstream Server", "Filtered"	Section 5.5 of	IETF
3	Spam	"Blocked", "Blocked by Upstream Server", "Filtered"	Page 289 of	IETF
4	Spyware	"Blocked", "Blocked by Upstream Server", "Filtered"	Page 291 of	IETF
5	Network operator policy	"Blocked"	of this document	IETF
6	DNS operator policy	"Blocked"	of this document	IETF

New SubError Codes are registered via IETF Review ().

New Extended DNS Error Code IANA is requested to assign the following Extended DNS Error code from the "Domain Name System (DNS) Parameters, Extended DNS Error Codes" registry : New DNS Error Code

INFO-CODE	Purose	Reference
TBA1	Blocked by Upstream Server	RFCXXXX

References Normative References This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. This document specifies the URI (Uniform Resource Identifier) scheme "tel". The "tel" URI describes resources identified by telephone numbers. This document obsoletes RFC 2806. [STANDARDS-TRACK] This document provides clarifications and guidelines concerning the use of the SIPS URI scheme in the Session Initiation Protocol (SIP). It also makes normative changes to SIP. [STANDARDS-TRACK] The Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK] The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. This document discusses usage profiles, based on one or more authentication mechanisms, which can be used for DNS over Transport Layer Security (TLS) or Datagram TLS (DTLS). These profiles can increase the privacy of DNS transactions compared to using only cleartext DNS. This document also specifies new authentication mechanisms -- it describes several ways that a DNS client can use an authentication domain name to authenticate a (D)TLS connection to a DNS server. Additionally, it defines (D)TLS protocol profiles for DNS clients and servers implementing DNS over (D)TLS. This document updates RFC 7858. This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. This document defines the format of Uniform Resource Identifiers (URIs) to identify resources that are reached using Internet mail. It adds better internationalization and compatibility with Internationalized Resource Identifiers (IRIs; RFC 3987) to the previous syntax of 'mailto' URIs (RFC 2368). [STANDARDS-TRACK] This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 to support the reporting of phishing events, which is a particular type of fraud. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud cycle -- from receipt of the phishing lure to the disablement of the collection site. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents. [STANDARDS-TRACK] This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community. Informative References IANA IANA The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 7719 and updates RFC 2308. This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. Apple Inc. Apple Inc. Cloudflare Fastly Microsoft This document defines Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An encrypted DNS resolver discovered in this manner is referred to as a "Designated Resolver". This mechanism can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. This mechanism is designed to be limited to cases where unencrypted DNS resolvers and their designated resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an encrypted DNS resolver is known. This document provides guidelines for the implementation of DNS proxies, as found in broadband gateways and other similar network devices. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content. Nokia Orange This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How such an information is then used by DNS clients is out of the scope of the document.

Interoperation with RPZ Servers This appendix provides a non-normative guidance for operation with an Response Policy Zones (RPZ) server that indicates filtering with a NXDOMAIN response with the Recursion Available bit cleared (RA=0). This guidance is provided to ease interoperation with RPZ. When a DNS client supports this specification, it includes the EDE option in its DNS query. If the server does not support this specification and is performing RPZ filtering, the server ignores the EDE option in the DNS query and replies with NXDOMAIN and RA=0. The DNS client can continue to accept such responses. If the server does support this specification and is performing RPZ filtering, the server can use the EDE option in the query to identify an EDE-aware client and respond appropriately (that is, by generating a response described in ) as NXDOMAIN and RA=0 are not necessary when generating a response to such a client.

Implementation Status

• Note to the RFC Editor: please remove this appendix prior publication.

At IETF#116, Gianpaolo Scalone (Vodafone) and Ralf Weber (Akamai) presented an implementation of this specification. More details can be found at .

Acknowledgements Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth, Viktor Dukhovni, Warren Kumari, Paul Wouters, John Levine, Bob Harold, and Mukund Sivaraman for the comments. Thanks to Ralf Weber and Gianpaolo Scalone for sharing details about their implementation. Thanks Di Ma and Matt Brown for the DNS directorate reviews, and Joseph Salowey for the Security directorate review.