]> Inria

abhishek.mishra@inria.fr

UCL

andrew.losty.23@ucl.ac.uk

UCL

a.mandalari@ucl.ac.uk

Infoblox

jmozley@infoblox.com

INSA-Lyon & Inria

mathieu.cunche@inria.fr

ops iotops This document outlines guidance for Internet of Things (IoT) manufacturers regarding the implementation of DNS stub resolver software on devices, and for the management zones used for purposes such as device configuration and software upgrades. It aims to mitigate security threats, enhance privacy, and to address operational security challenges. DNS resolution between devices and management zone servers depends upon DNS services within operator networks, and these services and operator networks can be impacted by device behavior. Hence this document also provides guidance to network operators that deploy IoT devices to mitigate the specific risks identified in this document and take advantage of improved DNS security mechanisms provided by manufacturers. The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction Research into the DNS behavior of IoT devices shows widespread non-compliance with protocol standards, gaps in protocol support, and security vulnerabilities. This leads to unpredictable operational behavior and exposes devices to fingerprinting and denial-of-service attacks. This document provides DNS guidance across the IoT resolution path (device, resolver, and authoritative infrastructure), with primary emphasis on device behavior aimed at IoT manufacturers. While the guidance in this document may apply to any device using DNS, this document considers IoT devices as a specific case where targeted recommendations are useful for the following reasons: The recommendations address specific IoT-related security concerns not seen in the DNS behavior of general-purpose operating systems IoT devices have different resource characteristics from general-purpose devices, such as constrained power consumption, meaning incorrect software implementations can have an increased operational impact on device functionality IoT devices do not typically have end point security agents installed on them that are widely used on general purpose operating systems There are many DNS RFCs, and this document can be used to identify those related to specific security issues observed through research into IoT devices, with the aim of making it easier to address these vulnerabilities IoT devices may be deployed at scale on dedicated networks, and these recommendations will be useful to network security teams in mitigating vulnerabilities, especially where device behavior cannot be changed post-deployment Manufacturers may use standard software distributions aimed at IoT devices without considering DNS behavior and the guidelines here can be used as part of the criteria to evaluate these distributions IoT devices typically perform the same set of DNS queries on start-up, which makes them both more vulnerable because of this predictable behavior and also more prone to network fingerprinting This document is primarily concerned with device-to-cloud communication , but DNS may be used in other IoT device communication patterns. Hence recommendations apply to any deployment type where DNS is used, but decisions on implementation will be proportionate to the associated security risks and operational considerations. For example the implementation of {#configuring-resolvers} and would be appropriate to any implementation, whereas may not be proportionate in industrial automation environments where devices do not encrypt other types of traffic . DNS terminology in this document conforms to . In this context, Stub Resolver refers to the IoT device, and Resolver refers to the DNS server used by the IoT device.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Guidance for IoT Device Manufacturers The following guidance specifies expected behavior for IoT device stub resolvers to ensure secure, privacy-preserving, and operationally efficient DNS resolution.

Configuration of DNS servers used by IoT Stub Resolvers IoT devices have been observed to fall back to hard-coded IP addresses for DNS resolvers, such as well-known open resolvers, or ignore addresses assigned to them via automated configuration methods such as DHCP Option 6. This may result in an insecure communication channel, and the open resolvers used in these hard-coded configurations may be blocked by network policy, preventing the device from functioning correctly. DNS resolvers on devices MUST be configurable via network configuration protocols. Stub resolvers MUST NOT fall back to hard-coded resolvers. Devices SHOULD use the following priority order for selecting a resolver. The first one that results in a valid DNS response SHOULD be selected. Manual user configuration Device management software IPv6 Router Advertisement (RA) , DHCPv6 (if M=1 bit in RA), IPv4 DHCP . When encrypted resolver options are present in DHCP and IPv6 Router Advertisements , then they SHOULD be used. If the selected resolver is a plain IP address (e.g. from option 3) this implies unencrypted DNS. In such cases Discovery of Designated Resolvers (DDR) SHOULD be performed to upgrade to encrypted access, where available.

Source Port and Transaction ID Randomization Some IoT devices have been observed to have insufficient or no randomization in the source ports of DNS queries or DNS transaction IDs making them vulnerable to spoofed responses. A combination of Source Port and Transaction ID is used, amongst other criteria, by the stub resolver when accepting a DNS response. IoT devices MUST undergo adequate Source Port and Transaction ID randomization in their DNS queries as a mitigation against cache poisoning from spoofed responses. Having both of these values correctly randomized decreases the chances of a successful spoofed attack. Stub resolvers MUST follow the recommendations of as described in Section 4.5 to ensure Source Port randomization and Transaction ID randomization.

Handling of TTL Values IoT devices have been observed making unexpectedly high numbers of DNS queries even when DNS record Time-To-Live values (TTLs) would mean this should be unnecessary. Devices have also been observed issuing DNS queries at fixed, highly predictable intervals for the same domain names, regardless of operational changes or TTL values. Unnecessary queries may lead to a drain of power in resource-constrained IoT devices. Conversely, very high TTLs may impact device operations such as communicating with management servers, receiving software updates, or other changes, which may lead to security issues. Deterministic query behavior that ignores TTL values increases the risk of device fingerprinting by adversaries who can profile query timing to identify specific device models or firmware versions. Manufacturers MUST configure the records in authoritative zones with TTL values appropriate to the use of the records by devices, ensuring the TTL is not too low so as to cause unnecessary queries for frequently used names, but not high enough to cause operational issues, such as when the IP address of an A record in a management zone changes. IoT devices MUST cache DNS responses and SHOULD honor TTLs when caching. If for operational reasons this is not ideal, then minimum and maximum TTLs MAY be configurable on the device but MUST NOT be hardcoded values. Where device stub resolvers cannot be configured with minimum and maximum TTL values, this MAY be mitigated by setting these on the network resolver. If certain device operational requirements necessitate periodic revalidation of critical domains (e.g. management servers), these repeated queries SHOULD use non-deterministic inter-query timing to avoid fixed intervals that could enable traffic fingerprinting. In the event of resolution failure (e.g., no response from the resolver), devices SHOULD implement back-off strategies to limit unnecessary query traffic, also see .

Support of EDNS(0) Devices have been observed having limited support for EDNS(0), causing them to revert to TCP for queries over 512 bytes, affecting the device's efficiency. Other research findings include increased processing overhead and devices failing to maintain their network connectivity when responses to DNS requests exceed 512 bytes. IoT devices MUST support EDNS(0) and send a supported UDP packet size via OPT 41 . To avoid fragmentation of UDP packets, which may be dropped by intervening networks, manufacturers MUST follow guidance in , although device configuration MAY allow this to be configurable. Although the networks to which IoT devices connect may support larger packet sizes, the nature of these devices in being deployed on many network types, and DNS queries traversing networks controlled by different operators, means it is operationally more effective to use a smaller size that avoids fragmentation. In addition, IoT devices MUST support using both TCP and UDP for queries, and support switching to TCP when a TC bit is returned from the resolver .

Improve Device Behavior in Response to Resolution Problems When resolving domain names, IoT devices may not receive a response from a resolver. As a result, surges in the number of queries and retries have been observed, or an increase in queries using an alternate protocol (more aggressively querying via IPv6 rather than IPv4). Device software MUST implement DNS resolution algorithms that bound the number and rate of queries sent from the device stub resolver to its configured resolvers. This will be implementation specific, but manufacturers should consider implementing the recommendations for resolvers detailed in section 3.2 which recommends the caching of resolution failures for at least 1 second. If supported by the stub-resolver implementation on device operating systems the use of serve-stale on the IoT device may mitigate the impact of failed resolution, such as when authoritative servers are unavailable. This will reduce the impact of surges in DNS traffic if the network resolver is unreachable and it may allow the device to maintain ongoing communication with endpoints for which previously valid DNS data remain usable.

Compliance with Encrypted DNS Standards The majority of IoT devices use unencrypted DNS over port 53, which means this traffic can be captured and is open to interception and manipulation. Encrypted DNS protocols are not mandated for compliance with DNS standards, but the use of encrypted DNS may be mandated by some regulators and advised by competent authorities in deployment guidelines. Encrypted DNS support is widely deployed and it is possible for IoT devices to discover DNS resolver support for this as described in . IoT devices SHOULD support encrypted DNS protocols such as DNS over TLS (DoT) , DNS over QUIC (DoQ) , or DNS over HTTPS (DoH) . This enhances privacy by preventing passive observation of DNS queries, improves security by mitigating adversary-in-the-middle (AiTM) attacks, and enables compatibility with resolvers that require encrypted transport. To mitigate against fingerprinting of IoT devices, DNS queries can be padded as detailed in and .

Use of DNSSEC IoT devices can be induced to contact an adversary server or make large volumes of DNS queries via spoofed responses to queries. It would be difficult for manufacturers to mitigate this by implementing checks of data received via DNS queries, such as validating IP addresses in the A/AAAA record RDATA as this does not reliably prevent malicious redirection. In addition, any validation of this type does not address the problem of AiTM attacks targeting DNS query responses. DNSSEC can be implemented by manufacturers to mitigate AiTM attacks on DNS query responses. Note that manufacturers MUST have signed public zones used for device management and services so that validation can take place. This improves security when devices do not perform local validation, as many network operators deploy validating resolvers. Manufacturers MAY improve device security by utilizing DNSSEC validation on the stub resolver. When supported, devices typically follow one of two models for validation (see ) by setting a combination of the DO and CD bits in DNS queries: Stub-resolver checking for validation - the stub resolver checks for the Authenticated Data (AD) bit in the response, which is suitable for constrained devices but requires explicit trust in the upstream resolver performing correct DNSSEC validation Stub-resolver performing full validation - local cryptographic checks of DNSSEC related records, providing stronger assurance Both models improve security over unvalidated queries, but manufacturers should weigh the security considerations, such as trust assumptions, against the operational feasibility when determining which approach to adopt. Manufacturers should consider the type of network the device is likely to be deployed on, such as a home network vs. other environments, in determining the likelihood of DNSSEC validation being available on the network and thus deciding if the device should rely on a validating resolver or be independently capable of performing DNSSEC validation. The deployment options are summarised below, with two constituting the typical deployment scenarios: DO Bit CD Bit Resolver Validated? DNSSEC RRs Returned? Notes Y Y N Y Resolver does not validate. DNSSEC data returned. Stub-resolver performing full validation deployment. Y N Y Y Resolver validates. DNSSEC data returned. Stub-resolver can use AD bit to check validation. N Y N N Resolver does not validate. No DNSSEC data returned. Do not use. N N Y N Resolver validates. No DNSSEC data. Stub-resolver checking for validation deployment.

Stub-resolver Checking for Validation Where a manufacturer does utilize DNSSEC validation on the device the minimum implementation will be a stub resolver checking the AD bit to see if the answer has been validated. Relying solely on the AD bit assumes that the upstream resolver is trustworthy and uncompromised. Manufacturers may implement a testing mechanism to determine if the network resolver supports DNSSEC enabling the device to utilize validation when available in a network that supports it, or falls back to unvalidated queries. Any such test of the resolver will only validate that it supports DNSSEC, given that the resolver is performing the validation it must be explicitly trusted. In order to check that a DNS query has been validated a stub resolver MUST check the Authenticated Data (AD) bit in responses to determine whether data was validated by the resolver it is using. When checking for the AD bit stub resolvers MUST treat DNSSEC validation failures as fatal. Responses that fail validation MUST NOT be used for name resolution.

Stub-resolver Performing Full Validation A device stub resolver can perform validation itself in cases where the network resolver does not validate queries or the device does not trust the network resolver to do so. Considerations for device manufacturers in implementing full validation include: Devices performing local validation gain end-to-end trust but at higher computational cost Devices should cache results including validation outcomes to reduce repeated computation Devices need to be shipped with a root trust anchor and have a mechanism to securely update this To implement full local validation stub resolvers MUST conform to section 4.9. In practice it is likely to be easier for manufacturers to implement a minimum footprint validating recursive server on the device, configured to forward queries to the network resolver(s), rather than develop this capability in any stub resolver.

Guidance for Manufacturer Authoritative DNS Zones Manufacturers use public authoritative DNS zones for purposes such as device configuration, control and upgrades.

Zone Signing Zones supporting the management and data collection of devices MUST be DNSSEC signed in order to support the behavior described in and . The zones used for these purposes SHOULD be publicly listed for network operators to use in securing their networks as described in .

TTL Values As stated in manufacturers MUST configure TTL values for management zone records that are appropriate for device operations, considering a balance between avoiding excessive query traffic, maintaining continuous operation in the event the resolver is unreachable, and accommodating potential changes in RDATA such as management IP addresses.

Guidance for Network Operators Most IoT devices do not have specific security software agents installed on them, as is typically the case with general-purpose operating systems, and supply chain vulnerabilities may mean that these devices are compromised before reaching the consumer. Network operators can use DNS resolvers to mitigate these risks, although this will vary depending on policy. These networks may be public, without restrictions on DNS usage, or may be private networks that could be dedicated to IoT devices where operators implement more security controls to mitigate these risks. Manufacturers should be aware of network operator DNS deployment options as devices will use these resolvers, even though this infrastructure is not under manufacturer's control. As some aspects of DNS security rely on the resolution process between stub resolver, resolver, and authoritative servers, as well as DNS record types (notably DNSSEC). It is also necessary for network operators to implement DNS in such a way as to support some of the recommendations in .

Resolvers Supporting DNSSEC In order to support improving device DNS security as described in resolvers SHOULD be configured to validate DNS responses using DNSSEC.

Blocking of Unmanaged or Malicious DNS Traffic Private network operators may block DNS traffic to any resolvers other than those managed by the operator, so that traffic is not bypassing any DNS security controls such as response policy zones or DNS traffic logging. This is more likely to be the case on enterprise or other private networks rather than service providers that don't want to limit customers using alternate resolvers. Where operators have networks dedicated to IoT devices, they MAY limit DNS resolution to only domain names used by those IoT devices to mitigate any impact in the event of a compromise to the device. Manufacturers SHOULD provide domain names used for communication to facilitate this and other security measures used to secure devices and identify those that are compromised. Manufacturer Usage Descriptions (MUDs) can provide details of domain names used in device operations that can then be added to DNS security controls.

Availability Providers SHOULD optimize resolver configurations to mitigate the security and operational risks identified in this document, provided that such optimizations do not adversely affect the operation of other DNS clients. Network operators SHOULD optimize DNS resolver configurations through the use of serve-stale mechanisms, as specified in . This is particularly recommended in environments dedicated to supporting IoT devices, in order to minimize operational disruption during DNS resolution failures. Furthermore, network operators MUST provide dual-stack DNS resolvers for IoT devices configured with both IPv4 and IPv6 connectivity, rather than limiting resolver support to IPv4 only. DNS queries are most commonly transported over UDP, and compromised devices have been used in DoS attacks by sending queries with forged source addresses. Therefore, network operators MUST implement network ingress filtering. Network operators SHOULD implement DNS Response Rate Limiting (RRL) on resolvers to mitigate high query volumes from devices causing DoS attacks against DNS infrastructure.

Security Considerations IoT devices are often deployed at scale, operate under resource constraints, and typically lack host-based security controls. Consequently, weaknesses in DNS behavior can increase exposure to spoofing, on-path attacks, amplification, and fingerprinting. The recommendations in this document improve the security properties of DNS resolution by promoting correct protocol behavior, reducing unnecessary or anomalous query traffic, and supporting the use of authenticated and integrity-protected data (e.g., DNSSEC) and encrypted transport. The effectiveness of these measures depends on coordinated deployment across stub resolvers, recursive resolvers, and authoritative servers. Partial deployment may reduce the benefits of some mechanisms. Residual risks remain, including device compromise outside the DNS layer, misconfiguration, or reliance on untrusted upstream resolvers. In addition, the use of encrypted DNS may limit network-based inspection and policy enforcement. This document does not introduce new protocols or mechanisms; it reduces the attack surface and improves the predictability and resilience of DNS interactions in IoT environments.

IANA Considerations This document has no IANA actions.

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder. Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation. By describing certain behavior that has previously not been standardized, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181. [STANDARDS-TRACK] The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. The widely deployed Extension Mechanisms for DNS (EDNS(0)) feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity, which supports the sending of large UDP responses by a DNS server. Large DNS/UDP messages are more likely to be fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting the response size where possible and signaling the need to upgrade from UDP to TCP transport where necessary. This document describes techniques to avoid IP fragmentation in DNS. This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS (Denial of Service) attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The term "Internet of Things" (IoT) denotes a trend where a large number of embedded devices employ communication services offered by Internet protocols. Many of these devices, often called "smart objects", are not directly operated by humans but exist as components in buildings or vehicles, or are spread out in the environment. Following the theme "Everything that can be connected will be connected", engineers and researchers designing smart object networks need to decide how to achieve this in practice. This document offers guidance to engineers designing Internet- connected smart objects. This document defines the use of cipher suites for TLS 1.3 based on Hashed Message Authentication Code (HMAC). Using these cipher suites provides server and, optionally, mutual authentication and data authenticity, but not data confidentiality. Cipher suites with these properties are not of general applicability, but there are use cases, specifically in Internet of Things (IoT) and constrained environments, that do not require confidentiality of exchanged messages while still requiring integrity protection, server authentication, and optional client authentication. This document gives examples of such use cases, with the caveat that prior to using these integrity-only cipher suites, a threat model for the situation at hand is needed, and a threat analysis must be performed within that model to determine whether the use of integrity-only cipher suites is appropriate. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of a reduced-security mechanism that provides authentication and message integrity without supporting confidentiality. The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. This document specifies IPv6 Router Advertisement (RA) options (called "DNS RA options") to allow IPv6 routers to advertise a list of DNS Recursive Server Addresses and a DNS Search List to IPv6 hosts. This document, which obsoletes RFC 6106, defines a higher default value of the lifetime of the DNS RA options to reduce the likelihood of expiry of the options on links with a relatively high rate of packet loss. This document describes the Dynamic Host Configuration Protocol for IPv6 (DHCPv6): an extensible mechanism for configuring nodes with network configuration parameters, IP addresses, and prefixes. Parameters can be provided statelessly, or in combination with stateful assignment of one or more IPv6 addresses and/or IPv6 prefixes. DHCPv6 can operate either in place of or in addition to stateless address autoconfiguration (SLAAC). This document updates the text from RFC 3315 (the original DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a client should wait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay agent handling of unknown messages (RFC 7283). In addition, this document clarifies the interactions between models of operation (RFC 7550). As such, this document obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550. This document specifies the current set of DHCP options. Future options will be specified in separate RFCs. The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK] This document specifies new DHCP and IPv6 Router Advertisement options to discover encrypted DNS resolvers (e.g., DNS over HTTPS, DNS over TLS, and DNS over QUIC). Particularly, it allows a host to learn an Authentication Domain Name together with a list of IP addresses and a set of service parameters to reach such encrypted DNS resolvers. This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known. In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data, (2) a response indicating the requested data does not exist, or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of TYPE 2 responses is mandatory and caching of TYPE 3 responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures. RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures. RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones. This document defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data. One of the motivations for serve-stale is to make the DNS more resilient to DoS attacks and thereby make them less attractive as an attack vector. This document updates the definitions of TTL from RFCs 1034 and 1035 so that data can be kept in the cache beyond the TTL expiry; it also updates RFC 2181 by interpreting values with the high-order bit set as being positive, rather than 0, and suggests a cap of 7 days. This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS. This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic. This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios. This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange. This document specifies the EDNS(0) "Padding" option, which allows DNS clients and servers to pad request and response messages by a variable number of octets. RFC 7830 specifies the "Padding" option for Extension Mechanisms for DNS (EDNS(0)) but does not specify the actual padding length for specific applications. This memo lists the possible options ("padding policies"), discusses the implications of each option, and provides a recommended (experimental) option. This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC. This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]

Acknowledgments We thank the researchers, reviewers, and engineers who contributed to the analysis and testing process. The authors thank Mohamed Boucadair, Chris Box, Ross Gibson, Eliot Lear, Martine Sophie Lenders, Jim Reid, Michael Richardson and Hannes Tschofenig for their contributions, questions and comments.