RFC 9539

Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS, February 2024

D. K. Gillmor, Ed.
J. Salazar, Ed.
P. Hoffman, Ed.
dprive (int)

DOI:  https://doi.org/10.17487/RFC9539

Discuss this RFC: Send questions or comments to the mailing list dns-privacy@ietf.org


This document sets out steps that DNS servers (recursive resolvers and authoritative servers) can take unilaterally (without any coordination with other peers) to defend DNS query privacy against a passive network monitor. The protections provided by the guidance in this document can be defeated by an active attacker, but they should be simpler and less risky to deploy than more powerful defenses.

The goal of this document is to simplify and speed up deployment of opportunistic encrypted transport in the recursive-to-authoritative hop of the DNS ecosystem. Wider easy deployment of the underlying encrypted transport on an opportunistic basis may facilitate the future specification of stronger cryptographic protections against more-powerful attacks.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.
