| Internet-Draft | DNS Transport Signaling | October 2025 |
| Stenstam, et al. | Expires 23 April 2026 | [Page] |
This document proposes a mechanism for authoritative DNS servers to signal their support for alternative transport protocols (e.g., DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ)). This signaling may either be provided within the Additional section of authoritative DNS responses or be the result of direct DNS queries.¶
The former, "opportunistic mode" is hint-based and aims to enable resolvers to discover alternative transports efficiently and then opportunistically upgrade connections to the authoritative, thereby improving privacy, security, and performance for subsequent interactions. The mechanism is designed to not require any protocol change or additional queries. It is safe, backward-compatible, and effective even when DNSSEC validation of the hint is not possible or desired.¶
In certain circumstances and with additional overhead it is also possible to use direct queries to securely obtain authentication information for the authoritative that can then be used to authenticate an encrypted connection.¶
It is also possible to establish a "validated mode" where the communication between the resolver and the authoritative server is provably both secure and authentic. Validated mode may not always be possible, depending on whether the resolver is able to DNSSEC validate the signal or not. When Validated mode is possible it does provide a stronger and more trustworthy connection.¶
This document proposes an improvement to the opportunistic (but blind) testing of alternative transports suggested in RFC9539 by providing a mechanism by which a responding authoritative server may signal what alternative transports it supports.¶
TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/johanix/draft-johani-dnsop-transport-signaling. The most recent working version of the document, open issues, etc, should all be available there. The authors (gratefully) accept pull requests.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 23 April 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Domain Name System (DNS) primarily relies on UDP and TCP for communication between resolvers and authoritative servers. While these protocols are well-established, there is a growing interest in leveraging modern transport protocols like DNS over TLS (DoT) [RFC7858], DNS over HTTPS (DoH) [RFC9461] and DNS over QUIC (DoQ) [RFC9250] to enhance privacy, security, and performance.¶
Clients of authoritative servers (recursive resolvers) may employ various policies (usage profiles) when attempting to connect to an authoritative. Two policies are described for the stub to recursive case in RFC8310, Strict and Opportunistic which are also applicable here:¶
Strict mode relies on the client having securely discovered authentication information (e.g. a name or SPKI) for the server and then choosing to hard fail if an authenticated encrypted connection cannot be established. This protects against active attack on the resulting connection (however a denial-of-service attack is possible).¶
Opportunistic mode ([RFC7435]) starts with cleartext as a baseline with upgrade to encrypted transport and authentication of the connection when available. This is a best effort attempt to set up an encrypted DNS transport connection. This can provide enhanced privacy against a passive attacker. However an active attacker may be able to force a downgrade to unencrypted DNS.¶
Opportunistic mode can proceed based on, for example, probing of server capabilities (as in [RFC9539]) however a mechanism to signal such capabilities has a number of advantages.¶
Existing efforts to signal service connection information, such as the SVCB and HTTPS DNS records [RFC9460] [RFC9461], primarily focus on service discovery mechanisms where a client explicitly queries for these records, often from a parent zone. While robust, this approach can introduce additional latency and requires explicit configuration at the parent zone level.¶
This document proposes a new hint-based "DNS Transport Signaling" (DTS) mechanism. DTS, aka an "DTS Hint" allows an authoritative DNS nameserver to directly convey its transport capabilities as a hint within the Additional section of responses to queries where it identifies itself as an authoritative nameserver for the requested zone. This direct, in-band signaling provides a low-latency discovery path, even when a formal, validated signal is not available. Furthermore, this is achieved without any changes to the DNS Protocol.¶
The information conveyed by this hint alone signals only the capabilities of the authoritative nameserver serving the zone. It does not, therefore, establish a full chain of trust directly to the zone itself and should be considered as insecure. It should not be used as a basis of a Strict policy, only to enable Opportunistic transport. However, receiving such a signal enables resolvers to immediately attempt to establish an opportunistically encrypted connection to the resolver without further queries being required.¶
The focus of this document is the hint-based signaling of transport capabilities, however Section 6.2 outlines in detail the specific requirements for how DNSSEC signed authoritatives can provide, and willing resolvers can directly query for, a set of records than can securely provide authentication information for an authoritative nameserver that a resolver could then use to implement a Strict usage policy.¶
The above text discusses discovery of transport signals and authentication information in queries made by the recursive resolver. Those queries may or may not occur over encrypted or authenticated connections. Only when all the connections are authenticated are all the queries protected from active surveillance. If all the connections are opportunistically encrypted then the queries are protected from passive surveillance. Otherwise they may occur in cleartext, or a combination of circumstances may exist.¶
Such queries leak the name of the zone that the resolver wishes to ultimately query which in itself can be sensitive. During the early stages of the incremental rollout of technologies such as recursive to authoritative encrypted connections it is unlikely that fully confidential discovery will be possible due to the nature of the DNS hierarchy. However, if large TLDs and/or those hosted by large CDNs support encrypted transports a significant number of queries from busy resolvers to discovery information on TLD child zones (and below) could be performed confidentially thereby greatly improving the privacy over the current situation.¶
An attempt at utilizing more modern, and in particular, more private transports between resolvers and authoritative nameservers was introduced in [RFC9539]. The idea there was to opportunistically try to send the query to the authoritative nameserver over multiple transports with no prior knowledge of whether a transport was supported in the receiving end or not.¶
The drawback with that approach is that without any significant deployment of authoritative support the resolver end will mostly spend cycles and traffic on a wasted effort. For this reason their deployment has been limited.¶
Furthermore, in Appendix B of [RFC9539] requirements for improving the defense against an active attacker are listed. The first requirement is:¶
A signaling mechanism that tells the recursive resolver that the authoritative server intends to offer authenticated encryption.¶
This document aims to provide exactly such a mechanism while staying within the current DNS protocol. Therefore the DNS transport signaling provided will be hint-based, and as such fit well as an improvement to [RFC9539].¶
See Appendix A for the rationale for using the Additional section for the transport signaling hint.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.¶
Authoritative Nameserver (Auth Server): A DNS server that holds the authoritative zone data for a specific domain.¶
Recursive Nameserver (Resolver): A DNS server that processes user queries, performing iterative lookups to authoritative servers to resolve domain names.¶
DTS Hint: An SVCB record included in the Additional section of an authoritative DNS response, intended to signal the responding authoritative nameserver's transport capabilities.¶
SVCB Record: Service Binding record, as defined in [RFC9460].¶
This document describes a mechanism of DNS transport signaling intended to result in improved communication between the resolver and the authoritative nameserver. This DNS transport signal is provided via an SVCB record that describes the transport capabilities of the authoritative server.¶
In the easiest case the resolver will be able to communicate securely with the authoritative server using an encrypted channel (like DoQ or DoT), but the resolver does not have the identity of the authoritative server proven. This is referred to as "opportunistic mode" and is essentially equivalent to the communication used today over UDP/TCP with the addition of privacy.¶
The second level of communication is when the resolver is able to verify the identity of the authoritative server via validation of a DNSSEC signature over the DNS transport signal (which is contained in an SVCB record). This is referred to as "validated mode" and is equivalent to the opportunistic mode plus knowledge that the DNS transport signal provably describes the authoritative server that the resolver is communicating with.¶
In opportunistic mode, the authoritative server and the recursive resolver make a best effort attempt to set up an encrypted DNS transport connection. This provides enhanced privacy against a passive attacker. However an active attacker may be able to force a downgrade to unencrypted DNS.¶
This section looks at the various configurations that need to be supported.¶
For opportunistic mode to be possible, the authoritative server needs to provide the recursive resolver with the DNS transport signaling record even when the recursive resolver does not explicitly ask for it (i.e. as a hint, in the Additional Section). For example by adding it to the result of an A or AAAA query for a name server. The recursive resolver accepts such a record and uses it to set up a secure transport.¶
There are three zones that matter in this analysis: the parent zone, the child zone, and the zone that contains the name server addresses and transport signaling records. Note that the name server addresses may be located in the child zone. And some of the three zones may be served by the same name server.¶
The parent zone contains the delegation NS RRset for the child which is not DNSSEC signed. Therefore it does not matter if the parent zone is DNSSEC signed or not in terms of validating the child’s NS RRset.¶
For the child zone there are also two possibilities, the child zone is DNSSEC secure or not.¶
For the nameserver transport signaling there are two possibilities: either the zone that holds the nameserver information is DNSSEC secure or it is DNSSEC insecure (i.e. the signaling needs to be learned opportunistically and later possibly be validated by direct query to the SVCB owner name).¶
There are cases where validated transport signaling is unavailable. One case is when the zone that holds the nameserver records is not DNSSEC secure. In that case obtaining transport signaling in a validated way is not possible without additional trust.¶
Another case is where the parent zone does not provide a path that allows validating the child’s NS RRset and the child zone is not DNSSEC secure. In that case obtaining a list of the child's nameservers in a validated way is impossible.¶
The remaining cases can be analysed as follows.¶
If the zone that holds the nameserver records is DNSSEC secure then it is often sufficient if the nameserver adds DNS transport signaling along with an A or AAAA response (including signatures).¶
If no signed signaling is received opportunistically then the resolver SHOULD issue an explicit query for the SVCB RRset at the SVCB owner name (_dns.{nameserver FQDN}) to obtain a validated signal or a secure denial of existence.¶
Opportunistic mode applies when the DTS Hint (the SVCB record) for the authoritative nameserver is received opportunistically in the Additional section as part of the response to a DNS query for something else. The hint may or may not be DNSSEC-signed and may or may not be successfully validated by the resolver.¶
If the SVCB record and its signatures are DNSSEC-validated, the resolver MAY treat it equivalently to Validated mode for the corresponding data.¶
If the SVCB record is not validated (e.g., unsigned, or validation fails), then:¶
The resolver MAY use only positive "alpn" entries to attempt a transport upgrade (e.g., dot, doq).¶
The resolver MUST ignore the negative transport signal "-do53", if present.¶
The resolver MUST ignore ipv4hint, ipv6hint, tlsa, and any other parameters that affect addressing or authentication.¶
The resolver MUST be prepared to immediately fall back to traditional UDP/TCP (Do53) upon failure or timeout.¶
Opportunistic mode enables low-latency discovery without requiring changes at parent zones or prior configuration, while containing risk by limiting use of unvalidated data to only positive upgrade attempts.¶
Validated mode applies when the resolver explicitly queries for the SVCB RRset at the SVCB owner name for the nameserver (i.e., _dns.{nameserver FQDN}) and obtains a DNSSEC-signed response that is successfully validated to the appropriate trust anchor.¶
The resolver MUST issue a direct query for the SVCB RRset at _dns.{nameserver FQDN}.¶
The resolver MUST successfully DNSSEC-validate the SVCB RRset and its RRSIGs.¶
When validated, the resolver MAY use all fields of the SVCB RDATA for connection establishment and policy decisions, including:¶
alpn: positive transport signals (e.g., dot, doq) and the negative transport signal "-do53" (if present).¶
ipv4hint / ipv6hint: address hints for the authoritative nameserver.¶
tlsa: a new SVCB parameter defined by this document that conveys the TLSA record to authenticate TLS/QUIC connections to the authoritative nameserver.¶
If a validated SVCB contains the explicit negative transport signal "-do53", the resolver SHOULD honor it. The "-do53" signal indicates that legacy UDP/TCP is NOT supported by this authoritative nameserver and the resolver SHOULD attempt only other advertised transports (if any). If all transport alternatives fail in the validated case the resolver SHOULD treat that server as unreachable and prefer other authoritative servers for the zone.¶
Validated transport signals MUST take precedence over Opportunistic transport signals.¶
A validated Opportunistic transport signal is equivalent to a Validated transport signal for policy and usage purposes.¶
An Opportunistic (unvalidated) transport signal MUST NOT be used to enforce negative transport policy ("-do53"), alter addressing ("ipv4hint/ipv6hint"), or bootstrap authentication material ("tlsa").¶
Resolvers MAY cache Validated-mode SVCB information according to its TTL and MAY use the EDNS(0) No-DTS option to avoid redundant hints when sufficient information is cached.¶
In Opportunistic mode, resolvers MAY cache positive "alpn" results subject to local policy (see Resolver Caching Strategies). When a resolver has sufficient cached information, it SHOULD set No-DTS to reduce response size and limit unnecessary hints.¶
Opportunistic:¶
Validated:¶
MAY use: alpn: "doq", "dot", "h2", "h3", "-do53", ipv4hint, ipv6hint, tlsa, and other defined parameters.¶
Implementation note: - Existing resolvers that do not understand the alpn="-do53" token or the new "tlsa" parameter will ignore them and remain interoperable. Clients implementing this specification MUST follow the above mode-dependent processing and precedence rules.¶
The core of this proposal is for an authoritative nameserver to include a DNS transport signal in the form of an SVCB record in the Additional section of its responses under specific conditions.¶
This consists of three parts. The first two are the behaviour of the authoritative nameserver receiving the query and the behaviour of the recursive nameserver receiving the response. The final part is a new EDNS(0) option that defines an OPT-OUT capability.¶
Recursive nameservers adopting this mechanism SHOULD implement the following logic:¶
OPT-OUT Possibility: If the resolver already thinks that it knows the transport capabilities of the authoritative nameserver it is about to send a query to it may opt out from DNS transport signaling by including an EDNS(0) "No-DTS" option in the query.¶
It is important to be aware that using the No-DTS option consistently will make the resolver blind to any changes in the transport signals, which is clearly not acceptable. Hence any use of "No-DTS" should be restricted to only be used within the TTL of an already received and parsed DTS Hint.¶
Opportunistic Parsing: When receiving an authoritative DNS response, the resolver SHOULD parse the Additional section for SVCB records.¶
Owner Check: If an SVCB record is found whose owner name matches the "_dns" label followed by an authoritative nameserver name for the zone to which the query belongs, the resolver MAY consider this an DTS Hint.¶
DNSSEC Validation (Optional but Recommended):¶
The resolver SHOULD attempt to DNSSEC validate the DTS Hint. This involves validating the SVCB record itself and its corresponding RRSIG (if present) against the DNSSEC chain of trust for the zone that owns the SVCB record (e.g., dnsprovider.com for _dns.ns.dnsprovider.com).¶
If validation succeeds: The DTS Hint is considered a trusted signal. The resolver MAY then use all the transport signals provided in the SVCB record when deciding on alternative transport choices for subsequent queries to that specific authoritative nameserver.¶
If validation fails, or no RRSIG is present: The DTS Hint MUST be treated as an unvalidated hint. The resolver MAY still opportunistically attempt to use the signaled alternative transports, but MUST be prepared for immediate fallback to traditional transports (UDP/TCP) if the connection fails. This is particularly relevant for scenarios like vanity names (e.g., ns.customer.com where customer.com is an unsigned zone, but the underlying server ns.dnsprovider.com is capable).¶
Prioritization: * Any DNSSEC-validated SVCB record found via explicit query (e.g., _dns.ns.example.com for a queried domain) MUST take precedence over any unvalidated DTS Hint.¶
The DTS Hint is a mechanism to discover capabilities opportunistically, not to override trusted delegation or service configuration.¶
Fallback: Resolvers MUST always be prepared to fall back to traditional UDP/TCP transport if an attempt to use an alternative transport based on an DTS Hint (especially an unvalidated one) fails or times out.¶
If an unvalidated opportunistic transport signal has been received the resolver may choose to upgrade that signal, either immediately or when the transport signal is close to expiration from the resolver cache. An upgraded transport signal allows the resolver to operate in Validated mode, and then use all the information in the SVCB record (including "-do53", ipv4hint/ipv6hint, and tlsa).¶
Resolvers implementing the DNS DTS Hint mechanism have several options for caching the transport signals received via DTS Hints.¶
A suggested primary strategy is to set the EDNS(0) No-DTS option when no transport signaling information is needed. This may be because the resolver already knows the authoritative nameserver's transport capabilities from a previous response (with a TTL that has not expired) or for some other reason.¶
The primary caching strategy SHOULD be "Standard DNS Cache", i.e. treat the SVCB record like any other DNS record, caching it according to its TTL. This is the simplest approach and will simply cause the resolver to fall back to UDP for one query if the transport signal data has expired.¶
For a more detailed analysis of possible caching logic, see [RFC9539], section 4.¶
Note that the resolver always has the option of not using the EDNS(0) No-DTS option whenever the cache entry is getting close to expiry.¶
Given the variety of deployment scenarios and operational requirements, this document does not mandate a specific caching strategy. Implementers SHOULD choose a strategy that best fits their operational needs, considering factors such as:¶
The importance of minimizing connection attempts¶
The impact of failed connection attempts¶
The computational cost of different caching strategies¶
The memory requirements of maintaining cache state¶
The chosen strategy SHOULD be documented in the implementation's configuration options to allow operators to make informed decisions about its use.¶
To provide a mechanism for resolvers to explicitly opt out of receiving transport signals, this document defines a new EDNS(0) option called "No-DTS". When included in a query, this option signals to the authoritative server that the resolver does not want to receive any transport signals in the response.¶
The typical use case is to set the EDNS(0) No-DTS option when the resolver already has the transport information it needs.¶
The EDNS(0) No-DTS option is structured as follows:¶
1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
0: | OPTION-CODE |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
2: | OPTION-LENGTH |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
¶
Field definition details:¶
OPTION-CODE: 2 octets / 16 bits (defined in [RFC6891]) contains the value TBD for No-DTS.¶
OPTION-LENGTH: 2 octets / 16 bits (defined in [RFC6891]) contains the length of the payload in octets. For the No-DTS option, this value MUST be 0 as there is no payload.¶
When an authoritative server receives a query containing the EDNS(0) No-DTS option, it SHOULD NOT include any DTS Hints in the response, regardless of whether it would normally do so based on the conditions described in Section 5.1.¶
This option provides a clean way for resolvers to opt out of receiving transport signals, which may be useful in scenarios where:¶
The resolver has recently established transport preferences for a particular authoritative server and that transport signal has not expired.¶
The resolver does not support or does not want to use alternative transports¶
The resolver wants to minimize response sizes¶
The resolver is operating in an environment where transport signals are not needed or desired¶
The No-DTS option is designed to be a simple, lightweight mechanism that can be used to disable transport signaling without affecting the normal operation of DNS resolution.¶
The idea to use an SVCB alpn parameter for transport signaling originated with the work on DELEG [I-D.draft-ietf-deleg]. The current document uses the same data format, but as an opportunistic addition to the Additional section rather than as integral part of a changed delegation mechanism.¶
Both mechanisms have distinct use cases, and pros and cons. The major advantage of the DELEG mechanism is that it cannot be spoofed or filtered, as it is an integral part of an upcoming protocol change.¶
The opportunistic mechanism described here has the major advantage of being available immediately without any changes to the DNS protocol. Furthermore, as it is a signal directly from an authoritative nameserver, a single DTS Hint may allow the recipient recursive nameserver to upgrade the transport used for all the zones served by that authoritative nameserver (which may be millions) without the need to make any changes to the zones, nor to the parent zones.¶
Given the current DNS landscape with a limited number of very large providers of authoritative DNS service and a limited number of large providers of recursive DNS service the opportunistic model described here has the potential of enabling upgrading the transport for a significant fraction of the DNS traffic with a limited amount of effort.¶
Spoofing of Unvalidated Hints: An DTS Hint that cannot be DNSSEC validated (e.g., for ns.example.com where example.com is unsigned) is susceptible to spoofing by an on-path attacker. Such an attacker could insert a fake SVCB record advertising a non-existing transport, thereby denying connection over that transport. However, since the hint is opportunistic and not required for DNS resolution, the worst-case scenario is that the resolver attempts a connection that fails and then falls back to traditional transports. Security for the actual DNS data remains unaffected. The cryptographic validation of TLS/QUIC (via X.509 certificates) for DoT/DoQ would still protect the integrity and privacy of the connection itself.¶
DNSSEC Validation: When a DTS Hint is signed by DNSSEC (e.g., the ns.dnsprovider.net SVCB record from a signed dnsprovider.net zone), it provides a trusted signal. Resolvers SHOULD leverage DNSSEC validation to distinguish between trusted and unvalidated hints.¶
No New Attack Vectors: This mechanism does not introduce new attack vectors for DNS data itself, as it primarily concerns transport discovery. It relies on the existing security properties of DoT, DoH and DoQ for actual session security.¶
Safe Rollout: As existing recursive nameservers carefully avoid data in the Additional section that they do not need, the DTS Hint will be ignored by everyone except recursive nameservers that understand the DTS Hint.¶
No-DTS enables a downgrade attack: If an attacker is able to inject a No-DTS option to an outbound query then no transport signal will be provided. However, this is a consequence of the opportunistic nature of the DTS Hint and not worse than not being able to do transport signaling at all.¶
Response Size: Including an SVCB record in the Additional section will increase the size of UDP responses. Authoritative server operators should consider the potential for UDP fragmentation or TCP fallback if responses become excessively large, though a single SVCB record is typically small. Recursive nameservers should usually set the EDNS(0) No-DTS when they already have the transport signaling information.¶
Server Configuration: Authoritative server implementations will need configuration options to enable this feature and manage the identities list.¶
Rollout Strategy: This mechanism supports a gradual rollout. Authoritative servers can begin sending hints without requiring changes from resolvers, and resolvers can begin processing hints without requiring all authoritative servers to implement the feature.¶
Monitoring: As there is extremely limited data on effects of alternative DNS transports for communication resolver to authoritative nameserver it is strongly suggested that monitoring (of use, resource consumption, etc) is considered.¶
This document defines a new EDNS(0) option, entitled "No-DTS", assigned a value of TBD in the "DNS EDNS0 Option Codes" registry.¶
+-------+--------------------------+----------+----------------------+ | Value | Name | Status | Reference | +-------+--------------------------+----------+----------------------+ | TBD | No-DTS | Standard | ( This document ) | +-------+--------------------------+----------+----------------------+¶
Note to the RFC Editor: In this section, please replace occurrences of "(This document)" with a proper reference.¶
This document requests registration of a new SVCB/HTTPS parameter in the "SVCB and HTTPS Parameters" registry:¶
+-------+--------+--------------------+----------------------+ | Key | Name | Meaning | Reference | +-------+--------+--------------------+----------------------+ | TBD | tlsa | Carries TLSA data | ( This document ) | +-------+--------+--------------------+----------------------+¶
Presentation and wire format: The value carries one or more TLSA RRs associated with the nameserver endpoint. Exact encoding and size limits are defined by this document (TBD). Use of this parameter is appropriate only when the containing SVCB RRset is DNSSEC-validated (see Section 3).¶
This document updates the "alpn" SVCB parameter with one additional token, "-do53", used to signal lack of support for UDP/TCP, i.e. a negative transport capability. Note that at present support for UDP/TCP is required for authoritative nameservers.¶
The "-do53" token has two use cases. The first is for temporary service interruptions (i.e. a busy nameserver that only supports UDP/TCP transport may signal alpn="-do53" prior to being offline for maintenance). The second is for a future where a significant fraction of authoritative DNS traffic has migrated to encrypted transports and it may be reasonable to not support every transport at every nameserver.¶
IANA is requested to add the "-do53" token to the list of defined tokens for the "SVCB and HTTPS Parameters" registry entry for "alpn" and reference this document. A new ALPN ID must be allocated for "-do53".¶
Many people have commented and contributed to this document in different ways. In no particular order and with a significant risk of forgetting someone: The participants of the DELEG Working Group, Peter Thomassen, Christian Elmerot, John Todd, Peter Koch, Willem Toorop, Peter van Dijk.¶
Note to the RFC Editor: Please remove this entire section before publication.¶
When designing a mechanism that relies on sending new information in DNS responses without changing the current DNS protocol, the Additional section has the major advantage of being ignored by legacy software. This property makes it possible to essentially deploy the proposed mechanism immediately, as it will not cause problems with existing DNS infrastructure.¶
Existing authoritative nameservers will not provide any DTS Hint in the Additional section.¶
Existing resolvers will actively ignore any DTS Hint in the Additional section.¶
Only DNS nameservers (authoritative or recursive) that are aware of the proposed mechanism will use it.¶
The downside is that it is not possible to strictly rely on anything specific being present in the Additional section, as it may be stripped off by a middle man or even by the sending nameserver (eg. due to packet size constraints). For this reason it is not possible to provide more than an opportunistic transport signal when the signal is not explicitly queried for.¶
This is usually a major issue and the primary reason that data in the Additional section is actively ignored by resolvers. In this particular case, though, even an untrusted transport signal is better than no signal at all. Furthermore, the only effect of a forged or otherwise incorrect transport signal is a, typically failed, connection attempt to an authoritative nameserver that does not support the advertised transport. This will cause immediate fallback to "Do53", i.e. traditional DNS over UDP/TCP and the non-availability of the advertised transport will be remembered by the resolver (for some suitable time).¶
Hence, using the Additional section for opportunistic transport
signaling has vastly more benefits than drawbacks.¶
If the transport signal is present in the Additional section, it may or may not be possible to validate it (if it has a DNSSEC signature).¶
This is necessary to bee able to trust more sensitive signals. A positive signal inserted by an on-path attacker (eg. claiming DoQ support when this is false) would not be catastrophic. However, a false negative alpn="-do53" signal (eg. claiming no Do53 support while such support is present) would be potentially catastrophic. For this reason (ability to trust more sensitive signals) the connection between resolver and authoritative server must be in Validated Mode.¶
This appendix defines a presentation-time extension to the SVCB "alpn" parameter that allows an authoritative nameserver to signal explicit non-support of a transport by prefixing an existing ALPN token with a hyphen ("-"). For example, "-do53" indicates that legacy UDP/TCP transport is not supported.¶
Processing rules: - The "-do53" negative token is only actionable when the SVCB RRset is DNSSEC-validated (Validated mode). In these cases, resolvers SHOULD honor the "-do53" token when selecting transports. - In Opportunistic (unvalidated) mode, resolvers MUST ignore the "-do53" negative token.¶
Examples: - alpn="dot,doq" -> Indicates support for DoT and DoQ. - alpn="-do53,dot" -> Indicates no Do53; use DoT (validated modes only). - alpn="-do53,doq,dot" -> Indicates no Do53; prefer DoQ/DoT (validated modes only).¶
Interoperability considerations: - Implementations that do not understand the alpn "-do53" negative token will ignore it per SVCB parameter processing and remain interoperable. - This alpn token does not alter on-the-wire encoding for ALPN; it is a presentation-layer convention. IANA considerations for documentation of this convention are provided in Section 11.3.¶
Initial public draft¶