draft-ietf-dprive-bcp-op-02.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />

  <title>Recommendations for DNS Privacy Service Operators</title>

  <style type="text/css" title="Xml2Rfc (sans serif)">
  /*<![CDATA[*/
	  a {
	  text-decoration: none;
	  }
      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
      a.info {
          /* This is the key. */
          position: relative;
          z-index: 24;
          text-decoration: none;
      }
      a.info:hover {
          z-index: 25;
          color: #FFF; background-color: #900;
      }
      a.info span { display: none; }
      a.info:hover span.info {
          /* The span will display just on :hover state. */
          display: block;
          position: absolute;
          font-size: smaller;
          top: 2em; left: -5em; width: 15em;
          padding: 2px; border: 1px solid #333;
          color: #900; background-color: #EEE;
          text-align: left;
      }
	  a.smpl {
	  color: black;
	  }
	  a:hover {
	  text-decoration: underline;
	  }
	  a:active {
	  text-decoration: underline;
	  }
	  address {
	  margin-top: 1em;
	  margin-left: 2em;
	  font-style: normal;
	  }
	  body {
	  color: black;
	  font-family: verdana, helvetica, arial, sans-serif;
	  font-size: 10pt;
	  max-width: 55em;
	  
	  }
	  cite {
	  font-style: normal;
	  }
	  dd {
	  margin-right: 2em;
	  }
	  dl {
	  margin-left: 2em;
	  }
	
	  ul.empty {
	  list-style-type: none;
	  }
	  ul.empty li {
	  margin-top: .5em;
	  }
	  dl p {
	  margin-left: 0em;
	  }
	  dt {
	  margin-top: .5em;
	  }
	  h1 {
	  font-size: 14pt;
	  line-height: 21pt;
	  page-break-after: avoid;
	  }
	  h1.np {
	  page-break-before: always;
	  }
	  h1 a {
	  color: #333333;
	  }
	  h2 {
	  font-size: 12pt;
	  line-height: 15pt;
	  page-break-after: avoid;
	  }
	  h3, h4, h5, h6 {
	  font-size: 10pt;
	  page-break-after: avoid;
	  }
	  h2 a, h3 a, h4 a, h5 a, h6 a {
	  color: black;
	  }
	  img {
	  margin-left: 3em;
	  }
	  li {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  ol {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  ol p {
	  margin-left: 0em;
	  }
	  p {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  pre {
	  margin-left: 3em;
	  background-color: lightyellow;
	  padding: .25em;
	  }
	  pre.text2 {
	  border-style: dotted;
	  border-width: 1px;
	  background-color: #f0f0f0;
	  width: 69em;
	  }
	  pre.inline {
	  background-color: white;
	  padding: 0em;
	  }
	  pre.text {
	  border-style: dotted;
	  border-width: 1px;
	  background-color: #f8f8f8;
	  width: 69em;
	  }
	  pre.drawing {
	  border-style: solid;
	  border-width: 1px;
	  background-color: #f8f8f8;
	  padding: 2em;
	  }
	  table {
	  margin-left: 2em;
	  }
	  table.tt {
	  vertical-align: top;
	  }
	  table.full {
	  border-style: outset;
	  border-width: 1px;
	  }
	  table.headers {
	  border-style: outset;
	  border-width: 1px;
	  }
	  table.tt td {
	  vertical-align: top;
	  }
	  table.full td {
	  border-style: inset;
	  border-width: 1px;
	  }
	  table.tt th {
	  vertical-align: top;
	  }
	  table.full th {
	  border-style: inset;
	  border-width: 1px;
	  }
	  table.headers th {
	  border-style: none none inset none;
	  border-width: 1px;
	  }
	  table.left {
	  margin-right: auto;
	  }
	  table.right {
	  margin-left: auto;
	  }
	  table.center {
	  margin-left: auto;
	  margin-right: auto;
	  }
	  caption {
	  caption-side: bottom;
	  font-weight: bold;
	  font-size: 9pt;
	  margin-top: .5em;
	  }
	
	  table.header {
	  border-spacing: 1px;
	  width: 95%;
	  font-size: 10pt;
	  color: white;
	  }
	  td.top {
	  vertical-align: top;
	  }
	  td.topnowrap {
	  vertical-align: top;
	  white-space: nowrap; 
	  }
	  table.header td {
	  background-color: gray;
	  width: 50%;
	  }
	  table.header a {
	  color: white;
	  }
	  td.reference {
	  vertical-align: top;
	  white-space: nowrap;
	  padding-right: 1em;
	  }
	  thead {
	  display:table-header-group;
	  }
	  ul.toc, ul.toc ul {
	  list-style: none;
	  margin-left: 1.5em;
	  margin-right: 0em;
	  padding-left: 0em;
	  }
	  ul.toc li {
	  line-height: 150%;
	  font-weight: bold;
	  font-size: 10pt;
	  margin-left: 0em;
	  margin-right: 0em;
	  }
	  ul.toc li li {
	  line-height: normal;
	  font-weight: normal;
	  font-size: 9pt;
	  margin-left: 0em;
	  margin-right: 0em;
	  }
	  li.excluded {
	  font-size: 0pt;
	  }
	  ul p {
	  margin-left: 0em;
	  }
	
	  .comment {
	  background-color: yellow;
	  }
	  .center {
	  text-align: center;
	  }
	  .error {
	  color: red;
	  font-style: italic;
	  font-weight: bold;
	  }
	  .figure {
	  font-weight: bold;
	  text-align: center;
	  font-size: 9pt;
	  }
	  .filename {
	  color: #333333;
	  font-weight: bold;
	  font-size: 12pt;
	  line-height: 21pt;
	  text-align: center;
	  }
	  .fn {
	  font-weight: bold;
	  }
	  .hidden {
	  display: none;
	  }
	  .left {
	  text-align: left;
	  }
	  .right {
	  text-align: right;
	  }
	  .title {
	  color: #990000;
	  font-size: 18pt;
	  line-height: 18pt;
	  font-weight: bold;
	  text-align: center;
	  margin-top: 36pt;
	  }
	  .vcardline {
	  display: block;
	  }
	  .warning {
	  font-size: 14pt;
	  background-color: yellow;
	  }
	
	
	  @media print {
	  .noprint {
		display: none;
	  }
	
	  a {
		color: black;
		text-decoration: none;
	  }
	
	  table.header {
		width: 90%;
	  }
	
	  td.header {
		width: 50%;
		color: black;
		background-color: white;
		vertical-align: top;
		font-size: 12pt;
	  }
	
	  ul.toc a::after {
		content: leader('.') target-counter(attr(href), page);
	  }
	
	  ul.ind li li a {
		content: target-counter(attr(href), page);
	  }
	
	  .print2col {
		column-count: 2;
		-moz-column-count: 2;
		column-fill: auto;
	  }
	  }
	
	  @page {
	  @top-left {
		   content: "Internet-Draft"; 
	  } 
	  @top-right {
		   content: "December 2010"; 
	  } 
	  @top-center {
		   content: "Abbreviated Title";
	  } 
	  @bottom-left {
		   content: "Doe"; 
	  } 
	  @bottom-center {
		   content: "Expires June 2011"; 
	  } 
	  @bottom-right {
		   content: "[Page " counter(page) "]"; 
	  } 
	  }
	
	  @page:first { 
		@top-left {
		  content: normal;
		}
		@top-right {
		  content: normal;
		}
		@top-center {
		  content: normal;
		}
	  }
  /*]]>*/
  </style>

  <link href="#rfc.toc" rel="Contents"/>
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction"/>
<link href="#rfc.section.2" rel="Chapter" title="2 Scope"/>
<link href="#rfc.section.3" rel="Chapter" title="3 Privacy related documents"/>
<link href="#rfc.section.4" rel="Chapter" title="4 Terminology"/>
<link href="#rfc.section.5" rel="Chapter" title="5 Recommendations for DNS privacy services"/>
<link href="#rfc.section.5.1" rel="Chapter" title="5.1 On the wire between client and server"/>
<link href="#rfc.section.5.1.1" rel="Chapter" title="5.1.1 Transport recommendations"/>
<link href="#rfc.section.5.1.2" rel="Chapter" title="5.1.2 Authentication of DNS privacy services"/>
<link href="#rfc.section.5.1.3" rel="Chapter" title="5.1.3 Protocol recommendations"/>
<link href="#rfc.section.5.1.4" rel="Chapter" title="5.1.4 Availability"/>
<link href="#rfc.section.5.1.5" rel="Chapter" title="5.1.5 Service options"/>
<link href="#rfc.section.5.1.6" rel="Chapter" title="5.1.6 Impact on Operators"/>
<link href="#rfc.section.5.1.7" rel="Chapter" title="5.1.7 Limitations of using a pure TLS proxy"/>
<link href="#rfc.section.5.2" rel="Chapter" title="5.2 Data at rest on the server"/>
<link href="#rfc.section.5.2.1" rel="Chapter" title="5.2.1 Data handling"/>
<link href="#rfc.section.5.2.2" rel="Chapter" title="5.2.2 Data minimization of network traffic"/>
<link href="#rfc.section.5.2.3" rel="Chapter" title="5.2.3 IP address pseudonymization and anonymization methods"/>
<link href="#rfc.section.5.2.4" rel="Chapter" title="5.2.4 Pseudonymization, anonymization or discarding of other correlation data"/>
<link href="#rfc.section.5.2.5" rel="Chapter" title="5.2.5 Cache snooping"/>
<link href="#rfc.section.5.3" rel="Chapter" title="5.3 Data sent onwards from the server"/>
<link href="#rfc.section.5.3.1" rel="Chapter" title="5.3.1 Protocol recommendations"/>
<link href="#rfc.section.5.3.2" rel="Chapter" title="5.3.2 Client query obfuscation"/>
<link href="#rfc.section.5.3.3" rel="Chapter" title="5.3.3 Data sharing"/>
<link href="#rfc.section.6" rel="Chapter" title="6 DNS privacy policy and practice statement"/>
<link href="#rfc.section.6.1" rel="Chapter" title="6.1 Recommended contents of a DPPPS"/>
<link href="#rfc.section.6.1.1" rel="Chapter" title="6.1.1 Policy"/>
<link href="#rfc.section.6.1.2" rel="Chapter" title="6.1.2 Practice"/>
<link href="#rfc.section.6.2" rel="Chapter" title="6.2 Current policy and privacy statements"/>
<link href="#rfc.section.6.3" rel="Chapter" title="6.3 Enforcement/accountability"/>
<link href="#rfc.section.7" rel="Chapter" title="7 IANA considerations"/>
<link href="#rfc.section.8" rel="Chapter" title="8 Security considerations"/>
<link href="#rfc.section.9" rel="Chapter" title="9 Acknowledgements"/>
<link href="#rfc.section.10" rel="Chapter" title="10 Contributors"/>
<link href="#rfc.section.11" rel="Chapter" title="11 Changelog"/>
<link href="#rfc.references" rel="Chapter" title="12 References"/>
<link href="#rfc.references.1" rel="Chapter" title="12.1 Normative References"/>
<link href="#rfc.references.2" rel="Chapter" title="12.2 Informative References"/>
<link href="#rfc.appendix.A" rel="Chapter" title="A Documents"/>
<link href="#rfc.appendix.A.1" rel="Chapter" title="A.1 Potential increases in DNS privacy"/>
<link href="#rfc.appendix.A.2" rel="Chapter" title="A.2 Potential decreases in DNS privacy"/>
<link href="#rfc.appendix.A.3" rel="Chapter" title="A.3 Related operational documents"/>
<link href="#rfc.appendix.B" rel="Chapter" title="B Encryption and DNSSEC"/>
<link href="#rfc.appendix.C" rel="Chapter" title="C IP address techniques"/>
<link href="#rfc.appendix.C.1" rel="Chapter" title="C.1 Google Analytics non-prefix filtering"/>
<link href="#rfc.appendix.C.2" rel="Chapter" title="C.2 dnswasher"/>
<link href="#rfc.appendix.C.3" rel="Chapter" title="C.3 Prefix-preserving map"/>
<link href="#rfc.appendix.C.4" rel="Chapter" title="C.4 Cryptographic Prefix-Preserving Pseudonymisation"/>
<link href="#rfc.appendix.C.5" rel="Chapter" title="C.5 Top-hash Subtree-replicated Anonymisation"/>
<link href="#rfc.appendix.C.6" rel="Chapter" title="C.6 ipcipher"/>
<link href="#rfc.appendix.C.7" rel="Chapter" title="C.7 Bloom filters"/>
<link href="#rfc.authors" rel="Chapter"/>


  <meta name="generator" content="xml2rfc version 2.5.1 - http://tools.ietf.org/tools/xml2rfc" />
  <link rel="schema.dct" href="http://purl.org/dc/terms/" />

  <meta name="dct.creator" content="Dickinson, S., Overeinder, B., van Rijswijk-Deij, R., and A. Mankin" />
  <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-dprive-bcp-op-02" />
  <meta name="dct.issued" scheme="ISO8601" content="2019-3-11" />
  <meta name="dct.abstract" content="This document presents operational, policy and security considerations for DNS operators who choose to offer DNS Privacy services. With these recommendations, the operator can make deliberate decisions regarding which services to provide, and how the decisions and alternatives impact the privacy of users.  " />
  <meta name="description" content="This document presents operational, policy and security considerations for DNS operators who choose to offer DNS Privacy services. With these recommendations, the operator can make deliberate decisions regarding which services to provide, and how the decisions and alternatives impact the privacy of users.  " />

</head>

<body>

  <table class="header">
    <tbody>
    
    	<tr>
  <td class="left">dprive</td>
  <td class="right">S. Dickinson</td>
</tr>
<tr>
  <td class="left">Internet-Draft</td>
  <td class="right">Sinodun IT</td>
</tr>
<tr>
  <td class="left">Intended status: Best Current Practice</td>
  <td class="right">B. Overeinder</td>
</tr>
<tr>
  <td class="left">Expires: September 12, 2019</td>
  <td class="right">R. van Rijswijk-Deij</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">NLnet Labs</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">A. Mankin</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">Salesforce</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">March 11, 2019</td>
</tr>

    	
    </tbody>
  </table>

  <p class="title">Recommendations for DNS Privacy Service Operators<br />
  <span class="filename">draft-ietf-dprive-bcp-op-02</span></p>
  
  <h1 id="rfc.abstract">
  <a href="#rfc.abstract">Abstract</a>
</h1>
<p>This document presents operational, policy and security considerations for DNS operators who choose to offer DNS Privacy services. With these recommendations, the operator can make deliberate decisions regarding which services to provide, and how the decisions and alternatives impact the privacy of users.  </p>
<p>This document also presents a framework to assist writers of DNS Privacy Policy and Practices Statements (analogous to DNS Security Extensions (DNSSEC) Policies and DNSSEC Practice Statements described in <a href="#RFC6841">[RFC6841]</a>).  </p>
<h1 id="rfc.status">
  <a href="#rfc.status">Status of This Memo</a>
</h1>
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on September 12, 2019.</p>
<h1 id="rfc.copyrightnotice">
  <a href="#rfc.copyrightnotice">Copyright Notice</a>
</h1>
<p>Copyright (c) 2019 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>

  
  <hr class="noprint" />
  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
  <ul class="toc">

  	<li>1.   <a href="#rfc.section.1">Introduction</a></li>
<li>2.   <a href="#rfc.section.2">Scope</a></li>
<li>3.   <a href="#rfc.section.3">Privacy related documents</a></li>
<li>4.   <a href="#rfc.section.4">Terminology</a></li>
<li>5.   <a href="#rfc.section.5">Recommendations for DNS privacy services</a></li>
<ul><li>5.1.   <a href="#rfc.section.5.1">On the wire between client and server</a></li>
<ul><li>5.1.1.   <a href="#rfc.section.5.1.1">Transport recommendations</a></li>
<li>5.1.2.   <a href="#rfc.section.5.1.2">Authentication of DNS privacy services</a></li>
<li>5.1.3.   <a href="#rfc.section.5.1.3">Protocol recommendations</a></li>
<li>5.1.4.   <a href="#rfc.section.5.1.4">Availability</a></li>
<li>5.1.5.   <a href="#rfc.section.5.1.5">Service options</a></li>
<li>5.1.6.   <a href="#rfc.section.5.1.6">Impact on Operators</a></li>
<li>5.1.7.   <a href="#rfc.section.5.1.7">Limitations of using a pure TLS proxy</a></li>
</ul><li>5.2.   <a href="#rfc.section.5.2">Data at rest on the server</a></li>
<ul><li>5.2.1.   <a href="#rfc.section.5.2.1">Data handling</a></li>
<li>5.2.2.   <a href="#rfc.section.5.2.2">Data minimization of network traffic</a></li>
<li>5.2.3.   <a href="#rfc.section.5.2.3">IP address pseudonymization and anonymization methods</a></li>
<li>5.2.4.   <a href="#rfc.section.5.2.4">Pseudonymization, anonymization or discarding of other correlation data</a></li>
<li>5.2.5.   <a href="#rfc.section.5.2.5">Cache snooping</a></li>
</ul><li>5.3.   <a href="#rfc.section.5.3">Data sent onwards from the server</a></li>
<ul><li>5.3.1.   <a href="#rfc.section.5.3.1">Protocol recommendations</a></li>
<li>5.3.2.   <a href="#rfc.section.5.3.2">Client query obfuscation</a></li>
<li>5.3.3.   <a href="#rfc.section.5.3.3">Data sharing</a></li>
</ul></ul><li>6.   <a href="#rfc.section.6">DNS privacy policy and practice statement</a></li>
<ul><li>6.1.   <a href="#rfc.section.6.1">Recommended contents of a DPPPS</a></li>
<ul><li>6.1.1.   <a href="#rfc.section.6.1.1">Policy</a></li>
<li>6.1.2.   <a href="#rfc.section.6.1.2">Practice</a></li>
</ul><li>6.2.   <a href="#rfc.section.6.2">Current policy and privacy statements</a></li>
<li>6.3.   <a href="#rfc.section.6.3">Enforcement/accountability</a></li>
</ul><li>7.   <a href="#rfc.section.7">IANA considerations</a></li>
<li>8.   <a href="#rfc.section.8">Security considerations</a></li>
<li>9.   <a href="#rfc.section.9">Acknowledgements</a></li>
<li>10.   <a href="#rfc.section.10">Contributors</a></li>
<li>11.   <a href="#rfc.section.11">Changelog</a></li>
<li>12.   <a href="#rfc.references">References</a></li>
<ul><li>12.1.   <a href="#rfc.references.1">Normative References</a></li>
<li>12.2.   <a href="#rfc.references.2">Informative References</a></li>
</ul><li>Appendix A.   <a href="#rfc.appendix.A">Documents</a></li>
<ul><li>A.1.   <a href="#rfc.appendix.A.1">Potential increases in DNS privacy</a></li>
<li>A.2.   <a href="#rfc.appendix.A.2">Potential decreases in DNS privacy</a></li>
<li>A.3.   <a href="#rfc.appendix.A.3">Related operational documents</a></li>
</ul><li>Appendix B.   <a href="#rfc.appendix.B">Encryption and DNSSEC</a></li>
<li>Appendix C.   <a href="#rfc.appendix.C">IP address techniques</a></li>
<ul><li>C.1.   <a href="#rfc.appendix.C.1">Google Analytics non-prefix filtering</a></li>
<li>C.2.   <a href="#rfc.appendix.C.2">dnswasher</a></li>
<li>C.3.   <a href="#rfc.appendix.C.3">Prefix-preserving map</a></li>
<li>C.4.   <a href="#rfc.appendix.C.4">Cryptographic Prefix-Preserving Pseudonymisation</a></li>
<li>C.5.   <a href="#rfc.appendix.C.5">Top-hash Subtree-replicated Anonymisation</a></li>
<li>C.6.   <a href="#rfc.appendix.C.6">ipcipher</a></li>
<li>C.7.   <a href="#rfc.appendix.C.7">Bloom filters</a></li>
</ul><li><a href="#rfc.authors">Authors' Addresses</a></li>


  </ul>

  <h1 id="rfc.section.1"><a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a></h1>
<p id="rfc.section.1.p.1">The Domain Name System (DNS) is at the core of the Internet; almost every activity on the Internet starts with a DNS query (and often several). However the DNS was not originally designed with strong security or privacy mechanisms.  A number of developments have taken place in recent years which aim to increase the privacy of the DNS system and these are now seeing some deployment. This latest evolution of the DNS presents new challenges to operators and this document attempts to provide an overview of considerations for privacy focused DNS services.  </p>
<p id="rfc.section.1.p.2">In recent years there has also been an increase in the availability of "public resolvers" <a href="#I-D.ietf-dnsop-terminology-bis">[I-D.ietf-dnsop-terminology-bis]</a> which users may prefer to use instead of the default network resolver because they offer a specific feature (e.g. good reachability, encrypted transport, strong privacy policy, filtering (or lack of), etc.). These open resolvers have tended to be at the forefront of adoption of privacy related enhancements but it is anticipated that operators of other resolver services will follow.  </p>
<p id="rfc.section.1.p.3">Whilst protocols that encrypt DNS messages on the wire provide protection against certain attacks, the resolver operator still has (in principle) full visibility of the query data and transport identifiers for each user. Therefore, a trust relationship exists. The ability of the operator to provide a transparent, well documented, and secure privacy service will likely serve as a major differentiating factor for privacy conscious users if they make an active selection of which resolver to use.  </p>
<p id="rfc.section.1.p.4">It should also be noted that the choice of a user to configure a single resolver (or a fixed set of resolvers) and an encrypted transport to use in all network environments has both advantages and disadvantages. For example the user has a clear expectation of which resolvers have visibility of their query data however this resolver/transport selection may provide an added mechanism to track them as they move across network environments. Commitments from operators to minimize such tracking are also likely to play a role in user selection of resolvers.  </p>
<p id="rfc.section.1.p.5">More recently the global legislative landscape with regard to personal data collection, retention, and pseudonymization has seen significant activity.  It is an untested area that simply using a DNS resolution service constitutes consent from the user for the operator to process their query data.  The impact of recent legislative changes on data pertaining to the users of both Internet Service Providers and public DNS resolvers is not fully understood at the time of writing.  </p>
<p id="rfc.section.1.p.6">This document has two main goals: </p>
<p/>

<ul>
  <li>To provide operational and policy guidance related to DNS over encrypted transports and to outline recommendations for data handling for operators of DNS privacy services.</li>
  <li>To introduce the DNS Privacy Policy and Practice Statement (DPPPS) and present a framework to assist writers of this document. A DPPPS is a document that an operator can publish outlining their operational practices and commitments with regard to privacy thereby providing a means for clients to evaluate the privacy properties of a given DNS privacy service. In particular, the framework identifies the elements that should be considered in formulating a DPPPS. This document does not, however, define a particular Policy or Practice Statement, nor does it seek to provide legal advice or recommendations as to the contents.</li>
</ul>

<p> </p>
<p id="rfc.section.1.p.8">Community insight [or judgment?] about operational practices can change quickly, and experience shows that a Best Current Practice (BCP) document about privacy and security is a point-in-time statement. Readers are advised to seek out any errata or updates that apply to this document.  </p>
<h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> <a href="#scope" id="scope">Scope</a></h1>
<p id="rfc.section.2.p.1">"DNS Privacy Considerations" <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a> describes the general privacy issues and threats associated with the use of the DNS by Internet users and much of the threat analysis here is lifted from that document and from <a href="#RFC6973">[RFC6973]</a>. However this document is limited in scope to best practice considerations for the provision of DNS privacy services by servers (recursive resolvers) to clients (stub resolvers or forwarders). Privacy considerations specifically from the perspective of an end user, or those for operators of authoritative nameservers are out of scope.  </p>
<p id="rfc.section.2.p.2">This document includes (but is not limited to) considerations in the following areas (taken from <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a>): </p>
<p/>

<ol>
  <li>Data "on the wire" between a client and a server</li>
  <li>Data "at rest" on a server (e.g. in logs)</li>
  <li>Data "sent onwards" from the server (either on the wire or shared with a third party)</li>
</ol>

<p> </p>
<p id="rfc.section.2.p.4">Whilst the issues raised here are targeted at those operators who choose to offer a DNS privacy service, considerations for areas 2 and 3 could equally apply to operators who only offer DNS over unencrypted transports but who would like to align with privacy best practice.  </p>
<h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a href="#privacy-related-documents" id="privacy-related-documents">Privacy related documents</a></h1>
<p id="rfc.section.3.p.1">There are various documents that describe protocol changes that have the potential to either increase or decrease the privacy of the DNS. Note this does not imply that some documents are good or bad, better or worse, just that (for example) some features may bring functional benefits at the price of a reduction in privacy and conversely some features increase privacy with an accompanying increase in complexity. A selection of the most relevant documents are listed in <a href="#documents">Appendix A</a> for reference.  </p>
<h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a> <a href="#terminology" id="terminology">Terminology</a></h1>
<p id="rfc.section.4.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <a href="#RFC2119">[RFC2119]</a> and <a href="#RFC8174">[RFC8174]</a> when, and only when, they appear in all capitals, as shown here.  </p>
<p id="rfc.section.4.p.2">DNS terminology is as described in <a href="#I-D.ietf-dnsop-terminology-bis">[I-D.ietf-dnsop-terminology-bis]</a> with one modification: we restate the clause in the original definition of Privacy-enabling DNS server in <a href="#RFC8310">[RFC8310]</a> to include the requirement that a DNS over (D)TLS server should also offer at least one of the credentials described in Section 8 and implement the (D)TLS profile described in Section 9 of <a href="#RFC8310">[RFC8310]</a>.  </p>
<p id="rfc.section.4.p.3">Other Terms: </p>
<p/>

<ul>
  <li>DPPPS: DNS Privacy Policy and Practice Statement, see <a href="#dns-privacy-policy-and-practice-statement">Section 6</a>.</li>
  <li>DNS privacy service: The service that is offered via a privacy-enabling DNS server and is documented either in an informal statement of policy and practice with regard to users privacy or a formal DPPPS.</li>
</ul>

<p> </p>
<h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a> <a href="#recommendations-for-dns-privacy-services" id="recommendations-for-dns-privacy-services">Recommendations for DNS privacy services</a></h1>
<p id="rfc.section.5.p.1">We describe two classes of threats: </p>
<p/>

<ul>
  <li>'Privacy Considerations for Internet Protocols' <a href="#RFC6973">[RFC6973]</a> Threats <ul><li>Privacy terminology, threats to privacy and mitigations as described in Sections 3, 5 and 6 of <a href="#RFC6973">[RFC6973]</a>.</li></ul></li>
  <li>DNS Privacy Threats <ul><li>These are threats to the users and operators of DNS privacy services that are not directly covered by <a href="#RFC6973">[RFC6973]</a>. These may be more operational in nature such as certificate management or service availability issues.</li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.p.3">We describe three classes of actions that operators of DNS privacy services can take: </p>
<p/>

<ul>
  <li>Threat mitigation for well understood and documented privacy threats to the users of the service and in some cases to the operators of the service.</li>
  <li>Optimization of privacy services from an operational or management perspective</li>
  <li>Additional options that could further enhance the privacy and usability of the service</li>
</ul>

<p> </p>
<p id="rfc.section.5.p.5">This document does not specify policy only best practice, however for DNS Privacy services to be considered compliant with these best practice guidelines they SHOULD implement (where appropriate) all: </p>
<p/>

<ul>
  <li>Threat mitigations to be minimally compliant</li>
  <li>Optimizations to be moderately compliant</li>
  <li>Additional options to be maximally compliant</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.1"><a href="#rfc.section.5.1">5.1.</a> <a href="#on-the-wire-between-client-and-server" id="on-the-wire-between-client-and-server">On the wire between client and server</a></h1>
<p id="rfc.section.5.1.p.1">In this section we consider both data on the wire and the service provided to the client.  </p>
<h1 id="rfc.section.5.1.1"><a href="#rfc.section.5.1.1">5.1.1.</a> <a href="#transport-recommendations" id="transport-recommendations">Transport recommendations</a></h1>
<p><a href="#RFC6973">[RFC6973]</a> Threats: </p>
<p/>

<ul>
  <li>Surveillance: <ul><li>Passive surveillance of traffic on the wire <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a> Section 2.4.2.</li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.1.1.p.3">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Active injection of spurious data or traffic</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.1.p.5">Mitigations: </p>
<p id="rfc.section.5.1.1.p.6">A DNS privacy service can mitigate these threats by providing service over one or more of the following transports </p>
<p/>

<ul>
  <li>DNS-over-TLS <a href="#RFC7858">[RFC7858]</a> and <a href="#RFC8310">[RFC8310]</a></li>
  <li>DoH <a href="#RFC8484">[RFC8484]</a></li>
</ul>

<p> </p>
<p id="rfc.section.5.1.1.p.8">It is noted that a DNS privacy service can also be provided over DNS-over-DTLS <a href="#RFC8094">[RFC8094]</a>, however this is an Experimental specification and there are no known implementations at the time of writing.  </p>
<p id="rfc.section.5.1.1.p.9">It is also noted that DNS privacy service might be provided over IPSec, DNSCrypt or VPNs. However, use of these transports for DNS are not standardized and any discussion of best practice for providing such a service is out of scope for this document.  </p>
<p id="rfc.section.5.1.1.p.10">Whilst encryption of DNS traffic can protect against active injection this does not diminish the need for DNSSEC, see <a href="#encryption-and-dnssec">Appendix B</a>.  </p>
<h1 id="rfc.section.5.1.2"><a href="#rfc.section.5.1.2">5.1.2.</a> <a href="#authentication-of-dns-privacy-services" id="authentication-of-dns-privacy-services">Authentication of DNS privacy services</a></h1>
<p><a href="#RFC6973">[RFC6973]</a> Threats: </p>
<p/>

<ul>
  <li>Surveillance: <ul><li>Active attacks that can redirect traffic to rogue servers <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a> Section 2.5.3.</li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.1.2.p.3">Mitigations: </p>
<p id="rfc.section.5.1.2.p.4">DNS privacy services should ensure clients can authenticate the server. Note that this, in effect, commits the DNS privacy service to a public identity users will trust.  </p>
<p id="rfc.section.5.1.2.p.5">When using DNS-over-TLS clients that select a 'Strict Privacy' usage profile <a href="#RFC8310">[RFC8310]</a> (to mitigate the threat of active attack on the client) require the ability to authenticate the DNS server. To enable this, DNS privacy services that offer DNS-over-TLS should provide credentials in the form of either X.509 certificates or SPKI pinsets.  </p>
<p id="rfc.section.5.1.2.p.6">When offering DoH <a href="#RFC8484">[RFC8484]</a>, HTTPS requires authentication of the server as part of the protocol.  </p>
<p id="rfc.section.5.1.2.p.7">NOTE: At this time the reference to the TLS DNSSEC chain extension draft has been removed as it is no longer considered an active TLS WG document.  </p>
<p id="rfc.section.5.1.2.p.8">Optimizations: </p>
<p id="rfc.section.5.1.2.p.9">DNS privacy services can also consider the following capabilities/options: </p>
<p/>

<ul>
  <li>As recommended in <a href="#RFC8310">[RFC8310]</a> providing DANE TLSA records for the nameserver <ul><li>In particular, the service could provide TLSA records such that authenticating solely via the PKIX infrastructure can be avoided.</li></ul></li>
</ul>

<p> </p>
<h1 id="rfc.section.5.1.2.1"><a href="#rfc.section.5.1.2.1">5.1.2.1.</a> <a href="#certificate-management" id="certificate-management">Certificate management</a></h1>
<p id="rfc.section.5.1.2.1.p.1">Anecdotal evidence to date highlights the management of certificates as one of the more challenging aspects for operators of traditional DNS resolvers that choose to additionally provide a DNS privacy service as management of such credentials is new to those DNS operators.  </p>
<p id="rfc.section.5.1.2.1.p.2">It is noted that SPKI pinset management is described in <a href="#RFC7858">[RFC7858]</a> but that key pinning mechanisms in general have fallen out of favor operationally for various reasons such as the logistical overhead of rolling keys.  </p>
<p id="rfc.section.5.1.2.1.p.3">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Invalid certificates, resulting in an unavailable service.</li>
  <li>Mis-identification of a server by a client e.g. typos in URLs or authentication domain names</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.2.1.p.5">Mitigations: </p>
<p id="rfc.section.5.1.2.1.p.6">It is recommended that operators: </p>
<p/>

<ul>
  <li>Follow the guidance in Section 6.5 of <a href="#RFC7525">[RFC7525]</a> with regards to certificate revocation</li>
  <li>Choose a short, memorable authentication name for the service</li>
  <li>Automate the generation and publication of certificates</li>
  <li>Monitor certificates to prevent accidental expiration of certificates</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.1.3"><a href="#rfc.section.5.1.3">5.1.3.</a> <a href="#protocol-recommendations" id="protocol-recommendations">Protocol recommendations</a></h1>
<h1 id="rfc.section.5.1.3.1"><a href="#rfc.section.5.1.3.1">5.1.3.1.</a> <a href="#dnsovertls" id="dnsovertls">DNS-over-TLS</a></h1>
<p id="rfc.section.5.1.3.1.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Known attacks on TLS such as those described in <a href="#RFC7457">[RFC7457]</a></li>
  <li>Traffic analysis, for example: <a href="https://www.ietf.org/mail-archive/web/dns-privacy/current/pdfWqAIUmEl47.pdf">Pitfalls of DNS Encryption</a></li>
  <li>Potential for client tracking via transport identifiers</li>
  <li>Blocking of well known ports (e.g. 853 for DNS-over-TLS)</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.3.1.p.3">Mitigations: </p>
<p id="rfc.section.5.1.3.1.p.4">In the case of DNS-over-TLS, TLS profiles from Section 9 and the Countermeasures to DNS Traffic Analysis from section 11.1 of <a href="#RFC8310">[RFC8310]</a> provide strong mitigations. This includes but is not limited to: </p>
<p/>

<ul>
  <li>Adhering to <a href="#RFC7525">[RFC7525]</a></li>
  <li>Implementing only (D)TLS 1.2 or later as specified in <a href="#RFC8310">[RFC8310]</a></li>
  <li>Implementing EDNS(0) Padding <a href="#RFC7830">[RFC7830]</a> using the guidelines in <a href="#RFC8467">[RFC8467]</a></li>
  <li>Clients should not be required to use TLS session resumption <a href="#RFC5077">[RFC5077]</a> or Domain Name System (DNS) Cookies <a href="#RFC7873">[RFC7873]</a>.</li>
  <li>A DNS-over-TLS privacy service on both port 853 and 443. This practice may not be possible if e.g. the operator deploys DoH on the same IP address.</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.3.1.p.6">Optimizations: </p>
<p/>

<ul>
  <li>Concurrent processing of pipelined queries, returning responses as soon as available, potentially out of order as specified in <a href="#RFC7766">[RFC7766]</a>. This is often called 'OOOR' - out-of-order responses. (Providing processing performance similar to HTTP multiplexing)</li>
  <li>Management of TLS connections to optimize performance for clients using either <ul><li><a href="#RFC7766">[RFC7766]</a> and EDNS(0) Keepalive <a href="#RFC7828">[RFC7828]</a> and/or</li><li>DNS Stateful Operations <a href="#I-D.ietf-dnsop-session-signal">[I-D.ietf-dnsop-session-signal]</a></li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.1.3.1.p.8">Additional options that providers may consider: </p>
<p/>

<ul>
  <li>Offer a .onion <a href="#RFC7686">[RFC7686]</a> service endpoint</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.1.3.2"><a href="#rfc.section.5.1.3.2">5.1.3.2.</a> <a href="#doh" id="doh">DoH</a></h1>
<p id="rfc.section.5.1.3.2.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Known attacks on TLS such as those described in <a href="#RFC7457">[RFC7457]</a></li>
  <li>Traffic analysis, for example: <a href="https://petsymposium.org/2018/files/hotpets/4-siby.pdf">DNS Privacy not so private: the traffic analysis perspective</a></li>
  <li>Potential for client tracking via transport identifiers</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.3.2.p.3">Mitigations: </p>
<p/>

<ul>
  <li>Clients must be able to forego the use of HTTP Cookies <a href="#RFC6265">[RFC6265]</a> and still use the service</li>
  <li>Clients should not be required to include any headers beyond the absolute minimum to obtain service from a DoH server. (See Section 6.1 of <a href="#I-D.ietf-httpbis-bcp56bis">[I-D.ietf-httpbis-bcp56bis]</a>.)</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.1.4"><a href="#rfc.section.5.1.4">5.1.4.</a> <a href="#availability" id="availability">Availability</a></h1>
<p id="rfc.section.5.1.4.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>A failed DNS privacy service could force the user to switch providers, fallback to cleartext or accept no DNS service for the outage.</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.4.p.3">Mitigations: </p>
<p id="rfc.section.5.1.4.p.4">A DNS privacy service must be engineered for high availability. Particular care should to be taken to protect DNS privacy services against denial-of-service attacks, as experience has shown that unavailability of DNS resolving because of attacks is a significant motivation for users to switch services. See, for example Section IV-C of <a href="http://tma.ifip.org/2018/wp-content/uploads/sites/3/2018/06/tma2018_paper30.pdf">Passive Observations of a Large DNS Service: 2.5 Years in the Life of Google</a>.  </p>
<h1 id="rfc.section.5.1.5"><a href="#rfc.section.5.1.5">5.1.5.</a> <a href="#service-options" id="service-options">Service options</a></h1>
<p id="rfc.section.5.1.5.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Unfairly disadvantaging users of the privacy service with respect to the services available. This could force the user to switch providers, fallback to cleartext or accept no DNS service for the outage.</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.5.p.3">Mitigations: </p>
<p id="rfc.section.5.1.5.p.4">A DNS privacy service should deliver the same level of service as offered on un-encrypted channels in terms of such options as filtering (or lack thereof), DNSSEC validation, etc.  </p>
<h1 id="rfc.section.5.1.6"><a href="#rfc.section.5.1.6">5.1.6.</a> <a href="#impact-on-operators" id="impact-on-operators">Impact on Operators</a></h1>
<p id="rfc.section.5.1.6.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Increased use of encryption impacts operator ability to manage their network <a href="#RFC8404">[RFC8404]</a></li>
</ul>

<p> </p>
<p id="rfc.section.5.1.6.p.3">Many monitoring solutions for DNS traffic rely on the plain text nature of this traffic and work by intercepting traffic on the wire, either using a separate view on the connection between clients and the resolver, or as a separate process on the resolver system that inspects network traffic. Such solutions will no longer function when traffic between clients and resolvers is encrypted. There are, however, legitimate reasons for operators to inspect DNS traffic, e.g. to monitor for network security threats. Operators may therefore need to invest in alternative means of monitoring that relies on either the resolver software directly, or exporting DNS traffic from the resolver using e.g. <a href="http://dnstap.info">dnstap</a>.  </p>
<p id="rfc.section.5.1.6.p.4">Optimization: </p>
<p id="rfc.section.5.1.6.p.5">When implementing alternative means for traffic monitoring, operators of a DNS privacy service should consider using privacy conscious means to do so (see, for example, the discussion on the use of Bloom Filters in the #documents appendix in this document).  </p>
<h1 id="rfc.section.5.1.7"><a href="#rfc.section.5.1.7">5.1.7.</a> <a href="#limitations-of-using-a-pure-tls-proxy" id="limitations-of-using-a-pure-tls-proxy">Limitations of using a pure TLS proxy</a></h1>
<p id="rfc.section.5.1.7.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Limited ability to manage or monitor incoming connections using DNS specific techniques</li>
  <li>Misconfiguration of the target server could lead to data leakage if the proxy to target server path is not encrypted.</li>
</ul>

<p> </p>
<p id="rfc.section.5.1.7.p.3">Optimization: </p>
<p id="rfc.section.5.1.7.p.4">Some operators may choose to implement DNS-over-TLS using a TLS proxy (e.g.  <a href="https://nginx.org/">nginx</a>, <a href="https://www.haproxy.org/">haproxy</a> or <a href="https://kb.isc.org/article/AA-01386/0/DNS-over-TLS.html">stunnel</a>) in front of a DNS nameserver because of proven robustness and capacity when handling large numbers of client connections, load balancing capabilities and good tooling.  Currently, however, because such proxies typically have no specific handling of DNS as a protocol over TLS or DTLS using them can restrict traffic management at the proxy layer and at the DNS server. For example, all traffic received by a nameserver behind such a proxy will appear to originate from the proxy and DNS techniques such as ACLs, RRL or DNS64 will be hard or impossible to implement in the nameserver.  </p>
<p id="rfc.section.5.1.7.p.5">Operators may choose to use a DNS aware proxy such as <a href="https://dnsdist.org">dnsdist</a> which offer custom options (similar to that proposed in <a href="#I-D.bellis-dnsop-xpf">[I-D.bellis-dnsop-xpf]</a>) to add source information to packets to address this shortcoming. It should be noted that such options potentially significantly increase the leaked information in the event of a misconfiguration.  </p>
<h1 id="rfc.section.5.2"><a href="#rfc.section.5.2">5.2.</a> <a href="#data-at-rest-on-the-server" id="data-at-rest-on-the-server">Data at rest on the server</a></h1>
<h1 id="rfc.section.5.2.1"><a href="#rfc.section.5.2.1">5.2.1.</a> <a href="#data-handling" id="data-handling">Data handling</a></h1>
<p><a href="#RFC6973">[RFC6973]</a> Threats: </p>
<p/>

<ul>
  <li>Surveillance</li>
  <li>Stored data compromise</li>
  <li>Correlation</li>
  <li>Identification</li>
  <li>Secondary use</li>
  <li>Disclosure</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.1.p.3">Other Threats </p>
<p/>

<ul>
  <li>Contravention of legal requirements not to process user data?</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.1.p.5">Mitigations: </p>
<p id="rfc.section.5.2.1.p.6">The following are common activities for DNS service operators and in all cases should be minimized or completely avoided if possible for DNS privacy services.  If data is retained it should be encrypted and either aggregated, pseudonymized or anonymized whenever possible. In general the principle of data minimization described in <a href="#RFC6973">[RFC6973]</a> should be applied.  </p>
<p/>

<ul>
  <li>Transient data (e.g. that is used for real time monitoring and threat analysis which might be held only memory) should be retained for the shortest possible period deemed operationally feasible.</li>
  <li>The retention period of DNS traffic logs should be only those required to sustain operation of the service and, to the extent that such exists, meet regulatory requirements.</li>
  <li>DNS privacy services should not track users except for the particular purpose of detecting and remedying technically malicious (e.g. DoS) or anomalous use of the service.</li>
  <li>Data access should be minimized to only those personnel who require access to perform operational duties.</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.1.p.8">Optimizations: </p>
<p/>

<ul>
  <li>Consider use of full disk encryption for logs and data capture storage.</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.2.2"><a href="#rfc.section.5.2.2">5.2.2.</a> <a href="#data-minimization-of-network-traffic" id="data-minimization-of-network-traffic">Data minimization of network traffic</a></h1>
<p id="rfc.section.5.2.2.p.1">Data minimization refers to collecting, using, disclosing, and storing the minimal data necessary to perform a task, and this can be achieved by removing or obfuscating privacy-sensitive information in network traffic logs.  This is typically personal data, or data that can be used to link a record to an individual, but may also include revealing other confidential information, for example on the structure of an internal corporate network.  </p>
<p id="rfc.section.5.2.2.p.2">The problem of effectively ensuring that DNS traffic logs contain no or minimal privacy-sensitive information is not one that currently has a generally agreed solution or any Standards to inform this discussion. This section presents and overview of current techniques to simply provide reference on the current status of this work.  </p>
<p id="rfc.section.5.2.2.p.3">Research into data minimization techniques (and particularly IP address pseudonymization/anonymization) was sparked in the late 1990s/early 2000s, partly driven by the desire to share significant corpuses of traffic captures for research purposes. Several techniques reflecting different requirements in this area and different performance/resource tradeoffs emerged over the course of the decade. Developments over the last decade have been both a blessing and a curse; the large increase in size between an IPv4 and an IPv6 address, for example, renders some techniques impractical, but also makes available a much larger amount of input entropy, the better to resist brute force re-identification attacks that have grown in practicality over the period.  </p>
<p id="rfc.section.5.2.2.p.4">Techniques employed may be broadly categorized as either anonymization or pseudonymization. The following discussion uses the definitions from <a href="#RFC6973">[RFC6973]</a> Section 3, with additional observations from <a href="https://doi.org/10.1145/3182660">van Dijkhuizen et al.</a> </p>
<p/>

<ul>
  <li>Anonymization. To enable anonymity of an individual, there must exist a set of individuals that appear to have the same attribute(s) as the individual. To the attacker or the observer, these individuals must appear indistinguishable from each other.</li>
  <li>Pseudonymization. The true identity is deterministically replaced with an alternate identity (a pseudonym). When the pseudonymization schema is known, the process can be reversed, so the original identity becomes known again.</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.2.p.6">In practice there is a fine line between the two; for example, how to categorize a deterministic algorithm for data minimization of IP addresses that produces a group of pseudonyms for a single given address.  </p>
<h1 id="rfc.section.5.2.3"><a href="#rfc.section.5.2.3">5.2.3.</a> <a href="#ip-address-pseudonymization-and-anonymization-methods" id="ip-address-pseudonymization-and-anonymization-methods">IP address pseudonymization and anonymization methods</a></h1>
<p id="rfc.section.5.2.3.p.1">As <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a> makes clear, the big privacy risk in DNS is connecting DNS queries to an individual and the major vector for this in DNS traffic is the client IP address.  </p>
<p id="rfc.section.5.2.3.p.2">There is active discussion in the space of effective pseudonymization of IP addresses in DNS traffic logs, however there seems to be no single solution that is widely recognized as suitable for all or most use cases. There are also as yet no standards for this that are unencumbered by patents. The following table presents a high level comparison of various techniques employed or under development today and classifies them according to categorization of technique and other properties. The list of techniques includes the main techniques in current use, but does not claim to be comprehensive. <a href="#ip-address-techniques">Appendix C</a> provides a more detailed survey of these techniques and definitions for the categories and properties listed below.  </p>
<p><a href="https://github.com/Sinodun/draft-dprive-bcp-op/blob/master/draft-00/ip_techniques_table.svg">Figure showing comparison of IP address techniques (SVG)</a> </p>
<p id="rfc.section.5.2.3.p.4">The choice of which method to use for a particular application will depend on the requirements of that application and consideration of the threat analysis of the particular situation.  </p>
<p id="rfc.section.5.2.3.p.5">For example, a common goal is that distributed packet captures must be in an existing data format such as PCAP <a href="#pcap">[pcap]</a> or C-DNS <a href="#I-D.ietf-dnsop-dns-capture-format">[I-D.ietf-dnsop-dns-capture-format]</a> that can be used as input to existing analysis tools. In that case, use of a format-preserving technique is essential. This, though, is not cost-free - several authors (e.g. <a href="https://pdfs.semanticscholar.org/7b34/12c951cebe71cd2cddac5fda164fb2138a44.pdf">Brenker &amp; Arnes</a>) have observed that, as the entropy in an IPv4 address is limited, given a de-identified log from a target, if an attacker is capable of ensuring packets are captured by the target and the attacker can send forged traffic with arbitrary source and destination addresses to that target, any format-preserving pseudonymization is vulnerable to an attack along the lines of a cryptographic chosen plaintext attack.  </p>
<h1 id="rfc.section.5.2.4"><a href="#rfc.section.5.2.4">5.2.4.</a> <a href="#pseudonymization-anonymization-or-discarding-of-other-correlation-data" id="pseudonymization-anonymization-or-discarding-of-other-correlation-data">Pseudonymization, anonymization or discarding of other correlation data</a></h1>
<p id="rfc.section.5.2.4.p.1">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>IP TTL/Hoplimit can be used to fingerprint client OS</li>
  <li>Tracking of TCP sessions</li>
  <li>Tracking of TLS sessions and session resumption mechanisms</li>
  <li>Resolvers <em>might</em> receive client identifiers e.g. MAC addresses in EDNS(0) options - some CPE devices are known to add them.</li>
  <li>HTTP headers</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.4.p.3">Mitigations: </p>
<p/>

<ul>
  <li>Data minimization or discarding of such correlation data</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.4.p.5">TODO: More analysis here.  </p>
<h1 id="rfc.section.5.2.5"><a href="#rfc.section.5.2.5">5.2.5.</a> <a href="#cache-snooping" id="cache-snooping">Cache snooping</a></h1>
<p><a href="#RFC6973">[RFC6973]</a> Threats: </p>
<p/>

<ul>
  <li>Surveillance: <ul><li>Profiling of client queries by malicious third parties</li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.2.5.p.3">Mitigations: </p>
<p/>

<ul>
  <li>See <a href="https://kb.isc.org/docs/aa-00482">ISC Knowledge database on cache snooping</a> for an example discussion on defending against cache snooping</li>
</ul>

<p> </p>
<p id="rfc.section.5.2.5.p.5">TODO: Describe other techniques to defend against cache snooping </p>
<h1 id="rfc.section.5.3"><a href="#rfc.section.5.3">5.3.</a> <a href="#data-sent-onwards-from-the-server" id="data-sent-onwards-from-the-server">Data sent onwards from the server</a></h1>
<p id="rfc.section.5.3.p.1">In this section we consider both data sent on the wire in upstream queries and data shared with third parties.  </p>
<h1 id="rfc.section.5.3.1"><a href="#rfc.section.5.3.1">5.3.1.</a> <a href="#protocol-recommendations-1" id="protocol-recommendations-1">Protocol recommendations</a></h1>
<p><a href="#RFC6973">[RFC6973]</a> Threats: </p>
<p/>

<ul>
  <li>Surveillance: <ul><li>Transmission of identifying data upstream.</li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.3.1.p.3">Mitigations: </p>
<p id="rfc.section.5.3.1.p.4">As specified in <a href="#RFC8310">[RFC8310]</a> for DNS-over-TLS but applicable to any DNS Privacy services the server should: </p>
<p/>

<ul>
  <li>Implement QNAME minimization <a href="#RFC7816">[RFC7816]</a></li>
  <li>Honor a SOURCE PREFIX-LENGTH set to 0 in a query containing the EDNS(0) Client Subnet (ECS) option and not send an ECS option in upstream queries.</li>
</ul>

<p> </p>
<p id="rfc.section.5.3.1.p.6">Optimizations: </p>
<p/>

<ul>
  <li>The server should either <ul><li>not use the ECS option in upstream queries at all, or</li><li>offer alternative services, one that sends ECS and one that does not.</li></ul></li>
</ul>

<p> </p>
<p id="rfc.section.5.3.1.p.8">If operators do offer a service that sends the ECS options upstream they should use the shortest prefix that is operationally feasible (NOTE: the authors believe they will be able to add a reference for advice here soon) and ideally use a policy of whitelisting upstream servers to send ECS to in order to minimize data leakage. Operators should make clear in any policy statement what prefix length they actually send and the specific policy used.  </p>
<p id="rfc.section.5.3.1.p.9">Whitelisting has the benefit that not only does the operator know which upstream servers can use ECS but also allows the operator to decide which upstream servers apply privacy policies that the operator is happy with. However some operators consider whitelisting to incur significant operational overhead compared to dynamic detection of ECS on authoritative servers.  </p>
<p id="rfc.section.5.3.1.p.10">Additional options: </p>
<p/>

<ul>
  <li>Aggressive Use of DNSSEC-Validated Cache <a href="#RFC8198">[RFC8198]</a> to reduce the number of queries to authoritative servers to increase privacy.</li>
  <li>Run a copy of the root zone on loopback <a href="#RFC7706">[RFC7706]</a> to avoid making queries to the root servers that might leak information.</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.3.2"><a href="#rfc.section.5.3.2">5.3.2.</a> <a href="#client-query-obfuscation" id="client-query-obfuscation">Client query obfuscation</a></h1>
<p id="rfc.section.5.3.2.p.1">Additional options: </p>
<p id="rfc.section.5.3.2.p.2">Since queries from recursive resolvers to authoritative servers are performed using cleartext (at the time of writing), resolver services need to consider the extent to which they may be directly leaking information about their client community via these upstream queries and what they can do to mitigate this further. Note, that even when all the relevant techniques described above are employed there may still be attacks possible, e.g.  <a href="#Pitfalls-of-DNS-Encryption">[Pitfalls-of-DNS-Encryption]</a>. For example, a resolver with a very small community of users risks exposing data in this way and OUGHT obfuscate this traffic by mixing it with 'generated' traffic to make client characterization harder. The resolver could also employ aggressive pre-fetch techniques as a further measure to counter traffic analysis.  </p>
<p id="rfc.section.5.3.2.p.3">At the time of writing there are no standardized or widely recognized techniques to perform such obfuscation or bulk pre-fetches.  </p>
<p id="rfc.section.5.3.2.p.4">Another technique that particularly small operators may consider is forwarding local traffic to a larger resolver (with a privacy policy that aligns with their own practices) over an encrypted protocol so that the upstream queries are obfuscated among those of the large resolver.  </p>
<h1 id="rfc.section.5.3.3"><a href="#rfc.section.5.3.3">5.3.3.</a> <a href="#data-sharing" id="data-sharing">Data sharing</a></h1>
<p><a href="#RFC6973">[RFC6973]</a> Threats: </p>
<p/>

<ul>
  <li>Surveillance</li>
  <li>Stored data compromise</li>
  <li>Correlation</li>
  <li>Identification</li>
  <li>Secondary use</li>
  <li>Disclosure</li>
</ul>

<p> </p>
<p id="rfc.section.5.3.3.p.3">DNS Privacy Threats: </p>
<p/>

<ul>
  <li>Contravention of legal requirements not to process user data?</li>
</ul>

<p> </p>
<p id="rfc.section.5.3.3.p.5">Mitigations: </p>
<p id="rfc.section.5.3.3.p.6">Operators should not provide identifiable data to third-parties without explicit consent from clients (we take the stance here that simply using the resolution service itself does not constitute consent).  </p>
<p id="rfc.section.5.3.3.p.7">Even when consent is granted operators should employ data minimization techniques such as those described in <a href="#data-handling">Section 5.2.1</a> if data is shared with third-parties.  </p>
<p id="rfc.section.5.3.3.p.8">Operators should consider including specific guidelines for the collection of aggregated and/or anonymized data for research purposes, within or outside of their own organization. See <a href="https://surf.nl/datasharing">SURFnet's policy</a> on data sharing for research as an example.  </p>
<p id="rfc.section.5.3.3.p.9">TODO: More on data for research vs operations... how to still motivate operators to share anonymized data? </p>
<p id="rfc.section.5.3.3.p.10">TODO: Guidelines for when consent is granted? </p>
<p id="rfc.section.5.3.3.p.11">TODO: Applies to server data handling too.. could operators offer alternatives services one that implies consent for data processing, one that doesn't? </p>
<h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a> <a href="#dns-privacy-policy-and-practice-statement" id="dns-privacy-policy-and-practice-statement">DNS privacy policy and practice statement</a></h1>
<h1 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1.</a> <a href="#recommended-contents-of-a-dppps" id="recommended-contents-of-a-dppps">Recommended contents of a DPPPS</a></h1>
<h1 id="rfc.section.6.1.1"><a href="#rfc.section.6.1.1">6.1.1.</a> <a href="#policy" id="policy">Policy</a></h1>
<p/>

<ol>
  <li>Make an explicit statement that IP addressses are treated as PII</li>
  <li>State if IP addresses are being logged</li>
  <li>Specify clearly what data (including whether it is aggregated, pseudonymized or anonymized and the conditions of data transfer) is: <ul><li>Collected and retained by the operator, and for what period it is retained</li><li>Shared with partners</li><li>Shared, sold or rented to third-parties</li></ul></li>
  <li>Specify any exceptions to the above, for example technically malicious or anomalous behavior</li>
  <li>Declare any partners, third-party affiliations or sources of funding</li>
  <li>Whether user DNS data is correlated or combined with any other personal information held by the operator</li>
  <li>Result filtering. This section should explain whether the operator filters, edits or alters in any way the replies that it receives from the authoritative servers for each DNS zone, before forwarding them to the clients. For each category listed below, the operator should also specify how the filtering lists are created and managed, whether it employs any third-party sources for such lists, and which ones.  <ul><li>Specify if any replies are being filtered out or altered for network and computer security reasons (e.g. preventing connections to malware-spreading websites or botnet control servers)</li><li>Specify if any replies are being filtered out or altered for mandatory legal reasons, due to applicable legislation or binding orders by courts and other public authorities</li><li>Specify if any replies are being filtered out or altered for voluntary legal reasons, due to an internal policy by the operator aiming at reducing potential legal risks</li><li>Specify if any replies are being filtered out or altered for any other reason, including commercial ones</li></ul></li>
</ol>

<p> </p>
<h1 id="rfc.section.6.1.2"><a href="#rfc.section.6.1.2">6.1.2.</a> <a href="#practice" id="practice">Practice</a></h1>
<p id="rfc.section.6.1.2.p.1">This section should explain the current operational practices of the service.  </p>
<p/>

<ol>
  <li>Specify any temporary or permanent deviations from the policy for operational reasons</li>
  <li>With reference to section <a href="#recommendations-for-dns-privacy-services">Section 5</a> provide specific details of which capabilities are provided on which client facing addresses and ports</li>
  <li>Specify the authentication name to be used (if any) and if TLSA records are published (including options used in the TLSA records)</li>
  <li>Specify the SPKI pinsets to be used (if any) and policy for rolling keys</li>
  <li>Provide contact/support information for the service</li>
  <li>Jurisdiction. This section should communicate the applicable jurisdictions and law enforcement regimes under which the service is being provided.  <ul><li>Specify the entity or entities that will control the data and be responsible for their treatment, and their legal place of business</li><li>Specify, either directly or by pointing to the applicable privacy policy, the relevant privacy laws that apply to the treatment of the data, the rights that users enjoy in regard to their own personal information that is treated by the service, and how they can contact the operator to enforce them</li><li>Specify the countries in which the servers handling the DNS requests and the data are located (if the operator applies a geolocation policy so that requests from certain countries are only served by certain servers, this should be specified as well)</li><li>Specify whether the operator has any agreement in place with law enforcement agencies, or other public and private parties dealing with security and intelligence, to give them access to the servers and/or to the data</li></ul></li>
  <li>Describe how consent is obtained from the user of the DNS privacy service differentiating <ul><li>Uninformed users for whom this trust relationship is implicit</li><li>Privacy-conscious users, that make an explicit trust choice <br/></li></ul><p> (this may prove relevant in the context of e.g. the GDPR as it relates to consent)</p></li>
</ol>

<p> </p>
<h1 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2.</a> <a href="#current-policy-and-privacy-statements" id="current-policy-and-privacy-statements">Current policy and privacy statements</a></h1>
<p id="rfc.section.6.2.p.1">A tabular comparison of existing policy and privacy statements from various DNS Privacy service operators based on the proposed DPPPS structure can be found on <a href="https://dnsprivacy.org/wiki/display/DP/Comparison+of+policy+and+privacy+statements">dnsprivacy.org</a>.  </p>
<p id="rfc.section.6.2.p.2">We note that the existing set of policies vary widely in style, content and detail and it is not uncommon for the full text for a given operator to equate to more than 10 pages of moderate font sized A4 text. It is a non-trivial task today for a user to extract a meaningful overview of the different services on offer.  </p>
<h1 id="rfc.section.6.3"><a href="#rfc.section.6.3">6.3.</a> <a href="#enforcementaccountability" id="enforcementaccountability">Enforcement/accountability</a></h1>
<p id="rfc.section.6.3.p.1">Transparency reports may help with building user trust that operators adhere to their policies and practices.  </p>
<p id="rfc.section.6.3.p.2">Independent monitoring or analysis could be performed where possible of: </p>
<p/>

<ul>
  <li>ECS, QNAME minimization, EDNS(0) padding, etc.</li>
  <li>Filtering</li>
  <li>Uptime</li>
</ul>

<p> </p>
<p id="rfc.section.6.3.p.4">This is by analogy with e.g. several TLS or website analysis tools that are currently available e.g. <a href="https://www.ssllabs.com/ssltest/">SSL Labs</a> or <a href="https://internet.nl">Internet.nl</a>.  </p>
<p id="rfc.section.6.3.p.5">Additionally operators could choose to engage the services of a third party auditor to verify their compliance with their published DPPPS.  </p>
<h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a> <a href="#iana-considerations" id="iana-considerations">IANA considerations</a></h1>
<p id="rfc.section.7.p.1">None </p>
<h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a> <a href="#security-considerations" id="security-considerations">Security considerations</a></h1>
<p id="rfc.section.8.p.1">Security considerations for DNS-over-TCP are given in <a href="#RFC7766">[RFC7766]</a>, many of which are generally applicable to session based DNS.  </p>
<p id="rfc.section.8.p.2">TODO: e.g. New issues for DoS defence, server admin policies </p>
<h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a></h1>
<p id="rfc.section.9.p.1">Many thanks to Amelia Andersdotter for a very thorough review of the first draft of this document. Thanks to John Todd for discussions on this topic, and to Stephane Bortzmeyer, Puneet Sood and Vittorio Bertola for review. Thanks to Daniel Kahn Gillmor, Barry Green, Paul Hoffman, Dan York, John Reed, Lorenzo Colitti for comments at the mic. Thanks to Loganaden Velvindron for useful updates to the text.  </p>
<p id="rfc.section.9.p.2">Sara Dickinson thanks the Open Technology Fund for a grant to support the work on this document.  </p>
<h1 id="rfc.section.10"><a href="#rfc.section.10">10.</a> <a href="#contributors" id="contributors">Contributors</a></h1>
<p id="rfc.section.10.p.1">The below individuals contributed significantly to the document: </p>
<p id="rfc.section.10.p.2">John Dickinson <br/> Sinodun Internet Technologies <br/> Magdalen Centre <br/> Oxford Science Park <br/> Oxford OX4 4GA <br/> United Kingdom </p>
<p id="rfc.section.10.p.3">Jim Hague <br/> Sinodun Internet Technologies <br/> Magdalen Centre <br/> Oxford Science Park <br/> Oxford OX4 4GA <br/> United Kingdom </p>
<h1 id="rfc.section.11"><a href="#rfc.section.11">11.</a> <a href="#changelog" id="changelog">Changelog</a></h1>
<p id="rfc.section.11.p.1">draft-ietf-dprive-bcp-op-02 </p>
<p/>

<ul>
  <li>Change 'open resolver' for 'public resolver'</li>
  <li>Minor editorial changes</li>
  <li>Remove recommendation to run a separate TLS 1.3 service</li>
  <li>Move TLSA to purely a optimisation in Section 5.2.1</li>
  <li>Update reference on minimal DoH headers.</li>
  <li>Add reference on user switching provider after service issues in Section 5.1.4</li>
  <li>Add text in Section 5.1.6 on impact on operators.</li>
  <li>Add text on additional threat to TLS proxy use (Section 5.1.7)</li>
  <li>Add reference in Section 5.3.1 on example policies.</li>
</ul>

<p> </p>
<p id="rfc.section.11.p.3">draft-ietf-dprive-bcp-op-01 </p>
<p/>

<ul>
  <li>Many minor editorial fixes</li>
  <li>Update DoH reference to RFC8484 and add more text on DoH</li>
  <li>Split threat descriptions into ones directly referencing RFC6973 and other DNS Privacy threats</li>
  <li>Improve threat descriptions throughout</li>
  <li>Remove reference to the DNSSEC TLS Chain Extension draft until new version submitted.</li>
  <li>Clarify use of whitelisting for ECS</li>
  <li>Re-structure the DPPPS, add Result filtering section.</li>
  <li>Remove the direct inclusion of privacy policy comparison, now just reference dnsprivacy.org and an example of such work.</li>
  <li>Add an appendix briefly discussing DNSSEC</li>
  <li>Update affiliation of 1 author</li>
</ul>

<p> </p>
<p id="rfc.section.11.p.5">draft-ietf-dprive-bcp-op-00 </p>
<p/>

<ul>
  <li>Initial commit of re-named document after adoption to replace draft-dickinson-dprive-bcp-op-01</li>
</ul>

<p> </p>
<p/>
<h1 id="rfc.references"><a href="#rfc.references">12.</a> References</h1>
<h1 id="rfc.references.1"><a href="#rfc.references.1">12.1.</a> Normative References</h1>
<table>
  <tbody>
    <tr>
      <td class="reference">
        <b id="I-D.ietf-dnsop-session-signal">[I-D.ietf-dnsop-session-signal]</b>
      </td>
      <td class="top"><a>Bellis, R.</a>, <a>Cheshire, S.</a>, <a>Dickinson, J.</a>, <a>Dickinson, S.</a>, <a>Lemon, T.</a> and <a>T. Pusateri</a>, "<a href="http://tools.ietf.org/html/draft-ietf-dnsop-session-signal-20">DNS Stateful Operations</a>", Internet-Draft draft-ietf-dnsop-session-signal-20, December 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC2119">[RFC2119]</b>
      </td>
      <td class="top"><a>Bradner, S.</a>, "<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC5077">[RFC5077]</b>
      </td>
      <td class="top"><a>Salowey, J.</a>, <a>Zhou, H.</a>, <a>Eronen, P.</a> and <a>H. Tschofenig</a>, "<a href="http://tools.ietf.org/html/rfc5077">Transport Layer Security (TLS) Session Resumption without Server-Side State</a>", RFC 5077, DOI 10.17487/RFC5077, January 2008.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC6265">[RFC6265]</b>
      </td>
      <td class="top"><a>Barth, A.</a>, "<a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a>", RFC 6265, DOI 10.17487/RFC6265, April 2011.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC6973">[RFC6973]</b>
      </td>
      <td class="top"><a>Cooper, A.</a>, <a>Tschofenig, H.</a>, <a>Aboba, B.</a>, <a>Peterson, J.</a>, <a>Morris, J.</a>, <a>Hansen, M.</a> and <a>R. Smith</a>, "<a href="http://tools.ietf.org/html/rfc6973">Privacy Considerations for Internet Protocols</a>", RFC 6973, DOI 10.17487/RFC6973, July 2013.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7525">[RFC7525]</b>
      </td>
      <td class="top"><a>Sheffer, Y.</a>, <a>Holz, R.</a> and <a>P. Saint-Andre</a>, "<a href="http://tools.ietf.org/html/rfc7525">Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</a>", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7766">[RFC7766]</b>
      </td>
      <td class="top"><a>Dickinson, J.</a>, <a>Dickinson, S.</a>, <a>Bellis, R.</a>, <a>Mankin, A.</a> and <a>D. Wessels</a>, "<a href="http://tools.ietf.org/html/rfc7766">DNS Transport over TCP - Implementation Requirements</a>", RFC 7766, DOI 10.17487/RFC7766, March 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7816">[RFC7816]</b>
      </td>
      <td class="top"><a>Bortzmeyer, S.</a>, "<a href="http://tools.ietf.org/html/rfc7816">DNS Query Name Minimisation to Improve Privacy</a>", RFC 7816, DOI 10.17487/RFC7816, March 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7828">[RFC7828]</b>
      </td>
      <td class="top"><a>Wouters, P.</a>, <a>Abley, J.</a>, <a>Dickinson, S.</a> and <a>R. Bellis</a>, "<a href="http://tools.ietf.org/html/rfc7828">The edns-tcp-keepalive EDNS0 Option</a>", RFC 7828, DOI 10.17487/RFC7828, April 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7830">[RFC7830]</b>
      </td>
      <td class="top"><a>Mayrhofer, A.</a>, "<a href="http://tools.ietf.org/html/rfc7830">The EDNS(0) Padding Option</a>", RFC 7830, DOI 10.17487/RFC7830, May 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7858">[RFC7858]</b>
      </td>
      <td class="top"><a>Hu, Z.</a>, <a>Zhu, L.</a>, <a>Heidemann, J.</a>, <a>Mankin, A.</a>, <a>Wessels, D.</a> and <a>P. Hoffman</a>, "<a href="http://tools.ietf.org/html/rfc7858">Specification for DNS over Transport Layer Security (TLS)</a>", RFC 7858, DOI 10.17487/RFC7858, May 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7871">[RFC7871]</b>
      </td>
      <td class="top"><a>Contavalli, C.</a>, <a>van der Gaast, W.</a>, <a>Lawrence, D.</a> and <a>W. Kumari</a>, "<a href="http://tools.ietf.org/html/rfc7871">Client Subnet in DNS Queries</a>", RFC 7871, DOI 10.17487/RFC7871, May 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7873">[RFC7873]</b>
      </td>
      <td class="top"><a>Eastlake 3rd, D.</a> and <a>M. Andrews</a>, "<a href="http://tools.ietf.org/html/rfc7873">Domain Name System (DNS) Cookies</a>", RFC 7873, DOI 10.17487/RFC7873, May 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8174">[RFC8174]</b>
      </td>
      <td class="top"><a>Leiba, B.</a>, "<a href="http://tools.ietf.org/html/rfc8174">Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</a>", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8310">[RFC8310]</b>
      </td>
      <td class="top"><a>Dickinson, S.</a>, <a>Gillmor, D.</a> and <a>T. Reddy</a>, "<a href="http://tools.ietf.org/html/rfc8310">Usage Profiles for DNS over TLS and DNS over DTLS</a>", RFC 8310, DOI 10.17487/RFC8310, March 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8404">[RFC8404]</b>
      </td>
      <td class="top"><a>Moriarty, K.</a> and <a>A. Morton</a>, "<a href="http://tools.ietf.org/html/rfc8404">Effects of Pervasive Encryption on Operators</a>", RFC 8404, DOI 10.17487/RFC8404, July 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8467">[RFC8467]</b>
      </td>
      <td class="top"><a>Mayrhofer, A.</a>, "<a href="http://tools.ietf.org/html/rfc8467">Padding Policies for Extension Mechanisms for DNS (EDNS(0))</a>", RFC 8467, DOI 10.17487/RFC8467, October 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8484">[RFC8484]</b>
      </td>
      <td class="top"><a>Hoffman, P.</a> and <a>P. McManus</a>, "<a href="http://tools.ietf.org/html/rfc8484">DNS Queries over HTTPS (DoH)</a>", RFC 8484, DOI 10.17487/RFC8484, October 2018.</td>
    </tr>
  </tbody>
</table>
<h1 id="rfc.references.2"><a href="#rfc.references.2">12.2.</a> Informative References</h1>
<table>
  <tbody>
    <tr>
      <td class="reference">
        <b id="I-D.bellis-dnsop-xpf">[I-D.bellis-dnsop-xpf]</b>
      </td>
      <td class="top"><a>Bellis, R.</a>, <a>Dijk, P.</a> and <a>R. Gacogne</a>, "<a href="http://tools.ietf.org/html/draft-bellis-dnsop-xpf-04">DNS X-Proxied-For</a>", Internet-Draft draft-bellis-dnsop-xpf-04, March 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</b>
      </td>
      <td class="top"><a>Bortzmeyer, S.</a> and <a>S. Dickinson</a>, "<a href="http://tools.ietf.org/html/draft-bortzmeyer-dprive-rfc7626-bis-02">DNS Privacy Considerations</a>", Internet-Draft draft-bortzmeyer-dprive-rfc7626-bis-02, January 2019.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="I-D.ietf-dnsop-dns-capture-format">[I-D.ietf-dnsop-dns-capture-format]</b>
      </td>
      <td class="top"><a>Dickinson, J.</a>, <a>Hague, J.</a>, <a>Dickinson, S.</a>, <a>Manderson, T.</a> and <a>J. Bond</a>, "<a href="http://tools.ietf.org/html/draft-ietf-dnsop-dns-capture-format-10">C-DNS: A DNS Packet Capture Format</a>", Internet-Draft draft-ietf-dnsop-dns-capture-format-10, December 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="I-D.ietf-dnsop-dns-tcp-requirements">[I-D.ietf-dnsop-dns-tcp-requirements]</b>
      </td>
      <td class="top"><a>Kristoff, J.</a> and <a>D. Wessels</a>, "<a href="http://tools.ietf.org/html/draft-ietf-dnsop-dns-tcp-requirements-03">DNS Transport over TCP - Operational Requirements</a>", Internet-Draft draft-ietf-dnsop-dns-tcp-requirements-03, January 2019.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="I-D.ietf-dnsop-terminology-bis">[I-D.ietf-dnsop-terminology-bis]</b>
      </td>
      <td class="top"><a>Hoffman, P.</a>, <a>Sullivan, A.</a> and <a>K. Fujiwara</a>, "<a href="http://tools.ietf.org/html/draft-ietf-dnsop-terminology-bis-14">DNS Terminology</a>", Internet-Draft draft-ietf-dnsop-terminology-bis-14, September 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="I-D.ietf-httpbis-bcp56bis">[I-D.ietf-httpbis-bcp56bis]</b>
      </td>
      <td class="top"><a>Nottingham, M.</a>, "<a href="http://tools.ietf.org/html/draft-ietf-httpbis-bcp56bis-08">Building Protocols with HTTP</a>", Internet-Draft draft-ietf-httpbis-bcp56bis-08, November 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="pcap">[pcap]</b>
      </td>
      <td class="top"><a>tcpdump.org</a>, "<a href="http://www.tcpdump.org/">PCAP</a>", 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="Pitfalls-of-DNS-Encryption">[Pitfalls-of-DNS-Encryption]</b>
      </td>
      <td class="top"><a title="Fachbereich Informatik, Technische Universit&#xE4;t Darmstadt">Shulman, H.</a>, "<a href="https://www.ietf.org/mail-archive/web/dns-privacy/current/pdfWqAIUmEl47.pdf">Pretty Bad Privacy: Pitfalls of DNS Encryption</a>", 2014.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC4033">[RFC4033]</b>
      </td>
      <td class="top"><a>Arends, R.</a>, <a>Austein, R.</a>, <a>Larson, M.</a>, <a>Massey, D.</a> and <a>S. Rose</a>, "<a href="http://tools.ietf.org/html/rfc4033">DNS Security Introduction and Requirements</a>", RFC 4033, DOI 10.17487/RFC4033, March 2005.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC6235">[RFC6235]</b>
      </td>
      <td class="top"><a>Boschi, E.</a> and <a>B. Trammell</a>, "<a href="http://tools.ietf.org/html/rfc6235">IP Flow Anonymization Support</a>", RFC 6235, DOI 10.17487/RFC6235, May 2011.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC6841">[RFC6841]</b>
      </td>
      <td class="top"><a>Ljunggren, F.</a>, <a>Eklund Lowinder, AM.</a> and <a>T. Okubo</a>, "<a href="http://tools.ietf.org/html/rfc6841">A Framework for DNSSEC Policies and DNSSEC Practice Statements</a>", RFC 6841, DOI 10.17487/RFC6841, January 2013.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7457">[RFC7457]</b>
      </td>
      <td class="top"><a>Sheffer, Y.</a>, <a>Holz, R.</a> and <a>P. Saint-Andre</a>, "<a href="http://tools.ietf.org/html/rfc7457">Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)</a>", RFC 7457, DOI 10.17487/RFC7457, February 2015.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7686">[RFC7686]</b>
      </td>
      <td class="top"><a>Appelbaum, J.</a> and <a>A. Muffett</a>, "<a href="http://tools.ietf.org/html/rfc7686">The ".onion" Special-Use Domain Name</a>", RFC 7686, DOI 10.17487/RFC7686, October 2015.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7706">[RFC7706]</b>
      </td>
      <td class="top"><a>Kumari, W.</a> and <a>P. Hoffman</a>, "<a href="http://tools.ietf.org/html/rfc7706">Decreasing Access Time to Root Servers by Running One on Loopback</a>", RFC 7706, DOI 10.17487/RFC7706, November 2015.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8094">[RFC8094]</b>
      </td>
      <td class="top"><a>Reddy, T.</a>, <a>Wing, D.</a> and <a>P. Patil</a>, "<a href="http://tools.ietf.org/html/rfc8094">DNS over Datagram Transport Layer Security (DTLS)</a>", RFC 8094, DOI 10.17487/RFC8094, February 2017.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8198">[RFC8198]</b>
      </td>
      <td class="top"><a>Fujiwara, K.</a>, <a>Kato, A.</a> and <a>W. Kumari</a>, "<a href="http://tools.ietf.org/html/rfc8198">Aggressive Use of DNSSEC-Validated Cache</a>", RFC 8198, DOI 10.17487/RFC8198, July 2017.</td>
    </tr>
  </tbody>
</table>
<h1 id="rfc.appendix.A"><a href="#rfc.appendix.A">Appendix A.</a> <a href="#documents" id="documents">Documents</a></h1>
<p id="rfc.section.A.p.1">This section provides an overview of some DNS privacy related documents, however, this is neither an exhaustive list nor a definitive statement on the characteristic of the document.  </p>
<h1 id="rfc.appendix.A.1"><a href="#rfc.appendix.A.1">A.1.</a> <a href="#potential-increases-in-dns-privacy" id="potential-increases-in-dns-privacy">Potential increases in DNS privacy</a></h1>
<p id="rfc.section.A.1.p.1">These documents are limited in scope to communications between stub clients and recursive resolvers: </p>
<p/>

<ul>
  <li>'Specification for DNS over Transport Layer Security (TLS)' <a href="#RFC7858">[RFC7858]</a>, referred to here as 'DNS-over-TLS'.</li>
  <li>'DNS over Datagram Transport Layer Security (DTLS)' <a href="#RFC8094">[RFC8094]</a>, referred to here as 'DNS-over-DTLS'. Note that this document has the Category of Experimental.</li>
  <li>'DNS Queries over HTTPS (DoH)' <a href="#RFC8484">[RFC8484]</a> referred to here as DoH.</li>
  <li>'Usage Profiles for DNS over TLS and DNS over DTLS' <a href="#RFC8310">[RFC8310]</a></li>
  <li>'The EDNS(0) Padding Option' <a href="#RFC7830">[RFC7830]</a> and 'Padding Policy for EDNS(0)' <a href="#RFC8467">[RFC8467]</a></li>
</ul>

<p> </p>
<p id="rfc.section.A.1.p.3">These documents apply to recursive to authoritative DNS but are relevant when considering the operation of a recursive server: </p>
<p/>

<ul>
  <li>'DNS Query Name minimization to Improve Privacy' <a href="#RFC7816">[RFC7816]</a> referred to here as 'QNAME minimization'</li>
</ul>

<p> </p>
<h1 id="rfc.appendix.A.2"><a href="#rfc.appendix.A.2">A.2.</a> <a href="#potential-decreases-in-dns-privacy" id="potential-decreases-in-dns-privacy">Potential decreases in DNS privacy</a></h1>
<p id="rfc.section.A.2.p.1">These documents relate to functionality that could provide increased tracking of user activity as a side effect: </p>
<p/>

<ul>
  <li>'Client Subnet in DNS Queries' <a href="#RFC7871">[RFC7871]</a></li>
  <li>'Domain Name System (DNS) Cookies' <a href="#RFC7873">[RFC7873]</a>)</li>
  <li>'Transport Layer Security (TLS) Session Resumption without Server-Side State' <a href="#RFC5077">[RFC5077]</a> referred to here as simply TLS session resumption.</li>
  <li>'A DNS Packet Capture Format' <a href="#I-D.ietf-dnsop-dns-capture-format">[I-D.ietf-dnsop-dns-capture-format]</a></li>
  <li>Passive DNS <a href="#I-D.ietf-dnsop-terminology-bis">[I-D.ietf-dnsop-terminology-bis]</a></li>
</ul>

<p> </p>
<p id="rfc.section.A.2.p.3">Note that depending on the specifics of the implementation <a href="#RFC8484">[RFC8484]</a> may also provide increased tracking.  </p>
<h1 id="rfc.appendix.A.3"><a href="#rfc.appendix.A.3">A.3.</a> <a href="#related-operational-documents" id="related-operational-documents">Related operational documents</a></h1>
<p/>

<ul>
  <li>'DNS Transport over TCP - Implementation Requirements' <a href="#RFC7766">[RFC7766]</a></li>
  <li>'Operational requirements for DNS-over-TCP' <a href="#I-D.ietf-dnsop-dns-tcp-requirements">[I-D.ietf-dnsop-dns-tcp-requirements]</a></li>
  <li>'The edns-tcp-keepalive EDNS0 Option' <a href="#RFC7828">[RFC7828]</a></li>
  <li>'DNS Stateful Operations' <a href="#I-D.ietf-dnsop-session-signal">[I-D.ietf-dnsop-session-signal]</a></li>
</ul>

<p> </p>
<h1 id="rfc.appendix.B"><a href="#rfc.appendix.B">Appendix B.</a> <a href="#encryption-and-dnssec" id="encryption-and-dnssec">Encryption and DNSSEC</a></h1>
<p id="rfc.section.B.p.1">The addition of encryption to DNS does not remove the need for DNSSEC <a href="#RFC4033">[RFC4033]</a> - they are independent and fully compatible protocols, each solving different problems. The use of one does not diminish the need nor the usefulness of the other.  </p>
<p id="rfc.section.B.p.2">All DNS privacy services SHOULD offer a DNS privacy service that performs DNSSEC validation. In addition they SHOULD be able to provide the DNSSEC RRs to the client so that it can perform its own validation.  </p>
<p id="rfc.section.B.p.3">While the use of an authenticated and encrypted transport protects origin authentication and data integrity between a client and a DNS privacy service it provides no proof (for a non-validating client) that the data provided by the DNS privacy service was actually DNSSEC authenticated.  </p>
<h1 id="rfc.appendix.C"><a href="#rfc.appendix.C">Appendix C.</a> <a href="#ip-address-techniques" id="ip-address-techniques">IP address techniques</a></h1>
<p id="rfc.section.C.p.1">Data minimization methods may be categorized by the processing used and the properties of their outputs. The following builds on the categorization employed in <a href="#RFC6235">[RFC6235]</a>: </p>
<p/>

<ul>
  <li>Format-preserving. Normally when encrypting, the original data length and patterns in the data should be hidden from an attacker. Some applications of de-identification, such as network capture de-identification, require that the de-identified data is of the same form as the original data, to allow the data to be parsed in the same way as the original.</li>
  <li>Prefix preservation. Values such as IP addresses and MAC addresses contain prefix information that can be valuable in analysis, e.g. manufacturer ID in MAC addresses, subnet in IP addresses. Prefix preservation ensures that prefixes are de-identified consistently; e.g. if two IP addresses are from the same subnet, a prefix preserving de-identification will ensure that their de-identified counterparts will also share a subnet. Prefix preservation may be fixed (i.e. based on a user selected prefix length identified in advance to be preserved ) or general.</li>
  <li>Replacement. A one-to-one replacement of a field to a new value of the same type, for example using a regular expression.</li>
  <li>Filtering. Removing (and thus truncating) or replacing data in a field. Field data can be overwritten, often with zeros, either partially (grey marking) or completely (black marking).</li>
  <li>Generalization. Data is replaced by more general data with reduced specificity. One example would be to replace all TCP/UDP port numbers with one of two fixed values indicating whether the original port was ephemeral (&gt;=1024) or non-ephemeral (&gt;1024). Another example, precision degradation, reduces the accuracy of e.g. a numeric value or a timestamp.</li>
  <li>Enumeration. With data from a well-ordered set, replace the first data item data using a random initial value and then allocate ordered values for subsequent data items. When used with timestamp data, this preserves ordering but loses precision and distance.</li>
  <li>Reordering/shuffling. Preserving the original data, but rearranging its order, often in a random manner.</li>
  <li>Random substitution. As replacement, but using randomly generated replacement values.</li>
  <li>Cryptographic permutation. Using a permutation function, such as a hash function or cryptographic block cipher, to generate a replacement de-identified value.  <br/></li>
</ul>

<p> </p>
<h1 id="rfc.appendix.C.1"><a href="#rfc.appendix.C.1">C.1.</a> <a href="#google-analytics-nonprefix-filtering" id="google-analytics-nonprefix-filtering">Google Analytics non-prefix filtering</a></h1>
<p id="rfc.section.C.1.p.1">Since May 2010, <a href="https://support.google.com/analytics/answer/2763052?hl=en">Google Analytics has provided a facility</a> that allows website owners to request that all their users IP addresses are anonymized within Google Analytics processing. This very basic anonymization simply sets to zero the least significant 8 bits of IPv4 addresses, and the least significant 80 bits of IPv6 addresses. The level of anonymization this produces is perhaps questionable. There are <a href="https://www.conversionworks.co.uk/blog/2017/05/19/anonymize-ip-geo-impact-test/">some analysis results</a> which suggest that the impact of this on reducing the accuracy of determining the user's location from their IP address is less than might be hoped; the average discrepancy in identification of the user city for UK users is no more than 17%.  </p>
<p id="rfc.section.C.1.p.2">Anonymization: Format-preserving, Filtering (grey marking).  </p>
<h1 id="rfc.appendix.C.2"><a href="#rfc.appendix.C.2">C.2.</a> <a href="#dnswasher" id="dnswasher">dnswasher</a></h1>
<p id="rfc.section.C.2.p.1">Since 2006, PowerDNS have included a de-identification tool <a href="https://github.com/edmonds/pdns/blob/master/pdns/dnswasher.cc">dnswasher</a> with their PowerDNS product. This is a PCAP filter that performs a one-to-one mapping of end user IP addresses with an anonymized address. A table of user IP addresses and their de-identified counterparts is kept; the first IPv4 user addresses is translated to 0.0.0.1, the second to 0.0.0.2 and so on. The de-identified address therefore depends on the order that addresses arrive in the input, and running over a large amount of data the address translation tables can grow to a significant size.  </p>
<p id="rfc.section.C.2.p.2">Anonymization: Format-preserving, Enumeration.  </p>
<h1 id="rfc.appendix.C.3"><a href="#rfc.appendix.C.3">C.3.</a> <a href="#prefixpreserving-map" id="prefixpreserving-map">Prefix-preserving map</a></h1>
<p id="rfc.section.C.3.p.1">Used in <a href="http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html">TCPdpriv</a>, this algorithm stores a set of original and anonymised IP address pairs. When a new IP address arrives, it is compared with previous addresses to determine the longest prefix match. The new address is anonymized by using the same prefix, with the remainder of the address anonymized with a random value. The use of a random value means that TCPdrpiv is not deterministic; different anonymized values will be generated on each run. The need to store previous addresses means that TCPdpriv has significant and unbounded memory requirements, and because of the need to allocated anonymized addresses sequentially cannot be used in parallel processing.  </p>
<p id="rfc.section.C.3.p.2">Anonymization: Format-preserving, prefix preservation (general).  </p>
<h1 id="rfc.appendix.C.4"><a href="#rfc.appendix.C.4">C.4.</a> <a href="#cryptographic-prefixpreserving-pseudonymisation" id="cryptographic-prefixpreserving-pseudonymisation">Cryptographic Prefix-Preserving Pseudonymisation</a></h1>
<p id="rfc.section.C.4.p.1">Cryptographic prefix-preserving pseudonymisation was originally proposed as an improvement to the prefix-preserving map implemented in TCPdpriv, described in <a href="http://an.kaist.ac.kr/~sbmoon/paper/intl-journal/2004-cn-anon.pdf">Xu et al.</a> and implemented in the <a href="https://www.cc.gatech.edu/computing/Telecomm/projects/cryptopan/">Crypto-PAn tool</a>.  Crypto-PAn is now frequently used as an acronym for the algorithm. Initially it was described for IPv4 addresses only; extension for IPv6 addresses was proposed in <a href="http://mharvan.net/talks/noms-ip_anon.pdf">Harvan &amp; Sch&#246;nw&#228;lder</a> and implemented in snmpdump. This uses a cryptographic algorithm rather than a random value, and thus pseudonymity is determined uniquely by the encryption key, and is deterministic. It requires a separate AES encryption for each output bit, so has a non-trivial calculation overhead. This can be mitigated to some extent (for IPv4, at least) by pre-calculating results for some number of prefix bits.  </p>
<p id="rfc.section.C.4.p.2">Pseudonymization: Format-preserving, prefix preservation (general).  </p>
<h1 id="rfc.appendix.C.5"><a href="#rfc.appendix.C.5">C.5.</a> <a href="#tophash-subtreereplicated-anonymisation" id="tophash-subtreereplicated-anonymisation">Top-hash Subtree-replicated Anonymisation</a></h1>
<p id="rfc.section.C.5.p.1">Proposed in <a href="http://www.ecs.umass.edu/ece/wolf/pubs/ton2007.pdf">Ramaswamy &amp; Wolf</a>, Top-hash Subtree-replicated Anonymisation (TSA) originated in response to the requirement for faster processing than Crypto-PAn.  It used hashing for the most significant byte of an IPv4 address, and a pre-calculated binary tree structure for the remainder of the address. To save memory space, replication is used within the tree structure, reducing the size of the pre-calculated structures to a few Mb for IPv4 addresses. Address pseudonymization is done via hash and table lookup, and so requires minimal computation. However, due to the much increased address space for IPv6, TSA is not memory efficient for IPv6.  </p>
<p id="rfc.section.C.5.p.2">Pseudonymization: Format-preserving, prefix preservation (general).  </p>
<h1 id="rfc.appendix.C.6"><a href="#rfc.appendix.C.6">C.6.</a> <a href="#ipcipher" id="ipcipher">ipcipher</a></h1>
<p id="rfc.section.C.6.p.1">A <a href="https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476">recently-released proposal from PowerDNS</a>, <a href="https://github.com/PowerDNS/ipcipher">ipcipher</a> is a simple pseudonymization technique for IPv4 and IPv6 addresses. IPv6 addresses are encrypted directly with AES-128 using a key (which may be derived from a passphrase). IPv4 addresses are similarly encrypted, but using a recently proposed encryption <a href="https://github.com/veorq/ipcrypt">ipcrypt</a> suitable for 32bit block lengths. However, the author of ipcrypt has <a href="https://www.ietf.org/mail-archive/web/cfrg/current/msg09494.html">since indicated</a> that it has low security, and further analysis has revealed it is vulnerable to attack.  </p>
<p id="rfc.section.C.6.p.2">Pseudonymization: Format-preserving, cryptographic permutation.  </p>
<h1 id="rfc.appendix.C.7"><a href="#rfc.appendix.C.7">C.7.</a> <a href="#bloom-filters" id="bloom-filters">Bloom filters</a></h1>
<p><a href="https://tnc18.geant.org/core/presentation/127">van Rijswijk-Deij et al.</a> have recently described work using Bloom filters to categorize query traffic and record the traffic as the state of multiple filters. The goal of this work is to allow operators to identify so-called Indicators of Compromise (IOCs) originating from specific subnets without storing information about, or be able to monitor the DNS queries of an individual user. By using a Bloom filter, it is possible to determine with a high probability if, for example, a particular query was made, but the set of queries made cannot be recovered from the filter. Similarly, by mixing queries from a sufficient number of users in a single filter, it becomes practically impossible to determine if a particular user performed a particular query. Large numbers of queries can be tracked in a memory-efficient way. As filter status is stored, this approach cannot be used to regenerate traffic, and so cannot be used with tools used to process live traffic.  </p>
<p id="rfc.section.C.7.p.2">Anonymized: Generalization.  </p>
<h1 id="rfc.authors">
  <a href="#rfc.authors">Authors' Addresses</a>
</h1>
<div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Sara Dickinson</span> 
	  <span class="n hidden">
		<span class="family-name">Dickinson</span>
	  </span>
	</span>
	<span class="org vcardline">Sinodun IT</span>
	<span class="adr">
	  <span class="vcardline">Magdalen Centre</span>
<span class="vcardline">Oxford Science Park</span>

	  <span class="vcardline">
		<span class="locality">Oxford</span>,  
		<span class="region"></span>
		<span class="code">OX4 4GA</span>
	  </span>
	  <span class="country-name vcardline">United Kingdom</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:sara@sinodun.com">sara@sinodun.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Benno J. Overeinder</span> 
	  <span class="n hidden">
		<span class="family-name">Overeinder</span>
	  </span>
	</span>
	<span class="org vcardline">NLnet Labs</span>
	<span class="adr">
	  <span class="vcardline">Science Park 400</span>

	  <span class="vcardline">
		<span class="locality">Amsterdam</span>,  
		<span class="region"></span>
		<span class="code">1098 XH</span>
	  </span>
	  <span class="country-name vcardline">The Netherlands</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:benno@nlnetLabs.nl">benno@nlnetLabs.nl</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Roland M. van Rijswijk-Deij</span> 
	  <span class="n hidden">
		<span class="family-name">van Rijswijk-Deij</span>
	  </span>
	</span>
	<span class="org vcardline">NLnet Labs</span>
	<span class="adr">
	  <span class="vcardline">Science Park 400</span>

	  <span class="vcardline">
		<span class="locality">Amsterdam</span>,  
		<span class="region"></span>
		<span class="code">1098 XH</span>
	  </span>
	  <span class="country-name vcardline">The Netherlands</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:roland@nlnetLabs.nl">roland@nlnetLabs.nl</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Allison Mankin</span> 
	  <span class="n hidden">
		<span class="family-name">Mankin</span>
	  </span>
	</span>
	<span class="org vcardline">Salesforce</span>
	<span class="adr">
	  
	  <span class="vcardline">
		<span class="locality"></span> 
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline"></span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:allison.mankin@gmail.com">allison.mankin@gmail.com</a></span>

  </address>
</div>

</body>
</html>