draft-hzpa-dprive-xfr-over-tls-01.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />

  <title>DNS Zone Transfer over TLS</title>

  <style type="text/css" title="Xml2Rfc (sans serif)">
  /*<![CDATA[*/
	  a {
	  text-decoration: none;
	  }
      /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
      a.info {
          /* This is the key. */
          position: relative;
          z-index: 24;
          text-decoration: none;
      }
      a.info:hover {
          z-index: 25;
          color: #FFF; background-color: #900;
      }
      a.info span { display: none; }
      a.info:hover span.info {
          /* The span will display just on :hover state. */
          display: block;
          position: absolute;
          font-size: smaller;
          top: 2em; left: -5em; width: 15em;
          padding: 2px; border: 1px solid #333;
          color: #900; background-color: #EEE;
          text-align: left;
      }
	  a.smpl {
	  color: black;
	  }
	  a:hover {
	  text-decoration: underline;
	  }
	  a:active {
	  text-decoration: underline;
	  }
	  address {
	  margin-top: 1em;
	  margin-left: 2em;
	  font-style: normal;
	  }
	  body {
	  color: black;
	  font-family: verdana, helvetica, arial, sans-serif;
	  font-size: 10pt;
	  max-width: 55em;
	  
	  }
	  cite {
	  font-style: normal;
	  }
	  dd {
	  margin-right: 2em;
	  }
	  dl {
	  margin-left: 2em;
	  }
	
	  ul.empty {
	  list-style-type: none;
	  }
	  ul.empty li {
	  margin-top: .5em;
	  }
	  dl p {
	  margin-left: 0em;
	  }
	  dt {
	  margin-top: .5em;
	  }
	  h1 {
	  font-size: 14pt;
	  line-height: 21pt;
	  page-break-after: avoid;
	  }
	  h1.np {
	  page-break-before: always;
	  }
	  h1 a {
	  color: #333333;
	  }
	  h2 {
	  font-size: 12pt;
	  line-height: 15pt;
	  page-break-after: avoid;
	  }
	  h3, h4, h5, h6 {
	  font-size: 10pt;
	  page-break-after: avoid;
	  }
	  h2 a, h3 a, h4 a, h5 a, h6 a {
	  color: black;
	  }
	  img {
	  margin-left: 3em;
	  }
	  li {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  ol {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  ol p {
	  margin-left: 0em;
	  }
	  p {
	  margin-left: 2em;
	  margin-right: 2em;
	  }
	  pre {
	  margin-left: 3em;
	  background-color: lightyellow;
	  padding: .25em;
	  }
	  pre.text2 {
	  border-style: dotted;
	  border-width: 1px;
	  background-color: #f0f0f0;
	  width: 69em;
	  }
	  pre.inline {
	  background-color: white;
	  padding: 0em;
	  }
	  pre.text {
	  border-style: dotted;
	  border-width: 1px;
	  background-color: #f8f8f8;
	  width: 69em;
	  }
	  pre.drawing {
	  border-style: solid;
	  border-width: 1px;
	  background-color: #f8f8f8;
	  padding: 2em;
	  }
	  table {
	  margin-left: 2em;
	  }
	  table.tt {
	  vertical-align: top;
	  }
	  table.full {
	  border-style: outset;
	  border-width: 1px;
	  }
	  table.headers {
	  border-style: outset;
	  border-width: 1px;
	  }
	  table.tt td {
	  vertical-align: top;
	  }
	  table.full td {
	  border-style: inset;
	  border-width: 1px;
	  }
	  table.tt th {
	  vertical-align: top;
	  }
	  table.full th {
	  border-style: inset;
	  border-width: 1px;
	  }
	  table.headers th {
	  border-style: none none inset none;
	  border-width: 1px;
	  }
	  table.left {
	  margin-right: auto;
	  }
	  table.right {
	  margin-left: auto;
	  }
	  table.center {
	  margin-left: auto;
	  margin-right: auto;
	  }
	  caption {
	  caption-side: bottom;
	  font-weight: bold;
	  font-size: 9pt;
	  margin-top: .5em;
	  }
	
	  table.header {
	  border-spacing: 1px;
	  width: 95%;
	  font-size: 10pt;
	  color: white;
	  }
	  td.top {
	  vertical-align: top;
	  }
	  td.topnowrap {
	  vertical-align: top;
	  white-space: nowrap; 
	  }
	  table.header td {
	  background-color: gray;
	  width: 50%;
	  }
	  table.header a {
	  color: white;
	  }
	  td.reference {
	  vertical-align: top;
	  white-space: nowrap;
	  padding-right: 1em;
	  }
	  thead {
	  display:table-header-group;
	  }
	  ul.toc, ul.toc ul {
	  list-style: none;
	  margin-left: 1.5em;
	  margin-right: 0em;
	  padding-left: 0em;
	  }
	  ul.toc li {
	  line-height: 150%;
	  font-weight: bold;
	  font-size: 10pt;
	  margin-left: 0em;
	  margin-right: 0em;
	  }
	  ul.toc li li {
	  line-height: normal;
	  font-weight: normal;
	  font-size: 9pt;
	  margin-left: 0em;
	  margin-right: 0em;
	  }
	  li.excluded {
	  font-size: 0pt;
	  }
	  ul p {
	  margin-left: 0em;
	  }
	
	  .comment {
	  background-color: yellow;
	  }
	  .center {
	  text-align: center;
	  }
	  .error {
	  color: red;
	  font-style: italic;
	  font-weight: bold;
	  }
	  .figure {
	  font-weight: bold;
	  text-align: center;
	  font-size: 9pt;
	  }
	  .filename {
	  color: #333333;
	  font-weight: bold;
	  font-size: 12pt;
	  line-height: 21pt;
	  text-align: center;
	  }
	  .fn {
	  font-weight: bold;
	  }
	  .hidden {
	  display: none;
	  }
	  .left {
	  text-align: left;
	  }
	  .right {
	  text-align: right;
	  }
	  .title {
	  color: #990000;
	  font-size: 18pt;
	  line-height: 18pt;
	  font-weight: bold;
	  text-align: center;
	  margin-top: 36pt;
	  }
	  .vcardline {
	  display: block;
	  }
	  .warning {
	  font-size: 14pt;
	  background-color: yellow;
	  }
	
	
	  @media print {
	  .noprint {
		display: none;
	  }
	
	  a {
		color: black;
		text-decoration: none;
	  }
	
	  table.header {
		width: 90%;
	  }
	
	  td.header {
		width: 50%;
		color: black;
		background-color: white;
		vertical-align: top;
		font-size: 12pt;
	  }
	
	  ul.toc a::after {
		content: leader('.') target-counter(attr(href), page);
	  }
	
	  ul.ind li li a {
		content: target-counter(attr(href), page);
	  }
	
	  .print2col {
		column-count: 2;
		-moz-column-count: 2;
		column-fill: auto;
	  }
	  }
	
	  @page {
	  @top-left {
		   content: "Internet-Draft"; 
	  } 
	  @top-right {
		   content: "December 2010"; 
	  } 
	  @top-center {
		   content: "Abbreviated Title";
	  } 
	  @bottom-left {
		   content: "Doe"; 
	  } 
	  @bottom-center {
		   content: "Expires June 2011"; 
	  } 
	  @bottom-right {
		   content: "[Page " counter(page) "]"; 
	  } 
	  }
	
	  @page:first { 
		@top-left {
		  content: normal;
		}
		@top-right {
		  content: normal;
		}
		@top-center {
		  content: normal;
		}
	  }
  /*]]>*/
  </style>

  <link href="#rfc.toc" rel="Contents"/>
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction"/>
<link href="#rfc.section.2" rel="Chapter" title="2 Terminology"/>
<link href="#rfc.section.3" rel="Chapter" title="3 Zone Transfer Confidentiality Overview"/>
<link href="#rfc.section.4" rel="Chapter" title="4 Zone Transfer with DoT - Authentication"/>
<link href="#rfc.section.4.1" rel="Chapter" title="4.1 TSIG"/>
<link href="#rfc.section.4.2" rel="Chapter" title="4.2 Mutual TLS"/>
<link href="#rfc.section.5" rel="Chapter" title="5 Session Establishment and Closing"/>
<link href="#rfc.section.5.1" rel="Chapter" title="5.1 AXFR Sessions"/>
<link href="#rfc.section.5.2" rel="Chapter" title="5.2 IXFR Sessions"/>
<link href="#rfc.section.5.3" rel="Chapter" title="5.3 Policies for Both AXFR and IXFR"/>
<link href="#rfc.section.5.4" rel="Chapter" title="5.4 Next Steps"/>
<link href="#rfc.section.6" rel="Chapter" title="6 Performance Considerations"/>
<link href="#rfc.section.7" rel="Chapter" title="7 Implementation Considerations"/>
<link href="#rfc.section.8" rel="Chapter" title="8 IANA Considerations"/>
<link href="#rfc.section.9" rel="Chapter" title="9 Security Considerations"/>
<link href="#rfc.section.10" rel="Chapter" title="10 Acknowledgements"/>
<link href="#rfc.section.11" rel="Chapter" title="11 Contributors"/>
<link href="#rfc.section.12" rel="Chapter" title="12 Changelog"/>
<link href="#rfc.references" rel="Chapter" title="13 Normative References"/>
<link href="#rfc.authors" rel="Chapter"/>


  <meta name="generator" content="xml2rfc version 2.5.1 - http://tools.ietf.org/tools/xml2rfc" />
  <link rel="schema.dct" href="http://purl.org/dc/terms/" />

  <meta name="dct.creator" content="Zhang, H., Aras, P., Toorop, W., Dickinson, S., and A. Mankin" />
  <meta name="dct.identifier" content="urn:ietf:id:draft-hzpa-dprive-xfr-over-tls-01" />
  <meta name="dct.issued" scheme="ISO8601" content="2019-3-11" />
  <meta name="dct.abstract" content="DNS zone transfers are transmitted in clear text, which gives attackers the opportunity to collect the content of a zone by eavesdropping on network connections. The DNS Transaction Signature (TSIG) mechanism is specified to restrict direct zone transfer to authorized clients only, but it does not add confidentiality. This document specifies use of DNS-over-TLS to prevent zone contents collection via passive monitoring of zone transfers.  " />
  <meta name="description" content="DNS zone transfers are transmitted in clear text, which gives attackers the opportunity to collect the content of a zone by eavesdropping on network connections. The DNS Transaction Signature (TSIG) mechanism is specified to restrict direct zone transfer to authorized clients only, but it does not add confidentiality. This document specifies use of DNS-over-TLS to prevent zone contents collection via passive monitoring of zone transfers.  " />

</head>

<body>

  <table class="header">
    <tbody>
    
    	<tr>
  <td class="left">dprive</td>
  <td class="right">H. Zhang</td>
</tr>
<tr>
  <td class="left">Internet-Draft</td>
  <td class="right">P. Aras</td>
</tr>
<tr>
  <td class="left">Intended status: Standards Track</td>
  <td class="right">Salesforce</td>
</tr>
<tr>
  <td class="left">Expires: September 12, 2019</td>
  <td class="right">W. Toorop</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">NLnet Labs</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">S. Dickinson</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">Sinodun IT</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">A. Mankin</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">Salesforce</td>
</tr>
<tr>
  <td class="left"></td>
  <td class="right">March 11, 2019</td>
</tr>

    	
    </tbody>
  </table>

  <p class="title">DNS Zone Transfer over TLS<br />
  <span class="filename">draft-hzpa-dprive-xfr-over-tls-01</span></p>
  
  <h1 id="rfc.abstract">
  <a href="#rfc.abstract">Abstract</a>
</h1>
<p>DNS zone transfers are transmitted in clear text, which gives attackers the opportunity to collect the content of a zone by eavesdropping on network connections. The DNS Transaction Signature (TSIG) mechanism is specified to restrict direct zone transfer to authorized clients only, but it does not add confidentiality. This document specifies use of DNS-over-TLS to prevent zone contents collection via passive monitoring of zone transfers.  </p>
<h1 id="rfc.status">
  <a href="#rfc.status">Status of This Memo</a>
</h1>
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on September 12, 2019.</p>
<h1 id="rfc.copyrightnotice">
  <a href="#rfc.copyrightnotice">Copyright Notice</a>
</h1>
<p>Copyright (c) 2019 IETF Trust and the persons identified as the document authors.  All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>

  
  <hr class="noprint" />
  <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
  <ul class="toc">

  	<li>1.   <a href="#rfc.section.1">Introduction</a></li>
<li>2.   <a href="#rfc.section.2">Terminology</a></li>
<li>3.   <a href="#rfc.section.3">Zone Transfer Confidentiality Overview</a></li>
<li>4.   <a href="#rfc.section.4">Zone Transfer with DoT - Authentication</a></li>
<ul><li>4.1.   <a href="#rfc.section.4.1">TSIG</a></li>
<li>4.2.   <a href="#rfc.section.4.2">Mutual TLS</a></li>
</ul><li>5.   <a href="#rfc.section.5">Session Establishment and Closing</a></li>
<ul><li>5.1.   <a href="#rfc.section.5.1">AXFR Sessions</a></li>
<li>5.2.   <a href="#rfc.section.5.2">IXFR Sessions</a></li>
<li>5.3.   <a href="#rfc.section.5.3">Policies for Both AXFR and IXFR</a></li>
<li>5.4.   <a href="#rfc.section.5.4">Next Steps</a></li>
</ul><li>6.   <a href="#rfc.section.6">Performance Considerations</a></li>
<li>7.   <a href="#rfc.section.7">Implementation Considerations</a></li>
<li>8.   <a href="#rfc.section.8">IANA Considerations</a></li>
<li>9.   <a href="#rfc.section.9">Security Considerations</a></li>
<li>10.   <a href="#rfc.section.10">Acknowledgements</a></li>
<li>11.   <a href="#rfc.section.11">Contributors</a></li>
<li>12.   <a href="#rfc.section.12">Changelog</a></li>
<li>13.   <a href="#rfc.references">Normative References</a></li>
<li><a href="#rfc.authors">Authors' Addresses</a></li>


  </ul>

  <h1 id="rfc.section.1"><a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a></h1>
<p id="rfc.section.1.p.1">DNS has a number of privacy vulnerabilities, as discussed in detail in <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a>. Stub client to recursive resolver query privacy has received the most attention to date. There are now standards track documents for three encryption capabilities for stub to recursive queries and more work going on to guide deployment of specifically DNS-over-TLS (DoT) <a href="#RFC7858">[RFC7858]</a> and DNS-over-HTTPS (DoH) <a href="#RFC8484">[RFC8484]</a>.  </p>
<p><a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a> established that stub client DNS query transactions are not public and needed protection, but on zone transfer <a href="#RFC1995">[RFC1995]</a> <a href="#RFC5936">[RFC5936]</a> it says only: </p>
<p id="rfc.section.1.p.3">"Privacy risks for the holder of a zone (the risk that someone gets the data) are discussed in [RFC5936] and [RFC5155]." </p>
<p id="rfc.section.1.p.4">In what way is exposing the full contents of a zone a privacy risk? The contents of the zone could include information such as names of persons used in names of hosts. Best practice is not to use personal information for domain names, but many such domain names exist. There may also be regulatory, policy or other reasons why the zone contents in full must be treated as private.  </p>
<p id="rfc.section.1.p.5">Neither of the RFCs mentioned in <a href="#I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</a> contemplates the risk that someone gets the data through eavesdropping on network connections, only via enumeration or unauthorised transfer as described in the following paragraphs.  </p>
<p><a href="#RFC5155">[RFC5155]</a> specifies NSEC3 to prevent zone enumeration, which is when queries for the authenticated denial of existences records of DNSSEC allow a client to walk through the entire zone. Note that the need for this protection also motivates NSEC5 <a href="#I-D.vcelak-nsec5">[I-D.vcelak-nsec5]</a>; zone walking is now possible with NSEC3 due to crypto-breaking advances, and NSEC5 is a response to this problem.  </p>
<p><a href="#RFC5155">[RFC5155]</a> does not address data obtained outside zone enumeration (nor does <a href="#I-D.vcelak-nsec5">[I-D.vcelak-nsec5]</a>). Preventing eavesdropping of zone transfers (this draft) is orthogonal to preventing zone enumeration, though they aim to protect the same information.  </p>
<p><a href="#RFC5936">[RFC5936]</a> specifies using TSIG <a href="#RFC2845">[RFC2845]</a> for authorization of the clients of a zone transfer and for data integrity, but does not express any need for confidentiality, and TSIG does not offer encryption. Some operators use SSH tunnelling or IPSec to encrypt the transfer data.  </p>
<p id="rfc.section.1.p.9">Because the AXFR zone transfer is typically carried out over TCP from authoritative DNS protocol implementations, encrypting AXFR using DNS-over-TLS <a href="#RFC7858">[RFC7858]</a> seems like a simple step forward. This document specifies how to use DoT to prevent zone collection from zone transfers, including discussion of approaches for IXFR, which uses UDP or TCP.  </p>
<p id="rfc.section.1.p.10">Next steps: Work on open questions at DNS table during IETF 104 Hackathon, expand this draft, then solicit discussion on the DPRIVE mailing list.  </p>
<h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> <a href="#terminology" id="terminology">Terminology</a></h1>
<p id="rfc.section.2.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <a href="#RFC2119">[RFC2119]</a> and <a href="#RFC8174">[RFC8174]</a> when, and only when, they appear in all capitals, as shown here.  </p>
<p id="rfc.section.2.p.2">Privacy terminology is as described in Section 3 of <a href="#RFC6973">[RFC6973]</a>.  </p>
<p id="rfc.section.2.p.3">DNS terminology is as described in <a href="#RFC8499">[RFC8499]</a>.  </p>
<p id="rfc.section.2.p.4">DoT: DNS-over-TLS as specified in <a href="#RFC7858">[RFC7858]</a> </p>
<p id="rfc.section.2.p.5">DoH: DNS-over-HTTPS as specified in <a href="#RFC8484">[RFC8484]</a> </p>
<h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a href="#zone-transfer-confidentiality-overview" id="zone-transfer-confidentiality-overview">Zone Transfer Confidentiality Overview</a></h1>
<h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a> <a href="#zone-transfer-with-dot--authentication" id="zone-transfer-with-dot--authentication">Zone Transfer with DoT - Authentication</a></h1>
<h1 id="rfc.section.4.1"><a href="#rfc.section.4.1">4.1.</a> <a href="#tsig" id="tsig">TSIG</a></h1>
<h1 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2.</a> <a href="#mutual-tls" id="mutual-tls">Mutual TLS</a></h1>
<h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a> <a href="#session-establishment-and-closing" id="session-establishment-and-closing">Session Establishment and Closing</a></h1>
<h1 id="rfc.section.5.1"><a href="#rfc.section.5.1">5.1.</a> <a href="#axfr-sessions" id="axfr-sessions">AXFR Sessions</a></h1>
<p id="rfc.section.5.1.p.1">The connection flow in AXFR is a NOTIFY from the primary server to the secondary server, and then an AXFR request from the secondary to the primary after which the data flows.  </p>
<p id="rfc.section.5.1.p.2">The connection for AXFR via DoT SHOULD be established using port 853, as specified in <a href="#RFC7858">[RFC7858]</a>. If there is no response on port 853, the connection MAY be attempted using port 443 in case the server offers DoT service on this port.  </p>
<p id="rfc.section.5.1.p.3">TODO: diagram of connection flow for AXFR, without and with DoT </p>
<h1 id="rfc.section.5.2"><a href="#rfc.section.5.2">5.2.</a> <a href="#ixfr-sessions" id="ixfr-sessions">IXFR Sessions</a></h1>
<p><a href="#RFC1995">[RFC1995]</a> specifies that Incremental Transfer may use UDP if the entire IXFR response can be contained in a single DNS packet, otherwise, TCP is used.  </p>
<p id="rfc.section.5.2.p.2">QUESTION: Given this, how should confidentiality of IXFR be provided? </p>
<p id="rfc.section.5.2.p.3">To discuss: </p>
<p/>

<ul>
  <li>should IXFR have a mode in which TCP is mandatory? <br/></li>
  <li>should IXFR have a mode in which TLS is mandatory?</li>
  <li>In workloads where there are frequent IXFRs, is the persistent connection mode that TCP-Mode would enable (as well as the retries) a benefit?</li>
</ul>

<p> </p>
<h1 id="rfc.section.5.3"><a href="#rfc.section.5.3">5.3.</a> <a href="#policies-for-both-axfr-and-ixfr" id="policies-for-both-axfr-and-ixfr">Policies for Both AXFR and IXFR</a></h1>
<p id="rfc.section.5.3.p.1">In order to assure the confidentiality of the zone information, entire group of servers involved in XFR (the primary and all secondaries) MUST have a consistent policy of requiring confidentiality. If any do not, this is a weak link for attackers to exploit. How to do this is TBD.  </p>
<p id="rfc.section.5.3.p.2">Additionally, the entire group of servers involved in XFR (the primary and all secondaries) MUST have a consistent policy of requiring Strict or Opportunistic DoT <a href="#RFC8310">[RFC8310]</a>. How to do this is TBD.  </p>
<h1 id="rfc.section.5.4"><a href="#rfc.section.5.4">5.4.</a> <a href="#next-steps" id="next-steps">Next Steps</a></h1>
<p id="rfc.section.5.4.p.1">Upcoming IETF Hackathon experiments will feed into this Session Establishment and Closing section, as much about this needs exploration as well as discussion on the mailing list.  </p>
<h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a> <a href="#performance-considerations" id="performance-considerations">Performance Considerations</a></h1>
<p id="rfc.section.6.p.1">The details in <a href="#RFC7858">[RFC7858]</a> and <a href="#RFC8310">[RFC8310]</a> about e.g. using persistent connections and TLS Session Resumption <a href="#RFC5077">[RFC5077]</a> are fully applicable to DNS Zone Transfer over DoT as well.  </p>
<h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a> <a href="#implementation-considerations" id="implementation-considerations">Implementation Considerations</a></h1>
<p id="rfc.section.7.p.1">TBA </p>
<h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a> <a href="#iana-considerations" id="iana-considerations">IANA Considerations</a></h1>
<p id="rfc.section.8.p.1">TBD </p>
<h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a></h1>
<p id="rfc.section.9.p.1">This document specifies a security measure against a DNS risk: the risk that an attacker collects entire DNS zones through eavesdropping on clear text DNS zone transfers. It presents a new Security Consideration for DNS. Some questions to discuss are: should DoT in this new case be required to use only TLS 1.3 and higher to avoid residual exposure? How should padding be used (if it should)? </p>
<h1 id="rfc.section.10"><a href="#rfc.section.10">10.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a></h1>
<p id="rfc.section.10.p.1">The authors thank Benno Overeinder, Shumon Huque and Tim Wicinski for review and discussions.  </p>
<h1 id="rfc.section.11"><a href="#rfc.section.11">11.</a> <a href="#contributors" id="contributors">Contributors</a></h1>
<p id="rfc.section.11.p.1">The following contributed significantly to the document: </p>
<h1 id="rfc.section.12"><a href="#rfc.section.12">12.</a> <a href="#changelog" id="changelog">Changelog</a></h1>
<p id="rfc.section.12.p.1">draft-hzpa-dprive-xfr-over-tls-01 </p>
<p/>

<ul>
  <li>Editorial changes, updates to references.</li>
</ul>

<p> </p>
<p id="rfc.section.12.p.3">draft-hzpa-dprive-xfr-over-tls-00 </p>
<p/>

<ul>
  <li>Initial commit</li>
</ul>

<p> </p>
<h1 id="rfc.references"><a href="#rfc.references">13.</a> Normative References</h1>
<table>
  <tbody>
    <tr>
      <td class="reference">
        <b id="I-D.bortzmeyer-dprive-rfc7626-bis">[I-D.bortzmeyer-dprive-rfc7626-bis]</b>
      </td>
      <td class="top"><a>Bortzmeyer, S.</a> and <a>S. Dickinson</a>, "<a href="http://tools.ietf.org/html/draft-bortzmeyer-dprive-rfc7626-bis-02">DNS Privacy Considerations</a>", Internet-Draft draft-bortzmeyer-dprive-rfc7626-bis-02, January 2019.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="I-D.vcelak-nsec5">[I-D.vcelak-nsec5]</b>
      </td>
      <td class="top"><a>Vcelak, J.</a>, <a>Goldberg, S.</a>, <a>Papadopoulos, D.</a>, <a>Huque, S.</a> and <a>D. Lawrence</a>, "<a href="http://tools.ietf.org/html/draft-vcelak-nsec5-08">NSEC5, DNSSEC Authenticated Denial of Existence</a>", Internet-Draft draft-vcelak-nsec5-08, December 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC1995">[RFC1995]</b>
      </td>
      <td class="top"><a>Ohta, M.</a>, "<a href="http://tools.ietf.org/html/rfc1995">Incremental Zone Transfer in DNS</a>", RFC 1995, DOI 10.17487/RFC1995, August 1996.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC2119">[RFC2119]</b>
      </td>
      <td class="top"><a>Bradner, S.</a>, "<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC2845">[RFC2845]</b>
      </td>
      <td class="top"><a>Vixie, P.</a>, <a>Gudmundsson, O.</a>, <a>Eastlake 3rd, D.</a> and <a>B. Wellington</a>, "<a href="http://tools.ietf.org/html/rfc2845">Secret Key Transaction Authentication for DNS (TSIG)</a>", RFC 2845, DOI 10.17487/RFC2845, May 2000.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC5077">[RFC5077]</b>
      </td>
      <td class="top"><a>Salowey, J.</a>, <a>Zhou, H.</a>, <a>Eronen, P.</a> and <a>H. Tschofenig</a>, "<a href="http://tools.ietf.org/html/rfc5077">Transport Layer Security (TLS) Session Resumption without Server-Side State</a>", RFC 5077, DOI 10.17487/RFC5077, January 2008.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC5155">[RFC5155]</b>
      </td>
      <td class="top"><a>Laurie, B.</a>, <a>Sisson, G.</a>, <a>Arends, R.</a> and <a>D. Blacka</a>, "<a href="http://tools.ietf.org/html/rfc5155">DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</a>", RFC 5155, DOI 10.17487/RFC5155, March 2008.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC5936">[RFC5936]</b>
      </td>
      <td class="top"><a>Lewis, E.</a> and <a>A. Hoenes</a>, "<a href="http://tools.ietf.org/html/rfc5936">DNS Zone Transfer Protocol (AXFR)</a>", RFC 5936, DOI 10.17487/RFC5936, June 2010.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC6973">[RFC6973]</b>
      </td>
      <td class="top"><a>Cooper, A.</a>, <a>Tschofenig, H.</a>, <a>Aboba, B.</a>, <a>Peterson, J.</a>, <a>Morris, J.</a>, <a>Hansen, M.</a> and <a>R. Smith</a>, "<a href="http://tools.ietf.org/html/rfc6973">Privacy Considerations for Internet Protocols</a>", RFC 6973, DOI 10.17487/RFC6973, July 2013.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC7858">[RFC7858]</b>
      </td>
      <td class="top"><a>Hu, Z.</a>, <a>Zhu, L.</a>, <a>Heidemann, J.</a>, <a>Mankin, A.</a>, <a>Wessels, D.</a> and <a>P. Hoffman</a>, "<a href="http://tools.ietf.org/html/rfc7858">Specification for DNS over Transport Layer Security (TLS)</a>", RFC 7858, DOI 10.17487/RFC7858, May 2016.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8174">[RFC8174]</b>
      </td>
      <td class="top"><a>Leiba, B.</a>, "<a href="http://tools.ietf.org/html/rfc8174">Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</a>", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8310">[RFC8310]</b>
      </td>
      <td class="top"><a>Dickinson, S.</a>, <a>Gillmor, D.</a> and <a>T. Reddy</a>, "<a href="http://tools.ietf.org/html/rfc8310">Usage Profiles for DNS over TLS and DNS over DTLS</a>", RFC 8310, DOI 10.17487/RFC8310, March 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8484">[RFC8484]</b>
      </td>
      <td class="top"><a>Hoffman, P.</a> and <a>P. McManus</a>, "<a href="http://tools.ietf.org/html/rfc8484">DNS Queries over HTTPS (DoH)</a>", RFC 8484, DOI 10.17487/RFC8484, October 2018.</td>
    </tr>
    <tr>
      <td class="reference">
        <b id="RFC8499">[RFC8499]</b>
      </td>
      <td class="top"><a>Hoffman, P.</a>, <a>Sullivan, A.</a> and <a>K. Fujiwara</a>, "<a href="http://tools.ietf.org/html/rfc8499">DNS Terminology</a>", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019.</td>
    </tr>
  </tbody>
</table>
<h1 id="rfc.authors">
  <a href="#rfc.authors">Authors' Addresses</a>
</h1>
<div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Han Zhang</span> 
	  <span class="n hidden">
		<span class="family-name">Zhang</span>
	  </span>
	</span>
	<span class="org vcardline">Salesforce</span>
	<span class="adr">
	  
	  <span class="vcardline">
		<span class="locality">San Francisco, CA</span>,  
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline">United States</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:hzhang@salesforce.com">hzhang@salesforce.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Pallavi Aras</span> 
	  <span class="n hidden">
		<span class="family-name">Aras</span>
	  </span>
	</span>
	<span class="org vcardline">Salesforce</span>
	<span class="adr">
	  
	  <span class="vcardline">
		<span class="locality">Herndon, VA</span>,  
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline">United States</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:paras@salesforce.com">paras@salesforce.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Willem Toorop</span> 
	  <span class="n hidden">
		<span class="family-name">Toorop</span>
	  </span>
	</span>
	<span class="org vcardline">NLnet Labs</span>
	<span class="adr">
	  <span class="vcardline">Science Park 400</span>

	  <span class="vcardline">
		<span class="locality">Amsterdam</span>,  
		<span class="region"></span>
		<span class="code">1098 XH</span>
	  </span>
	  <span class="country-name vcardline">The Netherlands</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:willem@nlnetlabs.nl">willem@nlnetlabs.nl</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Sara Dickinson</span> 
	  <span class="n hidden">
		<span class="family-name">Dickinson</span>
	  </span>
	</span>
	<span class="org vcardline">Sinodun IT</span>
	<span class="adr">
	  <span class="vcardline">Magdalen Centre</span>
<span class="vcardline">Oxford Science Park</span>

	  <span class="vcardline">
		<span class="locality">Oxford</span>,  
		<span class="region"></span>
		<span class="code">OX4 4GA</span>
	  </span>
	  <span class="country-name vcardline">United Kingdom</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:sara@sinodun.com">sara@sinodun.com</a></span>

  </address>
</div><div class="avoidbreak">
  <address class="vcard">
	<span class="vcardline">
	  <span class="fn">Allison Mankin</span> 
	  <span class="n hidden">
		<span class="family-name">Mankin</span>
	  </span>
	</span>
	<span class="org vcardline">Salesforce</span>
	<span class="adr">
	  
	  <span class="vcardline">
		<span class="locality">Herndon, VA</span>,  
		<span class="region"></span>
		<span class="code"></span>
	  </span>
	  <span class="country-name vcardline">United States</span>
	</span>
	<span class="vcardline">EMail: <a href="mailto:allison.mankin@gmail.com">allison.mankin@gmail.com</a></span>

  </address>
</div>

</body>
</html>