{"draft":"draft-ietf-dprive-unilateral-probing-13","doc_id":"RFC9539","title":"Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS","authors":["D. K. Gillmor, Ed.","J. Salazar, Ed.","P. Hoffman, Ed."],"format":["HTML","TEXT","PDF","XML"],"page_count":"24","pub_status":"EXPERIMENTAL","status":"EXPERIMENTAL","source":"DNS PRIVate Exchange","abstract":"This document sets out steps that DNS servers (recursive resolvers\r\nand authoritative servers) can take unilaterally (without any\r\ncoordination with other peers) to defend DNS query privacy against a\r\npassive network monitor. The protections provided by the guidance in\r\nthis document can be defeated by an active attacker, but they should\r\nbe simpler and less risky to deploy than more powerful defenses.\r\n\r\nThe goal of this document is to simplify and speed up deployment of\r\nopportunistic encrypted transport in the recursive-to-authoritative\r\nhop of the DNS ecosystem. Wider easy deployment of the underlying\r\nencrypted transport on an opportunistic basis may facilitate the\r\nfuture specification of stronger cryptographic protections against\r\nmore-powerful attacks.","pub_date":"February 2024","keywords":["DNS over TLS","DNS over QUIC","ToT","DoQ","encryption","unilateral","recursive","authoritative","DNS"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9539","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc9539"}