
IETF RFC 7858

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: DNS over TLS
Number: 7858
Status: Proposed Standard
Authors: Paul Wouters, Patrik Fältström, Opendns
Published: May 2016
Organization: Internet Engineering Task Force


IETF RFC 7858 specifies DNS over TLS as a transport mechanism for the Domain Name System to increase confidentiality and integrity. The document formalizes the use of Transport Layer Security in DNS exchanges and situates the mechanism within existing Internet protocols and standards developed by bodies such as the Internet Engineering Task Force, the Internet Architecture Board, and the Internet Assigned Numbers Authority. It influenced subsequent work by organizations including the World Wide Web Consortium, the Internet Society, and various standards-track RFCs.

Overview

RFC 7858 defines a method to carry Domain Name System queries and responses over Transport Layer Security to provide privacy for name resolution. The specification updates interactions between DNS clients and resolvers and references foundational protocols such as the Transmission Control Protocol, the User Datagram Protocol, and TLS 1.2 as specified by the Internet Engineering Task Force and contributors from working groups such as the DNS Privacy group. It frames DNS over TLS in relation to earlier secure transport efforts exemplified by projects at the Mozilla Foundation, Google LLC, and Cloudflare, Inc.

Background and Motivation

The impetus for RFC 7858 arose from concerns raised by communities around the Edward Snowden disclosures and subsequent debates in venues like DEF CON, Black Hat, and workshops hosted by the Internet Society. Operators and vendors such as Cisco Systems, Juniper Networks, Akamai Technologies, and F5 Networks had deployed opportunistic mechanisms and proprietary solutions, prompting standardization. The work responded to prior standards and documents including the RFC 1035 family, the RFC 5246 specification of TLS, and operational guidance circulated by the IETF DNSOP Working Group and by researchers at institutions like MIT, Stanford University, and the University of California, Berkeley.

Protocol Specification

RFC 7858 specifies DNS sessions over TLS using a record framing compatible with RFC 1035 message formats, transported over TCP and protected by TLS 1.2, whose handshake semantics are defined in RFC 5246. The standard prescribes port assignments consistent with registries maintained by IANA and details session establishment and certificate validation anchored in trust anchors such as those used by Let's Encrypt and commercial certificate authorities such as DigiCert and Comodo. It describes fallback behaviors analogous to mechanisms in PostgreSQL client-server negotiation and ties into name resolution behavior observed in products from Microsoft Corporation and Apple Inc.
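As an added example that is not part of the article or of RFC 7858 itself, the following Python shows the framing the specification prescribes: a standard RFC 1035 message, prefixed with a two-octet length field as for DNS over TCP, carried inside a CA-validated TLS session. Port 853 and the header layout come from RFC 7858 and RFC 1035; the function names, the transaction ID 0x1234 and the sample name example.com are this example's own assumptions.

```python
import socket
import ssl
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: RD=1, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [p.encode("ascii") for p in qname.rstrip(".").split(".")]
    wire_name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """Two-octet big-endian length prefix used for DNS over TCP and over TLS."""
    if len(msg) > 0xFFFF:
        raise ValueError("message exceeds the 16-bit length field")
    return struct.pack("!H", len(msg)) + msg

def deframe(buf: bytes):
    """Split a stream buffer into complete messages -> (messages, leftover bytes)."""
    msgs = []
    while len(buf) >= 2:  # a TLS read may stop mid-prefix or mid-message
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # keep the partial message for the next read
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf

def response_id(msg: bytes) -> int:
    """TXID of a response; pipelined queries may be answered out of order, so pair by ID."""
    txid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return txid

def resolve_over_tls(qname: str, server: str, port: int = 853) -> bytes:
    """One query over a CA-validated, hostname-checked TLS session (network call)."""
    query = build_query(qname)
    # create_default_context() verifies the chain and hostname; 853 is the IANA DoT port
    with socket.create_connection((server, port), timeout=5) as raw, \
         ssl.create_default_context().wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(frame(query))
        buf = b""
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a full response")
            msgs, buf = deframe(buf + chunk)
            for m in msgs:
                if response_id(m) == struct.unpack("!H", query[:2])[0]:
                    return m
```

The framing and ID-matching functions run offline; `resolve_over_tls` needs a reachable resolver and a CA bundle trusted by the local `ssl` module.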

Security and Privacy Considerations

The document emphasizes confidentiality and integrity protections against passive eavesdroppers, illustrated by surveillance cases such as the National Security Agency revelations and by debates in fora like the Electronic Frontier Foundation. It discusses authentication requirements relying on the X.509 certificate framework and how misissuance incidents involving authorities like Symantec, and the responses from regulators, influenced operational practice. The specification acknowledges limitations versus endpoint authentication paradigms favored in projects like DNSSEC and contrasts with anonymity-focused designs discussed in the context of Tor Project research and privacy engineering at the EFF and Privacy International.

Deployment and Implementation

Adoption of RFC 7858 involved implementations by vendors and open-source projects including BIND, Unbound, Knot DNS, PowerDNS, and consumer platforms like Android and iOS. Large-scale providers such as Google Public DNS, Cloudflare DNS, and Quad9 announced support, while infrastructure operators like Level 3 Communications and NTT Communications evaluated impacts on middleboxes from companies such as Akamai Technologies. Deployment patterns mirrored those seen in the rollout of IPv6 and TLS adoption curves, with guidance from operator groups like the RIPE NCC and regional registries such as ARIN and APNIC.

Reception and Impact

RFC 7858 catalyzed further standardization efforts including complementary work in the IETF HTTPS Working Group and subsequent encrypted DNS proposals that influenced the design of DNS over HTTPS and related drafts. Policymakers and civil society actors including European Commission privacy dialogues and hearings in parliaments referenced the specification when considering interception laws and lawful access regimes. The specification affected commercial practice across companies such as Amazon Web Services, IBM, and Oracle Corporation and continues to be cited in research from universities like University of Cambridge and ETH Zurich assessing the privacy and performance trade-offs of encrypted name resolution.

Category:Internet Standards