Feature/Characteristic | Relevant RFCs/I-Ds | Notes
---------------------- | ------------------ | -----
DNS-over-TLS on port 853 (IPv4) | RFC7858 |
DNS-over-TLS on port 853 (IPv6) | RFC7858 |
Compliance with BCP195 | RFC7525 | In particular, MUST implement TLS 1.2 and SHOULD NOT negotiate TLS 1.1. Use the recommended cipher suites: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS authentication via SPKI public keys provided securely via an out-of-band mechanism | RFC7858, draft-ietf-dprive-dtls-and-tls-profiles | Required for Strict Privacy using SPKI pinsets
Verifiable certificate/certificate chain | RFC7858, draft-ietf-dprive-dtls-and-tls-profiles | Required for Strict Privacy using CA certs
Concurrent processing of TCP/TLS queries | RFC7766 | Improves performance by eliminating head-of-line blocking at the query level
EDNS0 Keepalive | RFC7828 | Recommended for TCP/TLS connection management
EDNS0 Client Subnet privacy option | RFC7871 | Allows end users to specify that their client subnet should not be sent to an authoritative server in the EDNS0 Client Subnet option
EDNS0 padding | RFC7830 | Obfuscates message size, reducing the effectiveness of traffic analysis
TCP Fast Open | RFC7413 | Data can be sent in the TCP SYN; for TLS the Client Hello can therefore be sent in the SYN, reducing latency
QNAME minimisation to Auth Servers | RFC7816 | Reduces data sent to authoritative servers, improving end-user privacy
De-identification of data | |
Data retention policy (if no de-identification) | |
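The following Python script is an added example, not code from the original page or from any DNS implementation it describes. It ties several rows of the table together on the client side: it builds a DNS query carrying the EDNS0 Keepalive (RFC7828), Client Subnet opt-out (RFC7871) and padding (RFC7830) options, frames it with the two-byte length prefix used on TCP/TLS (RFC7766), builds an `ssl.SSLContext` that enforces the BCP195 row (TLS 1.2 floor, the four listed cipher suites, a verified certificate chain), and computes an SPKI pin of the form RFC7858 uses. Nothing is sent on the network; the query is built and parsed offline. The 468-byte padding block size is taken from RFC8467, which the table does not cite, and the OpenSSL cipher names are the standard equivalents of the IANA names in the table.

```python
# Added example (not from the original page): client-side pieces of a
# DNS-over-TLS "Strict Privacy" profile, built and checked offline.
import base64
import hashlib
import ssl
import struct

EDNS_CLIENT_SUBNET = 8   # RFC 7871 option code
EDNS_KEEPALIVE = 11      # RFC 7828 option code
EDNS_PADDING = 12        # RFC 7830 option code
OPT_TYPE = 41            # OPT pseudo-RR type
PAD_BLOCK = 468          # client block size recommended by RFC 8467 (assumption beyond the table)

# OpenSSL names for the four IANA cipher suites listed in the BCP195 row
RECOMMENDED_CIPHERS = [
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def encode_name(name):
    """Wire-format owner name (uncompressed labels, terminated by the root label)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, keepalive=True, ecs_opt_out=True, pad_block=PAD_BLOCK):
    """Standard query (RD set), one question, one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = b""
    if keepalive:
        # RFC 7828: the client sends the option with no data; the server fills in the timeout
        options += struct.pack("!HH", EDNS_KEEPALIVE, 0)
    if ecs_opt_out:
        # RFC 7871 7.1.2: FAMILY=1, SOURCE PREFIX-LENGTH=0, SCOPE=0 and no address
        # tells the resolver not to forward any client subnet to authoritative servers
        options += struct.pack("!HH", EDNS_CLIENT_SUBNET, 4) + struct.pack("!HBB", 1, 0, 0)
    # bytes so far: header + question + OPT fixed part (11) + options + 4-byte padding
    # option header; pad the remainder up to the next block boundary (RFC 7830)
    size = len(header) + len(question) + 11 + len(options) + 4
    pad_len = (-size) % pad_block
    options += struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(options)) + options
    return header + question + opt_rr


def frame_for_tcp(msg):
    """RFC 7766: every message on TCP (and so on TLS) is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def parse_edns_options(msg):
    """Return {option code: data} from the OPT RR of a question-only, uncompressed message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    if ancount or nscount:
        raise ValueError("only question-only messages are handled here")
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4  # root label + QTYPE + QCLASS
    opts = {}
    for _ in range(arcount):
        if msg[pos] != 0:
            raise ValueError("expected root owner name on OPT RR")
        rtype, _udp_size, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11
        end = pos + rdlen
        if rtype == OPT_TYPE:
            while pos < end:
                code, olen = struct.unpack("!HH", msg[pos:pos + 4])
                opts[code] = msg[pos + 4:pos + 4 + olen]
                pos += 4 + olen
        pos = end
    return opts


def strict_tls_context():
    """BCP195 row: TLS 1.2 floor, listed suites, chain verified against the system CA store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never negotiate TLS 1.1 or older
    ctx.set_ciphers(":".join(RECOMMENDED_CIPHERS))
    return ctx


def context_summary(ctx):
    return {"min_version": ctx.minimum_version.name,
            "ciphers": sorted(c["name"] for c in ctx.get_ciphers())}


def spki_pin(spki_der):
    """RFC 7858-style pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "byte query;", len(frame_for_tcp(q)), "bytes on the wire")
    print({code: len(data) for code, data in parse_edns_options(q).items()})
    print(context_summary(strict_tls_context())["min_version"])
```

A query for `example.com` comes out at exactly 468 bytes whatever options precede the padding, which is the point of padding to a block size: an observer on the TLS connection sees the same ciphertext length for every short query. `strict_tls_context()` is what a client would hand to `ssl.SSLContext.wrap_socket` for a TCP connection to port 853; for the SPKI-pinset variant of Strict Privacy the client would additionally compare `spki_pin()` of the peer's leaf public key against its out-of-band pin list.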