| Feature/Characteristic | Relevant RFCs/I-Ds | Notes |
|---|---|---|
| DNS-over-TLS on port 853 (IPv4) | RFC7858 | |
| DNS-over-TLS on port 853 (IPv6) | RFC7858 | |
| Compliance with BCP195 | RFC7525 | In particular, MUST implement TLS 1.2, SHOULD NOT negotiate TLS 1.1. Use recommended Cipher Suites: |
| TLS authentication via SPKI public keys provided securely via an out-of-band mechanism | | Required for Strict Privacy using SPKI pinsets |
| Verifiable certificate/certificate chain | | Required for Strict Privacy using CA Certs |
| Concurrent processing of TCP/TLS queries | RFC7766 | Improves performance by eliminating head of line blocking at the query level |
| EDNS0 Keepalive | RFC7828 | Recommended for TCP/TLS connection management |
| EDNS0 Client subnet privacy option | RFC7871 | Allows end users to specify their client subnet should not be sent to an authoritative server in the EDNS0 Client Subnet option |
| EDNS0 padding | RFC7830 | Obfuscates message size, reduces effectiveness of traffic analysis. |
| TCP Fast Open | RFC7413 | Data can be sent in the TCP SYN. For TLS the Client Hello can therefore be sent in the SYN reducing latency. |
| QNAME minimisation to Auth Servers | RFC7816 | Reduce data sent to Authoritative servers, improves end user privacy |
| De-identification of data | | |
| Data retention policy (if no de-identification) | | |