This page describes at a high level the progress in various areas of DNS Privacy work (most recent activity at the top).

August 2021

  • RFC 9310: Zone transfer over TLS (XoT) is published
  • RFC 9102: TLS DNSSEC Chain Extension finally published in the Independent Submission stream after hitting the buffers in the TLS WG
  • conference held online

May 2021

  • QUIC protocol specification is published: RFC 9000
  • Increasing adoption of the European Resolver Policy: press release
  • OARC 35 included talks on Oblivious DNS, XFR-over-TLS and ‘DNS over HTTPS over CGN or public NAT64’

May 2020

  • Chrome 83 ships with DoH auto-upgrade option (and manual configuration options)
  • Microsoft announced DoH client available for Windows Insiders
  • New drafts submitted to the IETF ADD WG on discovery
  • EDDI has produced an Interim DoH Discovery Proposal for Browser and OS vendors
  • US govt agencies to disable DoH until their own federal DoT/DoH service is available
  • ISC publish a design document for their upcoming support of DoT and DoH

October 2018

  • OARC 29: Where will encrypted DNS transports push DNS operators? - Slides, Video
  • OARC 29: Operational experience for DNS over HTTPS (DoH) and DNS over TLS (DoT) - Slides, Video
  • RIPE 77: It’s DNS Jim, But Not as We Know It - Slides, Video
  • RIPE 77 DNS WG: DNS Privacy measurements (Benchmarking DoT) - Slides, Video
  • RIPE 77 BCOP TF: Implications of DNS over anything but UDP - Slides, Video
  • Thanks to Jonathan Underwood for all his work on Stubby in OpenWRT!
  • Chrome is working on exposing DoH via a user configuration option with a drop-down list and a user-defined option.
  • Quad9 announce support for DoH!
  • More dual DoT & DoH servers thanks to DNS Warden!

April 2017

  • New Internet Draft on DNS in dedicated QUIC Connections and lots of interesting drafts around DNS over HTTP getting discussion
  • Latest 1.1.0 release of getdns includes Stubby!
  • The DNS Privacy team is highlighted in the IETF Hackathon Videos
  • We’ll be talking at both the RMLL conference (5th July) and at JCSA in Paris (6th July) about DNS Privacy
  • We are proud to add Salesforce as supporters of the DNS Privacy project!

December 2016

  • Improved usability for Stubby planned for the 1.1.0-alpha3 release
  • The content of this site is now available via the site.
  • CoreDNS now offers DNS-over-HTTPS (as well as DNS-over-TLS). Also see dingo if interested in DNS-over-HTTPS clients.

November 2016

  • IETF 97 EDU team held a DNS Privacy Tutorial, which got coverage in Heise and in two articles in The Register: The_Register_22Nov, The_Register_6Dec
  • More work at the Hackathon on the Knot Resolver DNS Privacy implementation, TCP support in BIND and Stubby. A further DNS Privacy test server made available thanks to dkg.
  • DPRIVE working group discussed a possible re-charter to focus work on the Resolver to Authoritative problem.
  • DNS-over-HTTP(S) BOF held

May 2016

  • Presentation in the RIPE DNS working group on experimental deployments of DNS Privacy servers.
  • RFC 7858 Published: Specification for DNS over Transport Layer Security (TLS)

April 2016

  • Work at the IETF Hackathon in Buenos Aires to start implementing TLS in Knot resolver

March 2016

  • getdns 1.0.0b1 release!
  • RFC 7816 Published: DNS Query Name Minimisation to Improve Privacy

February 2016

  • EDNS0 Keepalive draft approved for publication as RFC 7828

January 2016

  • 5966bis draft approved for publication as RFC 7766
  • Authentication and (D)TLS Profile for DNS-over-TLS and DNS-over-DTLS draft adopted by DPRIVE
  • Testing of the FreeBSD implementation of TCP Fast Open. Reported a bug in the Linux client implementation of TFO (now fixed) and made a feature request to OpenSSL to support client-side TFO.
  • Started work on an Unbound patch to support TFO on Linux, FreeBSD and OS X.

December 2015

  • Produced first version of Authentication and (D)TLS Profile for DNS-over-TLS and DNS-over-DTLS draft for submission to DPRIVE working group
  • Client side EDNS0 keepalive option implemented in getdns
  • SPKI pinset TLS authentication available in getdns

November 2015

  • Attended IETF 94.
    • Participated in Hackathon including getdns implementation of EDNS0 Padding option
    • Last call review of DNS-over-TLS
    • Agreed to start work on combined draft for (D)TLS Authentication mechanisms

October 2015

  • Attended OARC Fall Workshop. Presented on ‘Using TLS for DNS privacy in practice’.
  • Attended ICANN in Dublin, presented on DNSSEC for Legacy applications, including discussing the DNS privacy features of getdns.

August 2015

  • Addition of TLS authentication using hostname to getdns

July 2015

  • IETF 93
  • 0.3 release of getdns including
    • New transport list options allowing user to flexibly specify an ordered list of accepted transport options from TLS, STARTTLS, TCP, UDP
    • Ability to configure idle timeout associated with TCP connections

May 2015

  • 0.2 release of getdns including STARTTLS

April 2015

  • Release of version 0.1.8 of getdns including TLS and TLS with fallback to TCP

January 2015

  • Changed to using DNS-over-TLS instead of T-DNS
  • Extend LDNS and NSD patches to include options to use the TO bit (for experimental inter-op testing)
  • Publish LDNS code into repository for review
  • getdns work put on hold, instead start work on Unbound server patch

November 2014

  • Presenting at IETF 91
  • Started work on T-DNS in getdns

October 2014

  • Implementation of TCP Fast Open support (Linux only) in getdns for stub mode in the 0.1.5 release.
  • Testing of 0.1.5 getdns codebase which implements TCP pipelining.
  • POC implementation of TCP Fast Open in ldns, Unbound and NSD.
  • Patch released to implement STARTTLS in NSD.
  • Released patch to ldns for connection re-use.

September 2014

  • Continued helping to implement the switch to ldns for stub mode in getdns.
    • Basic support for the synchronous API implemented and per-query namespaces also supported. (Note: DNSSEC stub validation is still done by Unbound at this point.)
  • Creating patch for ldns/drill to support connection reuse for TCP. Using this from synchronous stub mode in getdns to demonstrate connection re-use.
  • Work on TCP related drafts

August 2014

  • Working on getdns
    • Added a new test to verify which transport queries are actually sent over
    • Helping to implement the switch to ldns for stub mode
    • Working on support for pipelining of TCP queries

July 2014

  • Attended IETF 90 in Toronto and gave a demo of sending queries from drill to Unbound using T-DNS
  • Started looking at pipelining multiple queries from drill to Unbound
  • Extending test framework to test multiple scenarios for drill <-> Unbound
  • Finished patch to drill to add extra options:
    • -l will send a single query over TLS
    • -L will send a single query over TLS after negotiating an upgrade using a STARTTLS/CH/TXT query
  • Finished patch to Unbound to support the ‘upgrade_tls’ configure option. This enables Unbound to receive a STARTTLS/CH/TXT query, send a STARTTLS/CH/TXT response when configured properly, upgrade to SSL and then receive a query over SSL.

June 2014

  • Started work on Unbound <-> NSD hop
  • Completing implementation in Unbound to get the drill <-> Unbound hop working
  • Implemented a patch to drill to support T-DNS for a single DNS query
  • Discussions on the class to be used for the dummy query. The resolver -> authoritative hop might be better implemented with an IN class query.
  • Start work on Unbound - understand current SSL-upstream implementation
  • From Willem: LDNS does not have support for asynchronous operation so in the short term it will probably be used in getdns just in synchronous mode so that the implementation of TDNS can continue. 
  • Further work on test framework

May 2014

  • Current getdns stub implementation cannot support sending of CH class queries as it uses libunbound, which denies the query and never sends it onwards. Discussed in the getdns meeting on 19th May that further implementation of T-DNS in getdns will have to wait until libunbound is replaced with ldns for the stub mode. Current understanding is that Willem is going to tackle this in the next few weeks.
  • Identified need to support CH class in getdns for dummy STARTTLS query. Start on implementation of this.
    • This implementation highlighted the need for getdns to gracefully handle refused queries that have no associated data.
  • Created test harness to create a dummy STARTTLS query
  • Agreed that initial implementations will use the dummy CH class query (not the TO bit)
  • Forked getdns. Familiarisation with getdns code base - get it to install and run!
  • Kick off meetings with T-DNS and getdns teams
  • Creation of project issue tracker and wiki site
  • Reading of relevant drafts and documentation - capture any early technical questions
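As an added example (not the drill or Unbound patches described in the July 2014 and May 2014 entries above), this Python sketch builds the dummy STARTTLS/CH/TXT probe in DNS wire format over TCP and decides, on the client side, whether a reply justifies the TLS upgrade, including the refused-reply case noted for May 2014. The reply layout (one TXT answer reading "STARTTLS") and all helper names are assumptions.

```python
import struct

# Dummy probe from the 2014 T-DNS experiment: QNAME "STARTTLS", QCLASS CH (3), QTYPE TXT (16).
STARTTLS_QNAME = "STARTTLS"
QCLASS_CH = 3
QTYPE_TXT = 16

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (RFC 1035)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def question_section() -> bytes:
    return encode_name(STARTTLS_QNAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def build_starttls_query(txid: int) -> bytes:
    """Client side (what 'drill -L' sends): one question, RD=0, framed with the 2-byte TCP length prefix."""
    msg = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + question_section()
    return struct.pack("!H", len(msg)) + msg

def build_reply(txid: int, rcode: int, answer: bool) -> bytes:
    """Constructed server reply for testing (assumption, not Unbound's code): echoes the question
    and, if `answer`, adds one TXT RR "STARTTLS" as the upgrade_tls option is described to do.
    A server without the option typically returns REFUSED (rcode 5) with no answer data."""
    flags = 0x8000 | (rcode & 0xF)  # QR=1 plus RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, int(answer), 0, 0) + question_section()
    if answer:
        rdata = bytes([len(STARTTLS_QNAME)]) + STARTTLS_QNAME.encode("ascii")
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!H", len(msg)) + msg

def server_accepts_upgrade(txid: int, tcp_payload: bytes) -> bool:
    """Client decision: upgrade to TLS only for a complete NOERROR reply to *our* question
    that carries an answer; REFUSED, a mismatched id or a truncated frame keeps cleartext."""
    if len(tcp_payload) < 2:
        return False
    (length,) = struct.unpack("!H", tcp_payload[:2])
    msg = tcp_payload[2:2 + length]
    if len(msg) != length or length < 12:
        return False
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not (flags & 0x8000) or (flags & 0x000F) != 0:
        return False
    if qd != 1 or an < 1:
        return False
    q = question_section()
    return msg[12:12 + len(q)] == q
```

The TLS handshake on the upgraded socket is left out. Note the downgrade exposure inherent in this design: a forged REFUSED reply is indistinguishable from a server that lacks upgrade_tls, so the client silently stays in cleartext, whereas the dedicated-port DoT design published as RFC 7858 (May 2016 above) starts TLS directly on port 853 instead of upgrading a cleartext session.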