This page describes at a high level the progress in various areas of DNS
Privacy work (most recent activity at the top) mainly focussed on
- RFC 9310: Zone transfer over TLS (XoT) is published
- RFC 9102: TLS DNSSEC Chain Extension finally published in the Independent Submission stream after hitting the buffers in the TLS WG
- https://sdns2021.dnscrypt.info conference held online
- QUIC protocol specification is published:
- Increasing adoption of the European Resolver Policy: press
included talks on Oblivious DNS, XFRW-over-TLS and ‘DNS over HTTPS
over CGN or public NAT64’
- Chrome 83 ships with DoH auto-upgrade option (and manual
- Microsoft announced DoH client available for Windows Insiders
- New drafts submitted to the IETF ADD WG on discovery
- EDDI has produced a Interim DoH Discovery Proposal for Browser and
- US govt agencies to disable DoH until their own federal DoT/DoH
service is available
- ISC publish a design document for their upcoming support of DoT and
- So much discussion of DoT/DoH at IETF 104:
- The Stubby chocolatey package is now
accepted and has
the name stubby (thanks to the chocolatey folks - the previous
stubby package was renamed!).
- A trio of drafts discussing DoH deployment issues causing much
discussion on the IETF DOH/DPRIVE/DNSOP mailing lists:
- Great news - the latest systemd-resolvd release now supports
- Interesting work by the folks at Bromite
(a privacy focused fork of Chromium that runs on Android). They just
enabled the Chromium DoH implementation by exposing configure
options (via chrome://flags). See this user
- Awesome tutorial by linuxbabe.com about
using Stubby on Ubuntu
- The DoH draft is in WGLC and is getting significant discussion!
- The amazing folks at dnsdist are working on implementing DoH and
finding important issues with the draft
- Mozilla have been blogging about their plans for using DoH
- DPRIVE WG at IETF just re-chartered to cover adding confidentiality
to recursive to authoritative exchanges.
- Interesting presentations from the DNS WG @ RIPE
- The Stubby Windows installer and
macOS GUI App are both updated to use the
getdns 1.4.2rc1 and stubby 0.2.3rc1 releases.
- Unbound 1.7.1 now supports authentication of DNS-over-TLS using PKIX
- New Internet Draft on DNS in dedicated QUIC
and lots of interesting drafts around DNS over HTTP getting
- Latest 1.1.0 release
of getdns includes Stubby!
- The DNS Privacy team is highlighted in the IETF Hackathon
- We’ll be talking at both the RMLL
conference (5th July) and at JCSA in
Paris (6th July) about DNS Privacy
- We are proud to add Salesforce as supporters of the DNS Privacy
- Improved usability for
planned for the 1.1.0-alpha3 release
- The content of this site is now available via the
- CoreDNS now offers
(as well as DNS-over-TLS). Also see
dingo if interested in
- IETF 97 EDU team held a DNS Privacy
Tutorial, which got coverage in both
and two articles in The
- More work at the
on Knot Resolver DNS Privacy implementation, TCP support in BIND and
Stubby. A further DNS Privacy test server made available thanks to
- DPRIVE working group discussed a possible re-charter to focus work
on the Resolver to Authoritative problem.
- DNS-over- HTTP(S) BOF held
- Presentation in the RIPE DNS working group on experimental
deployments of DNS Privacy servers.
- RFC7858 Published: Specification for DNS over Transport Layer
- Work at the IETF Hackathon in Buenos Aires to start implementing TLS
in Knot resolver
- getdns 1.0.0b1 release!
- RFC7816 Published: DNS Query Name Minimisation to Improve Privacy
- EDNS0 Keepalive draft approved for publication as RFC7828
- 5966bis draft approved for publication as RFC7766
- Authentication and (D)TLS Profile for DNS-over-TLS and
DNS-over-DTLS draft adopted by DPRIVE
- Testing of FreeBSD implementation of TCP Fast Open. Reported bug in
linux client implementation of TFO (now fixed) and made feature
request to OpenSSL to support client side TFO.
- Started work on Unbound patch to support TFO on Linux, FreeBSD and
- Produced first version of Authentication and (D)TLS Profile for
DNS-over-TLS and DNS-over-DTLS draft for submission to DPRIVE
- Client side EDNS0 keepalive option implemented in getdns
- SPKI pinset TLS authentication available in getdns
- Attended IETF 94.
- Participated in Hackathon including getdns implementation of
EDNS0 Padding option
- Last call review of DNS-over-TLS
- Agreed to start work on combined draft for (D)TLS Authentication
- Attended OARC Fall Workshop. Presentationed onUsing TLS for DNS
privacy in practice.
- Attended ICANN in Dublin, presented on DNSSEC for Legacy
applications including discussing DNS privacy features of getdns.
- Addition of TLS authentication using hostname to getdns
- IETF 93
- 0.3 release of getdns including
- New transport list options allowing user to flexibly specify an
ordered list of accepted transport options from TLS, STARTTLS,
- Ability to configure idle timeout associated with TCP
- 0.2 release of getdns including STARTTLS
- Release of version 0.1.8 of getdns including TLS and TLS with
fallback to TCP
- Changed to using DNS-over-TLS instead of T-DNS
- Extend LDNS and NSD patches to include options to use the TO bit
(for experimental inter-op testing)
- Publish LDNS code into repository for review
- getdns work put on hold, instead start work on Unbound server patch
- Presenting at IETF 91
- Started work on T-DNS in getdns
- Implementation of TCP Fast open support (linux only) in getdn for
stub mode in 0.1.5 release.
- Testing of 0.1.5 getdns codebase which implements TCP pipelining.
- POC implementation of TCP Fast Open in ldns, Unbound and NSD.
- Patch released to implement STARTTLS in NSD.
- Released patch to ldns for connection re-use.
- Continued helping to implement switch to ldns for stub mode in
- Basic support for synchronous API implemented and per query
namespaces also supported. (Note DNSSEC stub validation is still
done by unbound at this point….)
- Creating patch for ldns/drill to support connection reuse for TCP.
Using this from synchronous stub mode in getdns to demonstrate
- Work on TCP related drafts
- Working on getnds
- Added a new test to verify which transport queries are actually
- Helping to implement the switch to ldns for stub mode
- Working on support for pipelining of TCP queries
- Attended IETF 90 in Toronto and gave a demo of sending queries from
drill to Unbound using T-DNS
- Started looking at pipelining multiple queries from drill to Unbound
- Extending test framework to test multiple scenarios for drill <->
- Finished patch to drill to add extra options:
- -l will send a single query over TLS
- -L will send a single query over TLS after negotiating an
upgrade using a STARTTLS/CH/TXT query
- Finished patch to Unbound to support ‘upgrade_tls’ configure option.
This enables unbound to receive a a STARTTLS/CH/TXT query, send a
STARTTLS/CH/TXT response when configured properly, upgrade to SSL
and then receive a query over SSL.
- Started work on Unbound <-> NSD hop
- Completing implementation in Unbound to get drill <-> Unbound hop
- Implemented a patch to drill to support T-DNS for a single DNS query
- Discussions on the class to be used for the dummy query. The
resolver -> authoritative hop might be better implemented with a IN
- Start work on Unbound - understand current SSL-upstream
- From Willem: LDNS does not have support for asynchronous operation
so in the short term it will probably be used in getdns just in
synchronous mode so that the implementation of TDNS can continue.
- Further work on test framework
- Current getdns stub implementation cannot support sending of CH
class queries as it uses libunbound which denies the query and never
sends it onwards. Discussed in getnds meeting 19th May that further
implementation of T-DNS in getdns will have to wait until libunbound
is replaced with ldns for the stub mode. Current understanding is
that Willem is going to tackle this in the next few weeks.
- Identified need to support CH class in getdns for dummy
STARTTLS query. Start on implementation of this.
- This implementation highlighted the need for getdns to
gracefully handle refused queries that have no associated data.
- Created test harness to create a dummy STARTTLS query
- Agreed that initial implementations will use the dummy CH class
query (not the TO bit)
- Forked getdns. Familiarisation with getdns code base - get it to
install and run!
- Kick off meetings with T-DNS and getdns teams
- Creation of project issue tracker and wiki site
- Reading of relevant drafts and documentation - capture any early