[dns-resolver-tf] Final final draft of RIPE DNS Resolver Best Common Practices

Sun Mar 24 17:34:08 CET 2024

Oh Shane beat me to it and I agree with Shane's changes. However, I am more
inclined to keep the issues we draw from RFC8932.  I think streamlining and
repeating it maybe better than   just referencing it and might even help
with promoting the RFC.

just a thought.

Farzaneh

On Sun, Mar 24, 2024 at 12:25 PM Shane Kerr <shane at time-travellers.org>
wrote:

> Maarten,
>
> Thank you for your suggestions, edits, and discussion. I've updated the
> final draft to give us a final, final draft. 😉
>
> I've included the last (?) version at the bottom of this e-mail, and
> responded to your suggestions inline below.
>
> On 19/03/2024 10.24, Maarten Aertsen wrote:
>
> >>
> >> * Those running public DNS resolver services, and
> >
> > Should we remove "public" here?
>
> Hm, good point!
>
> >>    - Data Security: Since you are in control of the physical servers,
> >>      there is no risk of data leakage that can occur due to
> >>      vulnerabilities in multi-tenant virtualization platforms,
> >>      including CPU cache-based side-channel vulnerabilities. It could
> >>      be argued that attacks targeting such issues are rare, and their
> >>      impact on a DNS resolver service is low, but potential breaches
> >>      may have significant privacy impact. It is advised to evaluate
> >>      this against your organisation's risk model, or to discuss this
> >>      with your information security compliance experts.
> >
> > The ", or [..]" This feels a bit wordy; we don't suggest who to talk to
> > for all the other recommendations either.
>
> Makes sense. Discussing with experts is basically an option for
> everything. 😄
>
> >> #### Server capacity
> >>
> >> If using a model that is easy to scale (cloud based, or Kubernetes
> >> based, or similar), then getting server capacity correct is largely a
> >
> > Given the earlier text about Kubernetes being 'similar' to cloud, "or
> > Kubernetes based, " can probably be removed.
>
> I'm inclined to leave this in. I'd rather be explicit than implicit.
>
> >>
> >> Since DNS is mostly UDP-based, it is often easy to generate large
> >> amounts of spoofed traffic to and from DNS servers. DNS traffic is
> >> small compared to application traffic (videos and other content), but
> >> still significant. Authoritative server operators often build their
> >> networks and servers to handle 10 times their normal load. Recursive
> >> server operators may need to do the same, although the service only
> >
> > I would split this sentence, to read:
> >
> > server operators may need to do the same. When the service only
>
> Fair.
>
> >> accepts traffic from IP addresses that cannot be spoofed (for example
> >> users within a network that operated by the same company) then this
> >
> > remove "then"
>
> Done.
>
> >> ### Resilience
> >>
> >> #### System Diversity
> >>
> >> In addition to the software considerations above, operators should
> >
> > Either change to "software **licensing** considerations", or start the
> > sentence with Operators. After all, the previous part of the text is not
> > about software considerations, so current wording may be a bit confusing
> > to linear readers.
>
> Makes sense. I've started with Operators, no need to remind people of
> the other considerations here.
>
> >> consider whether to use different server implementations to provide
> >
> > s/server/software/ ?
>
> Makes sense.
>
> >> In addition to the DNS-specific security considerations, normal
> >> security best practices for any Internet service should be followed,
> >> including updating software updated regularly, patching software as
> >> soon as possible for any known security vulnerabilities, following
> >> CERT announcements and so on.
> >
> > Perhaps CERT/CSIRT. Not super important.
>
> You led me down a short trip to the Wikipedia:
>
> https://en.wikipedia.org/wiki/Computer_emergency_response_team
>
> In spite of CMU's trademark on the term CERT (?!?!), I see way more CERT
> in the national lists than CSIRT, so I'll stick with it.
>
> In a random note, the RIPE Database has an IRT object type rather than a
> CERT or CSIRT object type, through some artifact of history. 😆
>
> >> #### Certification
> >>
> >> It may be useful or required for an organization to follow specific
> >
> > s/follow/obtain/ ?
>
> In this case "follow" instead of "obtain" was deliberate. It might not
> be necessary to actually go through the cost of getting certification in
> order to get the benefits. But, since this section concludes mentioning
> that business customers will look for them, "obtain" probably makes more
> sense.
>
> >> certifications, such as ISO or ITIL. These can be government-defined
> >
> > Not sure if (unspecified) "ISO or ITIL" are the most relevant examples.
> > I would either remove or replace by say "ISO-IEC 27017, 27018 or SOC 2
> > Type 2", which all relate to services provided by an organisation, to be
> > relied on by users of that service.
>
> Replaced with "ISO or SOC 2 Type 2".
>
> >> QUESTION: Do we need to publish certificate in other ways that via the
> >> DDR mechanisms?
> >
> > Should this remain in?
>
> Good point, removed!
>
> >> ### TTL-based Record Pre-Fetch
> >>
> >> **TTL record pre-fetch should be enabled when available.**
> >
> > I would remove "when available", seeing that the last sentence of the
> > next paragraph already covers this.
>
> I'm leaving it in, since we use that exact phraseology elsewhere.
>
> >> ### DNS Error Reporting
> >>
> >> **DNS error reporting may be enabled.**
> >>
> >> For: All DNS resolver operators.
> >>
> >> DNS error reporting is a way for resolver operators to let
> >> authoritative operators know about problems in authoritative servers
> >> or zones. It provides little direct value for the resolver operators,
> >> but over time should improve the overall quality of the DNS ecosystem.
> >> It is neither widely deployed nor standardized, but hopefully will be
> >> both soon. Resolver operators are encouraged to enable DNS error
> >
> > To me, 'may be' does not sound like much encouragement. Should this be
> > 'should be' instead? The paragraph already explains that availability is
> > limited for the moment.
>
> I'm not sure we have enough operational experience to know if this is
> actually a good idea. It may end up being spammy, or unintentionally
> result in privacy leaks, or any other kinds of unpleasant side-effects.
> I don't expect it, but I also don't feel comfortable recommending it
> strongly.
>
> >> ## Privacy, Filtering, Transparency
> >
> > Reviewing this next part was a bit painful, because I was involved in
> > writing it and yet I see quite a few places where I feel we should
> > improve. After re-reading RFC8932 for the second time, I noticed quite
> > some overlap where RFC8932 is more exhaustive, specific and practicable.
> > By creating overlap, I think we may be watering down our own advise.
> > Below I go over all the items one by one, reference specific sections to
> > advocate for removal of any such overlap.
>
> Okay, thanks for the detailed re-reading.
>
> >> ### Privacy & anonymity
> >>
> >> Operators are advised to apply
> >
> > DNS resolver operators
>
> Yes.
>
> >> [RFC8932](https://www.rfc-editor.org/rfc/rfc8932.html)
> >>
> >> "Recommendations for DNS Privacy Service Operators" as follows:
> >>
> >>    1. its operational and policy guidance related to DNS encrypted
> >>    transports and data handling, by applying all "Threat mitigations"
> >>    (thereby by meeting its level of "minimally compliant") and
> >>    additionally by applying the "Optimizations" on EDNS Client Subnet
> >>    listed in section 5.3.1.
> >>
> >>    2. its framework on a Recursive operator Privacy Statement, by
> >>    publishing a privacy statement on their website that is compliant
> >>    with Section 6.
> >
> > I suggest we strengthen this sentence a bit, then remove duplicates in
> > the next section:
> >
> > s/that is compliant with/covers all topics in/
>
> Makes sense.
>
> >> #### Logging considerations
> >>
> >> 1. Public privacy policy: DNS resolvers are recommended to publish
> >>     their privacy policies transparently on their website. It can be a
> >>     brief privacy commitment as well or be more elaborate on how the
> >>     privacy policy was made. (See for example
> >>     [Cloudflare's
> >> statement](
> https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver)
> >> or [Quad9's privacy page](https://www.quad9.net/service/privacy/).)
> >>
> >>     Such policies should explicitly mention the sampling rate of DNS
> >>     queries/responses that are kept, and whether these are anonymized.
> >
> > This is fully covered by the reference to RFC8932, Section 6. I suggest
> > we remove this text.
>
> Okay, that makes some sense. I kept the examples from Cloudflare and
> Quad9, but moved them at the end of the previous section.
>
> >> 2. Third party access to personal data: it seems that the only
> >>     critical personal data that DNS resolvers collect are IP addresses
> >>     and the queries that are resolved.  The other meta data collected
> >>     can be used to have an understanding of for example which user
> >>     accessed which website which can reveal information about a
> >>     person’s health, lifestyle and other personal preferences (we call
> >>     this profiling). For example, resolving the website for alcoholics
> >>     anonymous may tell you something about the health of a person
> >>     behind an IP address. IP addresses are personally identifiable
> >>     information. Follow the applicable privacy laws or privacy
> >>     principles when receiving third party requests to access.
> >
> >>     Resolvers
> >>     should only comply with such requests when balancing legitimate
> >>     third party interest with other fundamental rights.
> >
> > This goes beyond RFC8932, Section 5.3.3 and Section 6.1.1 item 2 and may
> > therefore be worth keeping.
> >
> > I suggest re-ordering this paragraph a bit to start with the advice. The
> > following is an attempt to reorder:
> >
> > Resolver operators may receive third party requests for information they
> > have logged that relates to users, including IP addresses, queries and
> > meta data.  Resolvers should only comply with such requests when
> > balancing legitimate third party interest with the user's fundamental
> > rights, including rights to privacy. Usage information can be personal
> > data, PII or similarly regulated under the privacy laws applicable to
> > the users, operator or third party, revealing a person's health,
> > lifestyle or other personal preferences (profiling). For example,
> > logging information that documents a user resolving a website for
> > alcoholics anonymous may relate to the health of a person behind an IP
> > address.
>
> Makes sense, I've included this text.
>
> >> 3. Access to data for researchers: how it is done, who has access and
> >>     who can request access, how the resolver makes a decision to give
> >>     access (validated and credible researchers, what they can access
> >>     and other issues)
> >
> > Covered in RFC8932, Section 5.3.3. Suggest removal.
>
> Removed.
>
> >> 4. Data minimization: do not collect personal information not needed
> >>     for critical operations.  Only retain or use what is being asked
> >>     (the query). If collecting data to make the service more private
> >>     and secure, explain the rationale for each piece of data (data
> >>     collection purpose)
> >
> > Covered in RFC8932 section 5.2.1 and section 5.2.2. Suggest removal.
>
> Removed.
>
> >> 5. Encryption: If data is encrypted, explain how it has been encrypted
> >>     (DoH, DoT, or so on).
> >
> > Covered in RFC8932, Section 6.1.2, item 2. Suggest removal.
>
> Removed.
>
> >> 6. Data security and retention: when to delete the data and how it is
> >>     stored
> >
> > Data retention is covered in RFC8932 section 5.2.1 and section 5.2.2.
> > Section 5.2.1, last bullit under mitigations sets a security goal
> > relating to data access, though the word security is not used (it is the
> > scope of the entire document).
> >
> > Suggest removal. Alternatively, abstract to a level higher than RFC8932
> > by stating something like the following (with limited operational value):
> >
> > 2. Data security: DNS Resolver operators should take appropriate
> > technical and organisational measures to protect logging information
> > that relates to users.
>
> I've included this higher-level recommendation.
>
> >> **Legal requests and blocking and filtering laws:** DNS resolvers
> >
> > operators
>
> Updated.
>
> >> should not filter content and block access to web-services. When the
> >> local law requires blocking, and the law applies to the resolver, the
> >> resolver should transparently disclose a list of blocked websites and
> >> services, when possible (disclosing such a list may not be allowed by
> >> law or regulation). Similarly, the resolver should disclose the source
> >> of such block lists, when possible.
> >>
> >> If it is not possible to disclose the source of blocklists, operators
> >> should try to be as transparent as possible about how they receive
> >> those blocklists, based on what criteria, and how they mitigate errors
> >> and false positives. Disclosing which organizations operators interact
> >> with, how they liase, and so on, can help users understand the impact
> >> on the service provided.
> >>
> >> If possible, resolvers should provide information about blocked
> >> responses via the Extended DNS Error with the Blocked, Censored,
> >> Filtered, or Prohibited code - whichever applies best - along with a
> >> text why the response was blocked, censored, filtered, or prohibited.
> >>
> >> [RFC 8914](https://www.rfc-editor.org/rfc/rfc8914.html#section-4.16)
> >> provides information about the meanings of the different codes.
> >
> > I like these paragraphs, but they are also covered by RFC8932, section
> > 6.1.1 item 6 (result filtering), which we already advise to apply.
> > As an example of where that section is stronger, it does not feature
> > 'when possible' escape hatches.
> >
> > I'm not sure what to do here. At a minimum, I believe we should make a
> > reference to that content and substantiate why we feel it is worth
> > repeating here (while not the other topics of RFC8932).
>
> Interesting. The "when possible" language was added in recognition that
> there may be legal or other barriers preventing such transparency.
>
> Also, RFC 8932 6.1.1 just talks about documentation... our text here
> actually recommends not filtering, which RFC 8932 does not do.
>
> RFC 8932 also doesn't reference RFC 8914, which makes sense since they
> came out very near to each other.
>
> So... I understand the concern about re-specifying things, but I'm
> actually happy to let this text stand.
>
> >> **Community governance of blocklists:** blocklists, if mandatory, have
> >> to be audited and assessed by third parties and there should be a
> >> right to appeal for those blocked. The Internet community can vet the
> >> blocklists from time to time to avoid blocking access to websites that
> >> are mistakenly blocked. During crisis - when mistakes can have drastic
> >> effects on accessing a critical service - preferably filtering and
> >> blocking should not be used.
> >
> > This is not covered by 8932, so relevant to keep.
>
> 👍
>
> >> ### Transparency
> >
> > Suggest leading with the advice:
> >
> > Public DNS resolver operators should publish transparency reports to
> > build user trust in their adherence to policies and practices. This goes
> > beyond our advise to apply RFC8932, section 6.2.
>
> Makes sense. Updated.
>
> >> DNS resolvers usually provide transparency reports once a year. The
> >
> > Suggest to replace with:
> >
> > A common frequency is once a year. The
>
> Done.
>
> >> #### Voluntary certificates and standards
> >>
> >> Some DNS resolvers opt for obtaining certificates in security and
> >> privacy. Some also undertake audits on their privacy practices. See
> >> for example:https://www.cloudflare.com/trust-hub/compliance-resources/
> >
> > Suggest removing this; certification is already covered under ###
> > Resilience above.  Should the group feel that this is the most
> > appropriate place, I suggest moving that section to replace the one here.
>
> Good point. I added a bit of text mentioning audits or reports, and
> include the link as an example there.
>
> >> #### Human rights considerations
> >>
> >> DNS resolvers can opt for declaring their understanding of their
> >> responsibilities regarding human rights from the Universal Declaration
> >> of Human Rights. Specifically, Quad9 mentions rights to freedoms
> >
> > s/Specifically/As an example of a public DNS resolver operator/
>
> Make sense, updated.
>
> --
> Shane
>
> # DNS Resolver Recommendations
>
> About the DNS Resolver Best Common Practice Task Force
>
>
> https://www.ripe.net/participate/ripe/tf/dns-resolver-best-common-practice-task-force
>
> ## Terminology
>
> * Open Resolver: A DNS resolver that accepts queries from any client.
>    Often the result of misconfiguration.
>
> * Public Resolver: A resolver intentionally configured to be an open
>    resolver.
>
> ## Introduction
>
> ### What Is This Document? Who Is It For?
>
> This document presents recommendations and best current practices for
> operating DNS resolvers, both public and non-public ones. It covers
> technical aspects of operations and provides best practice
> recommendations for data management, with a particular focus on user
> privacy, security, and resilience.
>
> The document serves as guidance for the wider Internet community,
> offering input to:
>
> * Those running DNS resolver services, and
> * Those who want to make informed choices between such services.
>
> Its purpose is to provide clear guidance and promote effective
> practices in DNS resolver operation.
>
> The intended audience is not the entire DNS community. Advice here is
> probably not useful for operators of authoritative servers, domain
> registrars, and so on. It is also not meant to be an introductory or
> educational document. There are many documents which cover the basics
> of DNS and the roles of organizations in it; a good overview is:
>
> Addressing the challenges of modern DNS - a comprehensive tutorial
> by van der Toorn et al.
>
> https://ris.utwente.nl/ws/files/282427879/1_s2.0_S1574013722000132_main.pdf
>
> The document does not consider how to measure adherence to these
> recommendations. So it is not intended to be used for certification,
> although certification created based on the principles here is
> possible.
>
> ### How Is This Document Organized?
>
> This document has a number of sections, and specific recommendations
> in each section. The intent is for each recommendations to have clear
> guidance at the top, and then background and discussion related to the
> recommendation afterwards. Each recommendation indicates whether it is
> mostly for operators of public resolvers or for operators of any
> resolver.
>
> ### About Recomendation Text
>
> This is not a standards document, and does not propose any way to
> measure compliance or interoperability. It does use words like
> "should" or "may be" throughout. These are meant to be interpreted in
> the usual English sense, and not as IETF-style RFC 2119 jargon.
>
> ## System and Network Hardening
>
> ### Infrastructure considerations
>
> Running any Internet service requires attention to the infrastructure
> used to operate it. This section discusses various approaches that can
> be used to run a DNS resolver. Everything applies to both public and
> non-public DNS resolvers.
>
> #### Bare metal or public cloud
>
> All DNS resolver software can run either on dedicated servers (rented
> or colocated), or in virtualized clouds, or in a combination of those.
> Every approach has pros and cons. Most of these are not specific to
> running DNS resolvers, however, some of them are.
>
> **Running DNS resolver instances as OS level daemons on bare metal
> hosts:**
>
> Pros:
>
>    - Performance: Bare metal servers have direct access to the
>      underlying hardware, and can offer superior performance/cost
>      balance by avoiding the overhead associated with virtualization.
>      Moreover, you have full control over the server's configurations,
>      down to the hardware level, which can be beneficial for
>      performance and cost optimization once you get the understanding
>      of your typical work load during peak hours.
>
>    - Data Security: Since you are in control of the physical servers,
>      there is no risk of data leakage that can occur due to
>      vulnerabilities in multi-tenant virtualization platforms,
>      including CPU cache-based side-channel vulnerabilities. It could
>      be argued that attacks targeting such issues are rare, and their
>      impact on a DNS resolver service is low, but potential breaches
>      may have significant privacy impact. It is advised to evaluate
>      this against your organisation's risk model.
>
>    - Predictability: Because there is no virtualization layer and no
>      "noisy neighbours" on the host, the performance of your servers is
>      more predictable.
>
> Cons:
>
>    - Cost of failure: If you pick hardware configuration that is not
>      optimal for the workload of your DNS resolver, you may need to
>      upgrade and replace hardware components afterwards. Ways to reduce
>      this risk include renting servers instead of buying them, carrying
>      load testing with data similar to production workloads, and
>      providing limited beta access to the service before it fully
>      enters the production phase.
>
>    - Scalability: Scaling up with physical servers means acquiring or
>      renting, installing, and configuring new hardware, which will take
>      more time than provisioning new virtual servers in a cloud
>      environment. Moreover, most cloud environments will provide you
>      with cluster autoscaling features, which could barely be achieved
>      in bare metal.
>
>    - Maintenance: You will be responsible for all server maintenance
>      tasks, including hardware issues, which can require significant
>      effort and specific expertise.
>
>    - Redundancy: Setting up high availability and disaster recovery
>      strategies can be more complex and time consuming compared to the
>      cloud, where these features are often provided as value added
>      products. See the Redundancy section for more details.
>
> **Running DNS resolver instances in containers in a public cloud:**
>
> Pros:
>
>    - Scalability: Clouds excel at scaling applications. You can scale
>      up and down rapidly based on load, which is important for a DNS
>      resolver that needs to handle variable query loads. In case of
>      regional or geographically distributed resolvers, in every region
>      where the resolver would be deployed, daily periodicity is likely
>      to be observed, for example peak hour is likely to occur around
>      19:00 local time, and off-peak hours may begin at around
>      01:00-03:00. In a situation like that, using cluster autoscaling
>      features and tools, you can run less instances in the night and
>      more instances throughout the day, which may help to optimize your
>      cloud hosting costs.
>
>    - Fault Tolerance and High Availability: Most clouds have built-in
>      strategies, features, and products for handling node failures,
>      which can increase your service's availability.
>
>    - Deployment and Management: Cloud providers offer built-in methods
>      to deploy and manage applications, which can simplify operations
>      and reduce the likelihood of human errors if your infrastructure
>      management department is already familiar with these tools.
>
>    - Cost: While this largely depends on your specific usage, cloud
>      services can sometimes be more cost-effective than managing your
>      own physical servers, especially when you consider the total cost
>      of ownership, including power, cooling, and maintenance.
>
> Cons:
>
>    - Performance: The virtualization layer of public clouds can impact
>      performance. While this certainly could be mitigated through
>      scaling the number of virtual hosts, the cost would also increase
>      accordingly.
>
>    - Complexity: Advanced cloud technologies are complex systems which
>      come with a steep learning curve. Without prior experience,
>      properly configuring and managing a cloud-based compute cluster
>      can be challenging.
>
>    - Cost Variability: While the cloud can be cheaper, it can also be
>      more expensive if not properly managed. Costs can rise
>      unexpectedly based on traffic. Make sure to always set some limits
>      on how much may be spent on hosting in the cloud control panel,
>      and to set up notifications to be sent to you when these
>      thresholds are about to be triggered.
>
>    - Multi-tenancy Risks: In a public cloud environment, the "noisy
>      neighbour" problem could potentially affect your service's
>      performance. Additionally, even though cloud providers take steps
>      to isolate tenant environments, vulnerabilities could potentially
>      expose sensitive data (see the previous section for a detailed
>      explanation).
>
> **Additional considerations**
>
>    - In today's environments, Kubernetes and Terraform are sometimes
>      used as a substitute for cloud APIs when it comes to production
>      services' management. When running a DNS resolver in a Kubernetes
>      cluster on top of a public cloud environment, all the pros and
>      cons of the public cloud apply; basically, Kubernetes becomes your
>      public cloud provider. If you have significant prior experience
>      running services in Kubernetes in production, you may successfully
>      replicate your experience with the DNS resolver software.
>      Otherwise, we would advise against Kubernetes in this case.
>
>    - The only reason we may find to run a DNS resolver in a Kubernetes
>      cluster on top of self-hosted dedicated servers is when you have
>      significant hands-on experience with Kubernetes and it is natural
>      for you to manage applications this way. Otherwise, running DNS
>      resolver daemons in containers brings little, if any, benefit.
>      Autoscaling features are not available to you in this case, and
>      neither horizontal nor vertical pod autoscaling is of any use,
>      because DNS resolver software typically scales in-host by itself
>      just fine.
>
>    - When designing a cluster of resolvers for autoscaling, keep in
>      mind that newly spawned resolver machines would need to populate
>      resolver cache first before they are fully useful. Your DNS
>      resolver software may provide cache replication mechanisms.
>      Otherwise, it is safe to overprovision clusters somewhat under
>      heavy load, and discarding excessive instances once all the caches
>      are populated and the average load of a compute instance
>      decreases. In addition, it may be worthwhile to consider sharing
>      cache data between instances.
>
>    - It is always advised to prefer environments your infrastructure
>      management team is familiar with.
>
> ### Software considerations
>
> #### Open Source
>
> **Recommendation**: Choose any well-maintained DNS software you are
> comfortable using. Regardless of which software you choose, ensure you
> have somewhere to go for support. In the case of open source software,
> consider providing financial support to ensure continued development.
> Some open source maintainers take donations, while others offer
> support contracts.
>
> There are both open source and proprietary implementations of DNS
> resolver software. Mixing these is also possible, for example, by
> using proprietary extensions with open source software or deploying
> open source software modified in-house.
>
> General observations:
>    - Software licensing is orthogonal to software security. Neither is
>      proprietary software less secure on principle nor are
>      contributions by "unknown" developers more of a risk in open
>      source.
>
> Benefits of open source:
>    - Open source allows for inspection, independent auditing, and
> troubleshooting.
>    - Open source can avoid vendor lock-in.
>    - Open source can aid internet standards development.
>      Widely-deployed open source implementations allow proponents of
>      standards drafts to contribute proof of concept implementations
>      without permission or cooperation of vendors.
>
> Drawbacks of open source
>    - Both open source and proprietary software require skilled
>      maintenance, which has costs. Proprietary licensed software or
>      appliances typically come with license fees to cover these. In
>      contrast, open source licenses decouple usage by operators from
>      monetary compensation to developers. It is up to operators to
>      consider the financial sustainability of continued maintenance of
>      the open source DNS software they depend upon.
>
> Please also consider deploying different software implementations to
> ensure diversity, as discussed in the diversity section below.
>
> ### Networking considerations
>
> #### IPv4 and IPv6
>
> **If available, both IPv4 and IPv6 must be deployed.**
>
> Large parts of the authoritative DNS are only accessible via IPv4, so
> the resolver must be able to originate IPv4 queries. Authoritative DNS
> that is only accessible via IPv6 is very rare.
>
> Depending on the connectivity of clients, a resolver may be IPv4-only,
> IPv6-only, or support IPv4 and IPv6.
>
> #### Addressing
>
> **Using multiple IP addresses for the service address should be
> considered.**
>
> Using 2 or more IPv4 addresses and 2 or more IPv6 addresses from
> different RIR will allow resilience in failure at an RIR, either
> governance, security, or technical. Note that support for multiple
> addresses for recursive resolvers varies and some clients perform
> poorly if any address does not respond normally.
>
> There is no need to pick an IPv4 address with all octets the same,
> like 2.2.2.2 or 11.11.11.11.
>
> **Publishing a list of back-end addresses used for resolving should be
> considered.**
>
> Publishing a list of back-end addresses used for resolving can be
> useful for other network & DNS operators (for example, geo-IP
> location, making sure data is getting to correct places, and so on).
>
> #### High Availability
>
> This can be considered in terms of local and global scope.
>
> ##### Local scope
>
> Inside a single location/region, such as an office, campus, or small
> ISP network, the main availability concern is that a resolver is
> always reachable.  Client systems can be configured with multiple
> resolver addresses, but the failover behaviour of stub resolvers to a
> second address can be painful.  Ideally the primary address is highly
> available and such fallback rarely required. How much effort is put
> into ensuring this is true should probably scale in line with the
> number of users, or sensitivity of the clients using that resolver to
> delayed resolution.
>
> There are several ways to promote high availability of an individual
> resolver address, such as dedicated load balancing equipment, or
> network techniques like VRRP, or IP anycast. These generally have in
> common a pool of recursive servers and the means to direct queries to
> them when a health check has determined them to be capable of
> answering those queries.
>
> Dedicated free or commercially produced, hardware or software load
> balancing solutions are available. These typically own the resolver IP
> address and forward queries to the currently available instances of a
> pool of recursive servers.
>
> VRRP enables a technique to make the resolver IP address available on
> multiple servers, often used to provide automatic failover between
> two.  A pool of recursive servers using this technique must reside in
> the same broadcast domain.
>
> IP anycast in the local scope typically involves a pool of recursive
> servers advertising a route to a shared resolver IP address into a
> routing protocol.  This can be configured in failover or load-sharing
> configurations. A load sharing configuration typically requires
> network equipment able to balance traffic to a destination over equal
> cost paths (ECMP). A pool of recursive servers using this technique
> can be distributed in different parts of the network.
>
> ##### Global scope
>
> The same concerns as for local service availability are present in the
> global scope, with the added issue that DNS resolution over long
> distances may be slow. Practically speaking, only multiple resolver
> addresses, or IP anycast are useful strategies here. The motivations
> for finding better failover solutions than multiple resolver addresses
> have been covered above.
>
> IP anycast in the global scope means routing the same IP prefix to
> more than one location. This can provide effective solutions for
> failover and, when optimally configured for routing client queries to
> the topologically least distant recursive server location. IP anycast
> in the global scope requires the use of globally routable prefixes. If
> a separate prefix is to be used for anycasting, usually this means a
> /24 in IPv4 and a /48 in IPv6, as those are the smallest sizes that
> will be widely propagated in BGP. A common practice is to use a
> covering prefix (/23 in IPv4 or /47 in IPv6) for fallback, and a
> more-specific prefix (/24 or /48) for the traffic. The more-specific
> prefix can then be withdrawn to send traffic to a backup site; this
> will happen automatically if the site is disconnected from routing.
>
> [RFC7094](https://www.rfc-editor.org/rfc/rfc7094.html) discusses
> anycast architecture in detail, including references to various other
> RFC which discuss anycast in general and to DNS in particular.
>
> [RFC4786](https://datatracker.ietf.org/doc/html/rfc4786) discuses
> operation of anycast services.
>
> ##### Generally
>
> Operators of a globally scoped recursive service are encouraged to
> also adopt the local scope recommendations in each of the locations
> where the service is provisioned.
>
> Though the above deals with the shortcomings of reliance on stub
> resolver failover between a list of addresses those recommendations
> shouldn’t be seen as an exclusive alternative. Multiple resolver
> addresses, where each is provisioned using differing failover
> strategies, can provide a resolver of last resort and further improved
> resilience.
>
> #### Ingress Filtering
>
> **Ingress Filtering to follow BCP 38 should be deployed.**
>
> DNS normally uses UDP traffic, which makes it a common vector of both
> [reflection](https://en.wikipedia.org/wiki/Reflection_attack) and
> [amplification](
> https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks
> )
> attacks. To minimize the amount of spoofed traffic that a resolver
> responds to, the network should be configured as recommended in
> [BCP 38](https://www.rfc-editor.org/rfc/rfc2827.html).
>
> #### RPKI Sign Advertised Routes
>
> **Route Advertisements should be signed using RPKI**
>
> Using RPKI to sign any route advertisements - either toward
> authoritative servers or toward DNS clients - is straightforward to do
> and will reduce the impact of BGP misconfigurations and some BGP
> hijacking attempts.
>
> RPKI validation is also possible, although the effort is greater. It
> is possible that the hosting provider or the transit provider for your
> service validates BGP; asking and making this part of your selection
> criteria is reasonable.
>
> #### (D)DoS measures
>
> Denial-of-Service (DoS) attacks, both distributed (DDoS) and not are a
> threat to any Internet service. Network operators for a service
> providing any DNS service must be prepared for large amounts of attack
> traffic.
>
> In addition to attacks on the service itself, a resolver may be used
> both as an attack reflector and as an attack amplifier.
>
> Active monitoring of network and service usage, careful logging, and a
> security team that is able to respond to problem reports is necessary.
> Mitigation techniques will include filtering or rate-limiting traffic,
> both on the authoritative and client side of the resolver.
>
> ### Capacity planning
>
> #### Server capacity
>
> If using a model that is easy to scale (cloud based, or Kubernetes
> based, or similar), then getting server capacity correct is largely a
> question of budgeting. If using a less-flexible model (bare metal for
> example), then under-estimating will mean problems delivering service.
>
> Hardware performance varies widely, as does operating system and
> resolver performance. Some lab testing will be necessary to estimate
> the number of systems needed.
>
> #### Network capacity
>
> Since DNS is mostly UDP-based, it is often easy to generate large
> amounts of spoofed traffic to and from DNS servers. DNS traffic is
> small compared to application traffic (videos and other content), but
> still significant. Authoritative server operators often build their
> networks and servers to handle 10 times their normal load. Recursive
> server operators may need to do the same. When the service only
> accepts traffic from IP addresses that cannot be spoofed (for example
> users within a network that operated by the same company) this can be
> reduced, for example to 3 times normal load. To estimate expected
> load, the best approach is to examine historical usage for the actual
> expected users of the system.
>
> ### Resilience
>
> #### System Diversity
>
> Operators should consider whether to use different software
> implementations to provide service. This allows continued operation if
> a critical vulnerability is found in one implementation, by shifting
> traffic to other implementations.
>
> Placing resolvers and control systems in different physical locations
> will allow continued operation in the event of a disaster or other
> problem that impacts a single location. In addition, ensuring diverse
> connectivity to other networks will prevent single points of failure
> on the network side. Ensuring network diversity may take some care, as
> it is not always obvious what fate is shared between any given path;
> this may be physical, virtual, or organizational, and my sometimes be
> hidden.
>
> #### Security
>
> In addition to the DNS-specific security considerations, normal
> security best practices for any Internet service should be followed,
> including updating software updated regularly, patching software as
> soon as possible for any known security vulnerabilities, following
> CERT announcements and so on.
>
> #### Certification
>
> It may be useful or required for an organization to obtain specific
> certifications, such as ISO or SOC 2 Type 2. These can be
> government-defined or industry-defined. For end users there is
> typically not much direct value, but business customers will often
> look for services that are operated by organizations meeting such
> standards. Audits or other reports about this may be published, see
> for example:
> https://www.cloudflare.com/trust-hub/compliance-resources/
>
> ## DNS configuration knobs
>
> The DNS is an old protocol that has a lot of settings that can be
> tweaked. This section reviews these and provides recommendations on
> which should be used for a resolver.
>
> ### DNSSEC validation
>
> **DNSSEC validation should be enabled.**
>
> For: All DNS resolver operators.
>
> DNSSEC validation is the best way to ensure that the answers from the
> owner of domain name being queried are returned.
>
> The root KSK must be updated when it changes. While
> [RFC5011](https://www.rfc-editor.org/rfc/rfc5011.html) defines an
> automated way to do this, a resolver operator will probably either
> manage this trust anchor directly or have it updated via OS updates.
>
> [RFC9364](https://www.rfc-editor.org/rfc/rfc9364.html) provides a lot
> of useful information, and links to further documents about DNSSEC.
> However, operators usually do not need to know the details, and can
> simply ensure that DNSSEC validation is enabled in their software.
>
> Resolver software that does not support DNSSEC validation should be
> avoided.
>
> ### DNS Transport Protocols
>
> **UDP and TCP must be supported.**
>
> For: All DNS resolver operators.
>
> UDP is what most clients use, and TCP is necessary for DNS answers
> that are too large for a single UDP packet.
>
> [RFC7766](https://www.rfc-editor.org/rfc/rfc7766.html) explains why
> TCP is necessary in more detail.
>
> ### Packet Fragmentation Avoidance
>
> **Servers should be configured to avoid fragmentation.**
>
> For: ALL DNS resolver operators.
>
> Packet fragmentation can cause issues with DNS over UDP, especially
> over IPv6. These issues can be minimized by choosing implementations
> that set IP options to avoid this, and by taking care with EDNS0
> message sizes.
>
> Recommendations are available in
> [draft-ietf-dnsop-avoid-fragmentation](
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/).
>
> ### Encrypted DNS
>
> **At least one of DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and
> DNS-over-QUIC (DoQ) should be supported.**
>
> For: All DNS resolver operators.
>
> DoT, DoH, and DoQ are different technologies that all provide an
> encrypted channel between the resolver and the authoritative server.
> DoT is the oldest, and provides encrypted DNS using TLS. DoH uses HTTP
> over TLS as a way to transmit queries and answers, and is widely
> supported by web browsers. DoQ is the newest, and provides advanced
> features such as separate streams for each query, avoiding the "head
> of line" blocking problem common with all protocols layered on top of
> TCP (such as DoT and DoH).
>
> - DoT
>    - [RFC7858](https://www.rfc-editor.org/rfc/rfc7858.html)
> - DoH
>    - [RFC8484](https://www.rfc-editor.org/rfc/rfc8484.html)
> - DoQ
>    - [RFC9250](https://www.rfc-editor.org/rfc/rfc9250.html)
>
> **Discovery of DNS Designated Resolvers**
>
> There are new mechanisms that allow DNS clients to use DNS records to
> discover encrypted DNS configurations.  Resolvers should publish DNS
> records to assist clients finding encrypted resolvers.
>
> - Discovery of Designated Resolvers
>    - [RFC9462](https://www.rfc-editor.org/rfc/rfc9462.html)
>
> ### QNAME Minimization
>
> **QNAME minimization should be enabled.**
>
> For: All DNS resolver operators.
>
> Using QNAME minimization, a resolver does not send the full name that
> it is trying to resolver to authoritative servers higher in the DNS
> hierarchy. So, for example, when querying "atlas.ripe.net" the servers
> for ".net" would only be asked for "ripe.net". This improves privacy
> for the end user querying the name.
>
> [RFC7816](https://www.rfc-editor.org/rfc/rfc7816.html) covers QNAME
> minimization.
>
> ### Aggressive NSEC caching
>
> **Aggressive NSEC caching may be enabled.**
>
> For: Public resolver operators.
>
> "Aggressive NSEC caching", meaning negative caching based on NSEC and
> NSEC3 values, can reduce traffic greatly. It is important to protect
> against random subdomain attacks.
>
> This style of caching takes advantage of the way that NSEC and NSEC3
> records cover a range of names in a zone. A resolver can know that a
> query falls within such a range without sending any further queries,
> by remembering the NSEC or NSEC3 redords that is has seen as answers
> to earlier queries.
>
> Aggressive NSEC caching is almost always a good idea. However enabling
> this is less important for DNS resolver operators who have a close
> relationship with users, since they can stop attacks by blocking users
> or otherwise directly dealing with the source of abusive queries.
>
> [RFC8189](https://www.rfc-editor.org/rfc/rfc8189.html) describes
> negative caching in detail.
>
> ### ANY Queries
>
> **ANY queries responses should be limited.***
>
> For: All resolver operators.
>
> Public or large-scale resolvers should be exceptionally careful with
> queries of type ANY, which return all all records at a given name. If
> a resolver replies with all of the records cached for a given type,
> the response can be much larger than for a single record type. Strict
> limits should be enforced on volumes of such queries to prevent
> amplification abuse, or truncation should be applied to prevent
> spoofed redirections.
>
> [RFC8482](https://www.rfc-editor.org/rfc/rfc8482.html) describes
> several approaches to limiting ANY responses.
>
> ### Local Root
>
> **Local root should be used.**
>
> For: Public resolver operators.
>
> Running a local root has several benefits, but it is an additional
> component to maintain. For public resolver operators this is
> definitely worth the cost, but other resolver operators may choose to
> simply send all queries to the well-distributed root name servers.
>
> [RFC8806](https://www.rfc-editor.org/rfc/rfc8806.html) describes local
> root, including several example configurations.
>
> In the future it will be possible to use ZONEMD to validate the copy
> of the root zone obtained before using it. This is currently available
> for the root zone.
>
> [RFC8976](https://www.rfc-editor.org/rfc/rfc8976.html) describes ZONEMD.
>
> ### DNS Cookies
>
> **Interoperable DNS Cookies may be supported.**
>
> For: Public resolver operators.
>
> DNS cookies provide some improved security over plain UDP, and are
> designed to be more lightweight than TCP. If more than one server is
> responding for a given IP address, then the Server Secret must be
> shared by all servers, and the answer must be constructed in a
> consistent manner by all server implementations.
>
> Since client-side support for DNS cookies is not very widespread, and
> since managing server-side secrets involves some work, the costs may
> outweigh the benefits for some non-public resolver operators.
>
> [RFC7873](https://www.rfc-editor.org/rfc/rfc7873.html) describes DNS
> cookies, and [RFC9018](https://www.rfc-editor.org/rfc/rfc9018.html)
> standardizes shared DNS cookies.
>
> ### TTL Recommendations
>
> **TTL limits may be adjusted.**
>
> For: All DNS resolver operators.
>
> Software typically defaults to a maximum stored TTL of 1 or 2 days.
> A lower TTL will mean removing rarely-used records that have long TTL,
> and should not have much operational impact from a CPU or network
> point of view.
>
> It is possible to set a minimum TTL in many implementations. This is a
> violation of the DNS protocol, although may be useful to reduce load
> from records with very low TTL (less than 5 seconds).
>
> Note that software may set different maximum and minimum TTL
> independent of the results that the resolver returns. That may have a
> significant impact on queries as well, but resolver operators cannot
> influence that.
>
> ### TTL-based Record Pre-Fetch
>
> **TTL record pre-fetch should be enabled when available.**
>
> For: All DNS resolver operators.
>
> Some resolvers have the ability to look up a record before it has
> expired from cache, in order to refresh the value and extend the TTL.
> This way there is never a time when the records are missing from the
> cache. This is not currently standardized, but a form of this was
> proposed in the IETF as
> [DNS
> Hammer](
> https://datatracker.ietf.org/doc/html/draft-wkumari-dnsop-hammer-03).
> We recommend turning this feature on if available.
>
> ### EDNS Client Subnet (ECS)
>
> **ECS may be enabled.**
>
> For: All DNS resolver operators.
>
> EDNS Client Subnet (ECS) allows the resolver to include information
> about the IP address of the client querying it when sending messages
> to authoritative servers. This may allow authoritative servers to
> provide different answers which are more appropriate for the client.
> However, ECS will increase the amount of cache space required by
> resolvers, may reduce DNS performance, and may have privacy
> implications.
>
> A resolver operator that has clients that are limited to a specific
> region may see no benefit. A resolver operator that has a widely
> distributed anycast network may not have much benefit from ECS, since
> the locations that initiate the query will be close to the client. But
> a resolver operator that answers client queries only from a few
> locations, and expects clients to come from a wide area, may provide
> better service for end-users by supporting ECS.
>
> EDNS client subnet is described in
> [RFC7871](https://www.rfc-editor.org/rfc/rfc7871.html), an
> informational RFC.
>
> ### Extended DNS Errors
>
> **Extended DNS errors should be enabled.**
>
> For: All DNS resolver operators.
>
> DNS traditionally provides very broad error reporting, SERVFAIL being
> the most common. This makes diagnosing and fixing problems difficult.
> Extended DNS errors provide extra information about failures, for
> example expired DNSSEC signatures. They also allow resolver operators
> to report administrative reasons for DNS failures, such as blocks due
> to legal requirements.
>
> [RFC8914](https://www.rfc-editor.org/rfc/rfc8914.html) defines
> extended DNS errors.
>
> ### Negative Trust Anchors
>
> **Negative trust anchors may be deployed.**
>
> For: All DNS resolver operators.
>
> Negative trust anchors (NTA) allow a resolver operator to handle a
> case where an authoritative server has a DNSSEC problem and becomes
> inaccessible. They basically disable DNSSEC checking for a domain.
> When this is warranted is difficult to know with certainty, and will
> usually requires some manual checking. Since DNSSEC validation is now
> widespread, DNSSEC failures on the authoritative side will impact many
> resolvers.
>
> Because of these reasons this document does not recommend NTA, but
> also does not recommend that a deployment avoid NTA if it makes sense
> for that environment.
>
> Negative trust anchors are documented in
> [RFC7646](https://www.rfc-editor.org/rfc/rfc7646.html).
>
> ### DNS Error Reporting
>
> **DNS error reporting may be enabled.**
>
> For: All DNS resolver operators.
>
> DNS error reporting is a way for resolver operators to let
> authoritative operators know about problems in authoritative servers
> or zones. It provides little direct value for the resolver operators,
> but over time should improve the overall quality of the DNS ecosystem.
> It is neither widely deployed nor standardized, but hopefully will be
> both soon. Resolver operators are encouraged to enable DNS error
> reporting when it is available.
>
> DNS error reporting is proposed in
> [draft-ietf-dnsop-dns-error-reporting](
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting).
>
> ### Trust Anchor Reporting
>
> **Trust anchor reporting should be enabled.**
>
> For: All DNS resolver operators.
>
> Trust anchor reporting is a way for resolver operators to convey their
> DNSSEC trust anchor configuration to the operator of the zone that it
> is for. For most resolvers this is only the root zone. This
> information is intended to be used during a root KSK rollover to
> ensure that it is safe to proceed. In the future ICANN is planning an
> algorithm roll for the root KSK, and this information could be
> helpful. Resolver operators are encouraged to enable trust anchor
> reporting.
>
> [RFC8145](https://www.rfc-editor.org/rfc/rfc8145.html) covers trust
> anchor reporting, in both possibilities available.
>
> ### Name Server Identification
>
> **Servers should be configured to identify themselves.**
>
> For: All DNS resolver operators.
>
> Large resolver operations, especially publicly available resolvers,
> should support an in-band method of discovery that is obvious to
> permit users to discover what node has answered their query. This
> improves troubleshooting significantly, and may be useful for research
> and testing purposes. NSID (Name Server Identifier) is ideal for this,
> though also “CH TXT id.server” support is also reasonable. Geographic
> hints should be provided in this data, though specific host data is
> optional for arrays of servers in clusters. IATA codes have
> traditionally been used for naming points-of-presence, though this is
> at the discretion of the operator.
>
> [RFC5001](https://www.rfc-editor.org/rfc/rfc5001.html) describes NSID.
>
> [RFC4892](https://www.rfc-editor.org/rfc/rfc4892.html) describes name
> server identification in general, and documents the pre-NSID
> approaches.
>
> ## Privacy, Filtering, Transparency
>
> ### Privacy & anonymity
>
> DNS Resolver operators are advised to apply
> [RFC8932](https://www.rfc-editor.org/rfc/rfc8932.html)
>
> "Recommendations for DNS Privacy Service Operators" as follows:
>
>    1. its operational and policy guidance related to DNS encrypted
>    transports and data handling, by applying all "Threat mitigations"
>    (thereby by meeting its level of "minimally compliant") and
>    additionally by applying the "Optimizations" on EDNS Client Subnet
>    listed in section 5.3.1.
>
>    2. its framework on a Recursive operator Privacy Statement, by
>    publishing a privacy statement on their website covers all topics in
>    Section 6. (See for example
>    [Cloudflare's
> statement](
> https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver)
>    or [Quad9's privacy page](https://www.quad9.net/service/privacy/).)
>
> #### Logging considerations
>
> In addition to the logging recommendations from RFC8932, operators
> should consider the following:
>
> 1. Third party access to personal data: Resolver operators may receive
>     third party requests for information they have logged that relates
>     to users, including IP addresses, queries and meta data.  Resolvers
>     should only comply with such requests when balancing legitimate
>     third party interest with the user's fundamental rights, including
>     rights to privacy. Usage information can be personal data,
>     Personally Identifable Infomation (PII) or similarly regulated
>     under the privacy laws applicable to the users, operator or third
>     party, revealing a person's health, lifestyle or other personal
>     preferences (profiling). For example, logging information that
>     documents a user resolving a website for alcoholics anonymous may
>     relate to the health of a person behind an IP address.
>
> 2. Data security: DNS Resolver operators should take appropriate
>     technical and organisational measures to protect logging
>     information that relates to users.
>
> #### Advertisement Policy
>
> If there is any advertising from the service, the policy should be
> published as well as how it can potentially affect the users' privacy.
>
> ### Filtering and blocking
>
> #### Block Lists
>
> Resolvers can be directed to block or modify answers in various ways.
> Blocklists may be provided by governments, communities, or other
> parties (for example security firms).
>
> Response Policy Zone (RPZ) allows a way to both document specific
> modifications that resolvers will make to DNS answers, and send the
> rules to resolvers. This allows updates to occur very quickly. If RPZ
> or some other high-speed blocking technology is used, the parties
> supplying these sources must be highly trusted, as changes to
> blocklists will usually immediately impact user queries.
>
> RPZ is not standardized, but there is an IETF draft,
> [draft-vixie-dnsop-dns-rpz](
> https://datatracker.ietf.org/doc/draft-vixie-dnsop-dns-rpz/00/).
>
> #### Legal blocking
>
> **Legal requests and blocking and filtering laws:** DNS resolver
> operators should not filter content and block access to web-services.
> When the local law requires blocking, and the law applies to the
> resolver, the resolver should transparently disclose a list of blocked
> websites and services, when possible (disclosing such a list may not
> be allowed by law or regulation). Similarly, the resolver should
> disclose the source of such block lists, when possible.
>
> If it is not possible to disclose the source of blocklists, operators
> should try to be as transparent as possible about how they receive
> those blocklists, based on what criteria, and how they mitigate errors
> and false positives. Disclosing which organizations operators interact
> with, how they liase, and so on, can help users understand the impact
> on the service provided.
>
> If possible, resolvers should provide information about blocked
> responses via the Extended DNS Error with the Blocked, Censored,
> Filtered, or Prohibited code - whichever applies best - along with a
> text why the response was blocked, censored, filtered, or prohibited.
>
> [RFC 8914](https://www.rfc-editor.org/rfc/rfc8914.html#section-4.16)
> provides information about the meanings of the different codes.
>
> **Community governance of blocklists:** blocklists, if mandatory, have
> to be audited and assessed by third parties and there should be a
> right to appeal for those blocked. The Internet community can vet the
> blocklists from time to time to avoid blocking access to websites that
> are mistakenly blocked. During crisis - when mistakes can have drastic
> effects on accessing a critical service - preferably filtering and
> blocking should not be used.
>
> #### Opt-in/Opt-out Mechanisms
>
> End users may choose to use a DNS resolver that filters specific kinds
> of traffic. For example, they may wish to avoid potential malware web
> sites. Or resolver operators may be required to default to filtering
> but allowed for to provide an unfiltered DNS resolver service.
>
> Depending on the specific requirements, a resolver service may publish
> different IP addresses and what type of filtering applies to each
> address. It is also possible to perform client authentication and
> authorization, using IP-based authentication, TSIG keys, or
> client-side TLS certificates.
>
> ### Transparency
>
> Public DNS resolver operators should publish transparency reports to
> build user trust in their adherence to policies and practices. This
> goes beyond our advise to apply RFC8932, section 6.2.
>
> A common frequency is once a year. The reports inform the public about
> disclosure of user information and removal of content required by law
> enforcement and other government agencies.
>
> Transparency reports should (to the extent that the law allows)
> indicate which government agencies and law enforcement agencies
> request access on what basis.
>
> It should also be clear from the transparency reports what kind of
> data has been requested and if content removal and content blocking
> have been requested. Categories of data include: Content Data, Basic
> Subscriber Data, Other Non-Content Data and Content Blocking.
>
> #### Negative Trust Anchor reporting
>
> Negative Trust Anchors (NTA) are discussed in the previous section on
> DNS configurations. If NTAs are present in the resolver, they should
> be published with as much detail as possible about them. This includes
> reasons for insertion, dates of activation and expected removal dates,
> or a published review date or cycle for when NTAs should be actively
> examined for deletion if such fine-grained information cannot be
> shared.
>
> NTAs are equivalent to a security fault, and may even be more
> significant than a block event as they remove expected trust behavior
> with limited signal of that trust downgrade ("limited" because few if
> any clients care about those response bits changing.).
>
> #### Human rights considerations
>
> DNS resolvers can opt for declaring their understanding of their
> responsibilities regarding human rights from the Universal Declaration
> of Human Rights. As an example of a public DNS resolver operator,
> Quad9 mentions rights to freedoms without distinction made on the
> basis of country, no interference with privacy, the right to freedom
> of opinion and expression, the right to peaceful assembly, and the
> right to freely participate in the cultural life of the community.
>
> See
> [Quad9's Human Rights
> Considerations](https://www.quad9.net/privacy/human-rights-considerations/
> )
> for the full statement.
>
> It also invokes other human rights related solutions other than
> [UDHR](https://www.un.org/en/universal-declaration-human-rights/) such
> as Articles 8 and 9 of Resolution 42/15 of the United Nations Human
> Rights Council on the right to privacy in the digital age of 26
> September 2019 more directly define the responsibilities of the
> private sector toward the furtherance of human rights in modern terms.
> They also follow the Guidelines for Human Rights Protocol and
> Architecture Consideration of the Human Rights Protocol Considerations
> Research Group at Internet Research Task Force.
>
> The latest version of the IRTF
> [Guidelines for
> HRPC](https://tools.ietf.org/html/draft-irtf-hrpc-guidelines) may be
> considered for all network operators.
>
> ## Appendix A: Why Did RIPE Write This Document?
>
> There is increasing concern that large open DNS resolvers will become
> centralised points of DNS operations on the Internet. In order to
> address this, the European Commission issued the
> [DNS4EU](
> https://hadea.ec.europa.eu/calls-proposals/equipping-backbone-networks-high-performance-and-secure-dns-resolution-infrastructures-works_en
> )
> proposal. However, such an initiative could lead to centralised
> guidance or regulation which might interfere with the decentralised
> way the Internet infrastructure works - including the DNS. See for
> reference the
> [RIPE NCC Open House
> discussion](
> https://labs.ripe.net/author/chrisb/dns4eu-ripe-ncc-open-house-discussion/
> )
> on this topic.
>
> Rather than attempting to respond to the EC proposal or organize
> specific DNS resolver deployments, the RIPE community has decided that
> it is best able to provide advice and guidance. The RIPE Community is
> well positioned to provide a set of Best Current Practices that
> operators of Open DNS Resolvers will be encouraged to subscribe to.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ripe.net/ripe/mail/archives/dns-resolver-tf/attachments/20240324/0595ff12/attachment-0001.html>