[DNSOP] New I-D: draft-dns-content-delivery-00 (DNS-Based Content Delivery & Fallback)

April John <aprl@sakamoto.pl> Fri, 27 March 2026 11:54 UTC

Return-Path: <aprl@sakamoto.pl>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 43BA3D256F53 for <dnsop@mail2.ietf.org>; Fri, 27 Mar 2026 04:54:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1774612498; bh=ukAwPB/wJqKHsDZGHnTfbkP6y0+gASBgv3vsiJh43jE=; h=Date:From:To:Subject; b=giZ+MHFcdCHa7Ttdy9L8ptoiAcElKSo4yjCcjc4mkZwcenvjr6D+8Ck9rOlAuttLa uQYriIgEa8XU7hrnqRvgd/+ASn2cAdoSf9E009ZIqz69wcvk31i63CeodddHkwDLYt frLiHKfdJHOybxXOCJRYpReoJg/1Yss5qsVQ62ns=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_FMBLA_NEWDOM28=0.799, MSGID_FROM_MTA_HEADER=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sakamoto.pl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MYmFxOqxGUrg for <dnsop@mail2.ietf.org>; Fri, 27 Mar 2026 04:54:57 -0700 (PDT)
Received: from mail.sakamoto.pl (mail.sakamoto.pl [IPv6:2a0d:eb00:8006::1337]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 30E87D256E8E for <dnsop@ietf.org>; Fri, 27 Mar 2026 04:54:39 -0700 (PDT)
Authentication-Results: mail.sakamoto.pl; auth=pass (login)
MIME-Version: 1.0
Date: Fri, 27 Mar 2026 12:54:02 +0100
From: April John <aprl@sakamoto.pl>
To: dnsop@ietf.org
Message-ID: <e96eb0afef8dc48f8b8d3a77f6f8af01@acab.dev>
X-Sender: aprl@sakamoto.pl
Organization: Servfail
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Received: from localhost (Unknown [127.0.0.1]) by mail.sakamoto.pl (Haraka/3.0.3) with ESMTPSA id DE87B1DC-54D1-40EC-A83A-F9B3114ADF9A.1 envelope-from <aprl@sakamoto.pl> tls TLS_AES_256_GCM_SHA384 (authenticated bits=0); Fri, 27 Mar 2026 12:54:02 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakamoto.pl; h=Content-Transfer-Encoding: Content-Type: Message-ID: Subject: To: From: Date: MIME-Version; q=dns/txt; s=s20200705610; t=1774612443; bh=sqk7mF+2HGgHTKdxCMMFQhgCj4SD9cTSmrUbxIPMUFU=; b=IIra5tHcdQ8wK5xVe6vRW4pcd5kc1zKNbYsPOYjoypnvmoUK0Cd++geYLPpoSbPBi0MUdxJ1y /eeiVqUD4P2DBr8jrlUMophggwyk4z/cNNXG3081JRcdGjT3xwul67nUTKsL/GpBHLnrX3g04By fCqgxtdT1tPIDaRRo9iKqXSCFTEszr1Inf1toRHW0Lb3NdZOV+lozPaXiltYWs6QDIHu0lf0+IU 73pN2EBSn8+VcjvjAib7Tf7hkUcRGN236BWY50eXa3P21bgrAsuLGsCNbtEMZ8lSH1omqJVqz6m 9lzdOWswjIgbgxepbiOznDbD2uBxnwbbU0/sbfNCW4Yg==
Message-ID-Hash: 6R433EFVWMBLWCKH2QKMIN32LMQFP5XD
X-Message-ID-Hash: 6R433EFVWMBLWCKH2QKMIN32LMQFP5XD
X-MailFrom: aprl@sakamoto.pl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] New I-D: draft-dns-content-delivery-00 (DNS-Based Content Delivery & Fallback)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/q6TZjY--IskxbUKfqqhUKpJIJkw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi everyone,

I have just submitted a new individual Internet-Draft, 
draft-dns-content-delivery-00 , titled "DNS-Based Content Delivery & 
Fallback Mechanism".

This document proposes a new protocol (DNSC) that allows User Agents to 
retrieve content, such as HTML or JSON, directly via DNS TXT records.
The primary goals of this mechanism are:

    - Primarily, o provide a fallback mechanism for when a primary 
service's A/AAAA records are unreachable or result in connection 
timeouts.

    - To offer a lightweight hosting solution for parked domains or 
placeholder sites.

Key technical aspects of the draft include:

    - It allows for content delivery using entries in the DNS.

    - It establishes trust and can provide a secure context by relying on 
DNSSEC validation.

    - It implements a chunking mechanism to support content that exceeds 
the safe size limits of a single DNS message by splitting it across 
multiple records.

    - It supports content compression, specifically gzip and Brotli.

The full draft is available here:
https://datatracker.ietf.org/doc/draft-dns-content-delivery/

I would greatly appreciate any feedback, reviews, or thoughts from the 
working group regarding the architecture, security considerations, and 
general interest in this approach.

Best regards,

April Faye John

---

PS: Here are some possible questions that I thought y'all might have, 
and my thoughts on them:

Q: DNS is designed for low-latency name resolution, not for hosting 
content like HTML or JSON. Can't large TXT records can lead to packet 
fragmentation or increased load on recursive resolvers?

A: This is meant as a fallback mechanism or for parked domains only. It 
is not intended to replace high-traffic web servers. See my 
recommendation for caching and chunk limits (max 16 chunks) as a way to 
protect the infrastructure in Security Considerations.

--

Q: Aren't large TXT records are a classic tool for DNS Amplification 
DDoS attacks? An attacker can send a small spoofed query and cause a 
large response to be sent to a victim.

A: Since these are TXT records, they are no more dangerous than existing 
large TXT records (like those used for DKIM or SPF) if managed 
correctly.

--

Q: Your security model relies entirely on DNSSEC for trust. If a zone 
isn't signed, the content is "insecure," which many modern browsers are 
moving away from.

A: In my opinion this creates an incentive for DNSSEC adoption. By tying 
"Secure Context" status to DNSSEC validation, you provide a tangible 
benefit for domain owners to sign their zones and many Registrars 
nowadays automatically provide DNSSEC for their customers.

--

Q: The IETF recently standardized SVCB and HTTPS records (RFC 9460) to 
provide instructions on how to reach a service. Why not just use those?

A: SVCB/HTTPS records tell a client how to connect to an HTTP server, 
whereas DNSC provides the actual content when that server is dead or 
non-existent. It’s a solution for the "Connection Refused" scenario.

--

Q: DNS queries are often unencrypted (unless using DoH/DoT). Serving 
content via DNS might expose a user's browsing habits even more than 
standard SNI does.

A: There are two answers to that:
1. This method is intended to serve static content, not dynamic ones. 
All those pages that a user could browse on, that serve similar content 
anyways, are A) already crawled and backed up my many spiders in the 
internet (like the wayback machine) and B) would not show different 
content per person anyways, so a MITM like an ISP could just auto curl 
those pages and would get the same result
2. As DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) become standard, the 
privacy of a DNSC request becomes better than a standard unencrypted 
HTTP request.