6. Considerations for Unprotected Use
This section preserves the RFC text for DNS over CoAP, including CoAP FETCH exchanges, application/dns-message Content-Format 553, SVCB docpath discovery, OSCORE and (D)TLS protection, CoAP caching, IANA registrations, and operational/security considerations.
Original RFC Text
6. Considerations for Unprotected Use
The use of DoC without confidentiality and integrity protection is
NOT RECOMMENDED. Without secure communication, many possible attacks
need to be evaluated in the context of the application's threat
model. This includes known threats for unprotected DNS [RFC3833]
[RFC9076] and CoAP (Section 11 of [RFC7252]). While DoC does not use
the random ID of the DNS header (see Section 4.2.2), equivalent
protection against off-path poisoning attacks is achieved by using
random large token values for unprotected CoAP requests. If a DoC
message is unprotected, it MUST use a random token with a length of
at least 2 bytes to mitigate this kind of poisoning attack.