Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

Eric Rescorla <ekr@rtfm.com> Wed, 31 March 2021 00:25 UTC

References: <c925da9089fa4b1e991ec74fc9c11e7f@verisign.com> <CAChr6Sxwao=FAcoeHMuOf0L=JCZ+wvhsr9BNZW_dbt+1=HWQwg@mail.gmail.com> <CAMGpriX5rbswMQnjh4gZqsLjh2xUJxjJVxe2rEAVu=RdLAbGFw@mail.gmail.com>
In-Reply-To: <CAMGpriX5rbswMQnjh4gZqsLjh2xUJxjJVxe2rEAVu=RdLAbGFw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 30 Mar 2021 17:24:41 -0700
Message-ID: <CABcZeBOntrAqq_bVL-y-BP0DZLvYmVMkvKqi8K0D_SFqAfCVXg@mail.gmail.com>
To: Erik Kline <ek.ietf@gmail.com>
Cc: Rob Sayre <sayrer@gmail.com>, "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>, "dprive@ietf.org" <dprive@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/0J1t8eJY4qi4cE4HEO051V9nw6A>
Subject: Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

On Tue, Mar 30, 2021 at 5:08 PM Erik Kline <ek.ietf@gmail.com> wrote:

>
> On Tue, Mar 30, 2021 at 5:01 PM Rob Sayre <sayrer@gmail.com> wrote:
>
>> On Tue, Mar 30, 2021 at 7:49 AM Hollenbeck, Scott <shollenbeck=
>> 40verisign.com@dmarc.ietf.org> wrote:
>>
>>> This is worth reading:
>>>
>>> https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf
>>
>>
>> I am not sure I agree it is worth reading.
>>
>> Why can't "The Root Server Operators" run QUIC etc as well as their
>> existing UDP methods?
>>
>> thanks,
>> Rob
>>
>
> (no hats)
>
> From my reading the answer, and the whole document, seems to be
> summarizable in this one excerpt:
>
>     "Root Server Operators do not feel comfortable being the early
> adopters of authoritative DNS encryption and would like to first see
> increased deployment in other parts of the DNS hierarchy."
>
> Seems fair to me, for the time being.
>

As I said earlier, this seems overly conservative given our experience with
large scale TLS-based services.

With that said, this doesn't seem to me to present a severe problem: there
are a relatively small number of TLD servers, so we could probably create a
lookaside list of which ones support TLS as suggested in
draft-rescorla-dprive-adox-latest-00 Section 3.

-Ekr
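To make the lookaside-list idea concrete, here is an added illustration of how a resolver could consume such a list; it is not code from the draft, the thread or any root/TLD operator. The list format, the server names and the policy knobs are assumptions; what is standard is that DNS over TLS runs on TCP port 853 and that, as on plain TCP, each message on the stream is prefixed with a two-byte length (RFC 7858). The security-relevant point the example encodes is that a server the resolver already knows to support TLS should not be silently downgraded to cleartext when port 853 is blocked, which is what a pre-distributed list buys over opportunistic probing.

```python
"""Resolver-side transport selection from a lookaside list of TLS-capable
authoritative servers, plus the wire framing needed to actually send a query.

Added example, not code from draft-rescorla-dprive-adox or from the thread.
The list contents and format below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

DOT_PORT = 853   # DNS over TLS (RFC 7858)
DO53_PORT = 53   # classic DNS

# Constructed lookaside list: authoritative server names that the resolver
# knows out of band (e.g. shipped with its configuration) accept DNS over TLS.
# Real lists would be distributed and maintained elsewhere; these names are
# assumptions, not real TLD servers.
LOOKASIDE = {
    "a.example-tld-servers.net.": {"port": DOT_PORT},
    "b.example-tld-servers.net.": {"port": DOT_PORT},
}


@dataclass(frozen=True)
class Transport:
    host: str
    port: int
    tls: bool
    strict: bool  # True: never fall back to cleartext for this server


def normalize(name: str) -> str:
    """Lower-case and make fully qualified, so list lookups are not spoofable
    by case or by omitting the trailing dot."""
    return name.lower().rstrip(".") + "."


def select_transport(ns_name: str, allow_cleartext_fallback: bool = False) -> Transport:
    """Decide how to reach authoritative server ns_name.

    A server on the lookaside list is contacted over TLS and, by default,
    strictly: an attacker who blocks port 853 must not be able to force the
    resolver back to UDP/53 for a server it knows supports TLS. Servers not
    on the list get ordinary UDP/53, since nothing better is known about them.
    """
    key = normalize(ns_name)
    entry = LOOKASIDE.get(key)
    if entry is None:
        return Transport(key, DO53_PORT, tls=False, strict=False)
    return Transport(key, entry.get("port", DOT_PORT), tls=True,
                     strict=not allow_cleartext_fallback)


def order_servers(ns_names: Iterable[str], prefer_tls: bool = True) -> List[Transport]:
    """Order a zone's NS set so TLS-capable servers are tried first."""
    choices = [select_transport(n) for n in ns_names]
    if prefer_tls:
        choices.sort(key=lambda t: not t.tls)  # False (tls) sorts before True
    return choices


def on_connect_failure(t: Transport) -> Optional[Transport]:
    """Fallback policy when the chosen transport fails.

    Strict TLS entries fail closed (None: move on to another server rather
    than downgrade); non-strict TLS entries may retry the same host on UDP/53.
    """
    if t.tls and not t.strict:
        return Transport(t.host, DO53_PORT, tls=False, strict=False)
    return None


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding of a domain name (no compression)."""
    out = b""
    for label in normalize(name).rstrip(".").split("."):
        if not label:
            continue  # the root name encodes as a lone zero byte
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_for_stream(msg: bytes) -> bytes:
    """Two-byte big-endian length prefix used on TCP, and hence inside the TLS
    session for DNS over TLS (RFC 1035 s4.2.2, RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    for t in order_servers(["ns.other.test", "A.Example-TLD-Servers.NET"]):
        print(t)
    q = build_query("example.", 2, 0x1234)  # QTYPE 2 = NS
    print(frame_for_stream(q).hex())
```

In this sketch a hit on the list is strict by default; the `allow_cleartext_fallback` knob exists only to show where an opportunistic mode would diverge, and the tradeoff is exactly the downgrade an attacker gets by dropping packets to port 853.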