Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative

Rob Sayre <> Sat, 08 August 2020 02:12 UTC

To: John Levine <>
Cc: DNS Privacy Working Group <>

On Fri, Aug 7, 2020 at 7:04 PM John Levine <> wrote:

> In article <> you write:
> > Assuming this traffic is encrypted, which I am in favor of, the CPU load on
> > the authoritative server will increase after an outage or network problem.
> >
> > Is this already factored in?
> How is that different from now? If a DNS server is offline and comes
> back online, it will see a bunch of queries.

The issue is that connection establishment will be expensive, which is
something separate from getting a bunch of queries. As others have pointed
out, this cost will be amortized to almost nothing most of the time. After
an outage, this connection establishment cost will have to be dealt with in

I don't have an opinion on whether this should be implementation guidance,
or even in the spec.
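A small capacity model of the point being discussed, added here and not part of the thread. It assumes one long-lived encrypted session per recursive resolver, a fixed CPU cost per session establishment and per query, sessions renewed every `session_lifetime` seconds, and an outage that drops every session at once; it then compares the steady-state per-second cost (handshakes amortised) with the reconnect burst after the outage, optionally spread over several seconds.

```python
"""Toy load model for encrypted recursive-to-authoritative DNS (added example).

Assumed, not taken from the thread: one persistent session per resolver,
`handshake_cost` CPU units per session establishment, `query_cost` per query,
renewal every `session_lifetime` seconds, and an outage that drops all sessions.
"""

def simulate_load(n_resolvers, qps_each, session_lifetime, outage_start,
                  outage_end, seconds, handshake_cost=100.0, query_cost=1.0,
                  reconnect_spread=1):
    """Per-second CPU cost on the authoritative server over `seconds`.

    reconnect_spread=1: every resolver reconnects in the first second after
    the outage; larger values spread the reconnects over that many seconds.
    """
    connected = [False] * n_resolvers
    # Second at which resolver i next (re)establishes its session; staggered
    # at start so the steady state carries no burst.
    next_connect = [i % session_lifetime for i in range(n_resolvers)]
    load = []
    for t in range(seconds):
        if outage_start <= t < outage_end:
            # Server down: nothing is served and every session is lost.
            connected = [False] * n_resolvers
            next_connect = [outage_end + i % reconnect_spread
                            for i in range(n_resolvers)]
            load.append(0.0)
            continue
        cost = 0.0
        for i in range(n_resolvers):
            if next_connect[i] <= t:          # full session establishment
                cost += handshake_cost
                connected[i] = True
                next_connect[i] = t + session_lifetime
            if connected[i]:                  # queries flow only on a live session
                cost += qps_each * query_cost
        load.append(cost)
    return load

def peak_ratio(load, session_lifetime, outage_start, outage_end):
    """Worst post-outage second divided by the pre-outage steady-state cost."""
    steady = load[session_lifetime:outage_start]
    return max(load[outage_end:]) / (sum(steady) / len(steady))

if __name__ == "__main__":
    for spread in (1, 30, 100):
        load = simulate_load(1000, 2, 100, 200, 230, 600, reconnect_spread=spread)
        print(f"spread={spread:3d}s steady={load[150]:.0f} "
              f"peak={max(load[230:]):.0f} ratio={peak_ratio(load, 100, 200, 230):.1f}x")
```

With the constructed parameters the steady state costs 3000 units per second, an unspread reconnect peaks at 102000 (34x), and spreading reconnects across one full session lifetime brings the peak back to the steady-state level.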