Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 31 March 2021 09:16 UTC

Date: Wed, 31 Mar 2021 11:15:30 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Rob Sayre <sayrer@gmail.com>
Cc: Erik Kline <ek.ietf@gmail.com>, "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>, "dprive@ietf.org" <dprive@ietf.org>
Message-ID: <20210331091530.GB10597@nic.fr>
References: <c925da9089fa4b1e991ec74fc9c11e7f@verisign.com> <CAChr6Sxwao=FAcoeHMuOf0L=JCZ+wvhsr9BNZW_dbt+1=HWQwg@mail.gmail.com> <CAMGpriX5rbswMQnjh4gZqsLjh2xUJxjJVxe2rEAVu=RdLAbGFw@mail.gmail.com> <CAChr6SxmUf8bb9KZCu8Ytx2uajugPObKpXvgwmBD_rA5km36rQ@mail.gmail.com>
In-Reply-To: <CAChr6SxmUf8bb9KZCu8Ytx2uajugPObKpXvgwmBD_rA5km36rQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Du62KGA1FUFoDJBL-1iZfp4JEyM>
Subject: Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

On Tue, Mar 30, 2021 at 05:19:29PM -0700,
 Rob Sayre <sayrer@gmail.com> wrote 
 a message of 69 lines which said:

> The DNSSEC stuff stood out to me. Why is that even seen as something that
> would help?

Because one of the ways to improve privacy at the root is local
synthesis of answers by the resolver, following RFC 8198, and it
depends on DNSSEC. (Otherwise, we could just use RFC 8020.)

True, it will work only for non-existing domains, which may not be too
revealing, but it is just one of the recommended ways, the other being
QNAME minimisation (which does not depend on DNSSEC).
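The local synthesis mentioned above, as an added example that is not part of the original message or of any resolver's code: a Python check of whether a cached, already DNSSEC-validated NSEC record from the root zone covers a queried name, which is what RFC 8198 relies on to answer NXDOMAIN without sending the query to a root server. The NSEC records and names below are constructed sample data, and signature validation is assumed to have happened before the record entered the cache.

```python
# Added example (not from the thread): NSEC covering check for RFC 8198-style
# local synthesis of NXDOMAIN from a validated root-zone cache.

def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical DNS name ordering:
    labels compared right-to-left as lowercase octet strings."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, types: set, qname: str,
                apex: str = ".") -> bool:
    """True if NSEC 'owner -> next_name' proves qname does not exist.

    - The last NSEC in a zone points back to the apex; its range wraps around.
    - An NSEC at a delegation point (NS present, SOA absent) proves nothing
      about names below that delegation; the child zone is authoritative.
    """
    k_owner, k_next, k_q = map(canonical_key, (owner, next_name, qname))
    if k_q == k_owner:                        # the name exists: it owns the NSEC
        return False
    below_owner = len(k_q) > len(k_owner) and k_q[:len(k_owner)] == k_owner
    if below_owner and "NS" in types and "SOA" not in types:
        return False                          # below a delegation: ask the child
    if k_next == canonical_key(apex):         # wrap-around: last NSEC in the zone
        return k_q > k_owner
    return k_owner < k_q < k_next


def synthesize_nxdomain(cache: list, qname: str) -> bool:
    """True when some cached NSEC covers qname, so the resolver can answer
    NXDOMAIN itself and the query never reaches the root."""
    return any(nsec_covers(o, n, t, qname) for o, n, t in cache)


# Constructed sample of validated root-zone NSEC records: (owner, next, types).
ROOT_NSEC_CACHE = [
    ("com.", "coop.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("fr.", "ga.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw.", ".", {"NS", "DS", "RRSIG", "NSEC"}),   # last NSEC wraps to the apex
]

if __name__ == "__main__":
    for q in ("con.", "fr.", "example.fr.", "zzz."):
        verdict = "synthesize NXDOMAIN" if synthesize_nxdomain(ROOT_NSEC_CACHE, q) \
            else "query the root (or follow the delegation)"
        print(f"{q:<14} -> {verdict}")
```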