Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

Stephen Farrell <> Wed, 31 March 2021 00:33 UTC

To: Eric Rescorla <>, Erik Kline <>
Cc: "Hollenbeck, Scott" <>, "" <>, Rob Sayre <>
From: Stephen Farrell <>
Date: Wed, 31 Mar 2021 01:33:28 +0100
Subject: Re: [dns-privacy] Root Server Operators Statement on DNS Encryption


On 31/03/2021 01:24, Eric Rescorla wrote:
> As I said earlier, this seems overly conservative given our experience with
> large scale TLS-based services.

For the root servers, I don't get why QNAME minimisation
isn't enough? If it is enough, that'd imply to me that the
root server operators' statement is fine, so long as it
is only read to apply to root servers and not TLDs.

> With that said, this doesn't seem to me to present a severe problem: there
> are a relatively small number of TLD servers, so we could probably create a
> lookaside list of which ones support TLS as suggested in
> draft-rescorla-dprive-adox-latest-00 Section 3,

I agree that the privacy issues with TLD servers are more
worthy of attention and I guess require encryption if we are
to improve things. I'm not saying the above draft is a good
way to handle that, but the problem in querying TLDs is real,
whereas for root servers it seems to me way less of a deal.

Or... am I confused? (That happens often :-)
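The QNAME minimisation point made above, as an added worked example that is not part of the thread: it simulates which name each authoritative server on the delegation chain receives with and without RFC 7816 minimisation, so one can compare what a root server versus a TLD server learns. The zone cuts and query names are constructed for the example.

```python
"""Added example: QNAME exposure per delegation level, with/without
RFC 7816 QNAME minimisation.  Resolution is simulated offline; the
set of zone cuts below is a constructed assumption, not live data."""


def labels(qname):
    """Split a name into labels, TLD first (e.g. 'www.example.co.uk' ->
    ['uk', 'co', 'example', 'www'])."""
    return [l for l in qname.rstrip(".").split(".") if l][::-1]


def resolution_path(qname, zone_cuts):
    """Zones a resolver walks for qname, root first, using only the
    delegation points listed in zone_cuts (apex names ending in '.')."""
    labs = labels(qname)
    path = ["."]
    for i in range(1, len(labs) + 1):
        zone = ".".join(reversed(labs[:i])) + "."
        if zone in zone_cuts:
            path.append(zone)
    return path


def names_seen(qname, zone_cuts, minimise):
    """Map each queried zone -> the QNAME its server receives.

    Without minimisation every server sees the full name.  With
    minimisation (RFC 7816) the server for zone Z is asked only for
    Z plus one more label, until the full name is reached."""
    qname = qname.rstrip(".") + "."
    labs = labels(qname)
    seen = {}
    for zone in resolution_path(qname, zone_cuts):
        if not minimise:
            seen[zone] = qname
            continue
        depth = 0 if zone == "." else zone.count(".")
        exposed = ".".join(reversed(labs[:depth + 1])) + "."
        # The server authoritative for the leaf gets the full query anyway.
        seen[zone] = exposed if depth + 1 < len(labs) else qname
    return seen


if __name__ == "__main__":
    cuts = {".", "uk.", "co.uk.", "example.co.uk."}  # constructed
    for flag in (False, True):
        print("minimisation" if flag else "classic   ",
              names_seen("www.example.co.uk", cuts, flag))
```

With minimisation the root sees only the TLD label, while the TLD server still learns the registered domain, which is the asymmetry the reply is pointing at.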