Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 31 March 2021 13:01 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "jim@rfc1035.com" <jim@rfc1035.com>, "brian@innovationslab.net" <brian@innovationslab.net>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 31 Mar 2021 13:00:43 +0000
Message-ID: <a8eacd5988df461c9ec3c858dd426bb7@verisign.com>
References: <c925da9089fa4b1e991ec74fc9c11e7f@verisign.com> <CAChr6Sxwao=FAcoeHMuOf0L=JCZ+wvhsr9BNZW_dbt+1=HWQwg@mail.gmail.com> <CAMGpriX5rbswMQnjh4gZqsLjh2xUJxjJVxe2rEAVu=RdLAbGFw@mail.gmail.com> <CABcZeBOntrAqq_bVL-y-BP0DZLvYmVMkvKqi8K0D_SFqAfCVXg@mail.gmail.com> <96c2475d-ad93-a442-2003-db6f8782e450@cs.tcd.ie> <CAMGpriXdU7_mJh8CQvSiZGQaDUD9aZF=0iYu0yKBS06khAHgng@mail.gmail.com> <4094551f-4b39-a996-f12f-8c5317c4fe21@nic.cz> <20210331092449.GD10597@nic.fr> <cefd04bf-8685-1894-ef3a-b61ce6a37167@innovationslab.net> <155BAF8D-9F65-4C5C-9EB1-58EFD70827B5@rfc1035.com> <c1ae3401-2565-016b-7acc-4891d0bde067@cs.tcd.ie>
In-Reply-To: <c1ae3401-2565-016b-7acc-4891d0bde067@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Hm93Mgblx0XQoGFc9TsG9rXRnpo>
Subject: Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

> -----Original Message-----
> From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Stephen
> Farrell
> Sent: Wednesday, March 31, 2021 8:58 AM
> To: Jim Reid <jim@rfc1035.com>; Brian Haberman
> <brian@innovationslab.net>
> Cc: dns-privacy@ietf.org
> Subject: [EXTERNAL] Re: [dns-privacy] Root Server Operators Statement on
> DNS Encryption
>
>
> Hiya,
>
> On 31/03/2021 13:52, Jim Reid wrote:
>
> > We all want better privacy of course. For some definition of privacy.
> > But what does that actually mean in the context of queries to
> > authoritative servers at the root or TLDs?
>
> Workable answers for the root and TLDs are likely very different, as the scale
> of risk is very different.
>
> I think it doesn't really help to try discuss both root servers and TLDs at the
> same time.
>
> > And is TLS the *only* game
> > in town?
>
> When encrypting DNS based on some standard protocol? It is, though of
> course you can have that DoT or DoH or DoQ or maybe even opaquely
> flavoured ;-(

[SAH] Why assume that encryption is required to provide confidentiality?

Scott