Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative

Paul Ebersman <> Sat, 08 August 2020 22:09 UTC

Comments: In-reply-to Ask Bjørn Hansen <> message dated "Sat, 08 Aug 2020 14:54:29 -0700."

ask> I don't have data (and haven't looked into it recently), but I think
ask> it's a very safe assumption that

ask> - most of the authoritative servers don't use anycast

ask> - most authoritative queries (for an average resolver) go to
ask>   servers that use anycast

I'd disagree. There's been huge consolidation in the DNS operator
business and the vast majority of domain names are served by a fairly
small number of really large operators' auth servers.

Anycast for auth makes sense for robustness and resilience while not
inflating the number of listed NSs (keeping packet size small).

Combine that with most of the world using a smaller number of recursive
operators who also widely distribute via anycast and you wind up with
auth and recursive operators being in most of the same cities and data
centers and close to each other. This means cache misses aren't that
much slower than cache hits. Clients get fast answers, zones are
robustly and quickly served, everyone wins.

Whether centralization as a trend is good has already been argued on
this list and others plenty of times. ;)

There is definitely a choice or tradeoff between speed/robustness and