Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

Eric Rescorla <> Wed, 31 March 2021 01:18 UTC

From: Eric Rescorla <>
Date: Tue, 30 Mar 2021 18:17:18 -0700
To: Stephen Farrell <>
Cc: Erik Kline <>, "Hollenbeck, Scott" <>, "" <>, Rob Sayre <>

On Tue, Mar 30, 2021 at 5:33 PM Stephen Farrell <> wrote:

> Hiya,
> On 31/03/2021 01:24, Eric Rescorla wrote:
> > As I said earlier, this seems overly conservative given our experience with
> > large scale TLS-based services.
> For the root servers, I don't get why QNAME minimisation
> isn't enough? If it is enough, that'd imply to me that the
> root server operators statement is fine, so long as it
> is only read to apply to root servers and not TLDs.
> >
> > With that said, this doesn't seem to me to present a severe problem: there
> > are a relatively small number of TLD servers, so we could probably create a
> > lookaside list of which ones support TLS as suggested in
> > draft-rescorla-dprive-adox-latest-00 Section 3,
> I agree that the privacy issues with TLD servers are more
> worthy of attention and I guess require encryption if we are
> to improve things. I'm not saying the above draft is a good
> way to handle that, but the problem in querying TLDs is real,
> whereas for root servers it seems to me way less of a deal.
> Or... am I confused? (That happens often:-)

As Erik indicates, it's possible that the TLD is sensitive, though it's
a bit hard to evaluate that risk.

However, recall that the TLS connection to the parent is what protects the
NS records for the child, as they are not DNSSEC signed. Thus, one has a
somewhat fragile situation if one has to store a lookaside list of the TLS
status (and at some level the nameservers!) for the TLDs. I'm not saying
it's unmanageable, but it's not amazing.