Re: [dns-privacy] [Ext] next steps for draft-opportunistic-adotq

[Jim Reid <jim@rfc1035.com>]

> On 23 Mar 2021, at 14:56, Paul Wouters <paul@nohats.ca> wrote:
> 
> The point of putting them into a TLD would be to be able to build up a
> secure private connection to the TLD nameserver, before issuing a target
> domain query within the TLD.

These things can be done without needing SVCB records. Though they do make that a little less clunky than trying DoT or DoH to some name in the NS RRset and hoping for the best.

> Your "remarkably bad idea" needs more qualifications that can be
> discussed on technical and societal merit.

Most of the busy TLDs use a mix of DNS providers and so there may not be a uniform provision of DoH and DoT service across all of the TLD’s authoritative servers. [Would busy TLD servers ever do DoT or DoH anyway?] Which I suppose could be argued the other way: for instance don’t send DoT traffic to provider A for $tld because they don’t do DoT.

Using SCVB records to say “send all DoH (say) traffic to $provider” is a vector for all sorts of nasties: DoS, privacy, competition, consolidation/centralisation, robustness, etc. These are things TLDs should try to avoid IMO.

It doesn’t seem right to allow a TLD operator to tell someone what DoH server(s) to use/not use to resolve $tld's names. Would SVCB records let the edge device or end user make informed choices about the privacy (or whatever) policies for those DoH servers? It’s one thing to do that for whatever.com*. IMO it’s something very different for .com as a whole. [*Other TLDs are available.]