Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?
Watson Ladd <watsonbladd@gmail.com> Wed, 30 October 2019 06:37 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 29 Oct 2019 23:37:15 -0700
Message-ID: <CACsn0c=6Kv5j0SKJkTLxSNSPoz_uA62p1vTjWx=ccVJbnv4f7A@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: Eric Rescorla <ekr@rtfm.com>, dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/YAYezwslOM9WoItNT1JNmRA0SrU>
Subject: Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?
On Tue, Oct 29, 2019 at 8:30 PM Jim Reid <jim@rfc1035.com> wrote:
>
> On 30 Oct 2019, at 01:32, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>> Yes, it's hard, but I think it's worthwhile, because the prospect of getting the root to offer ADoT seems very distant to me.
>>>
>> Why? Do we have estimates of the load level here as compared to (say) Quad9 or 1.1.1.1?
>
> The root server operators publish statistics on the traffic they get. Links for some of their data can be found at https://root-servers.org.
>
> The anycast cluster for a.root-servers.net alone currently handles upwards of 8B queries/day - roughly 100,000 queries/second. That’s steady state. The numbers would go *far* higher than that during a Mirai-style DDoS attack.
>
> It’s going to be a challenge to get authoritative servers handling those sorts of query levels to support DoT (over TCP?). FWIW solving the non-trivial operational and engineering issues will be the easy bit. Solving the layer-9 issues will be harder. I expect that also holds for DoT support at authoritative servers for important TLDs or the DNS hosting platforms from the likes of Akamai, Dyn, UltraDNS, etc that handle very high query rates.
>
> I suppose someone could ask RS SAC* for their opinion on deploying DoT at the root. And having lit the blue touchpaper, I will now run away at great speed to watch the ensuing firework display. :-)

The root zone is data: whether one distributes it via DoT, DoH, IPv6, or carrier pigeon is irrelevant to the policies that govern what's in it.

And furthermore none of the network engineering issues raised against DoH apply to recursive to authoritative. We absolutely can engineer reliable anycast clusters to handle 100,000 queries a second. That's only 100 cores if each core can do 1000 queries a second. Akamai handles a substantially greater volume of considerably more expensive HTTPS traffic: the DNS queries are part of the HTTPS. Encryption at the root is very possible.

> * Other ICANN advisory committees are available.

--
"Man is born free, but everywhere he is in chains". --Rousseau.