Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

Watson Ladd <watsonbladd@gmail.com> Wed, 30 October 2019 06:37 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 29 Oct 2019 23:37:15 -0700
To: Jim Reid <jim@rfc1035.com>
Cc: Eric Rescorla <ekr@rtfm.com>, dns-privacy@ietf.org
Subject: Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?
Message-ID: <CACsn0c=6Kv5j0SKJkTLxSNSPoz_uA62p1vTjWx=ccVJbnv4f7A@mail.gmail.com>
In-Reply-To: <BDFD7D8F-BB99-46DF-85AC-922DDF25A1D3@rfc1035.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/YAYezwslOM9WoItNT1JNmRA0SrU>

On Tue, Oct 29, 2019 at 8:30 PM Jim Reid <jim@rfc1035.com> wrote:
>
> On 30 Oct 2019, at 01:32, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >> Yes, it's hard, but I think it's worthwhile, because the prospect of
> >> getting the root to offer ADoT seems very distant to me.
> >>
> > Why? Do we have estimates of the load level here as compared to (say)
> > Quad9 or 1.1.1.1?
>
> The root server operators publish statistics on the traffic they get.
> Links for some of their data can be found at https://root-servers.org.
>
> The anycast cluster for a.root-servers.net alone currently handles
> upwards of 8B queries/day - roughly 100,000 queries/second. That’s steady
> state. The numbers would go *far* higher than that during a Mirai-style
> DDoS attack.
>
> It’s going to be a challenge to get authoritative servers handling those
> sorts of query levels to support DoT (over TCP?). FWIW solving the
> non-trivial operational and engineering issues will be the easy bit.
> Solving the layer-9 issues will be harder. I expect that also holds for DoT
> support at authoritative servers for important TLDs or the DNS hosting
> platforms from the likes of Akamai, Dyn, UltraDNS, etc that handle very
> high query rates.
>
> I suppose someone could ask RSSAC* for their opinion on deploying DoT at
> the root. And having lit the blue touchpaper, I will now run away at great
> speed to watch the ensuing firework display. :-)

The root zone is data: whether one distributes it via DoT, DoH, IPv6, or
carrier pigeon is irrelevant to the policies that govern what's in it. And
furthermore none of the network engineering issues raised against DoH apply
to recursive to authoritative.

We absolutely can engineer reliable anycast clusters to handle 100,000
queries a second. That's only 100 cores if each core can do 1000 queries a
second.

Akamai handles a substantially greater volume of considerably more
expensive HTTPS traffic: the DNS queries are part of the HTTPS.

Encryption at the root is very possible.

>
> * Other ICANN advisory committees are available.


--
"Man is born free, but everywhere he is in chains".
--Rousseau.