Re: [dns-privacy] Root Server Operators Statement on DNS Encryption
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 31 March 2021 01:37 UTC
Hiya,

On 31/03/2021 01:53, Erik Kline wrote:
> I think, "IN NS com." doesn't reveal much information.

Right. And such cases are probably a huge percentage of both all, and all-of-the-sensitive, queries to root servers.

> But perhaps "IN NS sensitive-tld." could have privacy implications
> for some folks?

I guess that's a fair point that querying some e.g. ccTLD NS from some locales could sometimes be an issue. Do we have any information as to the prevalence of such? (Or of cases where such queries are abused in ways that decrease privacy or enforce censorship.)

Maybe in addition to recommending QNAME minimisation it'd be good if root server operators also recommended that services which face such issues deploy those services lower down in the naming hierarchy? My guess is that service providers will do that anyway but no harm to give a bit of direction.

On 31/03/2021 02:17, Eric Rescorla wrote:
>
> However, recall that the TLS connection to the parent is what
> protects the NS records for the child, as they are not DNSSEC signed.
> Thus, one has a somewhat fragile situation if one has to store a
> lookaside list of the TLS status (and at some level the nameservers!)
> for the TLDs. I'm not saying it's unmanageable, but it's not
> amazing.

Also fair. Requiring the parent to be involved is a big deal for any of the offered solutions here (regardless of whether or not DNSSEC is involved).

In any case, I still think we ought to be able to live with a situation where the root server operators do less than the TLD server operators - it's the queries to the latter that more or less have to include the vast majority of sensitive information. (And if a solution that works for .com is found, then I bet we'd be able to find something that works as well for root server operators.)

Cheers,
S.
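To make the "IN NS com." point concrete, the following is an added illustration (not code from the thread or from any root server operator) of which query each zone's nameservers observe during an iterative lookup, with and without QNAME minimisation. It assumes a zone cut at every label, which simplifies real delegations.

```python
# Added example: what each zone in the delegation chain sees for one lookup,
# with and without QNAME minimisation. Assumes a zone cut at every label
# (a simplification; real delegations are often coarser).

def labels(qname):
    """'www.example.org.' -> ['www', 'example', 'org']"""
    return [l for l in qname.lower().rstrip(".").split(".") if l]

def observed_queries(qname, qtype="A", minimise=True):
    """Return [(zone, qname_sent, qtype_sent), ...], one entry per zone
    contacted, starting with the root zone '.'."""
    labs = labels(qname)
    n = len(labs)
    full = ".".join(labs) + "."
    out = []
    for i in range(n):
        zone = ".".join(labs[n - i:]) + "."          # '.' for the root
        if minimise and i < n - 1:
            # Ask only for the next label down, as an NS query
            # (the "IN NS com." shape discussed in the thread).
            sent, sent_type = ".".join(labs[n - i - 1:]) + ".", "NS"
        else:
            # Final zone (or no minimisation): the full name and real type.
            sent, sent_type = full, qtype
        out.append((zone, sent, sent_type))
    return out

def root_sees(qname, minimise=True):
    """The single (qname, qtype) the root servers observe for this lookup."""
    return observed_queries(qname, minimise=minimise)[0][1:]

if __name__ == "__main__":
    # Constructed sample name; only the TLD label reaches the root when minimised.
    for m in (False, True):
        print("minimise =", m)
        for zone, q, t in observed_queries("www.secret.example.", "A", m):
            print(f"  {zone:<18} sees  {q} {t}")
```

With minimisation on, moving a service from `service.sensitive-tld.` to `service.example.com.` changes what the root observes from `sensitive-tld. NS` to `com. NS`, which is the "deploy lower in the hierarchy" suggestion in numbers.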