Re: [dns-privacy] how can we ADoT? (with github url)

Tony Finch <> Fri, 13 November 2020 17:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 913993A0FC1 for <>; Fri, 13 Nov 2020 09:28:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sNQNpK8G6yAt for <>; Fri, 13 Nov 2020 09:28:55 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 740A33A09EE for <>; Fri, 13 Nov 2020 09:28:27 -0800 (PST)
X-Cam-AntiVirus: no malware found
Received: from ([]:37136) by ( []:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1kdcs3-000GdE-mL (Exim 4.92.3) (return-path <>); Fri, 13 Nov 2020 17:28:24 +0000
Date: Fri, 13 Nov 2020 17:28:23 +0000
From: Tony Finch <>
To: Manu Bretelle <>
cc: DNS Privacy Working Group <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <> <>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <>
Subject: Re: [dns-privacy] how can we ADoT? (with github url)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Nov 2020 17:28:57 -0000

Manu Bretelle <> wrote:

> The "cloud provider" case, e.g few name servers for many zones is also
> tricky.

I prefer to think of this as the normal common case, since I'm not a cloud
provider and I have many more zones than servers :-)

> I think in those cases, TLSA may be the best bet as this is under
> control of the nameserver, not the zone operator. Then there  may be issue
> with being able to opt people in/out. I think in any cases, if you want to
> be able to gradually enroll your customers while giving the the choice to
> not be enrolled, you essentially need to provide them with a new NS that
> supports ADoT and have them move over.

Yes. It can be just different aliases for the same server, where the
aliases differ in whether they have associated TLSA records or not. (I
need to write more about nameserver aliases.)

> That hint could be downgraded, but if not, can be used to fetch the TLSA
> record over an unauthenticated TLS connection and then validating it. I
> suppose it just obfuscate the  zone, which may be useful *if* multiple name
> server names are behind the same IP and/or name server name matches the
> zone name (because TLSA record would be against name server name, not zone).
> Unless the query to the parent zone was using ADoT, that information may
> already be known from someone on-path.

Yes. (I think I covered all those points in my notes.)

f.anthony.n.finch  <>
Fair Isle: South 6 to gale 8. Rough or very rough, occasionally high in
northwest. Rain or squally showers. Good, occasionally poor.