Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 31 March 2021 13:20 UTC

To: Jim Reid <jim@rfc1035.com>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <3be9a2fa-b09d-18ba-8a4a-b539e11b6ce1@cs.tcd.ie>
Date: Wed, 31 Mar 2021 14:20:12 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/cDyK2_TuagxOgUF2IdocHO6JpEc>

Hiya,

On 31/03/2021 14:12, Jim Reid wrote:
> I know that Stephen. The point I was trying (and apparently failing)
> to make was there are other privacy-friendly tools/protocols
> available that could well be good enough solutions for some parts of
> the problem space.
> 
> As an example, widespread adoption of RFC8806 - no sniggering at the
> back! - could obviate the need for encrypted queries to the root or
> possibly offload the TLS goop to the local instances of the root. But
> the WG doesn’t seem to want to consider that.

Not sure how you reach that conclusion TBH. ISTM that that
is actively being discussed.

It seems pretty obvious though that while such mechanisms
can certainly help for root servers, there is going to be a
need for a TLS-based mechanism if TLDs want significantly
better privacy. I reckon that's the case even if traffic from
large recursives isn't considered sensitive - there'll I
guess always be many smaller recursives where queries are
going to be sensitive. (What's not yet clear is whether we
can define a TLS-based mechanism that's good enough to get
widely deployed by TLDs.)

Cheers,
S.