Re: [dns-privacy] Root Server Operators Statement on DNS Encryption

Bill Woodcock <> Wed, 31 March 2021 21:16 UTC

> On Mar 31, 2021, at 10:51 PM, Rob Sayre <> wrote:
> On Wed, Mar 31, 2021 at 1:29 PM Bill Woodcock <> wrote:
>>> > On Mar 31, 2021, at 9:55 PM, Rob Sayre <> wrote:
>>> > I still don't understand the resistance here. Some data on what the impact would be still seems like the most helpful thing to move the conversation forward.
>> We have that:
> That paper is about home measurements, and says:
> "Previous work [8,17,26] has studied the support and response times of DoT (and DoH). However, the studies performed response time measurements from proxy networks and data centers, which means that results might not appropriately reflect the latency of regular home users..."

…and it’s measuring latency rather than server-side load.  I just checked with our engineers, and it sounds like the server load per-query is more like 3x-5x higher for the encrypted queries.

> only measures DoT, rather than the more popular DoH.

DoH isn’t that much worse than DoT from a load perspective, but it's a web-browser thing…  It’s difficult for me to imagine anyone with enough clue to operate a recursive resolver wanting to use DoH to query an authoritative server.  What would be the point?

>> Could you state the problem that’s being solved?
> Sure, it's in the first sentence of
> "A recursive resolver using traditional DNS over port 53 may wish instead to use encrypted communication with authoritative servers in order to limit passive snooping of its DNS traffic."

Right, so that just means the wording of the draft is over-broad, in that it just says “authoritative” rather than “authoritative SLD” or something.  It’s quite a stretch to think that anything sensitive would be disclosed between a well-behaved recursive and a _root_ server, since it doesn’t disclose either the individual or the domain being queried.

So, again, what problem would be solved?