Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

"Livingood, Jason" <Jason_Livingood@comcast.com> Wed, 30 October 2019 18:40 UTC

From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: Jim Reid <jim@rfc1035.com>, Eric Rescorla <ekr@rtfm.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 30 Oct 2019 18:40:21 +0000
Message-ID: <BAD38F3A-5344-410A-BC8A-A25DD66257A6@cable.comcast.com>
In-Reply-To: <BDFD7D8F-BB99-46DF-85AC-922DDF25A1D3@rfc1035.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/icK86O_-q7Bv2Peo3Bqq1bmgNSc>

I agree that this is not a technical issue of scaling the root; that quantity of queries per day and second is not a big problem. Rather, as you note, it is a layer-9 issue. But I don't think we should constrain our requirements development & protocol design because of this. Ultimately root operators and others will need to make independent assessments of cost/benefit and it's not unheard of for communities in ICANN to initiate the different policy development processes in order to change pricing/margin/contract stuff to accommodate new requirements.

On 10/29/19, 11:30 PM, "dns-privacy on behalf of Jim Reid" <dns-privacy-bounces@ietf.org on behalf of jim@rfc1035.com> wrote:

    On 30 Oct 2019, at 01:32, Eric Rescorla <ekr@rtfm.com> wrote:
    >
    >> Yes, it's hard, but I think it's worthwhile, because the prospect of getting the root to offer ADoT seems very distant to me.
    >>
    > Why? Do we have estimates of the load level here as compared to (say) Quad9 or 1.1.1.1?

    The root server operators publish statistics on the traffic they get. Links for some of their data can be found at https://root-servers.org.

    The anycast cluster for a.root-servers.net alone currently handles upwards of 8B queries/day - roughly 100,000 queries/second. That’s steady state. The numbers would go *far* higher than that during a Mirai-style DDoS attack.

    It’s going to be a challenge to get authoritative servers handling those sorts of query levels to support DoT (over TCP?). FWIW solving the non-trivial operational and engineering issues will be the easy bit. Solving the layer-9 issues will be harder. I expect that also holds for DoT support at authoritative servers for important TLDs or the DNS hosting platforms from the likes of Akamai, Dyn, UltraDNS, etc that handle very high query rates.

    I suppose someone could ask RSSAC* for their opinion on deploying DoT at the root. And having lit the blue touchpaper, I will now run away at great speed to watch the ensuing firework display. :-)

    * Other ICANN advisory committees are available.