Re: [dns-privacy] ADoT deployment at the root

Warren Kumari <warren@kumari.net> Thu, 31 October 2019 19:36 UTC

References: <943e3973-f6a7-9f6e-a66a-33aff835bd5e@innovationslab.net> <503df6fb-b653-476f-055f-15c1a668ba36@innovationslab.net> <5fe86408-35a8-16ea-d22a-9c6c4a681057@icann.org> <CA+9kkMBZUPfWov6B+pgLYuFmZh10dTzwF2PdKs5Vozzssqvzjw@mail.gmail.com> <edf53c16-3be9-786c-dcb1-0edc9fd9711c@icann.org> <CA+9kkMC5ynqK+8QO==5Pi_9edjTkJJ3yLHBHqJFOox8fi1_8HQ@mail.gmail.com> <CAHbrMsAAvadukzifKEj9eEWB91aDjmnu775F_YdtBaUHrHwDDQ@mail.gmail.com> <CA+9kkMCVj3Lte1dooNthm0f6eBPFUGbxdQBGyjB62KD8wn+f-g@mail.gmail.com> <CAHbrMsCU4b7yNwEfq1J0qsX3vbij+bLdXpanPMKaF+h6yqkXKw@mail.gmail.com> <CA+9kkMA9=m67w=yPR4=cNmHvMH29ogzBVzA8GZU_HCBkVNUxOg@mail.gmail.com> <CABcZeBMyrW=D+dyoT3FUvfe+9hM7ZCndv=tZ9B2F170U0Z7obw@mail.gmail.com> <CAHbrMsAgR-Andoxs5WRMp2jE3Gf_1EWWpsrAm3eFc-vGhb5A3w@mail.gmail.com> <CABcZeBNTJYQc_1kbK7cL3S8KcHfEzpNsZaeK=OeYopEpjLF9_Q@mail.gmail.com> <CAHbrMsBaGBx-gye+Y+4Ja_a9Dkvkt6kLva3fzyvrzuuzxECZuw@mail.gmail.com> <CABcZeBP64qr81ccw+cbYy6FuQkgArS=G9_itEt8A_UfN8SO7GA@mail.gmail.com> <BDFD7D8F-BB99-46DF-85AC-922DDF25A1D3@rfc1035.com> <CACsn0c=6Kv5j0SKJkTLxSNSPoz_uA62p1vTjWx=ccVJbnv4f7A@mail.gmail.com> <5DA6B1B6-5EC3-45E2-8622-47331E59FE39@rfc1035.com> <CA+9kkMDNX-t4a+u63m8jf7rCMt2uD-7hvLjybQ50EWouAK8SDA@mail.gmail.com>
In-Reply-To: <CA+9kkMDNX-t4a+u63m8jf7rCMt2uD-7hvLjybQ50EWouAK8SDA@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 31 Oct 2019 15:35:29 -0400
Message-ID: <CAHw9_iK3FdxsjrDpQAip=tvbdszquBMPhuGoNCPbzRWnjzK7cQ@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Jim Reid <jim@rfc1035.com>, Watson Ladd <watsonbladd@gmail.com>, dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/q2mtQQ63Tyb8THNbU4bGgitfeQo>
Subject: Re: [dns-privacy] ADoT deployment at the root

On Thu, Oct 31, 2019 at 3:27 PM Ted Hardie <ted.ietf@gmail.com> wrote:
>
> On Thu, Oct 31, 2019 at 12:06 PM Jim Reid <jim@rfc1035.com> wrote:
>>
>>
>> There are gazillions of layer-9+ problems around the introduction of new or different distribution mechanisms at the root for serving root zone data. Not least of these are the interminable ICANN consultations that inevitably have to take place for anything remotely related to the root.
>>
>> Some of those problems will also apply to ADoT deployment at "busy" TLDs and their DNS service providers.
>>
>
> I think the point John Levine was making earlier relates to this, though.  If the root zone is signed, it is small enough to keep a copy locally in any reasonable cache.  That means many caching resolvers can avoid using DoT on queries routed to the root by using AXFR instead,  to the servers mentioned in https://www.dns.icann.org/services/axfr/ or similar servers hosted elsewhere.


See: https://datatracker.ietf.org/doc/draft-ietf-dnsop-7706bis/ and
RFC7706 for details on how....
(draft-ietf-dnsop-7706bis is in WGLC, so that's the one people should read).

Thank you Ted, for queuing this up so nicely!
W

> Asking that those AXFR-suitable servers support DoT seems a much more tractable proposition and it results in the right thing.
>
> I may have misunderstood John, of course, but that's the point of what I understood him to be saying.
>
> regards,
>
> Ted
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
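As an added illustration of the local-root approach Warren points to (RFC 7706 / draft-ietf-dnsop-7706bis), not from this thread or from either author, here is an Unbound configuration fragment of the kind the draft's appendix gives. The resolver slaves the root zone by AXFR from the root-server and ICANN xfr hosts, serves it to its own iterator, and validates the result with the normal DNSSEC trust anchor, so no query for root data leaves the box. The primary addresses are my reading of the draft's appendix (IPv4 only here) and the file paths are assumptions; check both against the current text and your installation before use.

```conf
# Example unbound.conf fragment for a local copy of the root zone
# (RFC 7706 / draft-ietf-dnsop-7706bis style). Added example, not from the draft.
server:
    # DNSSEC validation is what protects the locally held copy: AXFR itself
    # carries no authentication, so the validator must be active and the
    # root trust anchor present. Path is an assumption for this example.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    # Root-zone transfer sources as listed in the draft's appendix (IPv4).
    primary: 199.9.14.201         # b.root-servers.net
    primary: 192.33.4.12          # c.root-servers.net
    primary: 192.5.5.241          # f.root-servers.net
    primary: 192.112.36.4         # g.root-servers.net
    primary: 193.0.14.129         # k.root-servers.net
    primary: 192.0.47.132         # xfr.cjr.dns.icann.org
    primary: 192.0.32.132         # xfr.lax.dns.icann.org
    # If the local copy is missing or stale, fall back to ordinary
    # iterative queries to the root servers instead of failing.
    fallback-enabled: yes
    # Use the copy only to answer this resolver's own iterator; do not act
    # as an authoritative root server toward downstream clients.
    for-downstream: no
    for-upstream: yes
    # On-disk copy of the zone (assumed path) so a restart needs no transfer.
    zonefile: "/var/lib/unbound/root.zone"
```

To check it, run `unbound-checkconf`, start Unbound, and query `dig @127.0.0.1 . SOA +dnssec`: the answer should validate (AD bit set) and the SOA serial should match the one the xfr servers hand out. Note that nothing in this fragment encrypts the transfer leg itself; the AXFR runs over plain TCP, and the integrity of the copy rests on DNSSEC validation, not on transport security. That is exactly the gap behind Ted's suggestion that the AXFR-capable servers support DoT: with a local copy in place, the only root-related traffic left to protect is this one zone transfer.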