Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative

Manu Bretelle <> Sat, 08 August 2020 01:56 UTC


Yes. I think it is worth doing.

On Thu, Aug 6, 2020 at 7:59 AM Paul Hoffman <> wrote:

> Greetings again. The following is a short text-based version of my slides
> from last week's WG meeting. I'd like to find out if this is one of the use
> cases that the WG would be interested in dealing with.
>
> Use case: Opportunistic encryption for recursive to authoritative
>
> In this use case, a resolver operator says “I’m happy to use encryption
> with the authoritative servers if it doesn’t slow down getting answers by
> much”, and an authoritative server says “I’m happy to use encryption with
> the recursive resolvers if it doesn’t cost me much”.
>
> Opportunistic encryption is defined in RFC 7535. From the abstract:
> "Protocol designs based on Opportunistic Security use encryption even when
> authentication is not available, and use authentication when possible,
> thereby removing barriers to the widespread use of encryption on the
> Internet."
>
> The assumptions behind the use case are:
> • More encryption is good for the Internet
> • Resolver vendors are smart and motivated
> • Most resolvers don’t validate with DNSSEC and may never want to
> • Authoritative operators don’t care much about encryption, but some would
> turn it on because more encryption is good for the Internet
> • Other use cases for authentication stronger than opportunistic may
> appear and would co-exist with this one
>
> The other slides had thoughts about possible solutions that implement this
> use case, but before we go there, I wanted to find out if more than a
> handful of people here are interested in this use case. If so, I could turn
> the above into a draft with some possible solutions for us to bang on.
> --Paul Hoffman
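The quoted use case can be pinned down as a small resolver-side policy: try an encrypted transport to each authoritative server, accept the channel whether or not the server certificate verifies (that is what makes it opportunistic), and fall back to cleartext when encryption is unavailable or costs more latency than the operator is willing to pay. The model below is an added illustration, not code from the dns-privacy WG, from Paul Hoffman's slides, or from any resolver; the transports are simulated (`make_simulated_transports`, `FakeClock`, the `PROFILES` table and the `latency_budget_ms`/`backoff_s` knobs are all constructed for the example), and the `strict` flag stands in for the "stronger than opportunistic" profile the post says could coexist with this one.

```python
"""Toy model of opportunistic encryption for recursive-to-authoritative DNS.
Added illustration with simulated transports; not a real resolver."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Encrypted attempt -> (answer, certificate_verified, rtt_ms); cleartext -> (answer, rtt_ms).
# Both raise OSError when the server does not offer that transport.
EncryptedTransport = Callable[[str, str], Tuple[str, bool, float]]
CleartextTransport = Callable[[str, str], Tuple[str, float]]


@dataclass
class Outcome:
    answer: str
    encrypted: bool      # carried over an encrypted channel?
    authenticated: bool  # did that channel also verify the server?
    rtt_ms: float


class FakeClock:
    """Deterministic stand-in for time.monotonic(), constructed for this example."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class OpportunisticPolicy:
    def __init__(self, encrypted: EncryptedTransport, cleartext: CleartextTransport,
                 latency_budget_ms: float = 50.0, backoff_s: float = 3600.0,
                 strict: bool = False, clock: Callable[[], float] = time.monotonic) -> None:
        self._encrypted, self._cleartext = encrypted, cleartext
        self._budget, self._backoff, self._strict, self._clock = latency_budget_ms, backoff_s, strict, clock
        self._cleartext_until: Dict[str, float] = {}  # server -> deadline before retrying encryption

    def state(self, server: str) -> str:
        return "cleartext" if self._cleartext_until.get(server, 0.0) > self._clock() else "try-encrypted"

    def query(self, server: str, qname: str) -> Outcome:
        now = self._clock()
        if self._cleartext_until.get(server, 0.0) > now:
            return self._plain(server, qname)  # remembered as not worth retrying yet
        try:
            answer, verified, rtt = self._encrypted(server, qname)
        except OSError:
            if self._strict:
                raise RuntimeError(f"{server}: encrypted transport required but unavailable")
            self._cleartext_until[server] = now + self._backoff
            return self._plain(server, qname)
        if rtt > self._budget and not self._strict:
            # The answer is already in hand, so use it, but stop paying the
            # encryption cost for this server until the backoff expires.
            self._cleartext_until[server] = now + self._backoff
        return Outcome(answer, True, verified, rtt)  # unverified cert is still accepted

    def _plain(self, server: str, qname: str) -> Outcome:
        answer, rtt = self._cleartext(server, qname)
        return Outcome(answer, False, False, rtt)


def make_simulated_transports(profiles: Dict[str, Dict[str, object]]):
    """Fake transports built from per-server profiles (tls, verified, tls_rtt, plain_rtt),
    plus a call counter so callers can see which path was attempted."""
    calls = {"encrypted": 0, "cleartext": 0}

    def encrypted(server: str, qname: str) -> Tuple[str, bool, float]:
        calls["encrypted"] += 1
        p = profiles[server]
        if not p["tls"]:
            raise OSError(f"{server}: no encrypted transport")
        return f"{qname}. A 192.0.2.1", bool(p["verified"]), float(p["tls_rtt"])

    def cleartext(server: str, qname: str) -> Tuple[str, float]:
        calls["cleartext"] += 1
        return f"{qname}. A 192.0.2.1", float(profiles[server]["plain_rtt"])

    return encrypted, cleartext, calls


# Constructed server profiles covering the cases the policy has to handle.
PROFILES = {
    "ns1.example": {"tls": True, "verified": True, "tls_rtt": 22.0, "plain_rtt": 20.0},   # fast, verifiable
    "ns2.example": {"tls": True, "verified": False, "tls_rtt": 25.0, "plain_rtt": 20.0},  # fast, unverifiable
    "ns3.example": {"tls": False, "verified": False, "tls_rtt": 0.0, "plain_rtt": 20.0},  # cleartext only
    "ns4.example": {"tls": True, "verified": True, "tls_rtt": 140.0, "plain_rtt": 20.0},  # too slow
}

if __name__ == "__main__":
    enc, plain, calls = make_simulated_transports(PROFILES)
    policy = OpportunisticPolicy(enc, plain, clock=FakeClock())
    for ns in PROFILES:
        o = policy.query(ns, "www.example")
        print(f"{ns}: encrypted={o.encrypted} authenticated={o.authenticated} "
              f"rtt={o.rtt_ms}ms -> {policy.state(ns)}")
```

The `authenticated` field is what separates the two profiles in the post: the opportunistic policy records it but never acts on it, so an on-path party that blocks or degrades the encrypted attempt simply steers the resolver to cleartext for the backoff period; only the `strict` profile refuses to answer in that situation. Logging `Outcome.encrypted` and `Outcome.authenticated` per authoritative server is the cheap way for an operator to see how much of their upstream traffic the opportunistic mode actually protects.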