Re: [dns-privacy] ADoT deployment at the root
Ted Hardie <ted.ietf@gmail.com> Thu, 31 October 2019 19:27 UTC
To: Jim Reid <jim@rfc1035.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/xuieDWfhIQjSZeuroyTyhWOB15o>

On Thu, Oct 31, 2019 at 12:06 PM Jim Reid <jim@rfc1035.com> wrote:

> There are gazillions of layer-9+ problems around the introduction of new
> or different distribution mechanisms at the root for serving root zone
> data. Not least of these are the interminable ICANN consultations that
> inevitably have to take place for anything remotely related to the root.
>
> Some of those problems will also apply to ADoT deployment at "busy" TLDs
> and their DNS service providers.

I think the point John Levine was making earlier relates to this, though. If the root zone is signed, it is small enough to keep a copy locally in any reasonable cache. That means many caching resolvers can avoid using DoT on queries routed to the root by using AXFR instead, to the servers mentioned in https://www.dns.icann.org/services/axfr/ or similar servers hosted elsewhere. Asking that those AXFR-suitable servers support DoT seems a much more tractable proposition and it results in the right thing.

I may have misunderstood John, of course, but that's the point of what I understood him to be saying.

regards,

Ted
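
The approach described in the message above, as an added example that is not part of the original post or of any resolver's code: a resolver holding a transferred copy of the root zone serves the root step of a lookup locally, so the query name never reaches a root server. The fallback once the copy is past its SOA expire timer goes beyond what the message states; the zone excerpt, names, timers and the functions `parse_zone` and `root_step` are constructed for illustration.

```python
# Constructed excerpt in root-zone master-file format; names and timers are sample values.
ROOT_ZONE = """\
.     86400  IN SOA primary.example. hostmaster.example. 2019103100 1800 900 604800 86400
com.  172800 IN NS  a.ns.com-registry.example.
com.  172800 IN NS  b.ns.com-registry.example.
org.  172800 IN NS  a.ns.org-registry.example.
"""


def parse_zone(text):
    """Return (soa_timers, delegations) from 'owner ttl class type rdata...' lines."""
    soa, delegations = None, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "SOA" and owner == ".":
            serial, refresh, retry, expire, _minimum = map(int, rdata[2:7])
            soa = {"serial": serial, "refresh": refresh, "retry": retry, "expire": expire}
        elif rtype == "NS" and owner != ".":
            delegations.setdefault(owner, []).append(rdata[0].lower())
    if soa is None:
        raise ValueError("zone copy has no SOA at the apex")
    return soa, delegations


def root_step(qname, zone, last_transfer, now):
    """Decide how the root step of an iterative lookup is served (times in seconds)."""
    soa, delegations = zone
    if now - last_transfer > soa["expire"]:
        # Copy is past SOA expire: it must not be used, so the query goes to a
        # root server on the wire, the path that local copies are meant to avoid.
        return ("query-root", None, [])
    name = qname.lower().rstrip(".")
    if not name:
        return ("local-apex", ".", [])
    tld = name.split(".")[-1] + "."
    if tld in delegations:
        # Referral comes from the local copy; qname is never sent to the root.
        return ("local-referral", tld, delegations[tld])
    # Assumption: the copy was DNSSEC-validated on transfer, so absence is trusted.
    return ("local-nxdomain", tld, [])


ZONE = parse_zone(ROOT_ZONE)
```

Only the `query-root` outcome puts a query on the path to a root server; the periodic AXFR that refreshes the copy is the remaining exchange that transport encryption would need to cover.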