Re: [dns-privacy] ADoT deployment at the root

Ted Hardie <ted.ietf@gmail.com> Thu, 31 October 2019 19:27 UTC

References: <943e3973-f6a7-9f6e-a66a-33aff835bd5e@innovationslab.net> <503df6fb-b653-476f-055f-15c1a668ba36@innovationslab.net> <5fe86408-35a8-16ea-d22a-9c6c4a681057@icann.org> <CA+9kkMBZUPfWov6B+pgLYuFmZh10dTzwF2PdKs5Vozzssqvzjw@mail.gmail.com> <edf53c16-3be9-786c-dcb1-0edc9fd9711c@icann.org> <CA+9kkMC5ynqK+8QO==5Pi_9edjTkJJ3yLHBHqJFOox8fi1_8HQ@mail.gmail.com> <CAHbrMsAAvadukzifKEj9eEWB91aDjmnu775F_YdtBaUHrHwDDQ@mail.gmail.com> <CA+9kkMCVj3Lte1dooNthm0f6eBPFUGbxdQBGyjB62KD8wn+f-g@mail.gmail.com> <CAHbrMsCU4b7yNwEfq1J0qsX3vbij+bLdXpanPMKaF+h6yqkXKw@mail.gmail.com> <CA+9kkMA9=m67w=yPR4=cNmHvMH29ogzBVzA8GZU_HCBkVNUxOg@mail.gmail.com> <CABcZeBMyrW=D+dyoT3FUvfe+9hM7ZCndv=tZ9B2F170U0Z7obw@mail.gmail.com> <CAHbrMsAgR-Andoxs5WRMp2jE3Gf_1EWWpsrAm3eFc-vGhb5A3w@mail.gmail.com> <CABcZeBNTJYQc_1kbK7cL3S8KcHfEzpNsZaeK=OeYopEpjLF9_Q@mail.gmail.com> <CAHbrMsBaGBx-gye+Y+4Ja_a9Dkvkt6kLva3fzyvrzuuzxECZuw@mail.gmail.com> <CABcZeBP64qr81ccw+cbYy6FuQkgArS=G9_itEt8A_UfN8SO7GA@mail.gmail.com> <BDFD7D8F-BB99-46DF-85AC-922DDF25A1D3@rfc1035.com> <CACsn0c=6Kv5j0SKJkTLxSNSPoz_uA62p1vTjWx=ccVJbnv4f7A@mail.gmail.com> <5DA6B1B6-5EC3-45E2-8622-47331E59FE39@rfc1035.com>
In-Reply-To: <5DA6B1B6-5EC3-45E2-8622-47331E59FE39@rfc1035.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 31 Oct 2019 12:27:13 -0700
Message-ID: <CA+9kkMDNX-t4a+u63m8jf7rCMt2uD-7hvLjybQ50EWouAK8SDA@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/xuieDWfhIQjSZeuroyTyhWOB15o>
Subject: Re: [dns-privacy] ADoT deployment at the root

On Thu, Oct 31, 2019 at 12:06 PM Jim Reid <jim@rfc1035.com> wrote:

>
> There are gazillions of layer-9+ problems around the introduction of new
> or different distribution mechanisms at the root for serving root zone
> data. Not least of these are the interminable ICANN consultations that
> inevitably have to take place for anything remotely related to the root.
>
> Some of those problems will also apply to ADoT deployment at "busy" TLDs
> and their DNS service providers.
>
>
I think the point John Levine was making earlier relates to this, though.
If the root zone is signed, it is small enough to keep a copy locally in
any reasonable cache.  That means many caching resolvers can avoid using
DoT on queries routed to the root by using AXFR instead to the servers
mentioned in https://www.dns.icann.org/services/axfr/ or similar servers
hosted elsewhere.  Asking that those AXFR-suitable servers support DoT
seems a much more tractable proposition and it results in the right thing.

I may have misunderstood John, of course, but that's the point of what I
understood him to be saying.

regards,

Ted
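As an added illustration of the approach Ted describes (not part of the original message, and not code from ICANN or the Unbound project), the following is an Unbound `auth-zone` stanza that transfers the signed root zone to the resolver and serves it locally for upstream lookups, falling back to ordinary iterative root queries if the transfer fails. It assumes Unbound's `auth-zone` feature and the `for-upstream` / `fallback-enabled` options, and uses the ICANN AXFR host names as the transfer sources; the IP addresses and hostnames should be checked against the current list at https://www.dns.icann.org/services/axfr/ before deployment.

```conf
# unbound.conf fragment (added example; verify server names against the ICANN AXFR page)
server:
    # The resolver's own DNSSEC validator still checks answers built from
    # the local copy, so a tampered or stale zone file is rejected rather
    # than trusted blindly. Assumes the root trust anchor is already managed.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

auth-zone:
    name: "."
    # Transfer sources: assumed to be the ICANN xfr servers listed at
    # https://www.dns.icann.org/services/axfr/ (hostnames used here as an
    # assumption; substitute the addresses published on that page).
    master: lax.xfr.dns.icann.org
    master: iad.xfr.dns.icann.org
    # Answer queries that would otherwise go to the root servers from the
    # local copy (this is the AXFR-instead-of-root-query idea in the thread).
    for-upstream: yes
    # Do not expose the zone to downstream clients as an authoritative service.
    for-downstream: no
    # If the transfer or zone file is unusable, revert to normal root queries
    # so resolution keeps working; the validator still applies either way.
    fallback-enabled: yes
    # Persisted copy so a restart does not depend on an immediate transfer.
    zonefile: "/var/lib/unbound/root.zone"
```

Once loaded, `dig @127.0.0.1 . SOA +dnssec` should return the root SOA with the `ad` flag set, which confirms that the locally served data is passing DNSSEC validation rather than being accepted merely because it was transferred. The transfer itself is still unencrypted unless the transfer servers offer DoT or another protected transport, which is the point Ted raises about asking those AXFR servers to support it.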