IETF Logo Mail Archive

[DNSOP] Re: Proposal for opportunistic transport signaling from authoritative servers

Ben Schwartz <bemasc@meta.com> Wed, 25 June 2025 13:15 UTC

Return-Path: <prvs=2271f3dbf6=bemasc@meta.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 63756394551F; Wed, 25 Jun 2025 06:15:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.793
X-Spam-Level:
X-Spam-Status: No, score=-2.793 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yFd5U8A8-dvg; Wed, 25 Jun 2025 06:15:46 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by mail2.ietf.org (Postfix) with ESMTP id 8E4173945154; Wed, 25 Jun 2025 06:14:49 -0700 (PDT)
Received: from pps.filterd (m0109334.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55PCW7AS020314; Wed, 25 Jun 2025 06:14:47 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=s2048-2021-q4; bh=UqqX6aL4w+F3DtDcB0F7 4NO/8thv3wHmyDxWxiuNlcY=; b=QJcrTeg6LMDfzeYxdOJa5SUtUk4wRyEETYTX Mr28ZzPNGgSNPvGxeC7pPPHrKzgNY8xEAgzvuIH3+XwlQNXtHmBvA5KnDJ9BnpUx 0Wpv77DxVdygAorM3wrnrUBPNYYlb5W9akDBzFR+9Mz3IckvFKGwlLneEHas12BH cT1Xz4ATI9TU3X8uBTjCZAFQqh3T3z7vew7SAJvLKMO0FcUxsx8n0CNBr/kL6/e5 FSYpuZHHM7myh1I8IjJxNhnQmopej+932VsU6KN58PbnVM1wOLA4VGv0dAzHBRoI Qn7lxykNmnw2jJ8HDzYwSeniXV41w5HcTQ0AKZ+by/vzdjWNrw==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10on2052.outbound.protection.outlook.com [40.107.94.52]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 47fkh5uf2u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 25 Jun 2025 06:14:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gsTybx1LcxfhlxO6ncXhgk1gJ2oi4VQq2yI/0RaAEqjvSgbHkdz5fsdFszQ/J3DuqM8VpohEVppx7WlV/HpVN4ySaEEst8XFkbOvoncBGNp6jrZUfQAiShC3PFDyRuh4Nvl5gp4pP7D3ufbR5INL2mGADD567koBBP2XAzHBI0u7Iw9YolgoKub9tsqfW3bGU4evooJXwDfjpDYZptkv3AlGSCc8ixeL4NdCWh/pPG3txEpghBpKVErQTZf+f5/xwCcNUhUisNhd0fPfBFjOL9xQXp/dLuCLqtQZihRaJy6JOd2d2x6c6D5s0YHeUG+hLP7mGscPHSoov/x5oLV5rQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UqqX6aL4w+F3DtDcB0F74NO/8thv3wHmyDxWxiuNlcY=; b=RptGsxMfNnHKdckU+kLEua7jK66lmRc2hzkHnROvKXCb7u39fqTWTEFHWAYyH+HiKh0YHU6Eid//voRuOYYFyzxfopNM6xOd6ybWi2NwBl4JiSEVSmptXSkR0wVQfQ9ctMXw8igue+gSjG3RVZ7H476XdyI7N4Om8KLeUPttttWwlzojEzzMTgz0NOTBfQY7fhgpeENRvIJ1cF9cbvsWkKlh7xRSJvXbJuVEunxceIXhAR16jNOtpy3temkW4mulAGlEvnn8nIuUUlJnMvpi/+3wXQt3h19ZGcXvziRZdgUb+75yvqQFWxClh9u1WduzcQoS2VjDgOdtsc7+PC5OhA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from DM6PR15MB2361.namprd15.prod.outlook.com (2603:10b6:5:82::33) by MW4PR15MB4762.namprd15.prod.outlook.com (2603:10b6:303:10b::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8880.17; Wed, 25 Jun 2025 13:14:43 +0000
Received: from DM6PR15MB2361.namprd15.prod.outlook.com ([fe80::33bb:f6d1:d19f:95b6]) by DM6PR15MB2361.namprd15.prod.outlook.com ([fe80::33bb:f6d1:d19f:95b6%6]) with mapi id 15.20.8857.026; Wed, 25 Jun 2025 13:14:42 +0000
From: Ben Schwartz <bemasc@meta.com>
To: Johan Stenstam <johan.stenstam=40internetstiftelsen.se@dmarc.ietf.org>, Joe Abley <jabley@strandkip.nl>
Thread-Topic: [DNSOP] Proposal for opportunistic transport signaling from authoritative servers
Thread-Index: AQHb5bNks/L8/FB9PkWufY3GQ82WqLQT17X1
Date: Wed, 25 Jun 2025 13:14:42 +0000
Message-ID: <DM6PR15MB23614DE53F03D12BA8BF57F3B37BA@DM6PR15MB2361.namprd15.prod.outlook.com>
References: <DM6PR15MB236101155DF60A3C47B7138FB378A@DM6PR15MB2361.namprd15.prod.outlook.com> <CA8BCDDC-950F-4E07-B523-787C3C4769FD@strandkip.nl> <62A06625-1FDB-4234-BF39-AB510DE0C50C@internetstiftelsen.se>
In-Reply-To: <62A06625-1FDB-4234-BF39-AB510DE0C50C@internetstiftelsen.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR15MB2361:EE_|MW4PR15MB4762:EE_
x-ms-office365-filtering-correlation-id: 681c0bf8-4f78-483a-d380-08ddb3ea3f83
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|10070799003|376014|366016|8096899003|38070700018|3613699012;
x-microsoft-antispam-message-info: RHd/k+RNVOWZ7acX3vwMISd29h/Tx2Z2EPC0PGPNXhUOHPd7MWATFfzKDwxkdVoLS6RmftHbuxhbqVpVEZO4ljbDH6MMYru4+vRAfrmE2m9zyTwBOsMV0GblVT4etFFzDRtbMsw9OSJqjx/Haz7wcEUj8HiAwwCQfcf70/ek+sRPcqBUIbSrVHb9DWL4plOmXgdC5wqqQM35FaIfWszl7rCODrKZgwZ3LYNcmKUTzZ9MizYkoaPci/ltVzUbd1UzUrjEIzY21cJ9uaX8+iFlsIylAEEMFGjIpbvJA41KDmhWXo8xwhvUVcmWupXoeJ/wgGGRFm5sldcNY6A3kEMcbfBjf4NtYJt1jtzuRON0HWXkDfNQlW5M6l8+T2DE1EQy9ZZoQX30sWvuAU5v3/ftHfZ2f2hDfXWEw1JnLDjRa7xuozwiAxw0oTh9KsAxEVhO+KezPze/akKITGa5OCkNHenggkuYcJp83d9sQ2UR1+ZUfnn+XaH48aC15eKNDnqr40oBetfjqWihBaZ2gIU6hEnRH2RVvNec0uVyx8FECy4dum9BIJHhhgBjBzwikGYOhPeW7YTfhcXx0eySIxRnBau0uQaiE6T6apPl2NPOVJEeRPQTiTLItvUJtlwsOP67teuq/VKJA4LYMCk2ntC6RgwgoBSJYWIYM5nZ0+XbOudJanbhP0xQt8JRKOOHWiYXgF4xH+a7t8LmTuQexh+4e5zEVrOTxg3fJ99ak/08qcOT08LlDyVN7MMmCtyUBAR8STu5fiCakPR+9A8Ti5nuVeYTSGMX2MT5ZDSsuG4j5jYl4SaaZZkx4G/KOOBVzwVJu8xBdbhf+dn8C/HDZyehWRN1hVSbPEm8Fbjh4joIzxDD3I5YgpItws1iCeWoinSZXVGQ176twjYOW2kOth+tb7E9VPceffNKfwK7Lg7S6YvRr4SaWqgjoXRVyK0JsNY8OrIGUxfl4fmeP0n0m0kpTUlAHuToH8BjqMSm5YPOcKHc9ytrDHWsVT5EkrRgjUB4SAOOXXBkMidvDrl3HBYRyLEmgiY7AtTEjTVAsTE/AcRGmtfVciCOyZkjUE/Kl88D12iSBPyBY7WJleFA8pPekToQOc7Y5hnMfB6ijycF89rfNvAteoY52TncLkP1MS3dTgvATnROR3Ld/+QeNWBGe5sY/zGHv/HTqR+9cWYz5Wso3LQjnIwzDGsy25VqSbh0MDwso2WF/t/8ODbZcLIArCy2u1dK/rFfosFco51PmqjJ1HdWQ4+ZdZAYKbp3untcP2FMhKzFgHnXT7V/Rr2WBVQ2bGXau+nX7Rv9CoS5f/SwTSUqVUnjMptGgt3T6qCaicC2GJhwcwioOHEwbUGkz8oss/jJjPlMzBjZEGgH3ccz8WVdt4nSCu746ARPRHE4/MTkyWPrPIWWmKN/QKvR3a/1phnKCgFVSXr+cKOqUUa839gT/zfCrJZrW59c7nEa
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR15MB2361.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(10070799003)(376014)(366016)(8096899003)(38070700018)(3613699012);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: TQJFizjfR2YhsS2moRaJ8Pr6IxNTxBp8Bu/KaybrmXJ0ACTa03xflVw3AJ7S523gVqe3WZKPwqVQ+FvH1nD7C0FASm9pi/1ZIwxASB9uG6RnzfMx/g5C2NYk/t5ZIT3p2VoKAsrzeyhLAEXDGguPekyxXMY9lloh8OxWmw3Q+a6ZMEAFffrVOrRTnqAfjVPYuXgAmq3rqG2ybsVmhHCqcQa5IaXQ4JjhH0GTG4/0UqnwL11jKXe68OKdvE2RwiJc9wcz5lSM1MSuUFygduIvOJs0kzFlrzd+9fYvlCRe8CHz0jTg9qnxJvVO3q/z44XW/Jla3u+uHH4ICs39qBu42NXfPKorpDgPNgvplf8m/ooTJxkII5dTwFL7N4nl6qXHNRJ0FqwvPnzvfqBvpnKnYJf2pcipUFr0nwHdshDRU4pRz2j4Det4w8DS0HFU4prTH2zVtqbKjTBiYGpWOycujRWicdu5hjh+lm47fk//z7M/1AfPi6mki/JazuV9tRje19nCL8yUvajzfGCpV+3HSADYgPijtDOTUQH8MTosUkj31Epar8v//TvbazPzG1eFMNNDzB05GDt4QQQGRA/baxispNSBhashqlQD4mfK7QSGI4IEohIrQ2xRBEQkMg++wNRD3OaL/N2JggT4Q32AJhpN3yHipNbpq+CMihBYjK55QP74HWv9ef/8Oy8AZsAPXH+TlTS9LNC0DK/YeOkw61D4HnVNafIo0RuTc/W4TesOgFtFKT1gPuKddjfJ66x2/gqTUMqqyYGmN8jBYsKKw6YQt9ngkb16wJAmtoYnEV0dZXkP5COROMDXyTk15V1U8JDHeVa6QMk7XRVlp1MZr22uDry/KU1UKmEZu+2VvYIkrNIiE/Ji15hhQGQiVCvs2rAcbErKQzI4g+Ci0XPMK3PY5UDLoDwGloFQ+4a3COEZFWrOy7PheasHr9MsIZoV81clpVbInokTZNKSNQNqQL+oGmPc9lqf4/sZU81EIg6ZiCXYwEBop7wiIzLamzCGejEFbPwDmnglph3Q4JrgjiK9CtgQsQMeK5Mm0PmoGHBRSdYLtsSs/WA3AAUV9PxUQC9nS4X45dcrSw4MMQjtGq36hMpRP5E/vpoTdGXdTk7QZvPBxNAi64R55qwa5RLg7cR2VpWog1/QZ8Zk0SlysBjI11UR8l6cGCP2zzOL2mS7dvBjfvrcvN0Yv8hqypDXODJikGidtvxA7p8Ca+uUhDbmo96TfY1dkTrfZYmkO+RRlqLDXJwaBqJJ5Ts+a9u5R801zlORYYcUrv4KWxgB+YA71DAZIIZHq6EVEOvX1mSZnyyU85BjvDuEMWMnE6F1NACHt6ZzuJi90jaA59wH3hcJlShnMApgxGBkZD48qCOTYFTmvTv1tt1c2nmEDYzT7rsmQLa50tQ390RWt6/rRIRFAl7vo2Ofa9Zqf4mGk6X5c8eR473lXj04hL3BeeaNgOef2xazM7OdN4LN78WmBXu7vybEEbmEXi9INaujbtFlBU+i3y4aIkxsFYHg/+6LURe2JJ76W+fVIehQ0I3Q8ikA4ZQlRpo7TnGLbAuzDD5w1tpYY+HyqoTCPcClndTYB/kQqSmtHXn+P3TvfsvY/apQxwiT+9wF0NO9MHhgAEQ=
Content-Type: multipart/alternative; boundary="_000_DM6PR15MB23614DE53F03D12BA8BF57F3B37BADM6PR15MB2361namp_"
MIME-Version: 1.0
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2361.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 681c0bf8-4f78-483a-d380-08ddb3ea3f83
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jun 2025 13:14:42.5564 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: N6H9mIfUp+YqOzuyG3ss19ngy6PECPEyQQoliM5Rm3ge45lkPCnmGZZe9bNq9XRQ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR15MB4762
X-Proofpoint-GUID: SFGgtxE4BeDelJSBPzsKGWrUsK9JBBJ8
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjI1MDA5NyBTYWx0ZWRfX0svk3d6NtpvC Umq0qRhjwxkSglWj9Unp1SjKP1q+WFNomE0ODkCPwyXzeFRyi5/jYl8lqVvVFkdXSIsBwjREN3l J9Iy4ukyK4HpDXZviG5TLNXnp6lqwSmqzUSNhwyDsfdDfNlQEbS+qbEIyBpyqdBR3ymCbQ4TA6K hPjUNkQJy47jN0BWES+JyZumXrzU2wrOyLIphay/PIq6nOXr9BAu+B5lMWDPXMEKgpXZCholMX8 wg/9Xoo/+FhuFb4tk+ONJPj3N8siy0/jIZO/+VDo4vuao0j6aqPnnIklPK/30RzsVp7Pnax+j39 9m07R7NOiejt3VR5RYS6XtCk7oFe9ExogdtBd2eTiB+SvVyJI4/G5FryvmFJW4XBCnbKvEdMbdo X8888QknlDMm55Yg3HYFN/rtE7Mb677YxuaMbnijNONgMF4tThT1lttQiEqSDWYgohtAi1U8
X-Authority-Analysis: v=2.4 cv=IZeHWXqa c=1 sm=1 tr=0 ts=685bf647 cx=c_pps a=hFyXiFHt1z/RcV9jVS6qVQ==:117 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=wKuvFiaSGQ0qltdbU6+NXLB8nM8=:19 a=Ol13hO9ccFRV9qXi2t6ftBPywas=:19 a=xqWC_Br6kY4A:10 a=6IFa9wvqVegA:10 a=48vgC7mUAAAA:8 a=y9plqzxeAAAA:8 a=EG7W4yiQAAAA:8 a=uGBQ09X__4wvdbI2UHsA:9 a=pILNOxqGKmIA:10 a=7VEgs6Wos7UQuRXs:21 a=frz4AuCg-hUA:10 a=_W_S_7VecoQA:10 a=lqcHg5cX4UMA:10 a=lBp3Ekt4YYfsEVDhWcye:22
X-Proofpoint-ORIG-GUID: SFGgtxE4BeDelJSBPzsKGWrUsK9JBBJ8
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-06-25_03,2025-06-25_01,2025-03-28_01
Message-ID-Hash: WHHQVD6YDQ5WLHXMYYDMYTXVZYMXUPZ4
X-Message-ID-Hash: WHHQVD6YDQ5WLHXMYYDMYTXVZYMXUPZ4
X-MailFrom: prvs=2271f3dbf6=bemasc@meta.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Working Group DNSOP <dnsop@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Erik Bergström <erik.bergstrom@internetstiftelsen.se>, Leon Fernandez <leon.fernandez@internetstiftelsen.se>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Proposal for opportunistic transport signaling from authoritative servers
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BJRkSbm_6jvs2IENM0eVfryO_H0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Thanks for the clarification.  It sounds like the intent here is that:

1. The SVCB signal is not included in referral responses.
2. The SVCB signal is acquired during NS revalidation.
3. This avoids the additional work for resolvers to probe port 853.

I can understand the logic of this, but most resolvers do not perform NS revalidation, so stacking this capability on top of NS revalidation would limit the number of resolvers that are able to deploy this behavior.  Also, RFC 9539 probing can generally run in parallel to NS revalidation, so it should be faster than waiting to start TLS until after receiving the SVCB hint.

--Ben


________________________________
From: Johan Stenstam
Sent: Wednesday, June 25, 2025 5:27 AM
To: Joe Abley; Ben Schwartz
Cc: Working Group DNSOP; dns-privacy@ietf.org; Erik Bergström; Leon Fernandez
Subject: Re: [DNSOP] Proposal for opportunistic transport signaling from authoritative servers

Hi,

Many thanks for the comments. There are a bunch of things to sort out. Let’s start with the issue of whether this is worthwhile or we should just wait for DELEG.

Using an opportunistic scheme like this is not able to defend against an active attacker. The complete solution is clearly DELEG. Full stop.

My concern with that is that DELEG will not be able to add privacy to a large fraction of the public zones for, well, a rather long time. The reason is that even if the specification was complete tomorrow, and implementations were done next week we would still have to wait for all the registries and registrars to add DELEG support. And after that every single zone will need to be upgraded which will also take years.

I’m not objecting to this, there is just no way around the fact that a major change to the DNS like DELEG will take a long time to reach wide scale deployment. Just like DNSSEC. Or IPv6. Or...

The point with our proposal is that because it is so simple, and because it doesn’t require any changes to the registry/registrar/registrant ecosystem (only providers of authoritative or recursive services need to do anything) this could, if we want, reach wide scale deployment in a fraction of the time.

I argue that we want to add more privacy to authoritative DNS now and the reason we have not done that yet is that we have not (AFAIK) had a sufficiently simple mechanism to provide transport signaling from auth to resolver within the current protocol. And blind probing a la RFC9539 was not not sufficiently attractive (as the odds of it working were low).

This proposal is just an opportunistic hint that says “Hey! I support DoQ, please try it” to allow the resolver to do something like RFC9539, but with open rather than closed eyes and therefore a vastly larger chance of success.

On 24 Jun 2025, at 21:46, Joe Abley <jabley@strandkip.nl> wrote:
On 24 Jun 2025, at 21:38, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org<mailto:bemasc=40meta.com@dmarc.ietf.org>> wrote:

1. An attacker could strip the SVCB record and its RRSIG, resulting in an ordinary delegation response that would be accepted and used without encryption.

True. A client that didn't find a record could query for it which would give it the ability to validate any non-existence, but that sounds like a lot of pointless queries in the situation where the majority of zones don't have this kind of thing deployed (when most referrals don't include a courtesy SVCB).

All of this is true and I am not suggesting actively querying for the SVCB. If the resolver gets the transport signal for free it may use it, that’s all.

2. This is a child-side record, and so presumably also a child-side RRSIG, but the validator may not yet have the child's DNSKEYs.  Fetching those keys (in order to validate the transport configuration) would create additional delay before the query could be sent.

That additional delay can be amortised over the lifetime in the cache of those records needed to provide a chain of trust though. A validator is going to have to do that work at some point.

I agree to the amortization point. However, I want to point out that that we’re not talking about the child’s DNSKEYs, we're talking about the DNS provider’s DNSKEYs. I.e. for the child zone "example.parent.”, with the DNS provider Cloudflare the response would be something like:

…
Answer:
www.example.parent.  IN A 1.2.3.4
Authority:
example.parent.      IN NS ns.cloudflare.com.
Additional:
ns.cloudflare.com.   IN A 5.6.7.8
ns.cloudflare.com.   IN AAAA 2001::bad:cafe:53
ns.cloudflare.com.   IN SVCB 1 . alpn=doq,dot
ns.cloudflare.com.   IN RRSIG SVCB …

And the likelihood of resolvers already having the DNSKEYs of all the major DNS providers is rather high.

3. The parent-side logic to serve this RRSIG, and the coordination channels to get it there, seem complicated.

I guess. It seems approximately as complicated as CNAME flattening which is pretty common.

This part I don’t understand. There is no “parent side logic”. There is no change whatsoever to the delegation information (otherwise this would be a non-starter).

The proposal is to add the transport signal when sending an authoritative response, i.e. an Answer, from an authoritive nameserver (where the auth nameserver will make a statement about its own transport capabilities).

There is no suggestion about changing anything in a referral from the parent.

Assuming it is signed by the ZSK, this also breaks a usual rule of not having parent-side content depend on the child ZSK.

The referral can be processed without it (by using other transports) so I'm not sure it's a dependency.

The downgrade attack seems worth thinking about. I'm not sure how much we need to care about the other things.

I think there may be a misunderstanding hidden here. But as I don’t understand what you’re talking about here I may be wrong…

Regards,
Johan

v2.46.0 | Report a Bug | By Email | System Status