Peter van Dijk <peter.van.d...@powerdns.com> wrote:

> On Sat, 2020-10-31 at 13:52 -0700, Brian Dickson wrote:
>
> > Using NS names in a separate zone or zones (for each DNS operator) is
> > scalable, and facilitates DNSSEC signing, at little to no incremental
> > cost and little to no operational complexity
>
> The incremental cost for a resolver (doing a full resolution process
> for the TLSA records of one or more NS names) is not small, and neither
> are the latency costs. For 'popular' name servers, this cost can mostly
> be amortised, leaving the penalty with any domain hosted on a NSset
> that only has a few domains.
Yes. However I think the relative cost of TLSA lookups is much less when
a resolver implements delegation revalidation, because then it's fetching
authoritative A and AAAA anyway, so it can fetch TLSA concurrently.

https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/

> > Using TLSA records at _853._tcp.<NS_NAME> in a signed zone provides an
> > unambiguous signal to use optionally TLSA, in a downgrade-resistant
> > manner.
>
> Not downgrade-resistant, until NS names in delegations become signed.

Or until the parent nameservers support authenticated encrypted
transports. Even so I think delegations should be signed.

A (the?) major issue with this whole ADoT effort is the bad trade-off
between a delegation-centric design (where the DoT signal is in the
parent zone), which has really formidable deployment obstacles and
really troublesome scalability issues, or a DNS-hosting-provider-centric
design, which has poor performance and downgrade weaknesses.

If (big if) we think it's worth upgrading the DNS delegation model (and
EPP, and all the registries and registrars, and all the IPAM databases
and user interfaces, and documentation and textbooks), can we also tackle
the scalability problem? By "scalability" I mean the need for a hosting
provider to update NNNNN delegations when a server cert changes.

And there are decades old problems keeping delegation NS and glue and DS
records correct. (A large chunk of the "it's always DNS" meme comes from
how hard it is to understand delegations and update them correctly.)
This whole area is a massive pain in the arse sorely in need of universal
automation. Any serious attempt at improving delegations needs to deal
convincingly with the question of why support for CDS, CDNSKEY, and
CSYNC is so appallingly bad.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
North Utsire, South Utsire: Southwesterly 5 to 7. Rough, occasionally
very rough later. Occasional rain. Good, occasionally poor.
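As an added illustration (not code from the thread or from any of its participants) of the TLSA-at-_853._tcp.<NS_NAME> scheme discussed above: a resolver derives the TLSA owner name for each NS name in the NS RRset (so it can be fetched alongside the A/AAAA records during revalidation), parses the TLSA RRs, and matches the server's presented certificate against them before trusting DoT. All NS names and certificate bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

# Added example, not code from the thread. NS names and certificate
# bytes used with these functions are constructed sample values.

def tlsa_owner(ns_name: str) -> str:
    """Owner name of the TLSA RRset that signals DoT for one NS name."""
    return f"_853._tcp.{ns_name.rstrip('.').lower()}."

def tlsa_owners(ns_set):
    """Map each NS name in an NS RRset to the TLSA name to fetch with A/AAAA."""
    return {ns: tlsa_owner(ns) for ns in ns_set}

def publish_record(spki_der: bytes) -> str:
    """Presentation-format TLSA RR an operator would publish: DANE-EE, SPKI, SHA-256."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"

@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE (RFC 6698)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))

def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies one DANE-EE TLSA record."""
    if rr.usage != 3:          # other usages also need PKIX chain validation
        return False
    target = {0: cert_der, 1: spki_der}.get(rr.selector)
    if target is None:
        return False
    if rr.mtype == 0:
        return rr.data == target
    if rr.mtype == 1:
        return rr.data == hashlib.sha256(target).digest()
    if rr.mtype == 2:
        return rr.data == hashlib.sha512(target).digest()
    return False

def dot_allowed(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """Any matching RR authorises DoT to this NS. Only pass an RRset that
    DNSSEC-validated as secure: an unsigned answer gives no downgrade protection."""
    return any(tlsa_matches(parse_tlsa(r), cert_der, spki_der) for r in rrset)
```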
_______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy