On Tue, Mar 30, 2021 at 5:33 PM Stephen Farrell <stephen.farr...@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 31/03/2021 01:24, Eric Rescorla wrote:
> > As I said earlier, this seems overly conservative given our experience
> > with large scale TLS-based services.
>
> For the root servers, I don't get why QNAME minimisation
> isn't enough? If it is enough, that'd imply to me that the
> root server operators statement is fine, so long as it
> is only read to apply to root servers and not TLDs.
>
> >
> > With that said, this doesn't seem to me to present a severe problem:
> > there are a relatively small number of TLD servers, so we could probably
> > create a lookaside list of which ones support TLS as suggested in
> > draft-rescorla-dprive-adox-latest-00 Section 3,
>
> I agree that the privacy issues with TLD servers are more
> worthy of attention and I guess require encryption if we are
> to improve things. I'm not saying the above draft is a good
> way to handle that, but the problem in querying TLDs is real,
> whereas for root servers it seems to me way less of a deal.
>
> Or... am I confused? (That happens often:-)


As Erik indicates, it's possible that the TLD is sensitive, though it's
a bit hard to evaluate that risk.

However, recall that the TLS connection to the parent is what protects the
NS records for the child, as they are not DNSSEC signed. Thus, one has a
somewhat fragile situation if one has to store a lookaside list of the TLS
status (and at some level the nameservers!) for the TLDs. I'm not saying
it's unmanageable, but it's not amazing.

-Ekr
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
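The exchange above turns on what each authoritative server learns about a query: with QNAME minimisation the root only sees the TLD label, but the TLD server still sees the second-level name, which is why the thread treats TLD queries as the part worth encrypting. The following is an added example, not code from the thread or from any of the drafts it mentions. It is a deliberately simplified model of RFC 7816 QNAME minimisation: the zone cuts are assumed to be known in advance (a real resolver discovers them while iterating), the query type is ignored, and names like `example.com.` and the zone-cut set are constructed inputs.

```python
"""
Simplified model of QNAME minimisation (RFC 7816) showing which name each
authoritative zone on the resolution path gets to see.

Added example, not from the dns-privacy thread. Assumptions: zone cuts are
supplied up front as absolute zone names (e.g. {".", "com.", "example.com."}),
query type, glue and CNAME chasing are ignored.
"""


def labels(qname):
    """Split an absolute name into labels, root-most first.
    'www.example.com.' -> ['com', 'example', 'www'];  '.' -> []"""
    return [l for l in qname.rstrip(".").split(".") if l][::-1]


def to_name(labs):
    """Inverse of labels(): a tuple/list of labels back to an absolute name."""
    return ".".join(reversed(labs)) + "." if labs else "."


def _zone_for(asked, cuts):
    # The zone consulted for a name is the longest known zone cut that is a
    # proper ancestor of that name (the root cut () always qualifies).
    return max(
        (c for c in cuts if len(c) < len(asked) and asked[: len(c)] == c),
        key=len,
    )


def minimised_queries(qname, zone_cuts):
    """Return the (zone asked, name asked) pairs a minimising resolver sends.
    Each query adds exactly one label, so a server only learns the name up
    to the label that belongs in its own zone (or one below it)."""
    labs = labels(qname)
    cuts = {tuple(labels(z)) for z in zone_cuts}
    out = []
    for i in range(1, len(labs) + 1):
        asked = tuple(labs[:i])
        out.append((to_name(_zone_for(asked, cuts)), to_name(asked)))
    return out


def full_queries(qname, zone_cuts):
    """Without minimisation: every zone on the path receives the full name."""
    labs = tuple(labels(qname))
    cuts = {tuple(labels(z)) for z in zone_cuts}
    path = sorted(
        (c for c in cuts if len(c) < len(labs) and labs[: len(c)] == c),
        key=len,
    )
    return [(to_name(z), qname) for z in path]


def exposure(queries):
    """Map each zone consulted to the most specific name it saw."""
    seen = {}
    for zone, name in queries:
        if zone not in seen or len(labels(name)) > len(labels(seen[zone])):
            seen[zone] = name
    return seen


if __name__ == "__main__":
    cuts = {".", "com.", "example.com."}  # constructed zone-cut set
    for fn in (minimised_queries, full_queries):
        print(fn.__name__)
        for zone, name in exposure(fn("a.b.example.com.", cuts)).items():
            print(f"  {zone:14} sees {name}")
```

Running it shows the asymmetry the thread discusses: under minimisation the root only ever sees `com.`, while the `com.` servers see `example.com.` and the `example.com.` servers see the full name; without minimisation all three see `a.b.example.com.`. Minimisation removes the root's view of the sensitive part of the name, but nothing short of encrypting the query to the TLD server hides the second-level domain from it.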
