From: dns-privacy <[email protected]> On Behalf Of Tim Wicinski Sent: Monday, July 12, 2021 1:12 PM To: DNS Privacy Working Group <[email protected]> Cc: [email protected] Subject: [EXTERNAL] [dns-privacy] WG strategy on opportunistic vs authenticated moving forward
Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. All, The chairs have been watching the working group while we prepare for the upcoming meeting, and working through the proposals and arguments that keep coming up. We feel there is strong consensus to work on opportunistic encryption and that it may be beneficial to discuss possible experimental deployments with a version of the currently documented approach (draft-ietf-dprive-unauth-to-authoritative). The concern with lumping the root, TLDs, and SLDs into one solution is that there are contractual issues with what can be in a zone above an SLD. These limitations are potentially an issue with some solutions that need/want new records in the parent’s zone. We feel like the WG will not be able to make additional progress on any of the proposed solutions until we can reach consensus on whether the solution should be homogeneous from the root down or that the real focus is on SLDs and down. We've asked Paul and Petr to not focus on the common-features document and move that content back into their draft. The authors of draft-rescorla-dprive-adox-latest will be incorporating concepts from draft-schwartz-dprive-name-signal as a next step for the authenticated encryption proposal. This should provide a more concrete proposal that can be considered for WG adoption. The chairs would like to solicit any input/feedback on the above as we prepare for our session during IETF 111. [SAH] Knowing that there are concerns from the root server operators and operators of some top-level domains about both the server resource overhead of adding support for encryption and the value proposition in doing so, my preference would be for the WG to focus on solutions for authoritative name servers serving zones that aren’t delegation-centric. The recursive-to-authoritative resolution environment is already heterogeneous, and data minimization techniques (such as QNAME minimization) are available to reduce information disclosure during exchanges at the delegation-centric levels. There may be more interest in experimentation using non-delegation-centric zones and name servers where the data minimization techniques aren’t available, and those experiments can help guide the “increased deployment in other parts of the DNS hierarchy” mentioned in the statement from the root server operators [1]. [1] https://root-servers.org/media/news/Statement_on_DNS_Encryption.pdf Scott
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
