> On 2 Jun 2026, at 15:25, Philip Homburg <[email protected]> wrote:
>
>> Having analysed root-server traffic via DITL data, I am acutely aware of the need for
>> *complete* privacy protection. Since the best way to keep things secret is not to tell
>> anyone, I see that LocalRoot fulfills that promise. The other methods go a long way, but
>> do not stop your queries from ending up in, say, DITL data.
>
> What I find problematic is that only a small part of query traffic is considered.
>
> Most DNS queries do not just go to the root and stop there. Queries continue to TLDs,
> SLDs, etc.
>
> For an on-path attacker, does a local root provide much protection? Not really, the
> attacker will see the query go to the TLD.
>
> With local root, root operators will not see the query but operators of TLDs will. Are
> root operators less trustworthy than TLD operators? It seems that the answer is yes
> because root operators participate in DITL. So maybe a local root is a good idea.
>
> When considering all upstream traffic of a resolver to answer a query, is the
> improvement provided by a local root significant?
I agree that LocalRoot is not complete DNS privacy. Queries will still go to TLDs and authoritative servers.

My point is narrower: LocalRoot removes one unnecessary disclosure point. Root traffic is uniquely aggregated and studied (e.g., via DITL), so preventing queries from leaving the local environment at the root level is still a meaningful privacy improvement.

This is not about whether root operators are more or less trustworthy than TLD operators. It is about minimising disclosure. If a query does not need to go to the root, not sending it there is the better privacy outcome.

So yes, LocalRoot is only a partial solution, but reducing upstream exposure is still significant.

Warmly,
Roy

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
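To make the "disclosure points" argument of the two messages above concrete, here is a small toy model of iterative resolution, added as an illustration and not code from either poster or from any resolver implementation. It walks a constructed delegation tree (the operator names, zone names and the 192.0.2.10 address are made up) and records which upstream operator sees each query on a cold cache, once with the root served over the network and once with the root answered from a local copy. The model ignores caching, QNAME minimisation and glue, so it only shows the per-query disclosure path the thread is discussing.

```python
"""Toy model of upstream query disclosure with and without a local root copy.

Constructed delegation data for illustration only; this is not the real
root zone and not the code of any resolver.
"""
from collections import Counter

# Constructed delegation tree: zone apex -> operator that answers for it,
# the child zones it delegates, and the records it holds at the leaves.
ZONES = {
    ".": {"operator": "root-operator", "children": {"com.", "org."}, "records": {}},
    "com.": {"operator": "com-tld-operator", "children": {"example.com."}, "records": {}},
    "org.": {"operator": "org-tld-operator", "children": set(), "records": {}},
    "example.com.": {
        "operator": "example-sld-operator",
        "children": set(),
        "records": {"www.example.com.": "192.0.2.10"},  # constructed address
    },
}


def _suffixes(qname):
    """Zone names covering qname, most specific first, ending at the root.

    "www.example.com." -> ["www.example.com.", "example.com.", "com.", "."]
    """
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def resolve(qname, local_root=False):
    """Return (answer, operators contacted in order) for a cold-cache lookup.

    With local_root=True the referral (or NXDOMAIN) at the root is taken from
    the resolver's own copy of the root zone, so no root operator is contacted;
    every later step still goes upstream exactly as before.
    """
    contacted = []
    zone = "."
    while True:
        if not (local_root and zone == "."):
            contacted.append(ZONES[zone]["operator"])
        # Follow the delegation that covers the query name, if there is one.
        child = next((z for z in _suffixes(qname) if z in ZONES[zone]["children"]), None)
        if child is not None:
            zone = child
            continue
        # No further delegation: this zone either holds the name or it does not exist.
        return ZONES[zone]["records"].get(qname), contacted


def disclosure_profile(qnames, local_root=False):
    """Count how many of the given queries each upstream operator observes."""
    counts = Counter()
    for qname in qnames:
        _, contacted = resolve(qname, local_root=local_root)
        counts.update(contacted)
    return counts


if __name__ == "__main__":
    sample = ["www.example.com.", "www.example.com.", "nosuch.invalidtld."]
    for flag in (False, True):
        print("local root" if flag else "network root", dict(disclosure_profile(sample, flag)))
```

Running the block shows the narrow point of Roy's reply: the TLD and SLD operators see exactly the same queries either way, but the root operator drops out of every path, and a query for a name under a non-existent TLD is answered from the local copy without contacting anyone at all. It equally shows Philip's point that the TLD and SLD exposure is untouched.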
