7–8 Oct 2025
Quality Hotel Globe
Europe/Stockholm timezone

DNS Transport Signaling: Avoiding the Chicken-and-Egg Problem

7 Oct 2025, 14:45
15m
Stjärnrummet (Quality Hotel Globe)

Arenaslingan 7, 121 77 Johanneshov, Sweden
In-Person · Standard Presentation · Public · Workshop · OARC 45 Day 1

Speaker

Johan Stenstam (Swedish Internet Foundation)

Description

I have two proposals for OARC45. This is the first.

There are presently two “mainline” paths towards deployment of DoT / DoQ for authoritative DNS service between auth server and resolver. The first is RFC 9539 (“blind probing”) and the second is “wait for DELEG”.

Both have problems.

In the RFC 9539 case the problem is creating enough incentive for auth server and resolver operators to actually implement it. But also, even once implemented, RFC 9539 does not provide any “signal” that would let an operator differentiate between “we are now testing our ability to provide {transport}” and “we are now ready and support production traffic over {transport}”.

In the DELEG case the problem is that we simply don’t have DELEG yet, and given the complexity of the current DELEG proposal it seems likely that it will be ~10 years until we have wide scale deployment of DELEG. And from a privacy POV, it really is wide scale deployment that is required.

We therefore propose a hybrid approach:

Take the transport signaling mechanism from DELEG (i.e. put the transport signal inside an SVCB). Attach this SVCB to the additional section for authoritative responses from a nameserver authoritative for the zone as a statement about its own transport capabilities. If the zone with the nameserver is signed, then the SVCB will be verifiable, otherwise not.

This is an operational change, not a protocol change (i.e. it is already allowed by the DNS protocol). What is needed is operator feedback that this would be a sensible approach to get around the “chicken-and-egg” problem that has made encrypted DNS transport for auth DNS get mostly nowhere for way too many years.
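As an added example (not code from the talk, the Internet-Draft or the Swedish Internet Foundation), the following Python sketches the two halves of the mechanism described above: the authoritative side encodes an SVCB record in RFC 9460 wire format that advertises its encrypted transports via the ALPN and port SvcParams, and the resolver side inspects the additional section and only switches transport when the record was DNSSEC-validated, treating an unverifiable SVCB from an unsigned zone as a mere hint. The `_dns.` owner-name prefix follows RFC 9461's convention for DNS-server service bindings; whether the draft uses exactly that owner name and exactly these SvcParams is an assumption, and the `response` structure is a constructed stand-in for a real parsed DNS message.

```python
"""Added example: SVCB-based transport signal in the additional section.
Assumptions (not taken from the talk): owner name is "_dns." + NS name as in
RFC 9461; capabilities are carried in the RFC 9460 "alpn" and "port" params.
"""
import struct

# SvcParamKey numbers from RFC 9460
KEY_ALPN = 1
KEY_PORT = 3
ENCRYPTED_ALPNS = {"dot": "DoT", "doq": "DoQ"}  # RFC 9461 ALPN identifiers


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (SVCB target names are never compressed)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def encode_svcb_rdata(priority: int, target: str, alpns, port=None) -> bytes:
    """ServiceMode SVCB RDATA: priority, target, then SvcParams in ascending key order."""
    rdata = struct.pack("!H", priority) + encode_name(target)
    params = [(KEY_ALPN, b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpns))]
    if port is not None:
        params.append((KEY_PORT, struct.pack("!H", port)))
    for key, val in sorted(params):          # RFC 9460: keys strictly increasing
        rdata += struct.pack("!HH", key, len(val)) + val
    return rdata


def decode_svcb_rdata(rdata: bytes):
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params = {}
    last_key = -1
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:                  # duplicate or out-of-order key: malformed
            raise ValueError("malformed SvcParams")
        last_key = key
        val = rdata[off:off + ln]
        off += ln
        if key == KEY_ALPN:
            alpns, i = [], 0
            while i < len(val):
                n = val[i]
                alpns.append(val[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            params["alpn"] = alpns
        elif key == KEY_PORT:
            params["port"] = struct.unpack("!H", val)[0]
        else:
            params[key] = val                # unknown keys are kept opaque
    return priority, target, params


def svcb_presentation(ns_name: str, priority: int, target: str, alpns, port=None) -> str:
    """Zone-file form of the record an operator would publish next to its NS."""
    rr = f"_dns.{ns_name} SVCB {priority} {target} alpn=\"{','.join(alpns)}\""
    return rr + (f" port={port}" if port is not None else "")


def choose_transport(response: dict, ns_name: str):
    """Resolver-side decision. `response["additional"]` is a constructed list of
    (owner, rtype, rdata, dnssec_validated). Returns (transport, target, port)."""
    for owner, rtype, rdata, validated in response["additional"]:
        if rtype != "SVCB" or owner != "_dns." + ns_name:
            continue
        if not validated:
            # Unsigned zone: the capability claim cannot be verified, so it is
            # only a hint. Stay on the current transport rather than trust it.
            continue
        priority, target, params = decode_svcb_rdata(rdata)
        if priority == 0:                    # AliasMode carries no SvcParams
            continue
        for alpn in params.get("alpn", []):
            if alpn in ENCRYPTED_ALPNS:
                return ENCRYPTED_ALPNS[alpn], target, params.get("port", 853)
    return "Do53", ns_name, 53               # no usable signal: classic DNS


if __name__ == "__main__":
    rdata = encode_svcb_rdata(1, "ns1.example.", ["doq", "dot"])
    signed = {"additional": [("_dns.ns1.example.", "SVCB", rdata, True)]}
    print(svcb_presentation("ns1.example.", 1, "ns1.example.", ["doq", "dot"]))
    print(choose_transport(signed, "ns1.example."))
```

The decision function deliberately returns the classic transport when the SVCB is present but not validated: that is exactly the "if the zone with the nameserver is signed, then the SVCB will be verifiable, otherwise not" distinction, and it is what keeps an unsigned, spoofable additional-section record from steering a resolver.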

I will point out that there is an Internet-Draft describing this and I have presented this proposal at the IETF in Madrid. However, there is no protocol work and the primary need is operator feedback (which is much better at OARC than at IETF these days) and that makes OARC an optimal venue for this discussion.

I apologize for not having any slides ready, but this is in the middle of vacation and I was just reminded that the submission deadline is today, so this is the best I can do right now.

Regards,
Johan Stenstam
Swedish Internet Foundation

Talk duration 10 Minutes (+5 for Q&A)
Other conferences? This abstract has not been submitted elsewhere. The actual proposal has recently been presented at IETF, but this talk has a different angle.

Primary author

Johan Stenstam (Swedish Internet Foundation)

Presentation materials

There are no materials yet.