7–8 Oct 2025 Workshop
Quality Hotel Globe
Europe/Stockholm timezone

DNS Transport Signaling: Avoiding the Chicken-and-Egg Problem

7 Oct 2025, 14:45
15m
Stjärnrummet (Quality Hotel Globe)
Arenaslingan 7, 121 77 Johanneshov, Sweden

In-Person | Standard Presentation | Public | Workshop | OARC 45 Day 1

Speaker

Johan Stenstam (Swedish Internet Foundation)

Description

There are presently two “mainline” paths towards deployment of DoT / DoQ for authoritative DNS service between auth server and resolver. The first is RFC 9539 (“blind probing”) and the second is “wait for DELEG”.

Both have problems.

In the RFC 9539 case the problem is twofold. First, there is the question of creating enough incentive for auth server and resolver operators to actually implement it. Second, even once implemented, RFC 9539 does not provide any “signal” that lets an operator differentiate between “we are now testing our ability to provide {transport}” and “we are now ready and support production traffic over {transport}”.

In the DELEG case the problem is that we simply don’t have DELEG yet, and given the complexity of the current DELEG proposal it seems likely to be ~10 years before we have wide-scale deployment of DELEG. And from a privacy point of view, it really is wide-scale deployment that is required.

We therefore propose an enhanced approach in which a signaling mechanism is added. Pros and cons of this alternative are presented. The proposal is purely operational. What is needed is operator feedback on whether this would be a sensible way around the “chicken-and-egg” problem that has kept encrypted DNS transport for auth DNS from getting anywhere for far too many years.

Talk duration: 10 minutes (+5 for Q&A)

Other conferences: This abstract has not been submitted elsewhere. The actual proposal has recently been presented at IETF, but this talk has a different angle.

Primary author

Johan Stenstam (Swedish Internet Foundation)