Description
RFC 9539 - Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS (also known as ‘Blind Probing’) was published over two years ago and amongst the stated goals were:
- Protection from passive attackers for recursive-to-authoritative DNS queries.
- A road map for gaining real-world experience at scale with encrypted protections of this traffic.
- A bridge to some possible future protection against a more powerful attacker.
Sadly however, it has seen only limited deployment - whilst some open resolvers have adopted it, most authoritative operators are reluctant to do so due to significant operational and performance concerns. As a result, none of the above goals are being fully realised and the real-world experience at scale with encrypted transports has not progressed. The ‘big win’ of shifting as much recursive-to-auth traffic as possible to use at least opportunistic encryption seems stalled at present.
In this presentation we will drill into several related issues:
- What are the specific factors preventing adoption of encrypted transports by authoritative servers today, and what solutions should the community consider?
- What do the criteria look like for establishing encrypted transports as a feasible and scalable solution?
- What positive steps can we take to encourage experimentation with, and confidence building around, encrypted transports today? Can the community create a new roadmap to de-risk encrypted transport deployment and drive future adoption?
- How can we better harmonize opportunistic deployment in the existing namespace with future developments to provide the maximum privacy benefit to users?
| Talk duration | 10 Minutes (+5 for Q&A) |
|---|---|