Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

To: debian-devel@lists.debian.org
Subject: Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
From: Robert Edmonds <edmonds@debian.org>
Date: Mon, 9 Sep 2019 02:37:27 -0400
Message-id: <[🔎] 20190909063727.6aw7fog5a72ecqjf@mycre.ws>
In-reply-to: <[🔎] ED68ACBF-1848-40D5-A3DC-BA960E10CA8B@sury.org>
References: <[🔎] CAKTje6F4wQ4Ja56cg_iDix=TXTncO4PYit+b9Kpwy8Ui37p2Ag@mail.gmail.com> <[🔎] ED68ACBF-1848-40D5-A3DC-BA960E10CA8B@sury.org>

The entire DNS root zone is only 1 MB compressed and is updated about
once a day. It would be even better for privacy if the whole root zone
were distributed via HTTPS, as the initiator would not reveal to the
server any information about what TLD is being looked up.

There are currently ~1500 TLDs in the root zone. Dividing 1 MB by the
number of TLDs, this is ~700 bytes per TLD, which is roughly the amount
of bandwidth required by a query/response pair of UDP DNS packets to
obtain the delegation for a TLD.

The size of the DNS root zone could also be reduced if it were signed by
an ECC algorithm rather than RSA.

If the ZONEMD resource record (draft-ietf-dnsop-dns-zone-digest) were
standardized and deployed in the root zone, it would allow for
cryptographic verification of the entire contents of the root zone
regardless of the source. So it would not even be necessary to obtain
the root zone from the "official" root name server infrastructure.

That moves the problem down a level to the TLDs, where it is
impracticable to distribute copies of all TLD zone files. So a better
question to ask would be whether any of the DNS TLD servers plan to
implement any of the DNS transport privacy options. That moves the
problem down another level, etc.

The benefit of encrypting the resolver to authoritative side of the DNS
protocol is that it makes it possible to deploy "non stub" caching DNS
resolvers to individual hosts without exposing the plaintext lookup
traffic to either network observers or a centralized resolver operator
such as an ISP or cloud provider.

Ondřej Surý wrote:
> DNSCurve - probably never
> 
> DoT - the current profiles are stub to resolver, when they are profiles for resolver to authoritative and a solid support in the software, the RSSAC will surely talk about this. The deployment will have impact (switching all traffics to TCP? Yay?)
> 
> DoH - I am not sure what would be the benefit for resolver to authoritative, but same as with DoT.
> 
> DNSoQUIC - not yet there, but it might be better option for resolver to authoritative...
> 
> Ondřej
> --
> Ondřej Surý <ondrej@sury.org>
> 
> > On 9 Sep 2019, at 03:17, Paul Wise <pabs@debian.org> wrote:
> > 
> > On Mon, Sep 9, 2019 at 2:31 AM Ondřej Surý wrote:
> > 
> >> Mozilla plans to enable DoH to CloudFlare by default to US based users
> > 
> > Does anyone know if there is any plan for the DNS root servers to
> > enable any of the DNS privacy options? AFAIK the available options are
> > DNSCurve, DoT or DoH.
> > 
> > -- 
> > bye,
> > pabs
> > 
> > https://wiki.debian.org/PaulWise
> > 
> 

-- 
Robert Edmonds
edmonds@debian.org

Reply to:

Follow-Ups:
- Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
  - From: Bjørn Mork <bjorn@mork.no>

References:
- Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
  - From: Paul Wise <pabs@debian.org>
- Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
  - From: Ondřej Surý <ondrej@sury.org>

Prev by Date: Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
Next by Date: Re: Git Packaging Round 2: When to Salsa
Previous by thread: Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
Next by thread: Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
Index(es):
- Date
- Thread