Hacker News
by firebird84 2041 days ago
What's the issue with having TLS-based authoritative lookups? I know it seems out of scope for what Mozilla's asking, but it seems like the missing piece of the puzzle to me.

It's great if your recursive resolver is trusted (maybe you trust cloudflare or nextdns), but what if you don't trust anyone and want to run your own TRR? From what I can see from my own TRR the queries to authoritative DNS are sent in the clear... Edit: On further thought, I realize that querying myanimememes.com's authoritative DNS CAN reveal which site you're interested in, but I believe most sites delegate their authoritative DNS these days to third parties.

3 comments

There are a bunch of awkward constraints and trade-offs that make it difficult to do DNS-over-TLS to authoritative servers. I have some work in progress trying to write a reasonably comprehensive analysis of how to go about it (I have been waiting years for someone else to and finally lost patience...)

https://mailarchive.ietf.org/arch/msg/dns-privacy/Fv91jt_n2-...

https://github.com/fanf2/draft-dprive-adot

> but what if you don't trust anyone and want to run your own TRR?

You can do that today. Run your own DNS server w/ DoH as an endpoint (dnscrypt-proxy provides an avenue, you can also use nginx to do this). Then have enterprise policies on your network to point DoH clients to use this resolver.

The problem is if your TRR can be associated with you, then outgoing queries to authoritative servers can be tracked.
I don't know if this is a solvable problem that doesn't require boiling the ocean. Opportunistic TLS would work fine but if the authoritative server for some domain doesn't do TLS then you're kinda stuck.
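As an added example, not code from this thread nor from dnscrypt-proxy or nginx: the RFC 8484 message encoding that a self-hosted DoH endpoint of the kind described above has to accept (base64url DNS wire format in the `dns` GET parameter) and return (`application/dns-message`). The resolver hostname, the `/dns-query` path and the sample response bytes are assumptions or constructed for illustration.

```python
# Added example, not code from the thread, dnscrypt-proxy or nginx: RFC 8484 DoH encoding.
import base64
import struct

DOH_PATH = "/dns-query"  # assumed endpoint path (the usual client default)

def encode_name(name: str) -> bytes:
    """Hostname -> DNS wire-format labels, ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Recursion-desired query with ID 0, as RFC 8484 recommends for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(base: str, wire: bytes) -> str:
    """Wire message -> base64url without padding in the 'dns' query parameter."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base}{DOH_PATH}?dns={token}"

def parse_answers(wire: bytes):
    """Return (qname, [IPv4 strings]) for the A records in a response message."""
    _id, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    pos, labels, addrs = 12, [], []
    while wire[pos]:  # question name is sent uncompressed
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4  # root label, then QTYPE/QCLASS
    for _ in range(an):
        if wire[pos] & 0xC0 == 0xC0:  # compression pointer back to the question name
            pos += 2
        else:  # uncompressed owner name: skip its labels
            while wire[pos]:
                pos += 1 + wire[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[pos:pos + 4]))
        pos += rdlen
    return ".".join(labels), addrs

# Constructed sample response (not captured traffic): www.example.com A 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + encode_name("www.example.com")
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 1]))
```

The name decoded from the `dns` parameter is exactly what the self-hosted TRR then asks the authoritative servers for, and that upstream leg, unlike the DoH leg, is the cleartext one the thread is concerned with.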