ADoT/Q Table Talk notes and feedback

General notes:

This table talk had 10 or more attendees every day, and the discussions ran at full capacity.

Attendees represented various parts of the DNS ecosystem, including researchers, software vendors, resolver operators, authoritative operators and root operators.

8 Oct 2025 - Day 1

Attendees (not a complete list): K root, H root, NS1, Quad9, Infoblox

  • When enabling encryption on root or high-traffic authoritative servers, there are uncertainties regarding potential impacts on load and stability.
  • Root operators generally view themselves as the last group to enable this feature.
  • Given the widespread use of QNAME minimization, the root mostly sees only the TLD label of a query, so the privacy benefit of encrypting resolver-to-root traffic is small; the topic may be less relevant to root operators and more applicable to other authoritative servers.
  • There was discussion about how using hyperlocal roots might benefit resolver operators.
  • One perspective was that resolver operators prefer to limit the operational risks of running hyperlocal roots, especially since many already operate very close to root instances.
  • On the authoritative side, there is limited customer demand. As commercial entities, authoritative operators tend to prioritize based on customer needs, and they do not observe significant awareness of, or demand for, encrypted transport from their customers.
  • Recursive operators, based on their operational experience, see clear value in enabling encryption between resolvers and authoritative servers. They have observed instances of targeted censorship that encryption could help mitigate.
  • At the same time, there is reluctance to share such experiences publicly, as this could draw unwanted attention and potentially affect their presence in certain regions.
  • There is also a risk of censorship at the protocol level, for example by blocking the DoT port (TCP 853) on the path. In such cases, resolvers configured for opportunistic encryption may silently fall back to Do53, which undermines the purpose of encryption and hides the blocking from the operator.
  • Although most authoritative software stacks already support at least DoT, the resolver ecosystem still lags behind. Some major resolver implementations lack DoT or DoQ support for outbound queries.
  • Overall, there appears to be limited awareness of this topic, and the importance or benefits of encryption are not well understood across different stakeholders.
  • Software vendors are waiting for the standardization of DELEG, which is expected to enable broader adoption of encrypted DNS between resolvers and authoritative servers (ADoX).

9 Oct 2025 - Day 2

Attendees (not a complete list): Switch (.ch), SIDN (.nl), DENIC (.de), nic.at, Google, RIPE NCC

  • Representatives from several ccTLDs noted that there is little to no demand for encrypted resolver-to-authoritative communication, and the topic has not been widely discussed or considered a requirement.
  • At the same time, they expressed concerns about potential impacts on performance and stability. (Similar concerns were raised by root operators in the previous day’s session.)
  • There is a lack of secure signaling mechanisms: an authoritative server has no authenticated way to tell a resolver that it offers encrypted transport, so a resolver either probes blindly or relies on configuration.
  • Google has supported DoT for resolver-to-authoritative communication for 5+ years.
  • Quad9 began a canary deployment of opportunistic DoT earlier this year and plans full deployment by Q4 2025.
  • There is a general lack of awareness about this issue across the DNS ecosystem.
  • Authoritative operators view encryption as operationally complex and costly, particularly since there is no visible demand for it. There were clear concerns about the certificate management aspect (issuance, rotation and expiry on large anycast fleets).
  • Current resolver and authoritative software implementations do not provide sufficient observability or statistics, which makes operators hesitant to deploy due to the inability to assess impact.
  • However, such requirements have not been formally raised with software vendors.
  • DNS operators at various levels are now recognized as critical infrastructure operators (particularly in the EU). This increased responsibility makes them more cautious about taking on additional risks, such as enabling encryption, and slows down the decision-making process.
  • There are concerns about the lack of transparency and absence of signaling between resolvers and authoritative servers in failure scenarios.
  • Handling of failure conditions remains unclear: for example, how to deal with expired certificates, and what happens when an encrypted connection to an authoritative server fails for any reason. There are particular concerns about the risk of a TLD zone becoming inaccessible because encrypted connections cannot be established.
  • There is no best-practices document or operational guidance currently available on this topic.
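The failure-handling points raised on both days (Day 1: protocol-level blocking and silent fallback to Do53; Day 2: expired certificates and encrypted connections to an authoritative server that fail) are easier to reason about with a concrete client in front of you. The following is an added example, not code from the table talk or from any vendor or operator named in these notes: a minimal resolver-side DoT client in Python that makes the strict vs. opportunistic choice (the RFC 8310 usage profiles) and the downgrade to Do53 explicit and logged instead of silent. The server name ns.example.net, the query name example.net and the mode knob are assumptions for illustration; the wire format is a plain RFC 1035 query with the two-byte length prefix that DoT (RFC 7858) reuses from DNS over TCP.

```python
"""Added example (not the notes' own code): a resolver-to-authoritative DoT client
whose fallback to Do53 is an explicit, logged decision. Host and zone names are
assumptions for illustration."""
import logging
import socket
import ssl
import struct

log = logging.getLogger("adot")


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query, RD=0, as a resolver asks an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS framing (RFC 1035 4.2.2, reused by RFC 7858): 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf: bytes) -> bytes:
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) - 2 < n:
        raise ValueError("short DNS-over-TCP frame")
    return buf[2:2 + n]


def response_matches(query: bytes, resp: bytes) -> bool:
    """Sanity check before trusting a reply: same transaction id and QR bit set."""
    return len(resp) >= 12 and resp[:2] == query[:2] and bool(resp[2] & 0x80)


def plan_on_failure(mode: str) -> str:
    """What to do once every encrypted attempt has failed.
    strict (RFC 8310): no cleartext fallback; the zone is unreachable, answer SERVFAIL.
    opportunistic: fall back to Do53, but only with a log record, so the downgrade is
    visible. A silent downgrade looks exactly like a working deployment."""
    if mode == "strict":
        return "servfail"
    if mode == "opportunistic":
        return "do53"
    raise ValueError(f"unknown mode {mode!r}")


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def query_do53(server: str, query: bytes, timeout: float) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        return udp.recv(4096)


def query_authoritative(server: str, qname: str, mode: str = "opportunistic",
                        timeout: float = 3.0) -> bytes:
    """Try authenticated TLS first. In opportunistic mode also accept unauthenticated
    TLS (still encrypted; this is the expired-certificate case). Only when TLS itself
    is unavailable, e.g. TCP/853 blocked on the path, consult plan_on_failure()."""
    q = build_query(qname)
    attempts = [("tls-authenticated", ssl.create_default_context())]
    if mode == "opportunistic":
        unauth = ssl.create_default_context()
        unauth.check_hostname = False      # must be cleared before verify_mode
        unauth.verify_mode = ssl.CERT_NONE
        attempts.append(("tls-unauthenticated", unauth))
    last = None
    for label, ctx in attempts:
        try:
            with socket.create_connection((server, 853), timeout=timeout) as raw, \
                 ctx.wrap_socket(raw, server_hostname=server) as tls:
                tls.sendall(frame_tcp(q))
                (n,) = struct.unpack("!H", _recv_exact(tls, 2))
                resp = _recv_exact(tls, n)
            if not response_matches(q, resp):
                raise ValueError("reply does not match query")
            log.info("%s %s answered via %s", server, qname, label)
            return resp
        except (ssl.SSLError, OSError, ValueError) as exc:
            last = exc
            log.warning("%s %s: %s failed: %s", server, qname, label, exc)
    if plan_on_failure(mode) == "servfail":
        raise RuntimeError(f"strict DoT to {server} failed: {last!r}")
    # This line is the observability the notes ask for: count and alert on it.
    log.warning("DOWNGRADE %s %s -> Do53 after %r", server, qname, last)
    return query_do53(server, q, timeout)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # ns.example.net / example.net are assumed names; point them at an authoritative
    # server that offers TCP/853 to exercise the tls-authenticated path.
    print(len(query_authoritative("ns.example.net", "example.net", mode="opportunistic")))
```

The three transports are deliberately kept distinct in the log (tls-authenticated, tls-unauthenticated, DOWNGRADE to Do53) because they answer different questions from the Day 2 discussion: an expired certificate shows up as the second label without any loss of confidentiality, whereas a blocked or failing port 853 shows up as a downgrade that an operator can count, graph and alert on. In strict mode the same code path raises instead of downgrading, which is the behaviour the TLD operators were worried about (a zone becoming unreachable); choosing between the two is exactly the policy decision the notes say no guidance document yet covers.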