[dns-operations] DNS-over-TLS in public resolvers

Phillip Hallam-Baker phill at hallambaker.com
Mon Mar 6 12:59:36 UTC 2017


On Mon, Mar 6, 2017 at 3:33 AM, Marat Khalili <mkh at rqc.ru> wrote:

> There are two issues, both of which I brought up at the start of DPRIV:
>
> 1) Must be supported by browsers.
> 2) Protocol MUST be entirely state free
>
> If you want a protocol to be deployed, you need to solicit input from the
> people who you need for deployment and take notice of it. DNS over anything
> TCP is not going to measure up.
>
> DNS-over-TLS in public resolvers would be very useful for small-scale DNS
> repeaters in corporations and ISPs. They usually connect to a few public
> resolvers and can easily keep these connections alive. Persistent TCP
> connections place a much lighter burden on firewalls than UDP requests, so
> there might be an overall performance gain on both sides.
>
> QUIC, SCTP and similar future technologies can be even better, but are
> obviously not ready for deployment here and now. TLS is.
>
No. TLS is not ready for deployment because the protocol model for TLS
(and for that matter DTLS) is not compatible with running a large public
resolver.

I find it rather astonishing that no lessons were learned from DANE. The
DPRIV group was told what was required to deploy and the advice was
rejected in favor of using TLS 'for speed of deployment'.

What they meant was ease of implementation which is a different and much
less difficult problem.
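The persistent-connection model that the quoted reply describes, as an added example that is not code from either poster: a DNS-over-TLS client that pipelines several queries over one TLS session using the 16-bit length framing of RFC 7766 / RFC 7858, and routes each reply by message ID because a server may answer out of order. The resolver parameters, the offline stand-in stream with its constructed A-record responses, and every function name here are assumptions of this example, not anything from the thread.

```python
"""DNS-over-TLS framing over one persistent connection (RFC 7766 / 7858).

Added example, not code from the mailing-list thread.  Resolver address,
constructed responses and helper names are assumptions."""
import socket
import ssl
import struct


def build_query(qname: str, qtype: int, qid: int) -> bytes:
    """Minimal DNS wire-format query: 12-byte header + one question, RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """On TCP/TLS every DNS message is prefixed with its 16-bit length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def read_exact(recv, n: int) -> bytes:
    """Collect exactly n bytes from a recv(n) callable; raise on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_message(recv) -> bytes:
    """Read one length-prefixed DNS message from the stream."""
    (length,) = struct.unpack("!H", read_exact(recv, 2))
    return read_exact(recv, length)


def parse_header(msg: bytes) -> dict:
    """Decode the fields of the DNS header needed to route a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def exchange_pipelined(send, recv, queries: dict) -> dict:
    """Send every query before reading any reply.  RFC 7766 allows the server
    to answer out of order, so replies are matched by ID, not by arrival."""
    for q in queries.values():
        send(frame(q))
    answers = {}
    while len(answers) < len(queries):
        hdr = parse_header(read_message(recv))
        if hdr["id"] not in queries or not hdr["is_response"]:
            continue  # unknown ID or a non-response: ignore and keep reading
        answers[hdr["id"]] = hdr
    return answers


def _constructed_response(query: bytes, ip: str) -> bytes:
    """Constructed test data: answer the query with one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr


class ConstructedStream:
    """Stands in for a TLS socket; the queued replies arrive in reverse order."""
    def __init__(self, replies):
        self.sent = b""
        self.inbox = b"".join(frame(r) for r in replies)

    def send(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.inbox = self.inbox[:n], self.inbox[n:]
        return chunk


def demo_offline() -> dict:
    """Two pipelined queries whose replies come back out of order."""
    queries = {0x1111: build_query("example.com", 1, 0x1111),
               0x2222: build_query("example.net", 1, 0x2222)}
    stream = ConstructedStream([
        _constructed_response(queries[0x2222], "192.0.2.2"),
        _constructed_response(queries[0x1111], "192.0.2.1"),
    ])
    return exchange_pipelined(stream.send, stream.recv, queries)


def query_over_tls(resolver: str, qnames: list, port: int = 853) -> dict:
    """Live variant: one TLS session, certificate verified, reused for all
    queries.  IDs are sequential; on an authenticated stream they only
    demultiplex and need not be unpredictable as they must be over UDP."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=resolver) as tls:
        queries = {i + 1: build_query(n, 1, i + 1) for i, n in enumerate(qnames)}
        return exchange_pipelined(tls.sendall, tls.recv, queries)


if __name__ == "__main__":
    print(demo_offline())
```

`demo_offline()` runs with no network and shows that both replies are attributed to the right query even though the second one arrives first; `query_over_tls` is the same exchange over a real TLS session to a resolver of your choice on port 853, and is the part a repeater would keep open rather than reconnecting per query.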