[dns-operations] DNS-over-TLS in public resolvers

Thomas Steen Rasmussen thomas at gibfest.dk
Mon Mar 6 14:13:24 UTC 2017

On 03/06/2017 01:59 PM, Phillip Hallam-Baker wrote:
> On Mon, Mar 6, 2017 at 3:33 AM, Marat Khalili <mkh at rqc.ru> wrote:
>>     There are two issues, both of which I brought up at the start of
>>     DPRIV:
>>     1) Must be supported by browsers.
>>     2) Protocol MUST be entirely state free
>>     If you want a protocol to be deployed, you need to solicit input
>>     from the people who you need for deployment and take notice of
>>     it. DNS over anything TCP is not going to measure up.
>     DNS-over-TLS in public resolvers would be very useful for
>     small-scale DNS repeaters in corporations and ISPs. They usually
>     connect to few public resolvers and can easily keep these
>     connections alive. Persistent TCP connections place much lighter
>     burden on firewalls than UDP requests, so there might be overall
>     performance gain on both sides.
>     QUIC, SCTP and similar future technologies can be even better, but
>     are obviously not ready for deployment here and now. TLS is.
> No. TLS is not ready for deployment because the protocol model for 
> TLS (and for that matter DTLS) is not compatible with running a large 
> public resolver.

If providers running large resolvers today are unwilling to use the 
extra resources that dns-over-tls will require then maybe they should 
stop running large resolvers. This is no different from the people who 
used to complain loudly that HTTPS will never work large scale. Of 
course it will, we might have to throw some more hardware at it though, 
but more likely said hardware will have been naturally replaced with 
newer hardware before we reach high adoption of dns-over-tls. Adoption 
will not happen overnight.

I applaud dns-over-tls and I have much more faith in it than say 
dnscrypt for the simple fact that it is standardised. I am running 
dns-over-tls with nginx which is in no way built to serve DNS - only 
possible because it's all standard TLS. Lovely.

I'll let the list know if I start seeing problems with load because of 
dns-over-tls, but I wouldn't hold my breath.
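The setup described above (a generic TLS terminator in front of an ordinary DNS server) as an added example, not the poster's own configuration: nginx's stream module terminates TLS on port 853 (the DNS-over-TLS port from RFC 7858) and relays the raw TCP stream to a resolver listening on 127.0.0.1:53. Because DNS-over-TLS reuses the two-byte length-prefixed framing of DNS-over-TCP, nginx needs no knowledge of DNS; the certificate paths and the upstream address are assumptions.

```nginx
# Added example: DNS-over-TLS termination with the nginx stream module.
# nginx never parses DNS; it only terminates TLS and forwards TCP bytes.
stream {
    upstream dns_tcp {
        # Assumed: a resolver (unbound, BIND, ...) speaking plain DNS-over-TCP locally.
        server 127.0.0.1:53;
    }

    server {
        listen 853 ssl;                 # RFC 7858 port for DNS-over-TLS
        listen [::]:853 ssl;

        # Assumed paths; use a certificate whose name clients will verify against.
        ssl_certificate     /etc/ssl/certs/dot.example.net.pem;
        ssl_certificate_key /etc/ssl/private/dot.example.net.key;

        ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1.3 needs nginx >= 1.13.0 built on OpenSSL 1.1.1+
        ssl_session_cache shared:dot:10m;  # cheaper resumption for returning clients

        # Idle timeout for the proxied connection. Forwarders that keep one
        # long-lived DoT connection open (the "persistent TCP" case discussed
        # above) benefit from a generous value; the default is 10m.
        proxy_timeout 10m;

        proxy_pass dns_tcp;
    }
}
```

A quick check from a client host is `openssl s_client -connect dot.example.net:853`, which should complete a handshake and show the served certificate; `kdig +tls @dot.example.net example.com` (Knot's dig) then confirms an actual query round trip.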
