[dns-operations] DNS-over-TLS in public resolvers
Paul Hoffman
phoffman at proper.com
Mon Mar 6 15:16:41 UTC 2017
On 5 Mar 2017, at 23:28, Ralf Weber wrote:
> Moin!
>
> On 5 Mar 2017, at 17:01, Phillip Hallam-Baker wrote:
>> There are two issues, both of which I brought up at the start of
>> DPRIV:
>>
>> 1) Must be supported by browsers.
>> 2) Protocol MUST be entirely state free
>>
>> If you want a protocol to be deployed, you need to solicit input from
>> the people who you need for deployment and take notice of it. DNS over
>> anything TCP is not going to measure up.
> +1. I brought up similar concerns in dprive, but the counter argument
> was always that people run web services with it so TCP does scale. The
> problem with that argument is that people don't want to invest the same
> money in DNS services that they are investing in HTTP services.
>
> Running a DNS over TLS for a couple of users is easy, but running it
> for millions of users is not easy. As these scaling issues were brushed
> aside in the working group we now have to face them at deployment stage
> or maybe we won't see widespread deployment.
They were not "brushed aside": there was a second document that used
DTLS that is now RFC 8094. If you feel that it is superior for
large-scale use, it would be valuable to show evidence of that so that
implementors will know about it.
--Paul Hoffman