[dns-operations] DNS-over-TLS in public resolvers

Paul Hoffman phoffman at proper.com
Mon Mar 6 15:16:41 UTC 2017

On 5 Mar 2017, at 23:28, Ralf Weber wrote:

> Moin!
> On 5 Mar 2017, at 17:01, Phillip Hallam-Baker wrote:
>> There are two issues, both of which I brought up at the start of 
>> 1) Must be supported by browsers.
>> 2) Protocol MUST be entirely state free
>> If you want a protocol to be deployed, you need to solicit input from 
>> the
>> people who you need for deployment and take notice of it. DNS over 
>> anything
>> TCP is not going to measure up.
> +1. I brought up similar concerns in dprive, but the counter argument 
> was
> always that people run web services with it so TCP does scale. The 
> problem
> with that argument is that people don't want to invest the same money 
> in DNS
> services that they are investing in HTTP services.
> Running a DNS over TLS for a couple of users is easy, but running it 
> for
> millions of users is not easy. As these scaling issues were brushed 
> aside
> in the working group we now have to face them at deployment stage or 
> maybe
> we won't see widespread deployment.

They were not "brushed aside": there was a second document that used 
DTLS that is now RFC 8094. If you feel that it is superior for 
large-scale use, it would be valuable to show evidence of that so that 
implementors will know about it.

--Paul Hoffman

More information about the dns-operations mailing list