[dns-operations] DNS-over-TLS in public resolvers

Phillip Hallam-Baker phill at hallambaker.com
Mon Mar 6 15:31:10 UTC 2017


On Mon, Mar 6, 2017 at 9:13 AM, Thomas Steen Rasmussen <thomas at gibfest.dk>
wrote:

> On 03/06/2017 01:59 PM, Phillip Hallam-Baker wrote:
>
>
>
> On Mon, Mar 6, 2017 at 3:33 AM, Marat Khalili <mkh at rqc.ru> wrote:
>
>> There are two issues, both of which I brought up at the start of DPRIV:
>>
>> 1) Must be supported by browsers.
>> 2) Protocol MUST be entirely state free
>>
>> If you want a protocol to be deployed, you need to solicit input from the
>> people who you need for deployment and take notice of it. DNS over anything
>> TCP is not going to measure up.
>>
>> DNS-over-TLS in public resolvers would be very useful for small-scale DNS
>> repeaters in corporations and ISPs. They usually connect to few public
>> resolvers and can easily keep these connections alive. Persistent TCP
>> connections place much lighter burden on firewalls than UDP requests, so
>> there might be overall performance gain on both sides.
>>
>> QUIC, SCTP and similar future technologies can be even better, but are
>> obviously not ready for deployment here and now. TLS is.
>>
> No. TLS is not ready for deployment because the protocol model for TLS
> (and for that matter DTLS) is not compatible with running a large public
> resolver.
>
> Hello,
>
> If providers running large resolvers today are unwilling to use the extra
> resources that dns-over-tls will require then maybe they should stop
> running large resolvers.
>

Or maybe:

PEOPLE WHO WANT TO PROPOSE SECURITY STANDARDS FOR US TO USE SHOULD LISTEN
TO US FIRST.

Just a suggestion you know..



> This is no different from the people who used to complain loudly that
> HTTPS will never work large scale.
>

Actually no it is not. I never argued that HTTPS would not scale. I did
point out that certain aspects of PKIX would not scale, CRLs for example.
But nobody I know of ever argued TLS does not scale.



> Of course it will, we might have to throw some more hardware at it though,
> but more likely said hardware will have been naturally replaced with newer
> hardware before we reach high adoption of dns-over-tls. Adoption will not
> happen overnight.
>

No, it is not just a question of different hardware. It is a completely
different model because a DNS over UDP resolver is entirely stateless and a
DNS over TCP resolver is not.

The group was told repeatedly that this was a show stopper and they
ignored us. And now their work is being ignored. DPRIV was not a waste of
time, it was much worse than that.