[dns-operations] DNS-over-TLS in public resolvers

Phillip Hallam-Baker phill at hallambaker.com
Mon Mar 6 15:31:10 UTC 2017

On Mon, Mar 6, 2017 at 9:13 AM, Thomas Steen Rasmussen <thomas at gibfest.dk> wrote:

> On 03/06/2017 01:59 PM, Phillip Hallam-Baker wrote:
>> On Mon, Mar 6, 2017 at 3:33 AM, Marat Khalili <mkh at rqc.ru> wrote:
>> There are two issues, both of which I brought up at the start of DPRIV:
>> 1) Must be supported by browsers.
>> 2) Protocol MUST be entirely state free
>> If you want a protocol to be deployed, you need to solicit input from the
>> people who you need for deployment and take notice of it. DNS over anything
>> TCP is not going to measure up.
>>> DNS-over-TLS in public resolvers would be very useful for small-scale DNS
>>> repeaters in corporations and ISPs. They usually connect to few public
>>> resolvers and can easily keep these connections alive. Persistent TCP
>>> connections place a much lighter burden on firewalls than UDP requests, so
>>> there might be an overall performance gain on both sides.
>>> QUIC, SCTP and similar future technologies can be even better, but are
>>> obviously not ready for deployment here and now. TLS is.
>> No. TLS is not ready for deployment because the protocol model for TLS
>> (and for that matter DTLS) is not compatible with running a large public
>> resolver.
> Hello,
> If providers running large resolvers today are unwilling to use the extra
> resources that dns-over-tls will require then maybe they should stop
> running large resolvers.

Or maybe:

Just a suggestion you know..

> This is no different from the people who used to complain loudly that
> HTTPS will never work large scale.

Actually no, it is not. I never argued that HTTPS would not scale. I did
point out that certain aspects of PKIX would not scale, CRLs for example.
But nobody I know of ever argued TLS does not scale.

> Of course it will, we might have to throw some more hardware at it though,
> but more likely said hardware will have been naturally replaced with newer
> hardware before we reach high adoption of dns-over-tls. Adoption will not
> happen overnight.

No, it is not just a question of different hardware. It is a completely
different model because a DNS over UDP resolver is entirely stateless and a
DNS over TCP resolver is not.

The group was told repeatedly that this was a show stopper and they
ignored us. And now their work is being ignored. DPRIV was not a waste of
time, it was much worse than that.
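The thread's disagreement is about the connection state a stream-based resolver has to keep. DNS-over-TLS (RFC 7858) reuses the DNS-over-TCP framing of RFC 1035 section 4.2.2: each message on the stream is prefixed by a two-byte big-endian length, and a resolver must buffer partial reads per connection to find message boundaries, whereas with UDP every datagram is one self-contained message. The following is an added illustration, not code from anyone in this thread; it builds two queries, frames them as they would be sent over one kept-alive TCP/TLS connection, and shows the per-connection buffer needed to recover them from arbitrary chunk sizes. The query names and transaction IDs are constructed, and nothing is sent on the network.

```python
"""
DNS-over-TCP/TLS framing (RFC 1035 s.4.2.2, reused by RFC 7858):
every DNS message on the stream is preceded by a 2-byte length.
Constructed, offline example: builds queries, frames them, and parses
them back out of a stream delivered in odd-sized chunks.
"""
import random
import struct
from typing import List, Optional


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query with RD set; qtype 1 = A, 28 = AAAA."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # ID, FLAGS (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def frame(message: bytes) -> bytes:
    """Prefix a DNS message with the 2-byte length used over TCP and TLS."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message exceeds 65535 bytes")
    return struct.pack("!H", len(message)) + message


class StreamParser:
    """Per-connection buffer: accumulates bytes from a TCP/TLS stream and
    yields complete DNS messages. A resolver needs one of these per open
    connection; this is the state that a UDP resolver does not carry."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf.extend(chunk)
        out = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # message incomplete; wait for more bytes
            out.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return out


def txid_of(message: bytes) -> int:
    """Transaction ID is the first two bytes of the DNS header."""
    return struct.unpack("!H", message[:2])[0]


def demo() -> List[int]:
    """Pipeline two queries over one 'connection', delivered in 7-byte
    chunks so that lengths and messages straddle chunk boundaries; return
    the transaction IDs recovered, in order."""
    q1 = build_query("example.com", txid=0x1234)       # constructed
    q2 = build_query("example.net", 28, txid=0xABCD)   # constructed, AAAA
    stream = frame(q1) + frame(q2)
    parser = StreamParser()
    got = []
    for i in range(0, len(stream), 7):
        got.extend(parser.feed(stream[i:i + 7]))
    return [txid_of(m) for m in got]


if __name__ == "__main__":
    print(demo())
```

The parser keeps buffered bytes across calls, which is the point of contention above: a server speaking DNS over a stream must hold that buffer, the TLS session and the socket for as long as the client keeps the connection open, while a UDP server can answer each datagram and forget it.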