[dns-operations] DNS-over-TLS in public resolvers
Thomas Steen Rasmussen
thomas at gibfest.dk
Mon Mar 6 16:01:01 UTC 2017
On 03/06/2017 04:31 PM, Phillip Hallam-Baker wrote:
> On Mon, Mar 6, 2017 at 9:13 AM, Thomas Steen Rasmussen
> <thomas at gibfest.dk <mailto:thomas at gibfest.dk>> wrote:
> If providers running large resolvers today are unwilling to use
> the extra resources that dns-over-tls will require then maybe they
> should stop running large resolvers.
> Or maybe:
> PEOPLE WHO WANT TO PROPOSE SECURITY STANDARDS FOR US TO USE SHOULD
> LISTEN TO US FIRST.
> Just a suggestion you know..
> This is no different from the people who used to complain loudly
> that HTTPS will never work large scale.
> Actually no it is not. I never argued that HTTPS would not scale. I
> did point out that certain aspects of PKIX would not scale, CRLs for
> example. But nobody I know of ever argued TLS does not scale.
Maybe you personally didn't, but the biggest concern about https has
always been the performance hit, right up until maybe 5 years ago. This
is the whole reason sites like https://istlsfastyet.com/ existed. And as
it turns out it was not an issue at all by the time we got around
actually implementing it wide scale.
Our hardware evolves faster than our workload. See also NSEC5 - it was
considered downright impossible to to "live" signing/proof of
non-existance to prevent zone walking, but lo and behold, what do you
think we will all be doing in a few years?
DNS-over-TLS will not happen widescale from one day to the next. You
will have plenty of time to adapt your setup to the new worloads.
> Of course it will, we might have to throw some more hardware at it
> though, but more likely said hardware will have been naturally
> replaced with newer hardware before we reach high adoption of
> dns-over-tls. Adoption will not happen overnight.
> No, it is not just a question of different hardware. It is a
> completely different model because a DNS over UDP resolver is entirely
> stateless and a DNS over TCP resolver is not.
Just because it has been stateless historically does not mean it has to
be stateless for all eternity. Stuff changes, deal with it.
Whatsapp could do well over 2 million simultaneous TCP connections five
years ago on a single FreeBSD server, yet you want to throw in the towel
on this before we even give it a shot? smh
> The group was told repeatedly that this was a show stopper and they
> ignored us. And now their work is being ignored. DPRIV was not a waste
> of time, it was much worse than that.
Well that tends to happen when you yell your point at people. I am
tempted to ignore you myself, so there's that. :)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations