[dns-operations] DNS-over-TLS in public resolvers

Thomas Steen Rasmussen thomas at gibfest.dk
Mon Mar 6 16:01:01 UTC 2017


On 03/06/2017 04:31 PM, Phillip Hallam-Baker wrote:
> On Mon, Mar 6, 2017 at 9:13 AM, Thomas Steen Rasmussen 
> <thomas at gibfest.dk> wrote:
>
>     Hello,
>
>     If providers running large resolvers today are unwilling to use
>     the extra resources that dns-over-tls will require then maybe they
>     should stop running large resolvers.
>
>
> Or maybe:
>
> PEOPLE WHO WANT TO PROPOSE SECURITY STANDARDS FOR US TO USE SHOULD 
> LISTEN TO US FIRST.
>
> Just a suggestion you know..
>
>     This is no different from the people who used to complain loudly
>     that HTTPS will never work large scale.
>
>
> Actually no it is not. I never argued that HTTPS would not scale. I 
> did point out that certain aspects of PKIX would not scale, CRLs for 
> example. But nobody I know of ever argued TLS does not scale.

Maybe you personally didn't, but the biggest concern about https has 
always been the performance hit, right up until maybe 5 years ago. This 
is the whole reason sites like https://istlsfastyet.com/ existed. And as 
it turns out it was not an issue at all by the time we got around to 
actually implementing it wide scale.

Our hardware evolves faster than our workload. See also NSEC5 - it was 
considered downright impossible to do "live" signing/proof of 
non-existence to prevent zone walking, but lo and behold, what do you 
think we will all be doing in a few years?

DNS-over-TLS will not happen widescale from one day to the next. You 
will have plenty of time to adapt your setup to the new workloads.

>     Of course it will, we might have to throw some more hardware at it
>     though, but more likely said hardware will have been naturally
>     replaced with newer hardware before we reach high adoption of
>     dns-over-tls. Adoption will not happen overnight.
>
>
> No, it is not just a question of different hardware. It is a 
> completely different model because a DNS over UDP resolver is entirely 
> stateless and a DNS over TCP resolver is not.

Just because it has been stateless historically does not mean it has to 
be stateless for all eternity. Stuff changes, deal with it.

Whatsapp could do well over 2 million simultaneous TCP connections five 
years ago on a single FreeBSD server, yet you want to throw in the towel 
on this before we even give it a shot? smh

>
> The group was told repeatedly that this was a show stopper and they 
> ignored us. And now their work is being ignored. DPRIV was not a waste 
> of time, it was much worse than that.
>

Well that tends to happen when you yell your point at people. I am 
tempted to ignore you myself, so there's that. :)


/Thomas

