[dns-operations] DNSSEC deployment incentives

Paul Wouters paul at nohats.ca
Wed Jun 19 23:53:52 UTC 2019

On Wed, 19 Jun 2019, Phillip Hallam-Baker wrote:

> That is not what they told me.
> The big selling point for Google Chrome has been delivering the Web page as fast as possible. The development team is very concerned with latency. So any proposal that requires more round trips is a non-starter for them.

tls-dnssec-chain addressed that concern. And "they" did not want that.

Luckily, it seems users are jumping off the latency bandwagon and back
onto the security/privacy bandwagon. Especially since the latency gains
do not go to the user, but the advertising gods. And using an adblocker
gains you orders of magnitude of reduced latency compared to adding
a DNS lookup (or adding a processing call for the free tls-dnssec
chain that came in with the TLS handshake).

> This is why I proposed a DPRIV type protocol several years before that WG got started. The only way to meet the latency requirement is to upgrade the DNS client-resolver protocol. One of the big limitations
> in the design/implementation of the DNS is that the query protocol effectively only allows one RR query per request and only one UDP response per request.

We resolved that with RFC 7901 DNS chain queries. For which we needed
to clarify TCP support too via RFC 7828 to facilitate long-lived
TCP DNS sessions.

> To get the browsers on board you would need to be able to offer the TLSA records with reduced latency. That is not that difficult.

It is not. tls-dnssec-chain offers it with 0 extra roundtrips.

> But I am not addressing that problem right now because browser providers are fighting their own battles among themselves and not that interested in security. If you want to improve the situation there, you
> need to look at other deployment areas that are not already committed to one approach. Which is why I am focused on Web Services. I don't need a single browser provider to adopt my approach. 

I won't speculate over what browser vendors want, but I do believe the
IETF process with respect to tls-dnssec-chain failed pretty badly.

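Added example (mine, not code from anyone in this thread) showing the wire encoding of the two EDNS options the reply points at: the RFC 7901 CHAIN option (code 13, carrying the client's closest validated trust point as an uncompressed name, which is what lets one query return the whole DNSSEC chain) and the RFC 7828 edns-tcp-keepalive option (code 11, sent empty by the client over TCP and answered with a 2-byte timeout in 100 ms units). The names and timeout are constructed sample input; the encoder/decoder is a minimal one written for this illustration.

```python
import struct
EDNS_TCP_KEEPALIVE, EDNS_CHAIN = 11, 13  # IANA codes: RFC 7828, RFC 7901

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format FQDN (RFC 7901 forbids compression in CHAIN)."""
    out = b""
    for label in filter(None, name.rstrip(".").split(".")):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(data: bytes) -> str:
    """Decode an uncompressed wire-format name to dotted, absolute form."""
    labels, off = [], 0
    while data[off] != 0:
        ln = data[off]
        if ln & 0xC0:  # compression pointer: not allowed inside an EDNS option
            raise ValueError("compressed name in CHAIN option")
        labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + "."

def chain_option(closest_trust_point: str) -> tuple:
    """CHAIN option data is the closest trust point the client has validated."""
    return (EDNS_CHAIN, encode_name(closest_trust_point))

def keepalive_option(timeout_100ms=None) -> tuple:
    """Client sends it empty over TCP; the server replies with a 2-byte timeout."""
    data = b"" if timeout_100ms is None else struct.pack("!H", timeout_100ms)
    return (EDNS_TCP_KEEPALIVE, data)

def pack_options(options) -> bytes:
    """Serialise (code, data) pairs into OPT RDATA: code, length, data."""
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)

def parse_options(rdata: bytes) -> list:
    """Walk OPT RDATA; decode the two options above, keep any others raw."""
    out, off = [], 0
    while off < len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        data = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code == EDNS_CHAIN:
            data = decode_name(data)
        elif code == EDNS_TCP_KEEPALIVE:
            data = struct.unpack("!H", data)[0] if length == 2 else None
        out.append((code, data))
    return out
```

RFC 7901 expects CHAIN queries over TCP (or another spoofing-resistant transport), which is why the keepalive clarification in RFC 7828 matters for reusing that TCP session.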