<div dir="ltr"><div class="gmail_default" style="font-size:small">On Mon, Mar 6, 2017 at 11:01 AM, Thomas Steen Rasmussen <span dir="ltr"><<a href="mailto:thomas@gibfest.dk" target="_blank">thomas@gibfest.dk</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
On 03/06/2017 04:31 PM, Phillip Hallam-Baker wrote:<br>
</span><blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra"><span>On Mon, Mar 6, 2017 at 9:13 AM, Thomas
Steen Rasmussen <span dir="ltr"><<a href="mailto:thomas@gibfest.dk" target="_blank">thomas@gibfest.dk</a>></span>
wrote:<br>
</span><span><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">Hello,<br>
<br>
If providers running large resolvers today are unwilling
to use the extra resources that dns-over-tls will
require then maybe they should stop running large
resolvers.</div>
</blockquote>
<div><br>
</div>
<div>
<div style="font-size:small">Or
maybe:</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">PEOPLE
WHO WANT TO PROPOSE SECURITY STANDARDS FOR US TO USE
SHOULD LISTEN TO US FIRST.</div>
<br>
</div>
<div>
<div style="font-size:small">Just a
suggestion you know..</div>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> This is no
different from the people who used to complain loudly
that HTTPS will never work large scale. </div>
</blockquote>
<div><br>
</div>
<div>
<div style="font-size:small">Actually
no it is not. I never argued that HTTPS would not scale.
I did point out that certain aspects of PKIX would not
scale, CRLs for example. But nobody I know of ever
argued TLS does not scale.</div>
</div>
</div>
</span></div>
</div>
</blockquote>
<br>
Maybe you personally didn't, but the biggest concern about https has
always been the performance hit, right up until maybe 5 years ago.
This is the whole reason sites like <a class="m_-3333368304281345496m_17340738143153739moz-txt-link-freetext" href="https://istlsfastyet.com/" target="_blank">https://istlsfastyet.com/</a>
existed. And as it turns out it was not an issue at all by the time
we got around actually implementing it wide scale.<br></div></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">The performance hit is not a scaling issue. It was always a performance issue and we knew back in 1993 when the first Web security protocols were developed that it would be solved by 2000 or so.</div></div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
Our hardware evolves faster than our workload. See also NSEC5 - it
was considered downright impossible to to "live" signing/proof of
non-existance to prevent zone walking, but lo and behold, what do
you think we will all be doing in a few years?<br></div></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">NSEC5 uses a set of cryptographic primitives that are entirely novel in IETF work and use them in a completely original way. Regardless, the scheme is only practical today because of the expiry of various patent claims on the use of elliptic curves.</div></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
DNS-over-TLS will not happen widescale from one day to the next. You
will have plenty of time to adapt your setup to the new worloads.<span><br></span></div></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">No DNS over TLS won't happen at all.</div><br></div><div><div class="gmail_default" style="font-size:small">I can't buy a TCP load balancer that works at the same speed as a UDP balancer without spending vastly more money because the UDP balancer is stateless and the TCP is not.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">HTTP load balancing is possible because each host has a separate IP and that is what makes load balancing stateless.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">You can't use the same capability for DNS resolution because it is the DNS resolution layer that enables it.</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">Of course it will,
we might have to throw some more hardware at it though,
but more likely said hardware will have been naturally
replaced with newer hardware before we reach high
adoption of dns-over-tls. Adoption will not happen
overnight.<br>
</div>
</blockquote>
<div><br>
</div>
<div>
<div style="font-size:small">No, it
is not just a question of different hardware. It is a
completely different model because a DNS over UDP
resolver is entirely stateless and a DNS over TCP
resolver is not.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br></span>
Just because it has been stateless historically does not mean it has
to be stateless for all eternity. Stuff changes, deal with it. <br></div></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">Just because some group of individuals decide to write a spec that doesn't meet blocking deployment requirements does not mean people have to implement. Deal with it.</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>The
group was told repeatedly that this was a show stopper
and they ignored us. And now their work is being
ignored. DPRIV was not a waste of time, it was much
worse than that.<br></div></div></div></div></blockquote></span>
Well that tends to happen when you yell your point at people. I am
tempted to ignore you myself, so there's that. :)<span class="m_-3333368304281345496HOEnZb"><font color="#888888"><br></font></span></div></blockquote><div> </div></div><div class="gmail_default" style="font-size:small">Complaining about the way a point is raised is a classic form of agenda denial. There was no way in which that point could have been raised that would have produced a different outcome. The group wanted something that got to RFC as fast as possible and they did not want to listen to any deployment issues from anyone.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Now you might think that given that I work for a company that has one of the public resolvers you would like to see change and you are the person asking me for the favor, that maybe you might want to take your own advice. </div><br></div><div class="gmail_extra"><div class="gmail_default" style="font-size:small">Like Tweetler, you are very good at seeing how other people are being nasty and mean to you but utterly incapable of seeing what you are doing to them. Being gaslighted by Paul does not make me at all inclined to accept his position.</div><br></div></div>