Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dprive-phase2-requirements-02.txt

Peter van Dijk, Sun, 15 November 2020 13:52 UTC

From: Peter van Dijk
Date: Sun, 15 Nov 2020 14:52:38 +0100
Organization: PowerDNS.COM B.V.

On Wed, 2020-11-04 at 15:04 +0000, Paul Hoffman wrote:
> It would be useful if a resolver could tell in advance, and at a cost less than port-checking. There could be new protocols developed to do that. I don't see this as a requirement, though, given the low cost of port-checking.

The cost of port checking is not low.

Variant 1: try 853 and 53 in parallel. High code complexity and a high likelihood that the first query to a 'new' auth (where 'new' might be measured in minutes) will be plain text anyway.

Variant 2: try 853 first. How long do we wait for a timeout? In DNS, 500ms is a long time.

This is not happy eyeballs where both transports (v4 and v6) tend to have identical security properties.

DNS Flag Day 2019 (no more EDNS fallbacks) was designed to reduce probing and guessing in the resolver process. I'd love for us to not add probing and guessing in other parts of that process.

Kind regards,
Peter van Dijk
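The two probing variants in the message above, as an added example that is not part of the thread and not PowerDNS code: a deterministic model of a resolver that probes a "new" authoritative server either on 853 and 53 in parallel (variant 1) or on 853 first with a timeout before falling back to 53 (variant 2), and remembers the result per auth for a while. Server names, latencies, the 500 ms timeout, the cache TTL and the assumption that the parallel variant learns "853 works" from the late answer are all constructed for illustration. Running it shows the two costs the message describes: in variant 1 the first query to every new auth is answered in plaintext, and in variant 2 every auth without a reachable 853 listener costs the full timeout on its first query.

```python
"""Model of the two 853/53 probing strategies (constructed example)."""
from dataclasses import dataclass, field

INF = float("inf")            # no listener on 853, or silently filtered
DNS_TIMEOUT_MS = 500.0        # assumed: how long variant 2 waits on 853
CACHE_TTL_MS = 5 * 60 * 1000  # assumed: how long a probe result is kept per auth


@dataclass(frozen=True)
class Auth:
    name: str
    rtt53_ms: float   # UDP/53 round trip
    rtt853_ms: float  # TCP + TLS handshake plus query on 853; INF if unreachable


@dataclass(frozen=True)
class Outcome:
    transport: str    # "853" (encrypted) or "53" (plaintext)
    latency_ms: float


@dataclass
class Resolver:
    variant: str                               # "parallel" or "sequential"
    cache: dict = field(default_factory=dict)  # auth name -> (transport, expires_at_ms)

    def query(self, auth: Auth, now_ms: float) -> Outcome:
        cached = self.cache.get(auth.name)
        if cached and cached[1] > now_ms:
            transport = cached[0]
            rtt = auth.rtt853_ms if transport == "853" else auth.rtt53_ms
            return Outcome(transport, rtt)
        # Cache miss: the auth is "new" (possibly just expired) and must be probed.
        if self.variant == "parallel":
            outcome, learned = self._parallel(auth)
        else:
            outcome, learned = self._sequential(auth)
        self.cache[auth.name] = (learned, now_ms + CACHE_TTL_MS)
        return outcome

    @staticmethod
    def _parallel(auth: Auth):
        # Variant 1: both queries go out at once and the first answer is used.
        # 853 needs a TCP and TLS handshake before the query, so 53 wins and
        # the first query to a new auth is plaintext. Modelling assumption:
        # the resolver still learns from the late 853 answer that DoT works.
        if auth.rtt853_ms <= auth.rtt53_ms:
            return Outcome("853", auth.rtt853_ms), "853"
        learned = "853" if auth.rtt853_ms < INF else "53"
        return Outcome("53", auth.rtt53_ms), learned

    @staticmethod
    def _sequential(auth: Auth):
        # Variant 2: 853 first, fall back to 53 only after the timeout. Every
        # auth without a usable 853 listener costs the full timeout once.
        if auth.rtt853_ms <= DNS_TIMEOUT_MS:
            return Outcome("853", auth.rtt853_ms), "853"
        return Outcome("53", DNS_TIMEOUT_MS + auth.rtt53_ms), "53"


# Constructed sample: one auth with DoT, one without, one where 853 is slow.
AUTHS = [
    Auth("ns1.example", rtt53_ms=20.0, rtt853_ms=60.0),
    Auth("ns2.example", rtt53_ms=20.0, rtt853_ms=INF),
    Auth("ns3.example", rtt53_ms=20.0, rtt853_ms=700.0),
]


def run(variant: str, rounds: int = 3) -> dict:
    """Query each sample auth `rounds` times, one second apart, and summarise."""
    resolver = Resolver(variant)
    plaintext = 0
    total_ms = 0.0
    first = {}  # first outcome seen per auth
    for i in range(rounds):
        for auth in AUTHS:
            outcome = resolver.query(auth, now_ms=i * 1000.0)
            first.setdefault(auth.name, outcome)
            if outcome.transport == "53":
                plaintext += 1
            total_ms += outcome.latency_ms
    return {"first": first, "plaintext_queries": plaintext, "total_ms": total_ms}


if __name__ == "__main__":
    for variant in ("parallel", "sequential"):
        summary = run(variant)
        print(variant, summary["plaintext_queries"], "plaintext of",
              3 * len(AUTHS), "queries,", summary["total_ms"], "ms total")
```

With the sample servers, the parallel variant answers all three first queries in plaintext, and the sequential variant spends 520 ms on the first query to each auth whose 853 port is dead or slower than the timeout; neither number changes when the cache expires and the auth becomes "new" again.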