Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?
Ted Hardie <ted.ietf@gmail.com> Fri, 01 November 2019 16:37 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6537E120A60 for <dns-privacy@ietfa.amsl.com>; Fri, 1 Nov 2019 09:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oPdMBg7kCqJ for <dns-privacy@ietfa.amsl.com>; Fri, 1 Nov 2019 09:37:15 -0700 (PDT)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05C05120A4D for <dns-privacy@ietf.org>; Fri, 1 Nov 2019 09:37:15 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id 18so11523576ion.6 for <dns-privacy@ietf.org>; Fri, 01 Nov 2019 09:37:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FO+kn5fBYsvOPg3VIQfS2YY2PGX2vkR4rjujDMVuVII=; b=ZhrdrLdcvJ53P+IMqsyqndxgllJE/Md75/E58i/TBaQDR0SlsSal8ZNmRRnROq+bdi O8aNH+mh6S41c0vGHpuPQcpvP1msMdj62Kqez49l7SlRWyky/kmr3zTrb/9DySwsX6VA afJwDfO9w1NVpgxdd6iaSz4Vgda8e48kRtqYXMOGEqbXKDjlehBjUOkZKeiBYBCg8Dsr EkAAhA7jxxvxihna56tRaJmS689dTJ9Z9lbK6x26mg1cNTbb9V514u8a/SBlbo97fI+J bLQFD+ZA6gNl1G5xZEc0eSXcD1XmO1THovMSQsI9DjQwF7sUnhcxFgoWHVisDDDFsN8g R3+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FO+kn5fBYsvOPg3VIQfS2YY2PGX2vkR4rjujDMVuVII=; b=AY8RFXzz4il+YEyJy0r9n+k3hSMlwsQwNDwuFP3jSOAXHw2EvbEek5jLOFwqK84vnX wF+bDzuAVbRsDBbksp+REfW6k9yk1m8jqpRe6gR4nbdgXydhdpYDRxwvPZKUflp88c+0 ViLDxo19ev19rDoZq/tk0sj9lxpHr0YIi5MGtcubJaJQwFNpKNSehREloeTqv5OVUjd/ Dvn4OUwqdR0EyjDaT/l8cfTLh/re6apO2Q0yAWjioAgbe4hn0lwLGPjwvs94E4rknvg9 i8fnwxy3iR5HVKySE9bdJBBmiqILmF3uZeOLUOstz14DSX8HQrFlrni81EsGni5kQkZ3 cMrQ==
X-Gm-Message-State: APjAAAV/JYJhm0YXVupuQQj0o+243udXz3q6uAHBCN64mUtWtU+LjfgF 4nwEhKEjEGhfn19N96HChk41kxnnHCn9nGiAMtA=
X-Google-Smtp-Source: APXvYqyRgRlQSCjFH0yDl4iMKsA7jW3QeGyFkcG3eqF3uWHvPS9p0+r3P2D9yhra7872j0b3MBW7doi+PBCkF8RyLaU=
X-Received: by 2002:a02:b817:: with SMTP id o23mr4645854jam.42.1572626234019; Fri, 01 Nov 2019 09:37:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbrMsDwDoTQN8Y5Zk7rSVepjwwyatEyAA6f0oJ9DESmAfHfXg@mail.gmail.com> <20191031211222.A6422DBC1C7@ary.qy> <CAH1iCiqYoXMZ0U3yt8AjUXyZVRdDnmHzSpHvYmg++ACZ-U6=zA@mail.gmail.com> <CABcZeBP-k23ZY=f6Lv5A+B+Z_4ar_9ea=G7O+KRriXNLUzKGqw@mail.gmail.com> <95e65176-0b80-fbe0-8409-11fada175c67@nic.cz> <CABcZeBPCMBDEGTpVULJgQEz_5Ddv27jayMxaW-fqXL3HQrqbyw@mail.gmail.com> <CAH1iCirJHDFVEW_vdcVOyGx1KK0zkwmrUEpP=ft-gWHbx7x8fw@mail.gmail.com>
In-Reply-To: <CAH1iCirJHDFVEW_vdcVOyGx1KK0zkwmrUEpP=ft-gWHbx7x8fw@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 01 Nov 2019 09:36:47 -0700
Message-ID: <CA+9kkMDKJ08RL8dk=O5-Z7Gj4fTkMpV71RtWWkPEvCKE_9FWFw@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000b146c05964b94a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/7rVST5If4v9ghhmAnvfHdnwQGXE>
Subject: Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 16:37:17 -0000
Hi Brian, On Fri, Nov 1, 2019 at 8:35 AM Brian Dickson <brian.peter.dickson@gmail.com> wrote: > > 1. The operational cost of serving ADoT answers is prohibitive, due to > a number of factors: > 1. Maintaining state, for TCP and for TLS > > > 1. Set-up overhead for TLS > 2. Ongoing encryption of traffic after set-up, e.g. AES > computational cost, vs "copy bytes" (possible with DMA and no CPU) > > You do realize that exactly this set of arguments has been used in the past, to say that web servers would not be able to switch to TLS by default? And yet, the queries per second for popular sites served over TLS keeps going up and up, and the elastic compute and delivery of services means that similar methods are available at relatively low incremental costs? For an authoritative serving a typical zone (an enterprise, a modest web site, a government agency), none of these incremental costs matter, given the expected query load. They matter for TLDs and popular second level zones like co.uk, and we should care as a result. But there is no need to despair. If you are willing to see DNS data delivery as a standard application scaling question, rather than as a special case, there are a lot of tools available already. > 1. Deployment of ADoT without providing means for managing these costs > is highly unlikely to happen > 2. Developing means to manage ADoT costs (in the standards, and in > implementations) is highly non-trivial. > > There's a lot of work to crib from, and there are also, bluntly, people who can sell you this capacity if you don't want to care. > 1. *Deploying ADoT is not cheap, not easy, and won't happen fast*. > (Cheap, easy, fast, choose two, currently zero are available to choose.) > > It's our job to make this better. Bold-faced assertions which don't look at wider contexts aren't much help there, I'm afraid. regards, Ted > Brian > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] DPRIVE Interim: 10/29 Brian Haberman
- Re: [dns-privacy] DPRIVE Interim: 10/29 Allison Mankin
- Re: [dns-privacy] DPRIVE Interim: 10/29 tjw ietf
- Re: [dns-privacy] DPRIVE Interim: 10/29 Brian Haberman
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Paul Hoffman
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Brian Haberman
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Livingood, Jason
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Alexander Mayrhofer
- Re: [dns-privacy] DPRIVE Interim: 10/29 Brian Haberman
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Brian Dickson
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Rob Sayre
- Re: [dns-privacy] DPRIVE Interim: 10/29 Eric Vyncke (evyncke)
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Paul Hoffman
- [dns-privacy] ADoT requirements for authenticatio… Paul Hoffman
- Re: [dns-privacy] ADoT requirements for authentic… Ted Hardie
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Paul Hoffman
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ted Hardie
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ben Schwartz
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Paul Wouters
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ted Hardie
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ben Schwartz
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ted Hardie
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ben Schwartz
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ben Schwartz
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Christian Huitema
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John Levine
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Jim Reid
- [dns-privacy] DoT at the DNS root Jim Reid
- Re: [dns-privacy] DoT at the DNS root Jim Reid
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Watson Ladd
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Alexander Mayrhofer
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ralf Weber
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Paul Wouters
- Re: [dns-privacy] ADoT requirements for authentic… Tony Finch
- Re: [dns-privacy] [EXTERNAL] Re: [Ext] Re: DPRIVE… Livingood, Jason
- Re: [dns-privacy] [Ext] Re: DPRIVE Interim: 10/29 Livingood, Jason
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Livingood, Jason
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John Levine
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Jim Reid
- [dns-privacy] ADoT deployment at the root Jim Reid
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Jim Reid
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] ADoT deployment at the root Ted Hardie
- Re: [dns-privacy] ADoT deployment at the root Warren Kumari
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John Levine
- Re: [dns-privacy] ADoT deployment at the root John Levine
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John Levine
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ben Schwartz
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Stephen Farrell
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John R Levine
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Vladimír Čunát
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Vladimír Čunát
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Vladimír Čunát
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Eric Rescorla
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Vladimír Čunát
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John R Levine
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Ted Hardie
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… Brian Dickson
- Re: [dns-privacy] [Ext] Re: ADoT requirements for… John R Levine
- Re: [dns-privacy] DPRIVE Interim: 10/29 Brian Haberman