IETF Logo Mail Archive

Re: [dns-privacy] [Step 2] More discussion needed: state your opinion

John Heidemann <johnh@isi.edu> Fri, 16 December 2016 01:04 UTC

Return-Path: <johnh@isi.edu>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 741FC129BEB for <dns-privacy@ietfa.amsl.com>; Thu, 15 Dec 2016 17:04:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.796
X-Spam-Level:
X-Spam-Status: No, score=-9.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.896] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u0BMVGELwnak for <dns-privacy@ietfa.amsl.com>; Thu, 15 Dec 2016 17:04:14 -0800 (PST)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10E0C129BC3 for <dns-privacy@ietf.org>; Thu, 15 Dec 2016 17:04:14 -0800 (PST)
Received: from dash.isi.edu (vir.isi.edu [128.9.160.91]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id uBG13cVT016840; Thu, 15 Dec 2016 17:03:38 -0800 (PST)
Received: from dash.isi.edu (localhost6.localdomain6 [IPv6:::1]) by dash.isi.edu (Postfix) with ESMTP id 66FE8280545; Thu, 15 Dec 2016 17:03:37 -0800 (PST)
From: John Heidemann <johnh@isi.edu>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-reply-to: <20161215090916.GC4348@sources.org>
References: <20161213105936.opaqw6hwwkx3txk2@nic.fr> <20161213154625.6b314fe6@pallas.home.time-travellers.org> <11704.1481652111@dash.isi.edu> <20161214124025.4031172a@pallas.home.time-travellers.org> <5872.1481734676@dash.isi.edu> <20161215090916.GC4348@sources.org>
X-url: http://www.isi.edu/~johnh/
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Date: Thu, 15 Dec 2016 17:03:37 -0800
Message-ID: <27857.1481850217@dash.isi.edu>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: johnh@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/HRteEeuw5Zjccck3uWxX__z8snk>
Cc: Shane Kerr <shane@time-travellers.org>, dns-privacy@ietf.org
Subject: Re: [dns-privacy] [Step 2] More discussion needed: state your opinion
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2016 01:04:15 -0000

On Thu, 15 Dec 2016 10:09:16 +0100, Stephane Bortzmeyer wrote: 
>On Wed, Dec 14, 2016 at 08:57:56AM -0800,
> John Heidemann <johnh@isi.edu> wrote 
> a message of 49 lines which said:
>
>> There's a bunch of possible trade-offs: client latency, server
>> memory, client memory, novelty vs. maturity of design, maturity of
>> libraries, support by other groups, design complexity, ...
>
>Added to the future next version of the draft
><https://github.com/bortzmeyer/ietf-dprive-step-2/commit/5779cbf94605fbcd174bd5d57544150fc636e620>

If you're updating, you might also add out protocol agility, something else that has
come up in this thread and before.

>> You suggested earlier in the thread that rfc7858 was weaker than
>> some alternatives for recurisive-to-auth traffic, so I was trying to
>> figure out for which metrics you think it is weaker.
>
>The point was raised by Mukund Sivaraman at the Seoul meeting. If I
>remember correctly, his main concern was the state to keep in the
>client, because a resolver will talk to hundreds, even thousands of
>authoritative name servers.

Thank you---state for outgoing connections on a recursive resolver
could be an issue, and to my knowledge it has not been studied yet.

My initial guess is it's not much different from state for incoming
connections on a large authoritative, and that resource limits can be
handled the same way (start closing when you're low on resources).  But
a careful study here would be useful.

And of course, there is still state on the recursive resolver if queries
are sent over DTLS or IPsec, it's just different state in a slightly
different place in the stack.

   -John Heidemann

v2.23.0 | Report a Bug | By Email