Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 May 2017 01:14 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CAOdDvNpRRAKs02qhhRwOYa=Hs6QYH6h5C=F1_txSaox0wip2Rg@mail.gmail.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAOdDvNoNPXNXzpVcX7TZX=Z++kWMBhG_+uDH3Vk1Jp8+adcHLQ@mail.gmail.com> <CAOdDvNruCCyB2rsF9VgaVEOjQGD82wA0AiLAghiGjDM0SpBFPQ@mail.gmail.com> <87lgqdr0fr.fsf@fifthhorseman.net> <CAOdDvNpRRAKs02qhhRwOYa=Hs6QYH6h5C=F1_txSaox0wip2Rg@mail.gmail.com>
Date: Wed, 03 May 2017 21:13:58 -0400
Message-ID: <8760hhqv8p.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/IqU_ZRNCCqm9lVB7y4CaVHwW8ZA>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

On Wed 2017-05-03 20:49:22 -0400, Patrick McManus wrote:
> the http/1 share of https:// traffic is dwindling fast. It's down to about
> 1/3 of https for me. So if you're looking to hide in a big pool, that's a
> shrinking segment.

1/3 of https traffic is still huge collateral damage to inflict, if a
network adversary were to try to block things to stamp out encrypted DNS
traffic.

> imo it's a bigger problem because any rfc that required h1 would
> dis-incentivize h2 which is something the IETF should surely not want to do
> for many reasons.

I also wouldn't want to disincentivize h2.  But any server which still
offers h1, at any time in the future, could implement this approach with
relatively little overhead (and no impact on h2 adoption), and it already
works today.

So an updated draft would be intended mainly as a stopgap measure while
we're getting DNS-over-h2 spec'ed and implemented, and as something a
server can offer to clients that don't yet speak h2.

        --dkg
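The "relatively little overhead" claim above rests on the fact that a DNS query over TCP and an HTTP/1.x request look nothing alike in their first bytes, so a listener can peek at the decrypted stream and pick a handler. The following is an added illustration of that demultiplexing step and is not code from the thread, the draft, or any of its authors; the heuristics (a 14-byte DNS peek, a full request-line match, the 8192-byte wait limit, and the constructed sample inputs) are my own choices modeled on RFC 1035 and RFC 7230, not the draft's normative rules.

```python
"""Demultiplex DNS-over-TCP and HTTP/1.x on one listener by peeking at the
first bytes of the (already decrypted) stream.  Added example; the checks
below are the author's own heuristics, not the draft's rules."""
import re
import struct
from enum import Enum


class Kind(Enum):
    DNS = "dns-over-tcp"
    HTTP1 = "http/1.x"
    NEED_MORE = "need more bytes"
    UNKNOWN = "unknown"


# A DNS-over-TCP stream starts with a 2-octet length, then the 12-octet
# message header (RFC 1035 sections 4.2.2 and 4.1.1).
DNS_PREFIX_LEN = 2 + 12
# Stop waiting for an HTTP request line after this many bytes (assumed limit).
MAX_REQUEST_LINE = 8192

# HTTP/1.x request-line: method SP request-target SP HTTP-version CRLF
# (RFC 7230 section 3.1.1).  The method is a token made of "tchar" bytes.
_REQUEST_LINE = re.compile(
    rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [^ \r\n]+ HTTP/1\.[01]\r\n")
# Bytes that may legitimately appear in a request line before its CRLF.
_PRINTABLE = re.compile(rb"[\x20-\x7e\r]*")


def is_dns_query_header(prefix: bytes) -> bool:
    """True if the first 14 bytes look like a standard DNS query over TCP."""
    length, _id, flags, qd, an, ns, _ar = struct.unpack(
        "!HHHHHHH", prefix[:DNS_PREFIX_LEN])
    qr = flags >> 15              # 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF  # 0 = standard QUERY
    # A query carries at least one question and no answer/authority records.
    return (length >= 12 and qr == 0 and opcode == 0
            and qd >= 1 and an == 0 and ns == 0)


def classify(prefix: bytes) -> Kind:
    """Decide what protocol the bytes read so far belong to."""
    if len(prefix) >= DNS_PREFIX_LEN and is_dns_query_header(prefix):
        return Kind.DNS
    if _REQUEST_LINE.match(prefix):
        return Kind.HTTP1
    # Neither matched yet: can more bytes still make either one match?
    dns_possible = len(prefix) < DNS_PREFIX_LEN
    http_possible = (b"\r\n" not in prefix
                     and len(prefix) < MAX_REQUEST_LINE
                     and _PRINTABLE.fullmatch(prefix) is not None)
    if dns_possible or http_possible:
        return Kind.NEED_MORE
    return Kind.UNKNOWN


def build_dns_query(name: str, msg_id: int = 0x1234) -> bytes:
    """Constructed sample: a recursive A query for `name`, with the 2-octet
    TCP length prefix, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    samples = {  # constructed inputs, not captured traffic
        "dns query": build_dns_query("example.com"),
        "http/1.1 GET": b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n",
        "partial request line": b"GET / HTTP/1.1",
        "tls-looking bytes": b"\x16\x03\x01" + bytes(20),
    }
    for label, data in samples.items():
        print(f"{label:22s} -> {classify(data).value}")
```

Why the two checks never collide: a query with opcode 0 and QR 0 has a flags high byte in the range 0x00 to 0x07, which is never a printable ASCII byte, while the third and fourth bytes of any HTTP request line are ASCII. So a DNS query cannot pass the request-line match and an HTTP request cannot pass the DNS header check, whichever order the listener tries them in. A real server would read into a buffer until `classify` stops returning `NEED_MORE`, then hand the buffered bytes and the socket to the matching handler, and close the connection on `UNKNOWN`.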