Re: [dns-privacy] DNS-over-TLS query/answer framing.
"Mankin, Allison" <amankin@verisign.com> Tue, 08 September 2015 22:22 UTC
Return-Path: <amankin@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF1E21A00DC for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2015 15:22:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tfjxKm6_Iy4 for <dns-privacy@ietfa.amsl.com>; Tue, 8 Sep 2015 15:22:41 -0700 (PDT)
Received: from mail-oi0-f98.google.com (mail-oi0-f98.google.com [209.85.218.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA5831A8889 for <dns-privacy@ietf.org>; Tue, 8 Sep 2015 15:22:40 -0700 (PDT)
Received: by oixx17 with SMTP id x17so6468260oix.2 for <dns-privacy@ietf.org>; Tue, 08 Sep 2015 15:22:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-type:content-id:content-transfer-encoding :mime-version; bh=PHDGagNjw2L9wNLEHVjJQ1fJcPI9aZdkAMq25g/BqFs=; b=DEUQtH9ugxJbqHsNiutV01zX10UZj6ey5ZU7UXgTmuE+qhnszgoSR3c0v3TgEQTlkf AlCvRhfgPXJ5hmO5LCqcdgLT0U3LmF5CL5eHIeNKGAQ+vrFpQm4aQXtuNaVJ4n1ADXLm v4xM9BdHQwVligp4xDOlaqE7X1C+4FTwrLK7yAgBD67+hRuwf91Iv1MEw/WVxua/cotT YFnI36GkFMGcT56bCTmnnP9kkOq3bCsoU6qYmFvrdMI2BwihIydAVWd0w051pxBHRxnP 7hJT0DZXD8tpkepB0MyrurS7rb1n87FrvD7w3GafoPo2+5jG6TRVCIT54th5lDk45HZ4 IWgg==
X-Gm-Message-State: ALoCoQlGN321WQdfkyC3zkCfB2wiMa5qYrvjjj6JCx/qRzc26QDEHCIWgDwKzRnBQ3qmK7zqCbE9imRIY44Thb3XDHPR9WqHpQ==
X-Received: by 10.141.23.149 with SMTP id z143mr39369846qhd.67.1441750960249; Tue, 08 Sep 2015 15:22:40 -0700 (PDT)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id r70sm352266qkl.9.2015.09.08.15.22.40 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 08 Sep 2015 15:22:40 -0700 (PDT)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id t88MMdI4021564 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 8 Sep 2015 18:22:39 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Tue, 8 Sep 2015 18:22:39 -0400
From: "Mankin, Allison" <amankin@verisign.com>
To: Simon Kelley <simon@thekelleys.org.uk>
Thread-Topic: [dns-privacy] DNS-over-TLS query/answer framing.
Thread-Index: AQHQ6nv/xXX2xUK650KtnrjUO+ak5Z4zd9GA
Date: Tue, 08 Sep 2015 22:22:38 +0000
Message-ID: <44DBA275-BAFC-4179-B9A8-FFF3BFE12364@verisign.com>
References: <55EF50C2.2000305@thekelleys.org.uk>
In-Reply-To: <55EF50C2.2000305@thekelleys.org.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <03770FAAE612C74A96A5936B50153DB7@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/eOYWI4e4VLDnhKO-nNtgH3OSUR4>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] DNS-over-TLS query/answer framing.
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2015 22:22:42 -0000
Hi, Having many queries in flight at once (aka pipelining) is a central recommendation of the DNSOP WG document draft-ietf-dnsop-5966bis, and the DNS-over-TLS draft just cites that draft rather than repeating it. We hope to cite it normatively soon, once the DNSOP WG sends it to Last Call. Do you think DNS-over-TLS needs to mention a few more details from 5966bis in order to avoid confusion? Allison P.S. I wrote “we” due to being one of the authors on both DNS-over-TLS and 5966bis... > On Sep 8, 2015, at 5:18 PM, Simon Kelley <simon@thekelleys.org.uk> wrote: > > draft-ietf-dprive-start-tls-for-dns-01 section 2.1.5 > > "DNS queries SHOULD take place, following DNS-over-TCP framing > ([RFC1035], section 4.2.2)" > > Plus lots of stuff about managing TCP connections, re-using TCP > connections, etc etc. > > "Alternatively they may prefer to use UDP to a DNS-over-TLS > enabled caching resolver on the same machine that then uses a system- > wide TCP connection to the recursive resolver." > > > I'm thinking here, very much in the context of such a caching resolver, > talking to a recursive DNS server upstream, at an ISP or 8.8.8.8 etc. > Mainly because I maintain the most common such caching resolver in real > life. > > The current proposal is a huge pain, because 1035 framing only allows > one query-in-flight per TCP/TLS connection. Take common scenario of > hitting a busy web page: 50 DNS queries go to the system-wide resolver > and wants to forward them all to the recursive server. To do that it has > to open 50 TCP/TLS connections. Now the answers come back, and to avoid > having to do the same for the next batch, it keeps those 50 connections > open. Are ISP DNS servers or Google DNS going to scale from stateless > UDP to 50 TLS sessions per client? Seems unlikely. > > Since DNS-over-TLS is distinguished from DNS-over-TCP, 1035-style, could > it also elaborate the framing to allow multiple in-flight queries over > _one_ TLS session. Maybe something as simple as prepending a tag to > queries as well as the length, with the same tag prepended to answers. > > Now the system cache can send all the queries over one TLS session, and > get back the answers as they become available. There would still be the > need to maintain connections, handle hard closes, etc. but the task of > optimising connections pools would be much simpler, and ISP-scale > recursive servers would scale much better. > > > > Cheers, > > Simon. > > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] DNS-over-TLS query/answer framing. Simon Kelley
- Re: [dns-privacy] DNS-over-TLS query/answer frami… Mankin, Allison
- Re: [dns-privacy] DNS-over-TLS query/answer frami… Simon Kelley
- Re: [dns-privacy] DNS-over-TLS query/answer frami… Tony Finch