Re: [dns-privacy] DNS + 0-RTT
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 11 April 2016 13:33 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF8512EEBD for <dns-privacy@ietfa.amsl.com>; Mon, 11 Apr 2016 06:33:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pjjIMcXqqBtI for <dns-privacy@ietfa.amsl.com>; Mon, 11 Apr 2016 06:33:43 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 5712912EE7B for <dns-privacy@ietf.org>; Mon, 11 Apr 2016 06:33:43 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 21BFDF991; Mon, 11 Apr 2016 09:33:41 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id B4FE81FFC4; Mon, 11 Apr 2016 09:33:30 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Shane Kerr <shane@time-travellers.org>, Colm MacCárthai gh <colm@allcosts.net>
In-Reply-To: <20160411145244.1f111f43@pallas.home.time-travellers.org>
References: <5703F0CF.3050306@gmail.com> <87egaidh3y.fsf@alice.fifthhorseman.net> <CAAF6GDcwGJmrPcFj_o+tCe7PTL5jFj=YZ+2LCgCTVZ=64CpOdA@mail.gmail.com> <87vb3rm7d9.fsf@alice.fifthhorseman.net> <CAAF6GDfp9X0=P1j0xPBsSniHWNEi7Vu=xwR71GGbwJ9jbQkeGA@mail.gmail.com> <20160411145244.1f111f43@pallas.home.time-travellers.org>
User-Agent: Notmuch/0.21+124~gbf604e9 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Mon, 11 Apr 2016 09:33:30 -0400
Message-ID: <87egacuv6d.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/h825f_bQzFr6djxkj9PhbAEnEBM>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] DNS + 0-RTT
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2016 13:33:49 -0000
On Mon 2016-04-11 08:52:44 -0400, Shane Kerr <shane@time-travellers.org> wrote: > People who know more can correct me if I'm wrong, but my understanding > is that this sort of RRset rotation is intended to work around clients > that would always pick use first RR from an RRset. Back in the day, > that meant that one gopher server would take all the load. ;) > > Obviously a DNS server would prefer not to have to do the work of > ordering queries. If you use cyclic order, then you have to maintain > state about the last answer. If you randomize it, then you need some > source of entropy. randomized doesn't require a lot of entropy -- it just requires some small chunk at system startup to seed a CSRPNG that you can use indefinitely. > My own recommendation would be that a fixed order be used in all > on-the-wire communication, and that we rely on client-side libraries > to either understand that multiple answers may appear to a question or > at alternatively to randomize the one answer they use. (Note that this > is independent of the privacy concerns, as it results in simpler code > and more deterministic behavior all around.) :) I do like the simplicity and clarity of your proposal, but relying on client-side libraries to be fixed seems like a non-starter, unfortunately. This is the classic IETF problem for any protocol with a deployed base; the folks who have the incentive and capacity to fix some endpoints aren't necessarily the folks who control the "right" endpoints to fix :/ --dkg
- [dns-privacy] DNS + 0-RTT Tim Wicinski
- Re: [dns-privacy] DNS + 0-RTT Daniel Kahn Gillmor
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Daniel Kahn Gillmor
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Shane Kerr
- Re: [dns-privacy] DNS + 0-RTT Daniel Kahn Gillmor
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Robert Edmonds
- Re: [dns-privacy] DNS + 0-RTT Colm MacCárthaigh
- Re: [dns-privacy] DNS + 0-RTT Shane Kerr