Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

Tony Finch <dot@dotat.at> Thu, 20 March 2014 10:14 UTC

Date: Thu, 20 Mar 2014 10:14:21 +0000
From: Tony Finch <dot@dotat.at>
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <CAMm+LwiSQygK7KXjA6_XSTMDGar3EJtjTeKwEZaj89-AfriqcQ@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1403201005170.31260@hermes-1.csi.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/rpO_Sb3g9MqpfSHoYg4HuS3D43A
Cc: dns-privacy@ietf.org, Paul Wouters <paul@nohats.ca>
Subject: Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> Wow, so we have the capability there in the infrastructure but people
> are saying that they can't check for DANE records or other policy
> records and other people are saying that we shouldn't 'change' the
> protocol?

The problem that browsers have is NOT a lack of concurrency in the DNS.
For example, I pointed a computer at Google Public DNS, which is about
12ms away, and observed plenty of concurrent DNS requests - see below for
tcpdump output.

The problem with DANE is more to do with middleboxes (especially home CPE)
breaking DNSSEC. If that were not the case it would be straightforward for
browsers to request all the necessary DANE records at the same time as the
site's address records, without harming latency.

The problem with TLS policy records is that the browser does not know
ahead of time what queries it will need to make, so looking up the records
adds latency between receiving the certificate and being able to use the
TLS connection.

10:06:19.874220 IP 172.24.193.148.55349 > google-public-dns-a.google.com.domain: 61217+ A? www.ietf.org. (30)
10:06:19.874335 IP 172.24.193.148.60888 > google-public-dns-a.google.com.domain: 63087+ AAAA? www.ietf.org. (30)
10:06:19.874462 IP 172.24.193.148.59022 > google-public-dns-a.google.com.domain: 48942+ A? www.iab.org. (29)
10:06:19.874588 IP 172.24.193.148.52688 > google-public-dns-a.google.com.domain: 57512+ AAAA? www.iab.org. (29)
10:06:19.874713 IP 172.24.193.148.59194 > google-public-dns-a.google.com.domain: 37286+ A? www.rfc-editor.org. (36)
10:06:19.874834 IP 172.24.193.148.51605 > google-public-dns-a.google.com.domain: 62361+ AAAA? www.rfc-editor.org. (36)
10:06:19.886559 IP google-public-dns-a.google.com.domain > 172.24.193.148.55349: 61217 1/0/0 A 4.31.198.44 (46)
10:06:19.886733 IP google-public-dns-a.google.com.domain > 172.24.193.148.60888: 63087 1/0/0 AAAA 2001:1900:3001:11::2c (58)
10:06:19.886894 IP google-public-dns-a.google.com.domain > 172.24.193.148.59194: 37286 1/0/0 A 209.208.19.211 (52)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Trafalgar: Variable 3 or 4, becoming southwesterly 4 or 5 later in northwest.
Moderate. Occasional drizzle. Moderate or good.
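The tcpdump excerpt in the message can be checked mechanically for the point it makes: all six queries leave within a fraction of a millisecond, and each reply is matched back to its query on the same (client source port, transaction ID) pair a resolver uses. This is an added example, not part of the original message; it parses the lines exactly as quoted above and assumes tcpdump's default one-line DNS output format.

```python
import re

# Constructed copy of the tcpdump lines quoted in the message above.
CAPTURE = """\
10:06:19.874220 IP 172.24.193.148.55349 > google-public-dns-a.google.com.domain: 61217+ A? www.ietf.org. (30)
10:06:19.874335 IP 172.24.193.148.60888 > google-public-dns-a.google.com.domain: 63087+ AAAA? www.ietf.org. (30)
10:06:19.874462 IP 172.24.193.148.59022 > google-public-dns-a.google.com.domain: 48942+ A? www.iab.org. (29)
10:06:19.874588 IP 172.24.193.148.52688 > google-public-dns-a.google.com.domain: 57512+ AAAA? www.iab.org. (29)
10:06:19.874713 IP 172.24.193.148.59194 > google-public-dns-a.google.com.domain: 37286+ A? www.rfc-editor.org. (36)
10:06:19.874834 IP 172.24.193.148.51605 > google-public-dns-a.google.com.domain: 62361+ AAAA? www.rfc-editor.org. (36)
10:06:19.886559 IP google-public-dns-a.google.com.domain > 172.24.193.148.55349: 61217 1/0/0 A 4.31.198.44 (46)
10:06:19.886733 IP google-public-dns-a.google.com.domain > 172.24.193.148.60888: 63087 1/0/0 AAAA 2001:1900:3001:11::2c (58)
10:06:19.886894 IP google-public-dns-a.google.com.domain > 172.24.193.148.59194: 37286 1/0/0 A 209.208.19.211 (52)
"""

# tcpdump prints "host.port"; the greedy \S+ leaves the final ".port" to the next group.
QUERY = re.compile(r"^(\S+) IP (\S+)\.(\d+) > \S+: (\d+)\+ (\S+)\? (\S+) \(\d+\)$")
REPLY = re.compile(r"^(\S+) IP \S+ > (\S+)\.(\d+): (\d+) \d+/\d+/\d+ .* \(\d+\)$")

def _secs(ts: str) -> float:
    """'HH:MM:SS.ffffff' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyse(capture: str) -> dict:
    """Match replies to queries on (client port, transaction ID); report RTTs and concurrency."""
    pending = {}   # (port, txid) -> (send time, qtype, qname)
    rtt_ms = {}    # (qtype, qname) -> round-trip time in milliseconds
    sends, in_flight, peak = [], 0, 0
    for line in capture.splitlines():
        if q := QUERY.match(line):
            ts, _client, port, txid, qtype, qname = q.groups()
            pending[(port, txid)] = (_secs(ts), qtype, qname)
            sends.append(_secs(ts))
            in_flight += 1
            peak = max(peak, in_flight)
        elif r := REPLY.match(line):
            ts, _client, port, txid = r.groups()
            sent = pending.pop((port, txid), None)
            if sent is None:
                continue   # no outstanding query with this port/ID pair: a resolver drops it too
            in_flight -= 1
            rtt_ms[(sent[1], sent[2])] = (_secs(ts) - sent[0]) * 1000.0
    return {
        "rtt_ms": rtt_ms,
        "unanswered": sorted((v[1], v[2]) for v in pending.values()),
        "peak_in_flight": peak,
        "send_window_ms": (max(sends) - min(sends)) * 1000.0 if sends else 0.0,
    }
```

On the quoted capture this reports six queries in flight at once, issued within about 0.6 ms, with the three answered ones returning in roughly 12.2 to 12.4 ms; the three queries without a reply are simply those whose answers fell outside the quoted excerpt.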