Re: [Doh] DoT and DoH at Cambridge

bert hubert <bert.hubert@powerdns.com> Thu, 06 September 2018 11:41 UTC

Date: Thu, 06 Sep 2018 13:41:52 +0200
From: bert hubert <bert.hubert@powerdns.com>
To: Tony Finch <dot@dotat.at>
Cc: Erik Kline <ek=40google.com@dmarc.ietf.org>, doh@ietf.org
Message-ID: <20180906114152.GB13373@server.ds9a.nl>
References: <alpine.DEB.2.20.1809061011520.5965@grey.csi.cam.ac.uk> <CAAedzxpM=+TtH0wEyePWXLFKtgeFxkYpYyvCjz+aeG6PLrzV2g@mail.gmail.com> <alpine.DEB.2.20.1809061116410.5965@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1809061116410.5965@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/XGyvI6PD94KHjNqkiSlbMnUjVt8>

Hi,

Thanks for this experiment, I'd been hoping someone would run it! Of
specific interest in terms of CPU sizing is how long the TLS connection
stays open, if and how it resumes the TLS connection later on and perhaps
what algorithms you see in use.

We are attempting to convince millions-of-users scale deployments to turn
this on but we can't yet give any estimate on CPU load. Knowing how
efficient the actual connections are would be very good.

Can you see?

Fwiw, Firefox appears to eke out only a few DNS connections per TCP/IP
connection before reconnecting (at least on doh.powerdns.org).

	Bert


On Thu, Sep 06, 2018 at 11:32:51AM +0100, Tony Finch wrote:
> Erik Kline <ek=40google.com@dmarc.ietf.org> wrote:
> >
> > Ben Schwartz can comment further on whether there's an experiment
> > ongoing or not.  However, these kinds of queries are also used by the
> > DoT code in Pie to help validate whether the DoT answering thing
> > actually speaks DNS (as opposed to someone's random webserver they
> > left running or whatnot). I wouldn't have necessarily expected the
> > disparity between dnsotls queries and actual subsequent DoT traffic.
> > Hmm...
> 
> Yes, I thought at first that they were "tap tap tap is this thing on?"
> queries but the lack of follow-up real queries made me think otherwise.
> 
> I'm looking again now and there's a lot more real traffic, so it must have
> been just the time of day (early evening) when I was examining the traffic
> yesterday so there was a misleadingly low volume of traffic.
> 
> I should not be so quick to make inferences from too little data :-)
> 
> At the moment there's a roughly 1:10 ratio of probe queries to real
> queries; the typical TLS session is 30-40 milliseconds.
> 
> Thanks for prompting me to look again!
> 
> (X-proxied-for support would make this a bit easier...)
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> democracy, participation, and the co-operative principle
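As an added example (not code from this thread, from PowerDNS or from Cambridge), here is a small Python script that computes the per-connection figures Bert asks for and Tony reports (TLS connection lifetime, resumption rate, cipher suites in use, queries per connection and the probe-to-real query ratio) from a constructed per-connection log. The log format, its field names and the rule that probe queries carry a "dnsotls" label are assumptions made for the example.

```python
import re
import statistics
from collections import Counter
# Constructed sample: one line per closed TLS connection on a
# hypothetical DoT/DoH resolver (not real data from the thread).
SAMPLE_LOG = """\
conn=1 client=198.51.100.7 open=1000 close=1035 cipher=TLS_AES_128_GCM_SHA256 resumed=0 q=dnsotls.probe.example.
conn=2 client=198.51.100.7 open=2000 close=2040 cipher=TLS_AES_128_GCM_SHA256 resumed=1 q=www.example.,mail.example.,img.example.
conn=3 client=203.0.113.9 open=2100 close=2130 cipher=TLS_AES_256_GCM_SHA384 resumed=0 q=dnsotls.probe.example.
conn=4 client=203.0.113.9 open=2500 close=2545 cipher=TLS_AES_256_GCM_SHA384 resumed=1 q=cdn.example.,api.example.,www.example.,ntp.example.,login.example.,static.example.,www.example.
conn=5 client=192.0.2.44 open=3000 close=3032 cipher=TLS_AES_128_GCM_SHA256 resumed=0 q=www.example.,dnsotls.probe.example.
"""

LINE_RE = re.compile(r"conn=\d+ client=(?P<client>\S+) open=(?P<open>\d+) close=(?P<close>\d+) "
                     r"cipher=(?P<cipher>\S+) resumed=(?P<resumed>[01]) q=(?P<q>\S*)")

def parse_log(text):
    """One dict per connection record; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "duration_ms": int(m["close"]) - int(m["open"]),
                "cipher": m["cipher"],
                "resumed": m["resumed"] == "1",
                "queries": [q for q in m["q"].split(",") if q],
            })
    return records

def is_probe(qname):
    # Assumption: probe queries carry a fixed label (the thread calls them
    # "dnsotls" queries); a real deployment needs its own classifier.
    return "dnsotls" in qname

def summarize(records):
    """The numbers asked for in the thread: lifetime, resumption, ciphers, load."""
    all_q = [q for r in records for q in r["queries"]]
    probes = sum(1 for q in all_q if is_probe(q))
    return {
        "connections": len(records),
        "median_duration_ms": statistics.median(r["duration_ms"] for r in records),
        "mean_queries_per_conn": len(all_q) / len(records),
        "resumption_rate": sum(r["resumed"] for r in records) / len(records),
        "ciphers": dict(Counter(r["cipher"] for r in records)),
        "probe_to_real": (probes, len(all_q) - probes),
    }

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

A low mean of queries per connection with a low resumption rate is the expensive case for CPU sizing, since each connection then pays a full handshake for little DNS work.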