Re: [Doh] [Ext] DNS over HTTP/3?

Paul Hoffman <paul.hoffman@icann.org> Mon, 19 November 2018 14:12 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE615130DC8 for <doh@ietfa.amsl.com>; Mon, 19 Nov 2018 06:12:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klIG4Bgy2ebA for <doh@ietfa.amsl.com>; Mon, 19 Nov 2018 06:12:22 -0800 (PST)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1111012008A for <doh@ietf.org>; Mon, 19 Nov 2018 06:12:22 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 19 Nov 2018 06:12:20 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Mon, 19 Nov 2018 06:12:19 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: bert hubert <bert.hubert@powerdns.com>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Ext] [Doh] DNS over HTTP/3?
Thread-Index: AQHUf/AQSCvsgY2gXkOTrPQmqQiX0aVXqf4A
Date: Mon, 19 Nov 2018 14:12:18 +0000
Message-ID: <5BE15B68-1C61-4462-AE84-901E2CF0F9F9@icann.org>
References: <20181119100954.GA6704@server.ds9a.nl>
In-Reply-To: <20181119100954.GA6704@server.ds9a.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; boundary="Apple-Mail=_97356FDC-D7A0-4123-AE66-26FF72674864"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/bvYHpq_srGHgWp2o-XPE7xx7w04>
Subject: Re: [Doh] [Ext] DNS over HTTP/3?
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2018 14:12:24 -0000

On Nov 19, 2018, at 2:09 AM, bert hubert <bert.hubert@powerdns.com> wrote:
> 
> Hi everyone,
> 
> Now that we are still here, perhaps some work is left for us, but I'm not
> sure. 
> 
> I've observed that the thousands of users of doh.powerdns.org (I also do not
> know how this happened) take around 22 packets per DNS query/response. 

It would be valuable to know if this is because your DoH server kills the entire connection after every DNS query, or because the clients are doing so.

> Larger scale adoption of TLSv1.3 might improve this somewhat, but it is a
> big number.

DoH was designed for long-lived connections, so the number would normally be smaller after the initial connection.

> I've also personally observed that a "slightly suboptimal" network
> absolutely kills browsing performance in Firefox Nightly using DoH.  A naive
> calculation shows that 0.5% packet loss turns into a 5% failure rate per DoH
> query, which then can cause Head of Line blocking for further queries, which
> cascades into "blank pages" getting rendered. 

When you say "naive calculation", do you mean this is observed in the clients hitting your DoH server? That would indeed be scary. However, the Mozilla numbers tell a very different story. It would be good to know which one is true.

> Of course, once we have HTTP/3, DNS over HTTP/3 would suffer way less from
> incidental packet loss, and in general there would be a lot less packets
> too.
> 
> My question now is, is there any specific work to be done for DoH/3? Are
> there numbers, priorities, features you'd want or not want to use to make
> things work well?

DoH is just a specification for how to do a normal HTTP interaction, so there should be little or no changes to DoH if the transport under HTTP changes. We'll know more when HTTP/3 is finished, but probably not before then.

> In other words, to the sound of a groaning camel, do we need a draft? Or a
> section in the HTTP/3 I-D?

We might, but we can't tell now.

> And, perhaps somewhat more provocatively, should we maybe not start pushing
> DoH/2 if it leaves people with a sub-standard experience, causing them to
> disable DoH?

If the implementations on the client or server side make using DoH bad, those implementations should be fixed. If they don't get fixed, we'll certainly hear about it.

> DoH/3 might be somewhat of a wait but it might prevent that
> sour taste from developing.

Without sufficient data, it's hard to say if there really is a sour taste.

--Paul Hoffman
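The "naive calculation" the quoted message refers to (a per-packet loss rate turning into a per-query failure rate, which then compounds across the lookups a page needs) can be made explicit with a small model. The following Python is an added example written for this archive page, not code from either poster or from any DoH implementation. It assumes independent per-packet loss and counts any lost packet as a failed query (no credit for retransmission), which is what makes it pessimistic; the packet budgets are constructed figures, with the 22-packet "cold connection" case taken from the message and the 4-packet "warm connection" case an assumption about a long-lived connection that pays no setup cost.

```python
import math

# Naive loss model (added example): each packet is lost independently with
# probability `loss`, and losing any packet of an exchange counts as a failed
# query. This is an estimate in the style of the "naive calculation" quoted
# above, not a measurement of any real client or server.

def exchange_failure_prob(packets: int, loss: float) -> float:
    """Probability that at least one of `packets` packets is lost."""
    if packets < 0 or not 0.0 <= loss <= 1.0:
        raise ValueError("packets must be >= 0 and loss within [0, 1]")
    return 1.0 - (1.0 - loss) ** packets

def page_failure_prob(per_query_failure: float, lookups: int) -> float:
    """Probability that at least one of `lookups` independent DNS lookups on a
    page fails. The message describes one stalled lookup cascading into a
    blank page, so under that model this is the page-level risk."""
    return 1.0 - (1.0 - per_query_failure) ** lookups

# Assumed packet budgets per DNS query (constructed, not measured): a "cold"
# query pays connection setup on every query, a "warm" query on a long-lived
# connection pays only the request/response packets.
ASSUMED_PACKETS = {
    "cold_connection": 22,  # per-query figure reported in the message
    "warm_connection": 4,   # assumption: request, response and their acks
}

def compare(loss: float, lookups: int) -> dict:
    """Per-query and per-page failure estimates for each packet budget."""
    out = {}
    for name, n in ASSUMED_PACKETS.items():
        q = exchange_failure_prob(n, loss)
        out[name] = {
            "packets": n,
            "per_query": q,
            "per_page": page_failure_prob(q, lookups),
        }
    return out

def packets_for_failure_rate(target: float, loss: float) -> int:
    """Packets per exchange that give roughly `target` failure rate at the
    given loss rate: solves 1 - (1 - loss)^n = target for n, rounded."""
    if not 0.0 < target < 1.0 or not 0.0 < loss < 1.0:
        raise ValueError("target and loss must be strictly within (0, 1)")
    return round(math.log(1.0 - target) / math.log(1.0 - loss))

if __name__ == "__main__":
    # 0.5% packet loss and a page that needs 20 lookups (constructed inputs).
    for name, r in compare(0.005, 20).items():
        print(f"{name:16s} packets={r['packets']:2d} "
              f"per-query={r['per_query']:.1%} "
              f"per-page(20 lookups)={r['per_page']:.1%}")
    print("packets per exchange for a 5% failure rate at 0.5% loss:",
          packets_for_failure_rate(0.05, 0.005))
```

The point of running it is to see how sensitive the per-query number is to the packet budget: at 0.5% loss the per-query failure rate roughly tracks half a percent per packet, so the practical question raised in the reply (whether the connection is torn down after every query) matters more to the model than which HTTP version carries the request. Plug in your own packets-per-query figure from a capture rather than the constructed ones.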