Re: [Doh] Authoritative DoT or DoH

"Martin Thomson" <mt@lowentropy.net> Fri, 15 March 2019 11:04 UTC

Date: Fri, 15 Mar 2019 07:04:36 -0400
From: Martin Thomson <mt@lowentropy.net>
To: Erik Kline <ek@loon.co>
Cc: doh@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/puDAWUQa7cGoZzXGrFvF2WVTTd8>
Subject: Re: [Doh] Authoritative DoT or DoH

DNS over QUIC (either directly, or as DoH with HTTP/3) will likely exacerbate load problems.  QUIC isn't great about its CPU usage at the current time.  That comes with some advantages, like sharing an encryption context for multiple requests without the head of line blocking inherent in HTTP/2, but it's unlikely to be a total slam dunk.

On Fri, Mar 15, 2019, at 14:23, Erik Kline wrote:
> And on account of the load management issues I would expect some folks 
> to prefer to try out DoQ (DNS over QUIC), does actually bring things 
> back around to DoH.
> 
> On Thu, 14 Mar 2019 at 19:27, Martin Thomson <mt@lowentropy.net> wrote:
> > There is far less reason to use DoH for connections to authoritative servers. DoT seems far more appropriate (than both DoH and the unencrypted variants).
> > 
> >  I expect there to be a lot of discussion about DoS (not DNS over SCTP, sadly) and load management in any such document. I don't see much of the stuff that has generated so much heat lately to be relevant in the authoritative context.
> > 
> >  On Fri, Mar 15, 2019, at 06:18, Henderson, Karl wrote:
> >  > 
> >  > In the last couple of days there has been a lot of activity concerning 
> >  > DNS over HTTPS (DoH) - Hoffman and Alibaba presentations at ICANN and 
> >  > IETF drafts: 
> >  > draft-reid-doh-operator/draft-livingood-doh-implementation-risks-issues/draft-betola-bcp-doh-clients.
> >  > 
> >  > 
> >  > These discussions have focused on DoH for client (typically web 
> >  > browser) communication with recursive resolvers, and its comparisons 
> >  > with DoT for this purpose.
> >  > 
> >  > 
> >  > Is there any compelling reason at this point to be considering DoH for 
> >  > recursive resolver-to-authoritative name server communications?
> >  > 
> >  > 
> >  > As I noted at the DPRIVE interim meeting, the working group needs 
> >  > empirical studies looking at performance and attack vectors for 
> >  > authoritative DNS encryption.
> >  > 
> >  > 
> >  > Unless there are compelling reasons to consider Authoritative DoH, I 
> >  > propose the working group focus its authoritative DNS encryption 
> >  > assessments around Authoritative DoT.
> >  > 
> >  > 
> >  > In support, I am willing to co-author an Authoritative DoT operational 
> >  > consideration draft in order to outline the operational challenges the 
> >  > community needs to address - similar to the draft-reid-doh-operator 
> >  > draft between client and recursive.
> >  > 
> >  > 
> >  > _______________________________________________
> >  > Doh mailing list
> >  > Doh@ietf.org
> >  > https://www.ietf.org/mailman/listinfo/doh
> >  >