Re: QUIC re-chartering: include DNS-over-QUIC?

[Martin Thomson <mt@lowentropy.net>]

Hi Paul,

These are good topics to talk through.

On Sun, Apr 12, 2020, at 09:46, Paul Vixie wrote:
> you're assuming that the loss isn't self-induced. sometimes slowing down is 
> exactly what's needed. for example when a busy full resolver has a queue of 
> hundreds or thousands of requests to be sent to a zone authority, rate 
> limiting of UDP is necessary to prevent a meltdown. bandwidth is finite. we 
> sometimes load-balance toward several of a zone's authority servers even 
> including those known to not have low-ish RTT, just to avoid flooding one of 
> them, or to avoid flooding our nearby links. moving to QUIC won't help with 
> any of that.

I guess it depends on what resource you are attempting to preserve.

The goal of a congestion controller is to avoid over-saturating the network.  But most controllers still assume that you still want saturation of a kind.  QUIC likely doesn't do anything to help here, unless you think that having a stateful context with good feedback about loss and delay is useful.  It seems like something far less sophisticated is what you are imagining.

If the goal is instead to avoid overloading a receiver, then QUIC definitely can help.  The flow control mechanisms in QUIC (limits on streams, per-stream limits on bytes) are all designed to avoid this situation by putting the receiver more in control.  If a resolver is busy handling lots of traffic and you want to avoid swamping it further with zone transfers or similar, then these flow control options allow it to limit the resources it has to commit to different connections. (Of course, that reduces the problem to the previously-unsolved one of prioritizing competing interests.)

If you have good flow control, you might not have to worry about the effect on congestion beyond choosing an appropriately-aggressive controller.
 
> > * Faster resumption and 0RTT behaviors (although you get some of these with
> > TFO + TLS 1.3 0RTT).  But this substantially reduces the performance impact
> > when new connections need to be established.
> 
> in DNS, new connections rarely need to be established. the reason RFC 6013 
> permitted connections to go into a quiet (resumable) state

The resumption part is interesting in this context.  It depends on what you mean by "resume".

If you imagine very long periods of quiescence, but with (full) retention of state at endpoints, then QUIC should work.  Using connection IDs might mean that you can keep using a connection even in the presence of address translation.  

That's different than what TLS and QUIC refer to as "resumption", which is the feature that allows you to make new connections (more) cheaply.  QUIC does a lot to improve that, because the web needs it.  Maybe DNS will also benefit from that, but it might be that you can just use very long-lived connections instead.  I would recommend a regimen of key updates for that, but that's not critical.

Transport people keep saying that you can't save the congestion window.  But then I keep seeing that people do and nothing much breaks, so I guess this debate will just continue.

> while it's theoretically possible to share DNS cookie state (RFC 7873) across 
> many instances of DNS Anycast, the cost:benefit of that complexity is less 
> compelling than the cost:benefit of having to renegotiate during route changes 
> either from mobile-ip or network-in-the-middle attacks. i don't think QUIC has 
> different game theory than DNS cookies have in this regard. route changes are 
> orders of magnitude less frequent than same-pair reuse, and always must be.

You might find that sharing implementations with HTTP servers changes the dynamics there, but I don't know if the equivalent QUIC mechanisms are fundamentally different.  What I've observed with HTTP is that state is shared, sometimes globally, sometimes only at the same location, and sometimes not at all.  But I don't operate any of those services, so I can't speak to details.

> ....my question seems to stand. if the potential motivations you've listed so 
> far were actual, then we'd have had DNS over SCTP decades ago, or something 
> like DTLS that actually worked at scale rather than just in a lab, or we would 
> have been able to get TCPCT the code point we needed to experiment globally, 
> or we would have had UDP options by now.

I think that my answer immediately above speaks to the potential difference here.  Wide deployment of infrastructure that supports the protocol might change the system dynamics sufficiently to make it worthwhile for DNS to use the new protocol.  I don't think that this is certain, but I also don't think that this is a question of serving QUIC more than it is serving DNS.

As you say, DNS has its own version of many (or all) of the same capabilities we're talking about.  It has them because it needs them.  The amount of operational experience with those capabilities is far greater than the experience people have with QUIC, and that will remain the case for a good while (read: more than 3 years, possibly quite a bit more).

However, if QUIC does manage to see wider adoption, it could be that the benefits of sharing infrastructure and experience is worthwhile.  Laying the groundwork for that possibility isn't necessarily a waste of the time of groups like DPRIVE/QUIC.  Recognizing the potential for that work to be unwanted is a good check on excessive ambition though.

I personally think that there is value in sharing a better transport layer, but the costs are pretty significant.  Even if you believe that there is some utopian end state in which everything uses the same protocol, the short- and medium-term costs are carrying around multiple protocols, some of which are awkwardly incompatible.