IETF Logo Mail Archive

Re: QUIC re-chartering: include DNS-over-QUIC?

Erik Nygren <erik+ietf@nygren.org> Thu, 06 February 2020 15:13 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC871208AE for <quic@ietfa.amsl.com>; Thu, 6 Feb 2020 07:13:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXS0rAE8DfMr for <quic@ietfa.amsl.com>; Thu, 6 Feb 2020 07:13:47 -0800 (PST)
Received: from mail-wm1-f67.google.com (mail-wm1-f67.google.com [209.85.128.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6742A12080C for <quic@ietf.org>; Thu, 6 Feb 2020 07:13:47 -0800 (PST)
Received: by mail-wm1-f67.google.com with SMTP id p17so422019wma.1 for <quic@ietf.org>; Thu, 06 Feb 2020 07:13:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=y22qqnqvGoTGvxpgro9wLz84GNvMBgJKeNWKiYKakcg=; b=hJT4UnermmSHz3pVKsKOCKftINF7trUc0Ixsbwkwca7E1FH/oVzSG5IHVSQgQ9PVAr 5gIiDL6Kl6UYJdKZYIFvBdUVXTIow9B9Gr1+dNB4w8QruAm/EUUFRbjdwUr7iUHQZIYG vfSJ693iTN8mtJ2Tu3+lbnh+aqNuEqNCXvK4PLcL2S+QgHsvnCGmG6hQujuxeDfaa2/d Sb0EjPNTSNpdURUQpXwaKGQPEqgXzkKyXkiN0/ZB6rDYA0EAgVperDlWWR5owqVCMi+3 CW51/Va10VHf3KS3TPlQFGI5ul0KwyVG34Y7bVYofGGHGEXHpAyVD6/N+RHA5nMJxnoo OrKg==
X-Gm-Message-State: APjAAAXO1XAP9BejZJ2GeCIr0upMBOKykJrwfiuuXo9LGriW9NJGHYyI JMjNyulM6V+fkfgaAFcWK3XPhO83wd8wXX45LsU=
X-Google-Smtp-Source: APXvYqxP4kO8CIGOMuXO3aQVzJMSg+/lBdh/EgkmIWdCoErb6WqpGhsEyM68OG/7dbq9jFOutl9Cd3tpLHFgBtfYPhU=
X-Received: by 2002:a1c:a754:: with SMTP id q81mr4954637wme.139.1581002025298; Thu, 06 Feb 2020 07:13:45 -0800 (PST)
MIME-Version: 1.0
References: <A56547B6-2E3B-4ABE-8C9B-BA9ACC489FB2@mnot.net> <CAKC-DJiuhJurq4ojJwPD0Ag3Eoz_4KwFssuuP5Ts1+EH6C9C2A@mail.gmail.com> <0FD71EED-6095-4989-A81B-1FEC12044E80@apple.com> <367135c9-ea82-9fe7-8d80-a1b47440e2a1@huitema.net> <CADZyTkk1LYaEQWeniqbN_iq2SMZ=nqHaSn-bYb8wQjvx2B6m2g@mail.gmail.com>
In-Reply-To: <CADZyTkk1LYaEQWeniqbN_iq2SMZ=nqHaSn-bYb8wQjvx2B6m2g@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Thu, 06 Feb 2020 10:13:33 -0500
Message-ID: <CAKC-DJhqd0Z04Jc73LRuuzR36Ljg1jiXK4mGo6FPi5mk=cPdDA@mail.gmail.com>
Subject: Re: QUIC re-chartering: include DNS-over-QUIC?
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Christian Huitema <huitema@huitema.net>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Lars Eggert <lars@eggert.org>, Mark Nottingham <mnot@mnot.net>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001b7175059de9b883"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/FmgsAT2uEwNf0asI3H440GnYE68>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 15:13:49 -0000

It sounds like a good path forwards might be to take the
draft-huitema-quic-dnsoquic
<https://tools.ietf.org/html/draft-huitema-quic-dnsoquic-07>
to dprive in Vancouver and/or Madrid if the authors are interested and
willing?

For encrypting recursive-to-authoritative I'm hopefully that we can pick
one (or at most
two) things as "MTI" for interop, and I suspect if we had a pros/cons
matrix for the various
options that a DoQ solution has a good chance as being the contender for
being the preferred
option for reasons stated above, as well as for other functionality that
exists in QUIC
that may make scaling and robustness easier for authority operators.

    Erik



On Thu, Feb 6, 2020 at 9:57 AM Daniel Migault <mglt.ietf@gmail.com> wrote:

> I support DoQ being done here or somewhere else to prevent including the
> attack surface of the web platform as well as to have a non HTTP use case
> for quic. I also expect that previous work on DoT, DoH will reduce the
> effort on DoQ. It is true one could question the advantages of having yet
> another transport, but on the other hand, it might be better we can have
> the choice now rather than later.
> Yours,
> Daniel
>
> On Thu, Feb 6, 2020 at 6:36 AM Christian Huitema <huitema@huitema.net>
> wrote:
>
>> On 2/4/2020 4:17 PM, Tommy Pauly wrote:
>>
>> > My main question in doing DNS-over-QUIC is what benefit it provides
>> > over DNS-over-HTTP/3 (DoH3?). DoH3 seems like a more practical
>> > deployment model, since it allows relatively seamless upgrade from
>> > DoH2 to DoH3, and allows a resolver to support consistent semantics on
>> > both. The overhead of the HTTP layer is pretty minimal, and while I
>> > appreciate the desire to define a non-HTTP protocol over QUIC, I
>> > imagine there would be ones that would be more useful to adopt in the
>> > near term.
>>
>> There are significant differences between DoQ and DoH. My main worry is
>> that protocol written to run over HTTP tend to be developed on top of
>> web platforms, and so you end up bringing the entire attack surface of
>> the web platforms in your DNS implementation. That's OK if your DNS
>> usage is directly dependent on your web traffic, for example if a
>> browser is sending queries for the pages that it visits. But that's not
>> so good for the resolver to authoritative scenario, in which a leaner
>> protocol seems safer.
>>
>> But there are other issues. Look at the "M" scenario in the Quic Interop
>> runner, loading 2000 small files in parallel. It turns out that several
>> implementations had issues because when doing that they were hitting the
>> OS limit on the number of open files. The way you control that in Quic
>> is by limiting the number of open streams below the number of files that
>> you can maintain open. In a web-oriented implementation of H3 and Quic,
>> you will most likely do that. But you don't need to worry about that in
>> the DNS scenario, because you are certainly not going to write a file
>> for every DNS transaction. Doing an ad hoc application mapping avoids
>> this kind of issues.
>>
>> -- Christian Huitema
>>
>>
>>
>>
>
> --
> Daniel Migault
> Ericsson
>

v2.23.0 | Report a Bug | By Email