IETF Logo Mail Archive

Re: QUIC re-chartering: include DNS-over-QUIC?

Vidhi Goel <vidhi_goel@apple.com> Thu, 06 February 2020 17:26 UTC

Return-Path: <vidhi_goel@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1F6F12010D for <quic@ietfa.amsl.com>; Thu, 6 Feb 2020 09:26:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6mzdm0JsTaYn for <quic@ietfa.amsl.com>; Thu, 6 Feb 2020 09:26:54 -0800 (PST)
Received: from nwk-aaemail-lapp03.apple.com (nwk-aaemail-lapp03.apple.com [17.151.62.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D4C3120108 for <quic@ietf.org>; Thu, 6 Feb 2020 09:26:54 -0800 (PST)
Received: from pps.filterd (nwk-aaemail-lapp03.apple.com [127.0.0.1]) by nwk-aaemail-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id 016H7j4O053014; Thu, 6 Feb 2020 09:26:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : content-type : content-transfer-encoding : from : mime-version : subject : date : message-id : references : cc : in-reply-to : to; s=20180706; bh=MD8M7rke5q/vsddfwf5GV8u3gCeGQ8radpCXsGBYK9s=; b=AXAy2XV7xuSiw32nrO7C8rUcnQYM/bBZWwm2WrbB3tnzlWHx4tXVl6b88Dv4VUo7Ra2r Wu08EZb3lTg3gE2qr56MWXywRJk+Tw0R90YOso2gf4eHVaukahitMUDw8kBkNDJRHqUI rsxgCTbu+/vao5yGiSe6Z5d5jZKvEYCwEkPuPr7/qK1pA2Wi/yEMjIR4l1/ajb+NsGrN +o+UBIPldcMDkpSOCWQbVSUz42LQIuLf0PU69lQhQLj5wKWQgzLovY3enGXky0b6JURX n7v9KL93+Nf9slxj+ooz702MIez6U4bMa2asJjS7DCYZZeA47j2Y2rd5QQaIQzBs3H9f 3Q==
Received: from ma-mailsvcp-mta-lapp02.corp.apple.com (ma-mailsvcp-mta-lapp02.corp.apple.com [10.226.18.134]) by nwk-aaemail-lapp03.apple.com with ESMTP id 2xykayw41r-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 06 Feb 2020 09:26:49 -0800
Received: from ma-mailsvcp-mmp-lapp01.apple.com (ma-mailsvcp-mmp-lapp01.apple.com [17.32.222.14]) by ma-mailsvcp-mta-lapp02.corp.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) with ESMTPS id <0Q5A008J5J4OPLB0@ma-mailsvcp-mta-lapp02.corp.apple.com>; Thu, 06 Feb 2020 09:26:48 -0800 (PST)
Received: from process_milters-daemon.ma-mailsvcp-mmp-lapp01.apple.com by ma-mailsvcp-mmp-lapp01.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) id <0Q5A00Z00J45AY00@ma-mailsvcp-mmp-lapp01.apple.com>; Thu, 06 Feb 2020 09:26:48 -0800 (PST)
X-Va-A:
X-Va-T-CD: c8b10700d71aad692d44400dd5e552ae
X-Va-E-CD: 50ace2a2c7a519dfea16dd2e6ff08205
X-Va-R-CD: 5ea96b195aba36741a99102bfdbc7bae
X-Va-CD: 0
X-Va-ID: a6f08016-7121-4948-91c5-5d0373c624a9
X-V-A:
X-V-T-CD: c8b10700d71aad692d44400dd5e552ae
X-V-E-CD: 50ace2a2c7a519dfea16dd2e6ff08205
X-V-R-CD: 5ea96b195aba36741a99102bfdbc7bae
X-V-CD: 0
X-V-ID: 4154a14e-7bb7-4cc6-a991-22429a778c7a
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.572 definitions=2020-02-06_01:2020-02-06, 2020-02-06 signatures=0
Received: from [17.234.226.103] (unknown [17.234.226.103]) by ma-mailsvcp-mmp-lapp01.apple.com (Oracle Communications Messaging Server 8.1.0.1.20190704 64bit (built Jul 4 2019)) with ESMTPSA id <0Q5A00TAYJ4MJW40@ma-mailsvcp-mmp-lapp01.apple.com>; Thu, 06 Feb 2020 09:26:48 -0800 (PST)
Sender: vidhi_goel@apple.com
Content-type: multipart/alternative; boundary="Apple-Mail-96067D01-E527-420D-B44A-74DA983293B3"
Content-transfer-encoding: 7bit
From: Vidhi Goel <vidhi_goel@apple.com>
MIME-version: 1.0 (1.0)
Subject: Re: QUIC re-chartering: include DNS-over-QUIC?
Date: Thu, 06 Feb 2020 09:26:46 -0800
Message-id: <69F63EAA-B7AB-4874-9AD5-7C8F98A92C77@apple.com>
References: <CAKcm_gNf43tXizw9D2jdtTieh+=zS7PKVDiNNV-UEbP8Gw+mHg@mail.gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, IETF QUIC WG <quic@ietf.org>
In-reply-to: <CAKcm_gNf43tXizw9D2jdtTieh+=zS7PKVDiNNV-UEbP8Gw+mHg@mail.gmail.com>
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (18A195a)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-02-06_01:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/R-ZiZxXlqb4tPvIiA5sVS7WWcJc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 17:26:57 -0000

I support DoQ for the use cases that are based on non HTTP application protocol. DoQ implicitly provides benefits of QUIC which DoT doesn’t have.

Vidhi

> On Feb 6, 2020, at 8:47 AM, Ian Swett <ianswett=40google.com@dmarc.ietf.org> wrote:
> 
> 
> +1 as well.  I think this work is worth doing, and I would hope it does not require the QUIC WG's active involvement.
> 
>> On Thu, Feb 6, 2020 at 11:13 AM Christopher Wood <caw@heapingbits.net> wrote:
>> 
>> 
>> On Thu, Feb 6, 2020, at 7:13 AM, Erik Nygren wrote:
>> > It sounds like a good path forwards might be to take the 
>> > draft-huitema-quic-dnsoquic 
>> > <https://tools.ietf.org/html/draft-huitema-quic-dnsoquic-07>
>> > to dprive in Vancouver and/or Madrid if the authors are interested and 
>> > willing?
>> 
>> +1 — I think taking it to DPRIVE makes sense.
>> 
>> Best,
>> Chris
>> 
>> > 
>> > For encrypting recursive-to-authoritative I'm hopefully that we can 
>> > pick one (or at most
>> > two) things as "MTI" for interop, and I suspect if we had a pros/cons 
>> > matrix for the various
>> > options that a DoQ solution has a good chance as being the contender 
>> > for being the preferred 
>> > option for reasons stated above, as well as for other functionality 
>> > that exists in QUIC
>> > that may make scaling and robustness easier for authority operators. 
>> > 
>> >  Erik
>> > 
>> > 
>> > 
>> > On Thu, Feb 6, 2020 at 9:57 AM Daniel Migault <mglt.ietf@gmail.com> wrote:
>> > > I support DoQ being done here or somewhere else to prevent including the attack surface of the web platform as well as to have a non HTTP use case for quic. I also expect that previous work on DoT, DoH will reduce the effort on DoQ. It is true one could question the advantages of having yet another transport, but on the other hand, it might be better we can have the choice now rather than later. 
>> > > Yours, 
>> > > Daniel
>> > > 
>> > > On Thu, Feb 6, 2020 at 6:36 AM Christian Huitema <huitema@huitema.net <mailto:huitema@huitema..net>> wrote:
>> > >> On 2/4/2020 4:17 PM, Tommy Pauly wrote:
>> > >> 
>> > >>  > My main question in doing DNS-over-QUIC is what benefit it provides
>> > >>  > over DNS-over-HTTP/3 (DoH3?). DoH3 seems like a more practical
>> > >>  > deployment model, since it allows relatively seamless upgrade from
>> > >>  > DoH2 to DoH3, and allows a resolver to support consistent semantics on
>> > >>  > both. The overhead of the HTTP layer is pretty minimal, and while I
>> > >>  > appreciate the desire to define a non-HTTP protocol over QUIC, I
>> > >>  > imagine there would be ones that would be more useful to adopt in the
>> > >>  > near term.
>> > >> 
>> > >>  There are significant differences between DoQ and DoH. My main worry is
>> > >>  that protocol written to run over HTTP tend to be developed on top of
>> > >>  web platforms, and so you end up bringing the entire attack surface of
>> > >>  the web platforms in your DNS implementation. That's OK if your DNS
>> > >>  usage is directly dependent on your web traffic, for example if a
>> > >>  browser is sending queries for the pages that it visits.. But that's not
>> > >>  so good for the resolver to authoritative scenario, in which a leaner
>> > >>  protocol seems safer.
>> > >> 
>> > >>  But there are other issues. Look at the "M" scenario in the Quic Interop
>> > >>  runner, loading 2000 small files in parallel. It turns out that several
>> > >>  implementations had issues because when doing that they were hitting the
>> > >>  OS limit on the number of open files. The way you control that in Quic
>> > >>  is by limiting the number of open streams below the number of files that
>> > >>  you can maintain open. In a web-oriented implementation of H3 and Quic,
>> > >>  you will most likely do that. But you don't need to worry about that in
>> > >>  the DNS scenario, because you are certainly not going to write a file
>> > >>  for every DNS transaction. Doing an ad hoc application mapping avoids
>> > >>  this kind of issues.
>> > >> 
>> > >>  -- Christian Huitema
>> > >> 
>> > >> 
>> > >> 
>> > > 
>> > > 
>> > > -- 
>> > > Daniel Migault
>> > > Ericsson
>>

v2.23.0 | Report a Bug | By Email