On Nov 19, 2014, at 4:05 AM, Phillip Hallam-Baker <[email protected]> wrote:
> On Wed, Nov 19, 2014 at 2:43 AM, 🔓Dan Wing <[email protected]> wrote: >> >> On Nov 13, 2014, at 10:24 AM, Phillip Hallam-Baker <[email protected]> >> wrote: >> >>> I see two distinct use cases: >>> >>> 1) Web browsing >>> 2) Everything else. >>> >>> The challenges for (1) are latency, latency and latency. >>> >>> Shaving 10ms off the response of a browser is very important to the >>> Web browser team. Folk can argue that it should not be, but that is >>> the situation. >>> >>> If we are going to do DNS over TLS then looking at the existing Back >>> to my MAC protocol makes sense. But the caveat is that does not look >>> like an application where ultra-low latency is a requirement. >>> >>> >>> There are two ways to address the latency issue for Web browsing: >>> >>> 1) Design a protocol tuned for ultra low latency with 1 round trip over UDP. >>> 2) Combine the DNS requests with other data requests that the browser >>> would make. >>> >>> Private-DNS takes approach 1 >> >> (D)TLS 1.3 takes approach 1 with TLS 1.3, which is optimizing for 0 round >> trip (for servers previously used) or 1 round trip (for new servers). > > If its 1 round trip then we are talking about DTLS not TLS. > > The thing I didn't like about using DTLS is that I have to profile > pretty severely to make the code footprint minimal. And once you > profile you have to rewrite libraries to only use the profile > features. Umkay. It is good you have personally concluded that a completely new library and new protocol is better than profiling DTLS, but I don't yet share that conclusion. > TLS has a stateless session resumption option but it would need to be > mandatory for DNS over TLS to be viable. And it would have to be > possible to set decent sized timeouts for the negotiated sessions. Acknowledged. However, that requirement for how long to retain 0-RTT capability is not unique to DTLS's session resumption. > On the performance side, PRIVATE-DNS is providing better performance > for the typical approach of doing an A and a AAAA record lookup in > parallel since these are typically handled in one request/response > packet rather than two. If also SRV and arbitrary other resource records invented in the future, that sounds compelling. -d _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
