On Wed, Nov 19, 2014 at 12:08 PM, Dan Wing <[email protected]> wrote:
>
> On Nov 19, 2014, at 4:05 AM, Phillip Hallam-Baker <[email protected]> wrote:
>
>>> On Nov 13, 2014, at 10:24 AM, Phillip Hallam-Baker <[email protected]> wrote:
>>
>> The thing I didn't like about using DTLS is that I have to profile
>> pretty severely to make the code footprint minimal. And once you
>> profile you have to rewrite libraries to only use the profile
>> features.
>
> Umkay. It is good you have personally concluded that a completely new
> library and new protocol is better than profiling DTLS, but I don't yet share
> that conclusion.

I don't think it is helpful to think in terms of the number of libraries or
protocols involved. I would rather add a new library of 10K code than grow an
existing library from 200Kb to 300Kb.

I am really not writing a whole new protocol here. What I am doing is
decoupling the key negotiation part of TLS from the framing part by
introducing a small amount of JSON.

>> On the performance side, PRIVATE-DNS is providing better performance
>> for the typical approach of doing an A and a AAAA record lookup in
>> parallel since these are typically handled in one request/response
>> packet rather than two.
>
> If also SRV and arbitrary other resource records invented in the future, that
> sounds compelling.

SRV, TLSA, plus new security policy records to be defined, all with DNSSEC.

So let's say you want to connect to www.example.com via HTTP, the DNS queries
might be:

www.example.com ? A
www.example.com ? AAAA
_80._tcp.www.example.com ? TLSA
_http._tcp.www.example.com ? SRV
_http._tcp.www.example.com ? ESRV (A security policy record TBS)

Note that while the existing DNS protocol supports multiple queries in theory,
it does not support multiple response codes, which makes it pretty useless. So
the above would be five separate DNS protocol messages all framed in a single
UDP packet. In most cases the results will fit in a single packet as well.

Taking away the performance penalty for multiple record lookups would make a
huge difference to the viability of proposals to extend DNS discovery services.
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
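The following is an added example, not code from the message above or from the PRIVATE-DNS draft. It builds the four resolvable lookups from the message (A, AAAA, TLSA, SRV; ESRV is left out because no record type is defined for it) as separate RFC 1035 query messages, each with a single question so that each can carry its own RCODE on return, and packs them into one datagram. The framing is an assumption for illustration: a 2-octet length prefix per message, borrowed from DNS over TCP (RFC 1035 section 4.2.2), not whatever framing PRIVATE-DNS itself specifies.

```python
"""Several single-question DNS messages framed into one datagram.

Added illustration for the dns-privacy thread; the length-prefix framing
is an assumption, not the PRIVATE-DNS draft's own encoding.
"""
import struct

# RR type codes from the IANA registry (RFC 1035, RFC 2782, RFC 6698).
QTYPE = {"A": 1, "AAAA": 28, "SRV": 33, "TLSA": 52}
QCLASS_IN = 1
FLAG_RD = 0x0100  # recursion desired; QR=0 marks a query


def encode_name(name: str) -> bytes:
    """Encode an owner name as length-prefixed labels plus a root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:  # RFC 1035 label limit
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(qid: int, name: str, qtype: str) -> bytes:
    """One complete query: 12-octet header followed by one question.

    QDCOUNT is fixed at 1. A message has a single 4-bit RCODE in its header,
    so putting several questions in one message would leave no way to report
    a separate status (NXDOMAIN, SERVFAIL, ...) for each of them.
    """
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)
    return header + question


def frame(messages) -> bytes:
    """Assumed framing: 2-octet big-endian length before each message."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)


def unframe(datagram: bytes):
    """Split a framed datagram back into messages, rejecting truncation."""
    msgs, pos = [], 0
    while pos < len(datagram):
        if pos + 2 > len(datagram):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", datagram, pos)
        pos += 2
        if pos + n > len(datagram):
            raise ValueError("truncated message")
        msgs.append(datagram[pos:pos + n])
        pos += n
    return msgs


def parse_question(msg: bytes):
    """Return (id, qname, qtype) from a single-question message."""
    qid, _flags, _qd, _an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack_from("!HH", msg, pos)
    return qid, ".".join(labels), qtype


def http_lookups(host: str):
    """The four queries from the message for an HTTP connection to host."""
    plan = [
        (host, "A"),
        (host, "AAAA"),
        (f"_80._tcp.{host}", "TLSA"),
        (f"_http._tcp.{host}", "SRV"),
    ]
    return [build_query(i + 1, name, qt) for i, (name, qt) in enumerate(plan)]


def datagram_for(host: str) -> bytes:
    """All lookups for host framed into one datagram (well under 512 octets)."""
    return frame(http_lookups(host))


if __name__ == "__main__":
    d = datagram_for("www.example.com")
    print(len(d), "octets carrying", len(unframe(d)), "messages")
```

Because every message keeps its own header, a responder can answer each one independently and a client can match replies by ID; the cost of the extra headers for www.example.com is 4 x 12 octets plus 8 octets of framing, and the whole datagram is 160 octets.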
