On Mon, Mar 02, 2015 at 07:49:08AM -0500, Phillip Hallam-Baker wrote:
> 
> Having long experience of trying to persuade browser providers to do OCSP
> with TLS, I do not see any possibility that DNS over TCP is going to be
> acceptable to them.
> 
> I don't care how many graphs are presented showing that TCP is as fast
> under lab conditions or with a specific stack or with new extensions etc. I
> would not be convinced and I see no reason why Google is going to be.
> Reducing the time to load of the first page is a really big deal for the
> Chrome team.
> 
> So when people are saying 'DNS over TCP isn't a major overhead' what the
> Chrome team are probably hearing is 'giving up half your annual bonus to do
> privacy our way shouldn't be a problem'.

Are you talking about:

- Overhead of establishing (secured) TCP connection (AFAIK, 2RTT without
  extensions)?
- Bad handling of packet loss by TCP (don't know)?
- Latency increase from increased bandwidth and encryption/decryption
  (AFAICT, on order of 0.1ms or so)?

The hot association performance looks acceptable. Are you talking about
cold association performance being important?

Also, the end that bears the brunt of keeping hot associations is the
server end (recursive resolver in case of stub<->recursive), not the
client (stub) end. I have heard of single system image managing to keep
1 million TCP connections at once (that was some time ago, likely
higher now).

I would see the point of using UDP (which means increased complexity):
- If cold case 2RTT is unacceptable.
- If packet loss handling of TCP proves too troublesome.
- If maintaining enough associations is a problem for recursive servers.

Using UDP does virtually nothing about the extra bandwidth latency.


And finally, if one compares to OCSP:
- OCSP cold-case performance matters much more due to amount of OCSP
  responders involved (to-recursive DNS only has 1 + backup(s) if
  primary fails).
- OCSP makes privacy issues worse, not better (by introducing another
  party).


-Ilari

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy