On Sun, Apr 19, 2015 at 07:38:18AM -0700, Paul Hoffman wrote:
> Just to clarify: draft-hzhwm-dprive-start-tls-for-dns does not
> propose to switch 100% of DNS to TCP.  It only proposes switching the
> traffic between stubs and recursives that agree to the new TCP-based
> protocol. 
Even that at scale changes considerably how DNS works. Let's consider a
DNS server that handles 10000 qps, which almost every server today
should be capable of. At major ISPs we see on average around 0.1
queries per subscriber per second, so this single server will handle
100000 subscribers and this means it will have 100000 open TCP
connections. And that is only if the connections are coming from the
home gateway. Now consider that they are coming from the end devices. I
have three kids who each have a laptop and a smartphone. I also have
an AppleTV and a central server that serves video, music, etc. That is
10 devices, so we are now talking about 1 million connections to that
DNS resolver. And then there are resolvers that can do a lot more
queries per second. 

>  If a recursive doesn't want to do TLS, it simply doesn't
> advertise that it is willing to do so, in the same way that in the
> other proposals, if the recursive doesn't want to encrypt, it simply
> doesn't advertise that.
Why are we doing it then? If we don't assume that everybody will use
it for our scaling of the protocol then we are doing something wrong
IMHO. I fear that if we design something that has a large deployment
cost we will not get it deployed.

So long
-Ralf

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
