Tariq,

At 2016-12-01 12:50:16 +0500
Tariq Saraj <tariqsa...@gmail.com> wrote:

> My question is this: on one side, "Specification for DNS over Transport
> Layer Security (TLS)", i.e. RFC7858, is a proposed standard now,
> whereas, on the other side, in "draft-ietf-dprive-dnsodtls-13"
> the motivations for proposing DNS-over-DTLS are that
> 
>    o  TCP suffers from network head-of-line blocking, where the loss of
>       a packet causes all other TCP segments to not be delivered to the
>       application until the lost packet is re-transmitted.  DNS-over-
>       DTLS, because it uses UDP, does not suffer from network head-of-
>       line blocking.
> In the very next point of this draft it is also mentioned that "However,
> with TCP Fast Open [RFC7413], the implementation can achieve the same RTT
> efficiency as DTLS."
> In addition to that, at the recent IETF 97 meeting regarding DNS privacy
> they presented a technique of OOOP for TCP.
> So, why does the community still need DTLS for DNS?

TCP Fast Open does not work for the first connection between hosts.
This makes it effective in cases where you expect repeated connections
(such as in the stub to resolver case), but possibly less effective in
cases where you do not expect repeated connections, or where you
expect connections to happen a long time apart.

Further, the specific drawback is about the case of lost packets. Since
TCP (and thus TLS) is a stream-oriented protocol, it cannot deliver
data until all packets in the sequence are available. So if packet #2 is
lost, packets #3, #4, and all later packets cannot be delivered to the
application until packet #2 is re-sent. DTLS, since it is a datagram
protocol, does not have this limitation.

To be honest, there has not been a strong push for DNS over DTLS. Even
with DNS over DTLS, we need DNS over TLS as a fallback in the case of
truncation. So adding DNS over DTLS is always an extra cost. It might
be that DNS over DTLS is worth the extra code and complexity, but I
think it is safe to say that we do not have enough operational
experience yet to know for sure.

Cheers,

--
Shane
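As an added illustration of the head-of-line blocking described in the reply above (example code written for this page, not part of the list thread), a small Python model of in-order stream delivery beside independent datagram delivery; the receiver classes and the constructed arrival order are assumptions, not any DNS implementation.

```python
"""Toy model of head-of-line blocking (constructed example, not from the thread).

A sender emits numbered segments; segment 2 is lost on the first pass and
only arrives after segments 3 and 4. A stream receiver (model of TCP, and
thus TLS) may hand data to the application only in sequence order, so every
segment behind the gap waits for the retransmission. A datagram receiver
(model of DTLS) delivers each record independently as it arrives.
"""

from dataclasses import dataclass, field


@dataclass
class StreamReceiver:
    """In-order delivery: buffers out-of-order segments until the gap is filled."""
    next_seq: int = 1
    buffered: dict = field(default_factory=dict)

    def receive(self, seq: int, payload: str) -> list:
        """Return the payloads that become deliverable to the application now."""
        delivered = []
        self.buffered[seq] = payload
        # Drain everything that is now contiguous with the last delivered segment.
        while self.next_seq in self.buffered:
            delivered.append(self.buffered.pop(self.next_seq))
            self.next_seq += 1
        return delivered


class DatagramReceiver:
    """Each record stands alone: deliver it immediately, whatever arrived before."""

    def receive(self, seq: int, payload: str) -> list:
        return [payload]


def run(receiver, arrivals):
    """Feed a constructed arrival sequence; return (seq, delivered-now) per arrival."""
    return [(seq, receiver.receive(seq, payload)) for seq, payload in arrivals]


# Constructed arrival order: segment 2 is lost and is retransmitted after 3 and 4.
ARRIVALS = [(1, "q1"), (3, "q3"), (4, "q4"), (2, "q2-retransmit")]

if __name__ == "__main__":
    print("stream  :", run(StreamReceiver(), ARRIVALS))
    print("datagram:", run(DatagramReceiver(), ARRIVALS))
```

In the stream log, q3 and q4 only reach the application together with the retransmitted segment 2; in the datagram log each record is delivered the moment it arrives.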


_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
