Hi Christian

On Tue, Sep 25, 2018 at 01:40:59PM -0700, Christian Huitema wrote:
> On 9/25/2018 12:15 PM, Tony Finch wrote:
> 
> > For DNS-over-QUIC I think that could drop to 2RTT, or maybe 1RTT? I don't
> > know QUIC's handshake.
> >
> > The warm start time should soon be 0RTT.
> 
> The basic QUIC handshake will be 1-RTT before sending the first query,
> with two exceptions:
> 
> 1) The server may require a token exchange (similar to SYN cookies or
> DNS cookies) to protect against DOS attacks, in which case the handshake
> will take 2 RTT.
> 
> 2) If the client has established a connection previously and obtained a
> "resume token", it could use 0-RTT, and send the first query immediately
> after the initial QUIC packet -- in fact in the same UDP packet as the
> initial QUIC packet.
> 
> Using 0-RTT is a trade-off between security and performance, because
> 0-RTT packets can be subject to replay attacks. That's true for 0-RTT in
> QUIC and also 0-RTT in TLS. If you are really concerned about privacy,
> the prudent decision is to not use 0-RTT.
> 
> I ran a number of simulations comparing DNS over QUIC to DNS over UDP or
> TCP, considering QUIC with and without 0RTT. The high level summary is
> that for traffic from client to recursive, there is very little difference:

I'm not familiar with the QUIC protocol, but following what you're
saying:

QUIC handshake + query = 2 roundtrips

If there's a "connection" previously, query = 1 roundtrip

RFC 1035 UDP query = 1 roundtrip

RFC 1035 TCP query = 1 roundtrip if connection exists, 2 for syn,ack+query

The 0 roundtrip case occurs only when there are no fetches involved
(e.g., when the answer is found in cache, but there are other cases).

So there will be a difference (at least double RTT latency vs. DNS over
UDP) when the query requires talking to a new nameserver. Some desired
security features such as DHE for forward secrecy may need additional
round trips, so pros and cons of what is picked will need discussion.
It looks like the parent of this thread wants to gather usage stories
only and does not want us to discuss implementation details, so let's
continue this discussion at another time when the requirements are
gathered.

                Mukund
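To make the round-trip accounting in this thread concrete, here is a small latency model I put together as an added example (it is not code from the list or from either poster). It applies the per-transport costs stated above to a resolution chain that contacts several nameservers, tracking which connections are already warm; the server names and the "retry required" set are constructed for illustration.

```python
from dataclasses import dataclass, field

# Round-trip costs as stated in the thread:
#   UDP  : 1 RTT per query, no connection state
#   TCP  : 2 RTT cold (SYN/ACK + query), 1 RTT on an existing connection
#   QUIC : 2 RTT cold (1-RTT handshake + query), 3 RTT if the server demands a
#          token exchange first, 1 RTT when a resumption token allows 0-RTT
#          (replayable, so optional), 1 RTT on an existing connection

@dataclass
class ResolverModel:
    transport: str                  # "udp", "tcp" or "quic"
    allow_0rtt: bool = False        # only meaningful for quic
    warm: set = field(default_factory=set)           # servers with an open connection
    resume_tokens: set = field(default_factory=set)  # servers that issued a token
    retry_required: set = field(default_factory=set) # constructed: servers under DoS policy

    def query_rtts(self, server: str) -> int:
        """Round trips needed to send one query to `server` and get the answer."""
        if self.transport == "udp":
            return 1
        if server in self.warm:             # TCP or QUIC connection already open
            return 1
        if self.transport == "tcp":
            self.warm.add(server)
            return 2
        # QUIC, cold connection
        if self.allow_0rtt and server in self.resume_tokens:
            self.warm.add(server)           # 0-RTT: query rides in the first packet
            return 1
        rtts = 3 if server in self.retry_required else 2
        self.warm.add(server)
        self.resume_tokens.add(server)      # server hands out a token on the handshake
        return rtts

    def resolve(self, chain) -> int:
        """Total round trips for a resolution that must contact each server in order."""
        return sum(self.query_rtts(s) for s in chain)

def compare_transports(chain, retry_required=frozenset()) -> dict:
    """Cold-start cost of one resolution chain under each transport."""
    return {
        "udp": ResolverModel("udp").resolve(chain),
        "tcp": ResolverModel("tcp").resolve(chain),
        "quic": ResolverModel("quic", retry_required=set(retry_required)).resolve(chain),
    }

if __name__ == "__main__":
    chain = ["root-server", "tld-server", "auth-server"]   # constructed
    print(compare_transports(chain))                       # {'udp': 3, 'tcp': 6, 'quic': 6}
```

Running a second resolution through the same model object shows the warm-connection case, where all three transports cost one round trip per server.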

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy