On Wed, 2020-11-04 at 15:04 +0000, Paul Hoffman wrote:
> It would be useful if a resolver could tell in advance, and at a cost less
> than port-checking. There could be a new protocol developed to do that. I
> don't see this as a requirement, though, given the low cost of port-checking.

The cost of port checking is not low.

Variant 1: try 853 and 53 in parallel. High code complexity and a high likelihood that the first query to a 'new' auth (where 'new' might be measured in minutes) will be plain text anyway.

Variant 2: try 853 first. How long do we wait for a timeout? In DNS, 500ms is a long time. This is not happy eyeballs where both transports (v4 and v6) tend to have identical security properties.

DNS Flag Day 2019 (no more EDNS fallbacks) was designed to reduce probing and guessing in the resolver process. I'd love for us to not add probing and guessing in other parts of that process.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
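The two probing variants discussed in the message above, as an added latency model that is not part of the thread or of any resolver's code. Its numbers are constructed; it assumes a DoT first contact costs two extra round trips (TCP plus TLS 1.3 handshake) and that a server which does not listen on 853 silently drops the connection, so the resolver waits out the full timeout.

```python
from __future__ import annotations
from dataclasses import dataclass
DOT_HANDSHAKE_RTTS = 2  # assumed: TCP + TLS 1.3 handshakes before the first DoT query

@dataclass(frozen=True)
class Auth:  # constructed description of one authoritative server, not real data
    name: str
    serves_dot: bool  # accepts DNS over TLS on port 853
    rtt_ms: float     # network round-trip time to this server

def variant_parallel(auth: Auth) -> tuple[str, float]:
    """Variant 1: send on 853 and 53 at once, take the first answer. Do53 needs one
    RTT, DoT needs handshakes first, so plaintext wins the race on first contact."""
    do53 = auth.rtt_ms
    dot = auth.rtt_ms * (DOT_HANDSHAKE_RTTS + 1) if auth.serves_dot else float("inf")
    return ("DoT", dot) if dot < do53 else ("Do53", do53)

def variant_dot_first(auth: Auth, timeout_ms: float) -> tuple[str, float]:
    """Variant 2: try 853 alone, fall back to 53 only after a timeout. A server
    that silently drops 853 costs the whole timeout plus one Do53 RTT."""
    if auth.serves_dot:
        return ("DoT", auth.rtt_ms * (DOT_HANDSHAKE_RTTS + 1))
    return ("Do53", timeout_ms + auth.rtt_ms)

class ProbeCache:
    """Remembers a probe outcome per server for ttl_s seconds; afterwards the
    server counts as 'new' again and Variant 2 pays the probe cost once more."""
    def __init__(self, ttl_s: float):
        self.ttl_s, self._entries = ttl_s, {}
    def lookup(self, name: str, now_s: float) -> str | None:
        hit = self._entries.get(name)
        return hit[0] if hit and now_s - hit[1] < self.ttl_s else None
    def store(self, name: str, transport: str, now_s: float) -> None:
        self._entries[name] = (transport, now_s)

def run_dot_first(queries, timeout_ms: float, ttl_s: float) -> tuple[float, int]:
    """Replay (time_s, Auth) queries through Variant 2 with a probe cache. Returns
    total latency in ms and the number of queries that paid a full 853 timeout."""
    cache, total, timeouts = ProbeCache(ttl_s), 0.0, 0
    for now_s, auth in queries:
        known = cache.lookup(auth.name, now_s)
        if known is None:
            known, latency = variant_dot_first(auth, timeout_ms)
            timeouts += 0 if auth.serves_dot else 1
            cache.store(auth.name, known, now_s)
        else:  # cached DoT still pays the handshakes (no connection reuse modelled)
            latency = auth.rtt_ms * (DOT_HANDSHAKE_RTTS + 1 if known == "DoT" else 1)
        total += latency
    return total, timeouts
```

With a 500ms timeout and a 20ms server that only speaks plaintext, Variant 2 turns a 20ms first query into a 520ms one, and pays that again every time the cached probe result expires.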
