> On Mar 31, 2021, at 10:51 PM, Rob Sayre <say...@gmail.com> wrote:
>
> On Wed, Mar 31, 2021 at 1:29 PM Bill Woodcock <wo...@pch.net> wrote:
>
>>> On Mar 31, 2021, at 9:55 PM, Rob Sayre <say...@gmail.com> wrote:
>>> I still don't understand the resistance here. Some data on what the
>>> impact would be still seems like the most helpful thing to move the
>>> conversation forward.
>>
>> We have that:
>>
>> https://vaibhavbajpai.com/documents/papers/proceedings/dot-pam-2021.pdf
>>
> That paper is about home measurements, and says:
>
> "Previous work [8,17,26] has studied the support and response times of DoT
> (and DoH). However, the studies performed response time measurements from
> proxy networks and data centers, which means that results might not
> appropriately reflect the latency of regular home users..."

...and it's measuring latency rather than server-side load. I just checked with our engineers, and it sounds like the server load per-query is more like 3x-5x higher for the encrypted queries.

> only measures DoT, rather than the more popular DoH.

DoH isn't that much worse than DoT from a load perspective, but it's a web-browser thing... It's difficult for me to imagine anyone with enough clue to operate a recursive resolver wanting to use DoH to query an authoritative server. What would be the point?

>> Could you state the problem that's being solved?
>>
> Sure, it's in the first sentence of
> https://tools.ietf.org/html/draft-ietf-dprive-opportunistic-adotq-00:
>
> "A recursive resolver using traditional DNS over port 53 may wish instead to
> use encrypted communication with authoritative servers in order to limit
> passive snooping of its DNS traffic."

Right, so that just means the wording of the draft is over-broad, in that it just says "authoritative" rather than "authoritative SLD" or something. It's quite a stretch to think that anything sensitive would be disclosed between a well-behaved recursive and a _root_ server, since it doesn't disclose either the individual or the domain being queried. So, again, what problem would be solved?

-Bill
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
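A worked illustration of the point made above about what a root server actually sees from a "well-behaved" recursive. This is an added example, not code from the thread, the draft, or any resolver implementation. It assumes that "well-behaved" means the recursive does QNAME minimisation (RFC 9156), and it uses a constructed delegation tree (`.` delegates `example.`, which delegates `corp.example.`) rather than real DNS data; nothing touches the network. It models the one-label-per-step form of minimisation and leaves out query types, NXDOMAIN handling and the multi-label optimisations of the RFC.

```python
"""Added example (not from the thread): what each server on the resolution path
sees when a recursive resolver iterates from the root, with and without
QNAME minimisation (RFC 9156).  The delegation tree is constructed for the
illustration; no real DNS data is consulted and nothing touches the network.
"""

# Constructed zone cuts: the root delegates "example.", which delegates
# "corp.example.".  Every other name is assumed to live in the closest zone.
ZONE_CUTS = {".", "example.", "corp.example."}


def labels(name):
    """Absolute name -> list of labels, root excluded: 'a.b.' -> ['a', 'b']."""
    n = name.lower().rstrip(".")
    return n.split(".") if n else []


def join(lbls):
    """Inverse of labels(): ['a', 'b'] -> 'a.b.', [] -> '.'."""
    return ".".join(lbls) + "." if lbls else "."


def is_suffix(zone, name):
    """True if `name` is at or below `zone` in the tree."""
    z, n = labels(zone), labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def deepest_cut(name, zone_cuts=ZONE_CUTS):
    """The zone that holds `name`: the longest zone cut that is a suffix of it."""
    return max((z for z in zone_cuts if is_suffix(z, name)),
               key=lambda z: len(labels(z)))


def next_cut_below(zone, name, zone_cuts=ZONE_CUTS):
    """The referral a server for `zone` gives for `name`: the shortest zone cut
    strictly below `zone` that is still a suffix of `name`."""
    cands = [z for z in zone_cuts
             if z != zone and is_suffix(zone, z) and is_suffix(z, name)]
    return min(cands, key=lambda z: len(labels(z)))


def walk_full_qname(qname, zone_cuts=ZONE_CUTS):
    """Classic iteration: every server on the path receives the full QNAME.
    Returns [(zone_asked, qname_sent), ...] from the root downwards."""
    seen, zone, target = [], ".", deepest_cut(qname, zone_cuts)
    while True:
        seen.append((zone, qname))
        if zone == target:
            return seen
        zone = next_cut_below(zone, qname, zone_cuts)


def walk_minimised(qname, zone_cuts=ZONE_CUTS):
    """QNAME minimisation, one label per step: the server for the current zone
    is asked only for the next label down, and the resolver follows a referral
    when that name turns out to be a zone cut.  Query types, NXDOMAIN handling
    and the multi-label optimisations of RFC 9156 are not modelled."""
    seen, zone, q = [], ".", labels(qname)
    for i in range(len(q)):
        partial = join(q[len(q) - i - 1:])      # one more label than last time
        seen.append((zone, partial))
        if partial in zone_cuts and partial != zone:
            zone = partial                      # referral: move down one zone
    return seen


def names_seen_by(zone, walk):
    """All QNAMEs the servers for `zone` received during a walk."""
    return [name for z, name in walk if z == zone]


if __name__ == "__main__":
    qname = "www.corp.example."
    for mode, walk in (("full QNAME", walk_full_qname(qname)),
                       ("minimised", walk_minimised(qname))):
        print(f"{mode}: root servers see {names_seen_by('.', walk)}")
        for zone, sent in walk:
            print(f"  {zone:16} <- {sent}")
```

Running it for `www.corp.example.` shows the two regimes side by side: without minimisation the root servers receive the full name, while with minimisation they receive only `example.`, so the most the root learns from a minimising recursive is which TLD is being resolved; the SLD and anything below it are only ever sent to the servers that are authoritative for them. That is the distinction the message draws between "authoritative" in general and the root in particular.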