On Wed, Mar 31, 2021 at 2:16 PM Bill Woodcock <wo...@pch.net> wrote:

>
> …and it’s measuring latency rather than server-side load.  I just checked
> with our engineers, and it sounds like the server load per-query is more
> like 3x-5x higher for the encrypted queries.
>

Plenty of folks have evaluated the costs here. I'd prefer to discuss data
rather than "checking with engineers". It's not really reasonable to
measure "server load per-query" without a bunch of other data on how the
TLS sessions are being created and maintained.

So, if you have some data you'd like to share with the list, that would be
most welcome.


>
> > only measures DoT, rather than the more popular DoH.
>
> DoH isn’t that much worse than DoT from a load perspective, but it's a
> web-browser thing…  It’s difficult for me to imagine anyone with enough
> clue to operate a recursive resolver wanting to use DoH to query an
> authoritative server.  What would be the point?
>

I think the idea is roughly that DoT/DoQ will just reinvent what's in DoH,
but without as much support and reuse. Here are Mozilla's latest numbers on
DoH:
https://blog.mozilla.org/futurereleases/2019/04/02/dns-over-https-doh-update-recent-testing-results-and-next-steps/
(yes, it's latency)


>
> >> Could you state the problem that’s being solved?
> >>
> > Sure, it's in the first sentence of
> https://tools.ietf.org/html/draft-ietf-dprive-opportunistic-adotq-00:
> >
> > "A recursive resolver using traditional DNS over port 53 may wish
> instead to use encrypted communication with authoritative servers in order
> to limit passive snooping of its DNS traffic."
>
> Right, so that just means the wording of the draft is over-broad, in that
> it just says “authoritative” rather than “authoritative SLD” or something.
> It’s quite a stretch to think that anything sensitive would be disclosed
> between a well-behaved recursive and a _root_ server, since it doesn’t
> disclose either the individual or the domain being queried.
>
> So, again, what problem would be solved?
>

In that case, I think the goal would be to prevent aggregate measurements,
rather than individual data.

thanks,
Rob
_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy