On 17. 07. 23 at 21:41, Brian Dickson wrote:

> TCP traffic is several orders of magnitude more expensive than UDP.

This might be true, but it must be carefully considered. Yes, a performant authoritative server is able to answer (for example) 10 Mqps over UDP or 10 kqps over TCP. One could conclude that a TCP query is 1000x more expensive than a UDP query.

However, a typical authoritative server (anywhere) faces up to 10 kqps of legitimate traffic, or often less. For a reliable DNS-over-UDP service, though, it needs to have a giant overhead in performance in order to mitigate possible UDP DoS attacks, which can't be mitigated otherwise. So it needs to be able to answer 10 Mqps at peak.

I'm not sure how much overhead is needed to handle possible TCP DoS attacks. Most of them are SYN attacks, which can be handled already in some firewall/BPF (hand waving). The rest -- dunno. Let's say that you need 2x overhead for TCP, that is 20 kqps, that is two servers.

In the end, in my example (the figures may be waaaay wrong), TCP looks like 2x more expensive than UDP. Even if all the DNS queries were TCP.

(In Knot DNS, we implemented TCP-over-XDP, which offers a great performance leap. I admit that it is not entirely production-quality yet, but we expected to keep improving it while getting feedback from users. We promoted it at some impacted DNS community meetings, but AFAIK it earned no attention at all. Therefore, I suspect that there is little concern about DNS-over-TCP performance.)

I think it's short-sighted to attempt to keep authoritative DNS mostly UDP, especially vetoing any kind of progress that would "threaten" increased usage of TCP. We have RFC 7766 and soon we'll have authoritative DoQ.

Libor
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop