> On Jul 8, 2025, at 10:57, Joe Abley <[email protected]>
> wrote:
> On 8 Jul 2025, at 10:18, Carlos Horowicz
> <[email protected]> wrote:
>> I must say I’m not particularly sympathetic to DNS over TCP. While it’s a
>> necessary fallback in some cases, it slows things down due to handshake
>> overhead, increased latency from retries, and the need to maintain state per
>> connection.
> Setup and teardown handshake overhead is in principle able to be amortised
> over the many messages that might be exchanged over a single session, so over
> a busy session the aggregate cost tends towards zero and the cost for a
> message over a session that is already established is as close to zero as
> makes no odds.
> The ability to handle large aggregate session state is something that has
> turned out to be manageable for HTTP and many other protocols. I don't know
> why we would assume that it's an insurmountable problem.
Just chiming in to register agreement with Joe. Essentially all DNS traffic is
either stub-recursive or recursive-authoritative. Stubs typically use a single
recursive, and should ideally be using DoT anyway, so that’s efficiently
handled using TLS already. The _vast_ majority of recursive-authoritative
traffic is long-lived flows between relatively small numbers of servers (with a
small minority of traffic spread over a long tail of infrequently-queried
authoritatives). So there, too, there’s high efficiency in ensuring that the
majority of the traffic is running over ADoT.
Next up, bidirectional TLS auth FTW!
-Bill
Please consider the environment before using AI to process this email.
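Joe's amortisation argument assumes the RFC 7766 style of connection reuse, where many queries share one established TCP or TLS session. As an added example (not from this thread), the following Python sketch shows the framing side of that: three queries pipelined into a single byte stream with no per-query handshake, and a de-framer that recovers them even when the stream arrives in segments that split messages at arbitrary points (all sample input is constructed inline).

```python
import struct

def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) plus one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(lbl)]) + lbl.encode("ascii")
        for lbl in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-octet length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

class TcpDnsStream:
    """Incremental de-framer for a reused DNS-over-TCP connection.
    TCP delivers a byte stream, so one segment may carry half a message or
    several whole ones; bytes are buffered until a complete message is present."""
    def __init__(self):
        self.buf = b""

    def feed(self, data: bytes):
        self.buf += data
        msgs = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break  # partial message; wait for the next segment
            msgs.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return msgs

def txid(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]

def pipeline_demo(segment_size: int = 7):
    """Pipeline three queries over one session (constructed sample input) and
    recover them from segments of the given size; returns messages, their
    transaction ids, and whatever is still buffered (should be empty)."""
    names = ["example.com", "example.net", "example.org"]
    queries = [build_query(n, 1, 0x1000 + i) for i, n in enumerate(names, 1)]
    wire = b"".join(frame(q) for q in queries)  # one session, no per-query setup
    rx = TcpDnsStream()
    got = []
    for off in range(0, len(wire), segment_size):
        got.extend(rx.feed(wire[off:off + segment_size]))
    return got, [txid(m) for m in got], rx.buf

if __name__ == "__main__":
    msgs, ids, leftover = pipeline_demo()
    print(len(msgs), [hex(i) for i in ids], leftover)
```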