On Mon, Mar 02, 2015 at 11:28:54AM -0500, Phillip Hallam-Baker wrote:
> On Mon, Mar 2, 2015 at 9:00 AM, Ilari Liusvaara <[email protected]>
> wrote:
> >
> > I would see the point of using UDP (which means increased complexity):
>
> No it does not.
>
> UDP is a lot simpler than any of the TCP proposals.
>
> * Fewer states
> * Smaller library
> * Fewer options

- TCP orders the packets.
- TCP retransmits.
- TCP does error correction.
- TCP deals with reflection.

Sure, one can do all the above with UDP-based protocols, but that means
extra code.

DNS requires TCP already (as fallback for when packet limits get busted).

> TLS is a big complicated specification and the open source libraries are in
> a woeful state. Take a look at the date the tutorial on the OpenSSL API was
> written.

There is a UDP counterpart to TLS called DTLS. It is more complicated than
TLS (due to the above factors).

> The expeditious approach to setting up a client-service binding is to
> leverage TLS. But that is separate from the DNS session transport question
> and something that can be revisited later.

I think (D)TLS is too complicated for the stub<->recursive protocol (even if
profiled down). Also, it can't deal with fast session startup until TLS 1.3
(which is still quite complex and doesn't look even near finished, let alone
DTLS 1.3).

Plus the scope of the present challenge looks much smaller than TLS (e.g. no
client authentication, server recon is feasible, etc...).

Of course, designing a new crypto protocol is a pretty scary prospect (I have
seen one that has an even simpler scope and looks totally messed up).

-Ilari

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
