On Wed, May 3, 2017 at 6:59 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > On May 3, 2017, at 9:39 PM, Colm MacCárthaigh <c...@allcosts.net> wrote:
> >
> > As it happens, DNS queries are not idempotent. Queries have
> > side-effects,
>
> This is sufficiently misleading to be false.

What I'm trying to get at is that idempotency is hard. Even the simplest things that seem idempotent often are not. It's really, really hard to do a deep review. And that's if people even know to perform the review.

<Your next two points are good, just cut for length>

> > Many providers throttle DNS queries (and TLS is intended as a mechanism
> > to help prevent the ordinary spoofability of DNS queries).
>
> Again the client is unauthenticated, throttling is by IP address, there's
> no need to repeat the same payload, indeed that's less effective since
> throttling is biased towards queries for non-existent names, ...

It's not always by IP address. Anti-DDoS is much more nuanced in my experience, and often takes the QNAME into account.

> Throttling is mostly for UDP, for lack of BCP-38 implementation. DNS
> over TLS *is* a good candidate for 0-RTT. [ I would have chosen a more
> simple protocol for DNS security than TLS, but given that DNS over TLS
> seems to be moving forward, 0-RTT makes sense. ]

+1 to that too!

-- 
Colm
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
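Added example, not from either poster nor from any real resolver: a toy per-source, per-QNAME token-bucket limiter of the shape the thread describes (keyed by more than the client IP, and charging more for NXDOMAIN answers), run against a constructed zone and constructed client addresses. It shows the concrete sense in which a "read-only" DNS query still has a side effect: a burst of identical copies, as a replayed 0-RTT early-data record would produce, spends the client's budget and gets later copies dropped, while a different QNAME from the same address is unaffected. The class and function names, bucket sizes and costs are all assumptions chosen for the illustration.

```python
"""Illustrative (QNAME, client) rate limiter for the DNS-over-TLS 0-RTT
discussion. Everything here is constructed for the example: the zone, the
client addresses, the bucket size and the NXDOMAIN cost are assumptions."""

# Constructed zone: names present here answer NOERROR, anything else NXDOMAIN.
ZONE = {
    "www.example.com.": "192.0.2.10",
    "mail.example.com.": "192.0.2.25",
}


def normalize(qname):
    """Canonical form so 'WWW.Example.COM' and 'www.example.com.' share a bucket."""
    return qname.lower().rstrip(".") + "."


def lookup_rcode(qname):
    return "NOERROR" if normalize(qname) in ZONE else "NXDOMAIN"


class QnameRateLimiter:
    """Token bucket keyed by (client_ip, qname).

    NXDOMAIN answers cost more than positive answers, modelling the bias
    toward non-existent names mentioned in the thread (assumed numbers)."""

    def __init__(self, capacity=10.0, refill_per_sec=1.0, nxdomain_cost=3.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.nxdomain_cost = nxdomain_cost
        self._buckets = {}  # (ip, qname) -> (tokens, last_seen)

    def allow(self, client_ip, qname, now, rcode="NOERROR"):
        key = (client_ip, normalize(qname))
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = self.nxdomain_cost if rcode == "NXDOMAIN" else 1.0
        if tokens >= cost:
            self._buckets[key] = (tokens - cost, now)
            return True
        # Refused queries still update the bucket: the side effect persists.
        self._buckets[key] = (tokens, now)
        return False


def resolve(limiter, client_ip, qname, now):
    """Return the rcode that would be sent, or 'DROPPED' if throttled."""
    rcode = lookup_rcode(qname)
    if not limiter.allow(client_ip, qname, now, rcode):
        return "DROPPED"
    return rcode


def replay_burst(qname, count, client_ip="203.0.113.7"):
    """Simulate a 0-RTT replay: `count` identical queries arrive at the same
    instant from one constructed client. Returns {rcode_or_DROPPED: n}."""
    limiter = QnameRateLimiter()
    tally = {}
    for _ in range(count):
        result = resolve(limiter, client_ip, qname, now=0.0)
        tally[result] = tally.get(result, 0) + 1
    return tally


def replay_then_other_name(count, client_ip="203.0.113.7"):
    """Exhaust the bucket for one name, then ask for another name from the
    same address; returns the second query's result, showing that the
    limiter is keyed by QNAME and not only by IP."""
    limiter = QnameRateLimiter()
    for _ in range(count):
        resolve(limiter, client_ip, "www.example.com.", now=0.0)
    return resolve(limiter, client_ip, "mail.example.com.", now=0.0)


if __name__ == "__main__":
    print(replay_burst("www.example.com.", 15))       # 10 answered, 5 dropped
    print(replay_burst("nope.example.com.", 5))       # 3 NXDOMAIN, 2 dropped
    print(replay_then_other_name(15))                 # NOERROR
```

The numbers are only meaningful relative to each other: the point is that the same bytes replayed N times consume N units of a per-client resource, whatever the limiter's exact policy, so "the query has no side effects" is a property of the whole server, including its abuse controls, and not just of the lookup.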