[perhaps trimming to just ietf@ was overzealous?]

On Sat, Aug 11, 2018 at 10:16:04AM -0400, John Levine wrote:
> In article <153397442482.20828.13036371457377811227@xxxxxxxxxxxxxx> you write:
> >This document is almost ready, but requires some clarifications and, more
> >importantly, an analysis of the impact of switching from a connection-less
> >protocol (UDP) to a connection-oriented protocol (HTTPS/TCP) for DNS resolution.
>
> But DNS resolution has always worked over TCP. See RFC 1035, section
> 4.2.2. The usual case is retry on TCP when a UDP response is
> truncated, but it's equally valid to do TCP in the first place.
>
> Is there a reason that the security threats of DOH over TCP would be
> any different from existing DNS over TCP?

Well, HTTPS pulls in the TLS crypto and its potential increased resource consumption, but in general TLS tries to avoid DoS opportunities where a client can make the server do lots of work without having first provided some indication that the client is "real".

-Ben
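Added illustration (not part of the thread) of the RFC 1035 section 4.2.2 behaviour John describes: a minimal DNS query, the 2-byte length framing TCP requires, and the check a resolver applies to decide whether a truncated UDP reply should be retried over TCP. The query name, ID and the truncated reply are constructed sample data.

```python
import struct

def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query (RFC 1035 s4.1): header with RD=1 plus one IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_for_tcp(message: bytes) -> bytes:
    """Over TCP each DNS message is prefixed by a 2-byte big-endian length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(message)) + message

def unframe_from_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into complete DNS messages; a trailing partial message is left unread."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        length = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages

def parse_header(message: bytes) -> dict:
    """Decode the fixed 12-byte header fields a retry decision needs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def should_retry_over_tcp(query: bytes, udp_response: bytes) -> bool:
    """Retry-on-TCP rule: accept only a response (QR=1) whose ID matches and whose TC bit is set."""
    if len(udp_response) < 12:
        return False
    q, r = parse_header(query), parse_header(udp_response)
    return r["qr"] and r["id"] == q["id"] and r["tc"]

# Constructed sample: our query and a truncated UDP reply to it (QR=1, TC=1, RD=1, RA=1 -> 0x8380)
QUERY = build_query("example.com", qid=0x1234)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]
```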