
There are three categories of broken resolvers, regarding ATR: "can't receive fragments", "can't retry with TCP" and those who have both curses. What are the sizes of these categories?

Working Group, second session, on DNS privacy, DNS over TLS, etc.

Colin Petrie about the deployment of the DNS-over-TLS resolver at the meeting

Uses Knot Resolver with 10 lines of a plugin to improve DNS64. (Because BIND still has no QNAME minimisation and no TLS; Unbound has almost everything but no address-specific DNS64.)

Anand Buddhev on the RIPE-NCC services. New K-root instances in Lyon (second one in France), Dushanbe, Panama...

zone transfers of RIPE-NCC services are now exclusively on (just one IPv4 fallback remaining, for Afrinic).

config (zones under ip6.arpa and in-addr.arpa) is checked with zonemaster.ripe.net/. Soon to be integrated under RIPEstat.

Victoria Risk on stage about a survey done by ISC.

"Business benefits and costs of for operators". The US approach to privacy online... Very oriented questions such as "do you think [ ] is another example of over-engineering?"

Around 100 answers, and results are displayed with four digits...

"What if every home router would have a persistent TCP connection with the ISP resolver?" Is it realistic? Could we switch off UDP?

Measurement: queries generated with a custom C program + running on Grid5000

At the beginning, the resolver can answer all queries, then sustain a fixed rate, even when the number of queries increases.


UDP still 4x better for high query handling, except when there are few TCP clients.


Best test :-) 6.5 M TCP simultaneous connections to the resolver (Linux and Unbound still work).

Executive summary: DNS over TCP works, and scales. Just buy some hardware.

Another over TCP+TLS benchmark, by Sara Dickinson.

Willem Toorop: "Who Needs Reasons, When You've Got Heroes?"

Do we need when we have ? (Executive summary: yes, for instance for redirections - SRV or MX, where TLS does not provide end-to-end security. And of course the biggest flaw of TLS is the CAs, something that DNSSEC+DANE solves.)