TLS connection reuse implementation timeline (#4089)
Eric Luehrsen
ericluehrsen at gmail.com
Thu Jul 5 19:03:42 UTC 2018
On 07/05/2018 04:53 AM, nusenu via Unbound-users wrote:
> Hi,
>
> Since unbound's missing TLS connection reuse feature
> is now used as a justification [1] why DoH [2] has better software
> than DoT I was wondering if you had any timeline
> for TLS connection reuse in unbound, which is already in your bugzilla:
>
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089
>
> I'm looking for a rough estimate, something like:
> will be released within
> - 3 month,
> - before the end of the year
> - in 2019
>
> thanks!
> nusenu
>
>
> [1] https://twitter.com/FiloSottile/status/1014603362204028935
> [2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1200
>
Unbound current behavior may be a bit inefficient, but at least it is a
robust and repeatable behavior. If Unbound cache and prefetch parameters
are configured properly, they can mitigate the TLS handshake overhead.
For the limited users of DOT (or DOH) this is not so awful.
I could see outstanding design decisions to make: what is a minimum time
to wait for new queries before closing an idle connection? what is a
maximum time to wait to drop and redo a connection? will minimum timer
reset on any new query, or does it extend with some weight function? how
will this affect the client and server relationship? how long should a
public DNS accept a dangling connection (thinking about 1.1.1.1)?
As far as DOH vs DOT, the rhetoric is becoming a little silly. As with
all things, there is and will be the right tool for the right job. It
seems a minor stumble in deploying a specification should not be used as
justification for another. That is, if we use a disciplined scientific
method.
Eric
More information about the Unbound-users
mailing list