Bind and HTTPS?

[Lefteris Tsintjelis]

On 12/7/2019 2:42, Mark Andrews wrote:
> 
> 
>> On 12 Jul 2019, at 8:54 am, Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
>>
>> On 11/7/2019 22:56, @lbutlr wrote:
>>> On 11 Jul 2019, at 10:52, Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
>>>> On 11/7/2019 15:35, Tony Finch wrote:
>>>>> Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
>>>>>>
>>>>>> Why would you want something like that?
>>>>> https://datatracker.ietf.org/wg/dprive/about/
>>>>
>>>> If you are willing to sacrifice speed.
>>> Not really. Using DOH servers now doesn’t have any noticeable impact on speed of DNS.
>>
>> Doesn't the packet size have any impact at all just by itself, excluding packet encryption/decryption times? For me the difference was quite noticeable when I first enabled DNSSEC, specially when I first tested it with SHA256/512. Packets would easily exceed fragmentation limits and that alone is just by using DNSSEC only! I don't know what the impact of DOH would be on the packet size, but I am pretty sure it would be even worst combined with DNSSEC, would it not?
> 
> Having fragmented packets doesn’t slow down DNS noticeably as long as your firewall allows them through.  Having to perform PMTUD does however and this applies to both UDP and TCP.

I believe most modern firewalls allow them now days and the speeds are 
pretty huge for such packets so I guess fragmentation by itself may not 
be as noticeable, but everything all together adds up, and I mean 
including DNSSEC and DOH overhead.

Yes, PMTUD applies to both of course and this is the biggest delay of 
all. Perhaps it would help if the default packet size of 4000 changed to 
a lower value such as 1200-1300 and use ECDSAP256SHA256 as defaults? In 
any case, for me, changing those two things made quite a noticeable 
response difference and it was not small.

Lefteris