Re: [dns-privacy] [Ext] ALPN protocol ID for DoT

Paul Hoffman <paul.hoffman@icann.org> Thu, 12 December 2019 15:34 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Thu, 12 Dec 2019 15:34:09 +0000
Message-ID: <7F87E623-3D21-4061-816B-1B18FAED36FB@icann.org>
References: <D59215DB-15F4-40F1-9606-C8BB6829BEE6@akamai.com>
In-Reply-To: <D59215DB-15F4-40F1-9606-C8BB6829BEE6@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/02RiWqI8E-Qb14mSRhvzcUpdSQ4>
Subject: Re: [dns-privacy] [Ext] ALPN protocol ID for DoT

On Dec 12, 2019, at 7:01 AM, Reed, Jon <jreed@akamai.com> wrote:
> 
> Hi all, 
> 
> I'm planning to request a registration of an ALPN ID[1] for DNS-over-TLS. One primary use case we have is supporting both DoT and DoH on port 443, when port 853 is blocked between clients and the servers (this is by mutual agreement, as discussed in RFC 7858 § 3.1). I plan on requesting the protocol ID 0x64 0x6F 0x74 ("dot"), following the conventions of using all lowercase in registrations.
> 
> Per discussion with one of the expert reviewers, I'm polling the list to see if anyone has objections -- if so, please let me know.  I'd be interested in hearing the objections, and what alternatives might be proposed.
> 
> Thanks,
> Jon
> 
> [1] https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

This was discussed during the creation of RFC 7858. I would summarize the WG discussion as follows:

- It is fine technically.

- It will cause confusion because there will be two ways to do DoT, so a client might have to test each way in order to know if the resolver supports DoT.

- It is easier for clients to configure a different port than to configure ALPN. In fact, many clients cannot configure ALPN at all.

Others may have different summaries from the discussion. Certainly, some folks will have strong support or objections to those points; WG consensus was not particularly easy on this topic.

Having said that, Jon brings up a good point that we did not predict four years ago, namely that some resolvers might already be offering privacy services on port 443.

--Paul Hoffman
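The wire format Jon's proposal relies on (the RFC 7301 ALPN extension carrying a length-prefixed ProtocolNameList, with `0x64 0x6F 0x74` for "dot") and the single-port demultiplexing it is meant to enable, as an added example that is not part of this thread and is not code from Akamai, ICANN or the WG. The server-preference selection follows RFC 7301; the dispatch policy for clients that send no ALPN at all (Paul's point that many clients cannot configure it), defaulting to DoT on 853 and to HTTP on 443, is my own assumption of what an operator would configure, and all function names are mine.

```python
"""Added example: ALPN extension encode/decode and DoT/DoH demultiplexing (not from the thread)."""
import ssl
import struct

ALPN_EXTENSION_TYPE = 0x0010  # RFC 7301 extension_type "application_layer_protocol_negotiation"

# IANA-registered IDs for HTTP, plus the "dot" ID proposed in the thread (0x64 0x6F 0x74).
ALPN_DOT = b"dot"
ALPN_H2 = b"h2"
ALPN_HTTP11 = b"http/1.1"


def encode_alpn_extension(protocols):
    """Build the ALPN extension as a client puts it in ClientHello: type, length, ProtocolNameList."""
    names = b"".join(struct.pack("!B", len(p)) + p for p in protocols)
    name_list = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(name_list)) + name_list


def decode_alpn_extension(data):
    """Parse an ALPN extension into the offered ProtocolNames, rejecting malformed length fields."""
    if len(data) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXTENSION_TYPE:
        raise ValueError("not an ALPN extension")
    body = data[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("extension body length mismatch")
    (list_len,) = struct.unpack("!H", body[:2])
    names_blob = body[2:2 + list_len]
    if len(names_blob) != list_len:
        raise ValueError("ProtocolNameList length mismatch")
    protocols, i = [], 0
    while i < len(names_blob):
        n = names_blob[i]
        if n == 0:
            raise ValueError("empty ProtocolName is forbidden by RFC 7301")
        name = names_blob[i + 1:i + 1 + n]
        if len(name) != n:
            raise ValueError("ProtocolName truncated")
        protocols.append(name)
        i += 1 + n
    return protocols


def select_protocol(server_preferences, offered):
    """Server-side choice per RFC 7301: first protocol in the server's order that the client offered.
    Returns None when there is no overlap (the server then sends no_application_protocol)."""
    offered = set(offered)
    for proto in server_preferences:
        if proto in offered:
            return proto
    return None


def dispatch(port, selected):
    """Map the negotiated ALPN ID to a handler. Assumed policy: with no ALPN, fall back to the
    port's conventional protocol (DoT on 853 per RFC 7858, HTTP on 443)."""
    if selected == ALPN_DOT:
        return "DoT"
    if selected in (ALPN_H2, ALPN_HTTP11):
        return "DoH"
    if selected is None:
        return "DoT" if port == 853 else "DoH"
    raise ValueError("unsupported ALPN protocol %r" % selected)


def make_server_context():
    """A stdlib SSLContext advertising the same preference order; the handshake then does
    the selection above for you and selected_alpn_protocol() reports the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_alpn_protocols(["dot", "h2", "http/1.1"])  # server preference order
    return ctx


if __name__ == "__main__":
    # Constructed ClientHello fragment: a client offering h2 and dot on port 443.
    hello_ext = encode_alpn_extension([ALPN_H2, ALPN_DOT])
    chosen = select_protocol([ALPN_DOT, ALPN_H2, ALPN_HTTP11], decode_alpn_extension(hello_ext))
    print(hello_ext.hex(), chosen, dispatch(443, chosen))
```

Note the second `decode_alpn_extension` check: a zero-length ProtocolName is rejected rather than silently skipped, since a lenient parser would otherwise loop or accept a name the server never registered. With a real socket you would load a certificate into `make_server_context()`, wrap the accepted connection, and call `conn.selected_alpn_protocol()` to feed `dispatch()`.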