Re: [dns-privacy] Early port allocation request for dns-over-TLS

Warren Kumari <warren@kumari.net> Mon, 17 August 2015 13:42 UTC

From: Warren Kumari <warren@kumari.net>
To: Joe Touch <touch@isi.edu>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Mon, 17 Aug 2015 09:42:23 -0400
Subject: Re: [dns-privacy] Early port allocation request for dns-over-TLS
Message-ID: <CAHw9_iJEHztVOdsLZz6Xtmk-UK+CTdrrJFnk3Ojh1-9-+0dD7Q@mail.gmail.com>
In-Reply-To: <55CA382A.9020707@isi.edu>
References: <CAHw9_iJ8QPyHqg2emJm4RfSnsiUcHFY7tGS3K9nL5HJYTyww_Q@mail.gmail.com> <55CA382A.9020707@isi.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/4CnJ1oQWAMbOLC7gxTBi-sxemJM>

On Tue, Aug 11, 2015 at 2:00 PM, Joe Touch <touch@isi.edu> wrote:
>
>
> On 8/7/2015 6:03 AM, Warren Kumari wrote:
>> Hi all,
>>
>> The chairs believe that there is sufficient interest in the working
>> group for early allocation of a port for dns over TLS, following RFC
>> 7120.
>
> Hi, Warren,
>
> It might be useful to summarize on this list the rationale for this
> allocation and the plan for its use.
>
> In particular:
>
>         - why port 53 is not sufficient using STARTTLS
>

- The WG decided that using a new port instead of a STARTTLS or
octet-matching would better suit our operational goals.
We had significant discussions on this, and we have concerns about
things like middleboxes reacting to non-DNS on 53.

>         - why a system port, rather than a user port, is appropriate
- A system port is appropriate because DNS is, and always has been, a
system service.

>         - whether TLS-protected DNS would ever be expected on port 53
>

- TLS- or DTLS-protected DNS is not expected to ever appear on port 53.
> Speaking as an individual (though I also chair the IANA port expert
> review team, which reviews applications not through the standards
> process), my view is that:
>
>         a) it would have been preferable to use the existing
>         assigned port for DNS (e.g., using STARTTLS), as I note
>         in RFC7605
>
>         b) the existing ubiquity of DNS ALGs will make (a) difficult
>         (this does not apply to new protocols but would here)
>
>         c) if the secure variant has a separate port, then it would
>         be confusing to run the same service on multiple ports
>
>         d) if this service is assigned a new port, it should be
>         a system port; although system ports do not often afford
>         the protections once assumed, it seems reasonable to stay
>         with the same type of port as the original service
>
> As a result, I concur with the assignment of a port for "dns-s" (FWIW,
> that's what I would suggest, as it is the convention for most new secure
> variants) as a system port.

Thank you. We had similar discussions in the WG, but it is very
helpful to have someone who evaluates these sorts of requests come to
the same conclusion.
W

>
> Joe
-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
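The thread's operational argument (a DNS-only middlebox on port 53 "reacting to non-DNS", and why a STARTTLS or octet-matching scheme on 53 was rejected) can be made concrete with a small parser. The following is an added example, not code from the thread, the WG or IANA: it builds a DNS-over-TCP query in RFC 1035 wire format, pairs it with a constructed TLS record prefix, and runs both through a hypothetical classifier of the kind a DNS-aware middlebox might apply to TCP/53. The classifier, the `TLS_CLIENT_HELLO_PREFIX` bytes and all function names are assumptions made for the illustration; the point it shows is that a TLS record read through DNS framing claims a 5635-byte message that never arrives, while a DNS frame's leading length byte is not a valid TLS content type, so the two cannot be safely multiplexed on one port without explicit signalling.

```python
import struct

# Constructed sample: the first 11 bytes of a TLS record carrying a
# (truncated) ClientHello. Content type 0x16 = handshake, version 3.1,
# record length 6, handshake type 0x01 = ClientHello.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 06 01 00 00 02 03 03")

DNS_OPCODES = {0, 1, 2, 4, 5}  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE


def build_dns_query(qname, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query message: 12-byte header plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def claimed_dns_length(stream):
    """The message length a DNS-over-TCP parser reads from the first two bytes."""
    return struct.unpack("!H", stream[:2])[0]


def parse_qname(msg, offset):
    """Parse the first name in a message. Compression pointers cannot occur
    here: they refer to earlier bytes and nothing precedes the first name."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        n = msg[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        if n & 0xC0 or offset + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n


def looks_like_dns_over_tcp(stream):
    """Hypothetical middlebox check: does this TCP payload parse as DNS?"""
    if len(stream) < 2:
        return False
    length = claimed_dns_length(stream)
    if length < 12 or length > len(stream) - 2:
        return False  # header missing or the claimed message never arrived
    msg = stream[2:2 + length]
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF not in DNS_OPCODES:
        return False
    if qdcount == 0:
        return True  # header-only messages are legal
    try:
        _name, off = parse_qname(msg, 12)
    except ValueError:
        return False
    return off + 4 <= len(msg)  # QTYPE and QCLASS must fit


def looks_like_tls_record(stream):
    """TLS record header: content type 20-23, major version 3, length fits."""
    if len(stream) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", stream[:5])
    return ctype in (20, 21, 22, 23) and major == 3 and minor <= 4 \
        and length <= len(stream) - 5


def classify_port53_payload(stream):
    """What a DNS-only policy on port 53 would conclude about a TCP payload."""
    if looks_like_dns_over_tcp(stream):
        return "dns"
    if looks_like_tls_record(stream):
        return "tls"
    return "unknown"


if __name__ == "__main__":
    dns = frame_for_tcp(build_dns_query("example.com"))
    for label, payload in (("DNS query", dns),
                           ("TLS ClientHello", TLS_CLIENT_HELLO_PREFIX)):
        print(f"{label}: classified as {classify_port53_payload(payload)}; "
              f"DNS framing would wait for a {claimed_dns_length(payload)}-byte message")
```

Run stand-alone, the script reports the DNS query as "dns" and the TLS prefix as "tls"; the second line also shows the 5635-byte message a DNS framing parser would block waiting for, which is the failure a middlebox enforcing "only DNS on 53" turns into a drop or a hang. A dedicated port (the "dns-s" system port the thread converges on) lets such a policy stay unchanged for 53 and lets TLS be expected unconditionally on the new port.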