Re: [dns-privacy] Discovery of DNS over (not 53) and ALPN

Paul Wouters <paul@nohats.ca> Fri, 13 December 2019 14:27 UTC

From: Paul Wouters <paul@nohats.ca>
To: Erik Nygren <erik+ietf@nygren.org>
cc: Ted Hardie <ted.ietf@gmail.com>, dns-privacy@ietf.org
Date: Fri, 13 Dec 2019 09:27:53 -0500
In-Reply-To: <CAKC-DJhiZAv8gESrhvUc5v86TcRXrfASq4ujQ3BxOYnuENrBjg@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1912130922170.8529@bofh.nohats.ca>
References: <CA+9kkMAmsK746ViRb9tXkJX+t_paOGpWCN3i78WK_t86bLGUnQ@mail.gmail.com> <CAKC-DJhiZAv8gESrhvUc5v86TcRXrfASq4ujQ3BxOYnuENrBjg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Pw4SW0sOwRmaXNBMGmqL1AmOpoQ>

On Fri, 13 Dec 2019, Erik Nygren wrote:

> Linking ALPN and port defeats the purpose of ALPN.

Indeed.

> The main driving factor for having an ALPN token is for cases when there
> is a desire to configure dot and doh to share a port (especially 443)
> for some use-case.

But take into account that DoH is partially motivated by fighting
against DNS censorship, so in those cases using ALPN would be a
non-starter. Sure, services like Google DNS or Cloudflare, that
would be running DoH and DoT on port 443 to make it easier to
bypass unintended filters (e.g. blocking of port 853) while still
not trying to hide their DoH traffic from Paul Vixie's home network,
could use this ALPN setting to demux, although I wonder if they
couldn't determine this by the incoming stream somehow anyway.
Especially if the services use the same TLS key/cert.

Although I doubt we would need to write an RFC with ALPN for this
use case. It's pretty easy to enumerate all public DoH servers for
those who want to block them to offer their own DNS security services.

ALPN did come up in the DoH discussion. It was a conscious decision
not to require it because it defeated some of the goals of DoH.

Paul
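The message above contrasts two ways a server that puts DoT and DoH on one port could tell the streams apart: the ALPN token the client offers in its TLS ClientHello, or the shape of the first application bytes. The following is an added example, not code from the thread or from any of the resolvers named in it. It builds a constructed ClientHello, extracts SNI and ALPN from it, and falls back to a plaintext heuristic (the HTTP/2 connection preface or an HTTP/1.1 request line for DoH; a two-octet length prefix followed by a plausible DNS query header for DoT). The "dot" ALPN identifier is the one registered for DNS over TLS; treating "h2" and "http/1.1" as DoH is an assumption made here for illustration, since those tokens are not DoH-specific.

```python
import struct

ALPN_DOT = b"dot"                 # ALPN id registered for DNS over TLS
ALPN_DOH = (b"h2", b"http/1.1")   # assumption: HTTP tokens mean DoH on this port
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, alpn):
    """Constructed minimal ClientHello record with optional SNI and ALPN extensions."""
    exts = b""
    if sni:
        name = sni.encode()
        exts += _ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    if alpn:
        lst = b"".join(bytes([len(p)]) + p for p in alpn)
        exts += _ext(16, struct.pack("!H", len(lst)) + lst)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Return {'sni': str|None, 'alpn': [bytes]} or None if this is not a ClientHello."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            return None
        p = 9 + 2 + 32                                     # past record+handshake hdrs, version, random
        p += 1 + rec[p]                                    # session id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0]      # cipher suites
        p += 1 + rec[p]                                    # compression methods
        out = {"sni": None, "alpn": []}
        if p == len(rec):
            return out                                     # no extensions block at all
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            data = rec[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == 0 and len(data) >= 5:              # server_name: list_len(2) type(1) len(2) name
                nlen = struct.unpack("!H", data[3:5])[0]
                out["sni"] = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == 16 and len(data) >= 2:           # ALPN: list_len(2) then len(1)+token ...
                q = 2
                while q < len(data):
                    n = data[q]
                    out["alpn"].append(data[q + 1:q + 1 + n])
                    q += 1 + n
        return out
    except (IndexError, struct.error):
        return None


def classify_plaintext(first_bytes):
    """Heuristic on the first decrypted application bytes when ALPN is absent."""
    if first_bytes.startswith(H2_PREFACE) or first_bytes.startswith((b"GET ", b"POST ")):
        return "doh"
    if len(first_bytes) >= 14:                             # 2-octet length + 12-octet DNS header
        msg_len = struct.unpack("!H", first_bytes[:2])[0]
        flags, qdcount = struct.unpack("!HH", first_bytes[4:8])
        qr, opcode = flags >> 15, (flags >> 11) & 0xF
        if msg_len >= 12 and qr == 0 and opcode == 0 and qdcount >= 1:
            return "dot"
    return "unknown"


def demux(client_hello, first_app_bytes=b""):
    """Prefer the client's ALPN preference order; otherwise sniff the stream."""
    info = parse_client_hello(client_hello)
    if info:
        for token in info["alpn"]:
            if token == ALPN_DOT:
                return "dot"
            if token in ALPN_DOH:
                return "doh"
    return classify_plaintext(first_app_bytes)


# Constructed DoT sample: length prefix 0x001d, then a standard query for example.com/A.
DOT_QUERY = (b"\x00\x1d" + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    print(demux(build_client_hello("dns.example", [b"dot"])))
    print(demux(build_client_hello("dns.example", [b"h2", b"http/1.1"])))
    print(demux(build_client_hello("dns.example", []), DOT_QUERY))
```

Note the asymmetry the message points at: the ALPN token is visible in the clear in the ClientHello, so a middlebox can use exactly the same demux to block one protocol selectively, whereas the plaintext heuristic only works after the TLS session is established and is therefore only available to the server (or to something holding its keys).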