Re: [dns-privacy] Early port allocation request for dns-over-TLS

Joe Touch <touch@isi.edu> Tue, 18 August 2015 18:03 UTC

Return-Path: <touch@isi.edu>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD041A9022 for <dns-privacy@ietfa.amsl.com>; Tue, 18 Aug 2015 11:03:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcMz1cfxs6AT for <dns-privacy@ietfa.amsl.com>; Tue, 18 Aug 2015 11:03:56 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275881A8F4B for <dns-privacy@ietf.org>; Tue, 18 Aug 2015 11:03:56 -0700 (PDT)
Received: from [128.9.160.211] (mul.isi.edu [128.9.160.211]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id t7II3JQb026594 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 18 Aug 2015 11:03:20 -0700 (PDT)
To: Mark Andrews <marka@isc.org>, "Wessels, Duane" <dwessels@verisign.com>
References: <CAHw9_iJ8QPyHqg2emJm4RfSnsiUcHFY7tGS3K9nL5HJYTyww_Q@mail.gmail.com> <55CA382A.9020707@isi.edu> <CAHw9_iJEHztVOdsLZz6Xtmk-UK+CTdrrJFnk3Ojh1-9-+0dD7Q@mail.gmail.com> <ACC0BEF3-BF37-47CB-8188-37EE2AD1E5F4@verisign.com> <20150818011636.566B635289C6@rock.dv.isc.org>
From: Joe Touch <touch@isi.edu>
Message-ID: <55D37367.8070607@isi.edu>
Date: Tue, 18 Aug 2015 11:03:19 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <20150818011636.566B635289C6@rock.dv.isc.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: t7II3JQb026594
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/T9CnLmcNk0ymytzgSpo13R72xxg>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Warren Kumari <warren@kumari.net>, touch@isi.edu
Subject: Re: [dns-privacy] Early port allocation request for dns-over-TLS
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 18:03:58 -0000

FWIW, it would be useful if these issues were documented in the draft,
e.g., in the IANA considerations section.

Joe

On 8/17/2015 6:16 PM, Mark Andrews wrote:
> In message <ACC0BEF3-BF37-47CB-8188-37EE2AD1E5F4@verisign.com>, "Wessels, Duane" writes:
>>> On Aug 17, 2015, at 6:42 AM, Warren Kumari <warren@kumari.net> wrote:
>>>
>>> On Tue, Aug 11, 2015 at 2:00 PM, Joe Touch <touch@isi.edu> wrote:
>>>>
>>>> Hi, Warren,
>>>>
>>>> It might be useful to summarize on this list the rationale for this
>>>> allocation and the plan for its use.
>>>>
>>>> In particular:
>>>>
>>>>        - why port 53 is not sufficient using STARTTLS
>>>>
>>>
>>> - The WG decided that using a new port instead of a STARTTLS or
>>> octet-matching would better suit our operational goals.
>>> We had significant discussions on this, and we have concerns about
>>> things like middle boxes reacting to non-DNS on 53.
>>
>> Additionally:
>>
>> - A separate port avoids the 1xRTT incurred by STARTTLS negotiation.
>>
>> - DNS-over-DTLS can't use STARTTLS (at least not as currently described),
>> although it does claim that it can run on port 53.  That relies on an unaware
>> server mis-interpreting a DTLS ClientHello message as a DNS message with
>> Opcode=15.  That, in turn, takes Opcode 15 off the table for future allocation, etc.
>>
>>
>> DW
> 
> More correctly DTLS traffic is DNS reply traffic (QR=1) which is
> why there is no response from DNS servers.  The traffic is processed
> as a broken unexpected reply.
>