Re: [DNSOP] Multiplexing DNS & HTTP over TLS
Warren Kumari <warren@kumari.net> Fri, 15 February 2019 21:22 UTC
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org> <01d20441-8533-9a35-70f1-58cb4b6d8960@knipp.de> <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org>
In-Reply-To: <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 15 Feb 2019 16:21:50 -0500
Message-ID: <CAHw9_iJ1_a3rt75ZxqDsfqU1F9AztpiN+8vgmQL0nKM1tEZb=w@mail.gmail.com>
To: Shane Kerr <shane@time-travellers.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000181b890581f55f00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KutTH3eeLhAvAnDq28xe1_Xe6Kc>
On Thu, Feb 14, 2019 at 8:24 AM Shane Kerr <shane@time-travellers.org> wrote:
> Klaus,
>
> On 14/02/2019 14.00, Klaus Malorny wrote:
> > On 14.02.19 11:03, Shane Kerr wrote:
> >
> >> Is there a write-up on this?
> >>
> >> Thinking about it naively, a demultiplexer really only needs to say
> >> "is there a non-ASCII character in the first 2 or 3 bytes of a TLS
> >> session?".
> >>
> > please think of HTTP/2, which is a binary protocol (although I don't
> > know what the first bytes are). But I guess ALPN (RFC 7301) would do the
> > trick.
>
> I think that HTTP/2 preserves the initial handshake of HTTP/1.1.
>
> But looking at ALPN, it was designed for exactly this multiplexing
> use case. In principle all that would be needed is adding an identifier
> to the ALPN protocol IDs:
>
> https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
>
> It would also address Joe's concerns about other protocols.
>
> Maybe creating an ALPN protocol ID for DNS-over-TLS is something for the
> DPRIVE working group?

🤔

https://mailarchive.ietf.org/arch/browse/dns-privacy/?q=ALPN
https://tools.ietf.org/html/draft-hoffman-dprive-dns-tls-alpn-00
https://www.ietf.org/archive/id/draft-dkg-dprive-demux-dns-http-03.txt

I'd encourage folk to go read the archive (and, again, there is a WG for this -- https://datatracker.ietf.org/wg/dprive/about/ ).

W

>
> Cheers,
>
> --
> Shane
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
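The two demultiplexing approaches discussed in this thread, as an added example that is not part of the message above and is not code from any of the linked drafts: a parser that pulls the ALPN (RFC 7301, extension type 16) protocol list out of a TLS ClientHello and selects a back end from it, next to the "look at the first 2 or 3 bytes" heuristic and the case where that heuristic misfires. The ClientHello bytes are constructed as a fixture, the back-end names are hypothetical, and the ALPN identifiers "h2", "http/1.1" and "dot" are taken from the editor's reading of the IANA ALPN registry rather than from the email.

```python
"""ALPN-based demux of DNS-over-TLS vs. HTTP on one TLS listener (added example)."""
import struct
from typing import List, Optional

ALPN_EXTENSION_TYPE = 16        # RFC 7301 application_layer_protocol_negotiation
HANDSHAKE_CONTENT_TYPE = 22     # TLS record content type "handshake"
CLIENT_HELLO = 1                # HandshakeType client_hello

# Server preference order (RFC 7301 lets the server pick among mutually supported
# protocols). Identifiers assumed from the IANA registry; back-end names hypothetical.
SERVER_PREFERENCE = [("dot", "dns-backend"), ("h2", "http2-backend"), ("http/1.1", "http1-backend")]


def parse_client_hello_alpn(record: bytes) -> Optional[List[str]]:
    """Return the ALPN names offered in a ClientHello record, or None if the extension is absent.

    Raises ValueError on anything that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_CONTENT_TYPE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                           # legacy_version + random
    sid_len = hello[pos]; pos += 1 + sid_len               # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = hello[pos]; pos += 1 + cm_len                 # legacy_compression_methods
    if pos == len(hello):
        return None                                        # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end > len(hello):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        ext_data = hello[pos:pos + ext_len]; pos += ext_len
        if len(ext_data) != ext_len:
            raise ValueError("truncated extension")
        if ext_type != ALPN_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        names, p = [], 2
        while p < 2 + list_len:
            n = ext_data[p]
            if n == 0:
                raise ValueError("empty ALPN name")        # RFC 7301: names must be non-empty
            names.append(ext_data[p + 1:p + 1 + n].decode("ascii")); p += 1 + n
        return names
    return None


def select_backend(record: bytes) -> str:
    """Choose a back end from the client's ALPN list using the server's preference order."""
    offered = parse_client_hello_alpn(record)
    if offered is None:
        return "no-alpn"        # policy choice: a fixed default protocol, or close the connection
    for name, backend in SERVER_PREFERENCE:
        if name in offered:
            return backend
    return "no-overlap"         # RFC 7301: server answers with a no_application_protocol alert


def naive_first_bytes_guess(app_data: bytes) -> str:
    """The 'printable first 2 or 3 bytes means HTTP' heuristic from the thread, for comparison."""
    return "http" if all(0x20 <= b < 0x7f for b in app_data[:3]) else "dns"


def build_client_hello(alpn: Optional[List[str]]) -> bytes:
    """Construct a minimal, syntactically valid ClientHello record (test fixture, not live traffic)."""
    ext = b""
    if alpn is not None:
        names = b"".join(bytes([len(n)]) + n.encode("ascii") for n in alpn)
        alpn_data = struct.pack("!H", len(names)) + names
        ext = struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn_data)) + alpn_data
    hello = (b"\x03\x03" + bytes(32)                       # legacy_version 1.2, zeroed random (fixture)
             + b"\x00"                                     # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00")                                # one compression method: null
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_CONTENT_TYPE]) + b"\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    print(select_backend(build_client_hello(["h2", "dot"])))
    # A DNS-over-TLS message starts with a 2-byte length and then the random transaction ID,
    # so a message of length 0x4142 whose ID starts with 0x43 looks like "ABC" to the heuristic.
    print(naive_first_bytes_guess(b"ABC\x44\x01\x00"))
```

The ALPN decision is made from the ClientHello, before any application data flows, which is why it also covers HTTP/2 (whose connection preface happens to be ASCII but need not be for other binary protocols). The byte-sniffing heuristic works only for DNS messages whose length prefix has a non-printable byte, so a demuxer built on it would misroute large DNS queries and any future binary protocol; ALPN names are explicit and authenticated inside the handshake, and a client that offers no ALPN at all forces an explicit policy decision instead of a guess.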