Re: [DNSOP] extension of DoH to authoritative servers

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 14 February 2019 08:05 UTC

Date: Thu, 14 Feb 2019 09:05:08 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: "Henderson, Karl" <KHenderson=40verisign.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <20190214080508.zab7r6hzkbj7kp54@nic.fr>
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz>
In-Reply-To: <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz>
Organization: NIC France
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kXC0sKv9mmmfZmtGRakyurZewUI>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Wed, Feb 13, 2019 at 10:51:00PM +0100,
 Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote 
 a message of 118 lines which said:

> Technically you can run DoT on whatever port you like.

> Example: with knot-resolver it's easy - you just add @443, either on
> side of server and/or on the side of forwarding over TLS.

The problem is that you cannot then share this port with HTTPS
services (the dkg draft on demultiplexing was abandoned, apparently
because it doesn't work). In a world of scarce IPv4 public addresses,
this is a serious problem.