[Doh] Dedicated DoH port

Tomas Krizek <tomas.krizek@nic.cz> Thu, 11 April 2019 17:41 UTC

Return-Path: <tomas.krizek@nic.cz>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2240A120607 for <doh@ietfa.amsl.com>; Thu, 11 Apr 2019 10:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMMIcP82L5g7 for <doh@ietfa.amsl.com>; Thu, 11 Apr 2019 10:41:39 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9A06120608 for <doh@ietf.org>; Thu, 11 Apr 2019 10:40:56 -0700 (PDT)
Received: from [192.168.42.125] (ip-89-102-31-19.net.upcbroadband.cz [89.102.31.19]) by mail.nic.cz (Postfix) with ESMTPSA id D81B260710; Thu, 11 Apr 2019 19:40:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1555004452; bh=JMHQk5HpZHmPVyNfZmH4c8GMZXR0Yb9XIh/+ZeS0fnc=; h=From:To:Date; b=BPzSfG6yuyisrZDdPvFW5gc6S6YDBea/phYMOaeIXso+EZQok0sFsk3VBjq2DYXLS /0dmyeXwxjyq0PG4QDCPIl1XTc7wdtb7hQ3o9XzyftaC7vIH9OGF2PjuqSAErH2I8R 1rdXIDRZ5cqlOVieKMtkhJA8ZWTD6DaPaTEp2uYg=
From: Tomas Krizek <tomas.krizek@nic.cz>
Openpgp: preference=signencrypt
Autocrypt: addr=tomas.krizek@nic.cz; prefer-encrypt=mutual; keydata= mQINBFhITjsBEACn+jYk59OSa7eul+bIaZERXTfhgfC6esfC5WPV0NmCig0W1JbunWglYX3B s1FJR4OCpchrbAQW3bEYDsddvy5rCbaG0IoOqNsd5GEhCmegDLNU/l36P83UUw8kkSJhlKr/ U+EO+bFyKljmF+dE+OvIky1A+wd1zgRkcljr9DOfdLsAqL4nIb/LC99ZD27laSEAoaZagHXW MVP0EExM3+T4V5sPJ3ghrK1hAk5spAX9yHUSF242zo+5Sj/l/dGL/PXDeCJPHjfdQNUkKcRT VlbAIjfl5mk//73z3XmRSKp9R5HsCKQjBC5Q38a/ZVDdaiSwIxw2sDLrI4+91ycsJ3gjtyiq yO43a4Y6mQHw9VZxudYG1hJ1+pAEPyLo/xIpGIlOo6BmmSz7gYgTPKB/dmGFOx/Qtrt8jNti y3oyRRMPdQ2Vl/MRAZ+OVSsSplf0uGFrhWOX6OPl6h7hu1mMbmHrQtgs835ZVfMf2IoK6QkF NFkn6HbdgF+4IZaX4br1WqZN2c51hKcIE4AHTSVSXwXRgdN/7Q2bmOH2IvfqTOX3HyfrIqUL nqUuD4tZB5Q+z7V5H6vzG5GR2CFlwkSgaayoplLG7h4Xh6Hyman95tl/xS61TeSfnv7NYIZj 6fw4veUUALQlTwDkOh17wByJitvYfBkoiCY7ShAxYyBckGGFxQARAQABtCJUb21hcyBLcml6 ZWsgPHRvbWFzLmtyaXpla0BuaWMuY3o+iQJXBBMBCABBAhsDBQsJCAcCBhUICQoLAgQWAgMB Ah4BAheAAhkBFiEESoukjCrtkzvUlcUJoful9++MSGkFAlwZInQFCQXe2rkACgkQoful9++M SGnRWw//f6g+dd4ddcsocUpn4dCJGOQ9HqWMhAKItTq4UI8H337LATFCB8vKPmaDkKXIJYtw +4eZzhlZqTIzH6VUUnZWdM/Aifwnj2nCnfUD1wHUuEU7ZwNUEenl6YZfFHFqKaThcv8UNOss TUdWL752LwRMvaBscert2Jnc4siOYTRNcLJiqev36LXFwc/pbuH8TBrLVszB3MGrrMNv+NCy yCrk5vgGlzBXGJWwVKwf/7pPjN+0DiEeSbSFnxnFCUiyMYTVOhs5DanxNcdYu7cBMbLwp1cw EP+RzUSeOOrKcVdb839EXb0KtXQ6w9dAkpp7XeQs+os6bq8M9Mx6tdIv7bX/KUJWVRUed5ow SG6AJvRdSdvxpKom14CgWLM96tJVdz+Pttc29ObSGcucEvmAIAUtdFSmxYLnKVXq1EGfkZXX PDr/cSr2Lfedc+kb7GDqal6St4uYTo0Q3nVFwiHs19ZRqvf+6TCbOvv8PStxD4YbwlzNkcyF nKceU2a8dyvOhDR3s/5OONsjLT5srEmnArZy/0gtlzPEhserHhnnE7o0dnzy02QmktLaqhw2 MXX1zIifR4tf+MGY2rAm2YtilD78fcsFPOZ5w7GDufflxz2uzOQ1CtPiazoI7tNYSYJELTxD g9Es2KUNnT5sja5gKPpGSjK4mhOzvYrxIZnG4p7i5gO5Ag0EWimwOAEQANIie73DMB4rO0WE mJ4qXfJotkZEViX7MUMo+gh1Gb+zcC08gsY2rdtVXwydkjHimk90qupL0WvP2caYpGyeZrn8 4fuiNpbzDWM3r/EhArizGWgpiEh8B9Pp0Q7K1meA7Rkwk6C1O+Jns9RhXJFE2KPIPBBqwWG5 rNIChnPOt/ZpSmQ9fnqplMT+N83xeN9GDU9EwEPcwzLsq+nCgVcAam1zMUUGKNeiHj9pcg+U TfvTROSKkRQ0UGTKm7+vYi9+jbQDGeTNSoEUp/wqgneryhKISfBODTqCn5mjoBqWJqQB3u8G Kj0R1WNK/kmmNA5cNDZmzfx24a3I8DI110AoKBGvGkmzR+c1F3ScjrCrBf3ce4wj0tAVtpmr h1Zj8DA9Waa2MxYi2BNVH0nJf2m7xrc7K/NsCC3zdMLML7KF8oBmiVFMJCxozla1e1iDq/F8 aCjkeX6qtdycdYulVcQqgaXRpe821yYRreTjAdO9j05CSfqQ0CZUmPq/Ff5YJ928FJF4rJOU g6djm4CYaDH9/1kcIiAczpUvvd8U643oKOiN5cEooFKqc3uOLaiTQFc09pZm19rGY2wmn7qE Q6KoMuPXkrFOHkCpyqtW6dfHHJeimLBbvxLotdWrUaMtKjmwG61MueKCRPlysaA2HWcaqQiA Jk5U16eKb2ImjpO9UBepABEBAAGJBHIEGAEIACYCGwIWIQRKi6SMKu2TO9SVxQmh+6X374xI aQUCXBki0QUJA/15GQJAwXQgBBkBCAAdFiEEFe8t8KwPEBnPn+loGFnIJjkFVmwFAlopsDgA CgkQGFnIJjkFVmya5BAA0JPGtGHpCLnLPjxdLnIpUbQbaKA7AiYskJReIEqPOXWb9WguXYa0 j8PsO8d7sn/tBMqw7XdezjWcJWKutipV9tw6bWQfsx37dyplLwQ6FvuaAMAEXBdxS2Zvf5ff nq1/Sy+TZSRzVH9GkkP7LgjFfjt4sXTi6KT3zv25ILblJk/Am8qpBt5Iia6hLibDtaz54o3C motHi2JQLayWwQZ6A1a4/hlI7DczsEZfANxd2AItQOQQHvoTEuxFR0ew0dIdv5pLWrW2HfPi LCFUk2tPImpLvUsmHTQ0kRp5RunObplWIkb7MqCb8DhJ7rbU4eur+qW046pNxci94m0zpEBh dsgC2P+gYSfohYvpEdVMmUOETdxbEUREF1aud72+onyPSvLR6nTwM3Br/v1NK3o8t6K9zkUn BFDtjqXn7vsf0CA1eszcygsAi06CSgpv8qnU4j7YoBspbCjEINhip5iNigI3SN49gA9ON+0+ FszDZU3sokvIu2xfvePyZ7OhQD6lu+KITlwUH2EDIVpirH1ubO3VhxY6M9qBWs49UuCQbBaG BwpHlhg7n+wggx+k6Z59kU+4cd1Q9XNfbk2hVvYdCvHbtH78rh8maLBdGsiyoWrLvcDF+z3G /afej3QVAP2LdWkurAxhUp7sAf7VBKvcXCQ0/PGrfRpgdofxmNcQG1sJEKH7pffvjEhpdFUP /0dEjCqXFocJh+brbecd5UOAxZ8LmmBKcxyB0jr4oeiZBjhBy7Id55YwGRRAYm6MYW6S+g9g yoH5qw0u1fmAcxanXq3i7tLp6NZP+O4ZN0UP7G145VfgTU7qpj6KszvFaoWhMDIQk7ADry1k FrOPpB0q8fc2kIdcsTmAvl3l3oKrq4pEeUGuBoKZpoF/5tG6krv1tOjYXAmZ/hxR6ktBG3PK B1Q/rWu5RLhwrEofTtoxAGOL2XKm0FdvMlE0KWxSKgmJzZbQokm2mF1WbY2xCJLjaqUgaDpT tzGvihOlomFENrkQsWy75ywkcZoxXRKux6SU3xmodVeXTwI2BiPkwp+eaj3luZyfgD/f3x3Z MfNY3txJX1EATbF/0PM/EqJN3ZfdUu7fBfdKlf5tNnM+nfvHGG0VX6gooC2JzEjJARIl32rb WPdaNxOSkgWqXnH0YNv4195bAFet1wFjls3xbiFqwQr39ExwOQ8pneQ4pAOlq8evY8VDf6wh pjWyr5eNQNUjex1n2chF8GWLGTAggNpAxhO9QxXgKWvtg8uD1qyUPGc+S0kRwHtgGmbtVmPu TDk8kzECxV6x2tCnvqDwfGmX9DWfT+Aivu1n+0zigFQJbaJ4thhrZj7ls0jX0gqO720ogjCk SnRQFWnvzUH5Z4nhfq0nELZDO11mSAJuf3mCuQINBFopsMIBEADTHIG17I/eGluDtAgq5ryD bXc2q8NMNWotsNJvj9MbT6sCOq7gwHCrsbPMylxPTAsz/LIfaFzF5eIKJs4BfQJkgLrNPN6D r40zq/+rfl4tjrfpEzxFRYrqTRHIVEhc2TETdBkQNf351H+dAMrctjFvCzoEhap0MorxWmub uHLXqdsNPCAmnLCkn4nuBm49qBPtxZOalbKQx2OpBxkrvhHvTYh078WNqBFi3y2EW2RYqxVr I5u4fL2A2b505uaavup2gQIOuIgsnUciIw1iGUDRHlQt15w2H1y6w0rI5qYDKwVbO8cM6g3R CCh1A+sYYyXhPtxAqk+zcCswU15fuaf4PmcdS8js7CJxXJVeUD/1xrXDVMLSyrTJCLDT5Ki+ jAToqt8UzGeDyP6kUvz7f25O2eeR+myy8yDw8dF/CPHQLorHIczeQNRxvbWEwuBgMKNDQvyB Tx9jpmAjZ+oAc7n6eALwZF06hlhAu+T7aTg2DHCoobDSSG1xWfv1esBPjSMr4QpurTONMJXJ BMiBubVI7jsLltAIagpggimmZfDTO+lmI+/u69iK/LZTd0r960HhixmmHccNkc7wWnrSJr0s 6zTNi7ddscLdL+z9+g61g2LunQze4wHO9Bd5xcoDWUOY7TYKXKxkwapfHHdBG9oK6F3IZO/q vt4BALiSw0+KLQARAQABiQI8BBgBCAAmAhsMFiEESoukjCrtkzvUlcUJoful9++MSGkFAlwZ ItIFCQP9eI8ACgkQoful9++MSGkeTQ/9F5mW8VPQf6XOraSigIqfjb4WrrGc0kQwYlzILWiA 9jdmINHnX6gFriMkUuOcuntROmNUxOPxrTkBLZYvdF502O68LT2Je9aPo4loPyZancbIZAMN bYRp76zQHFjSJEdSW5I/rSsV7iufFQZ9Q7f6+UdSFfLmNBnlKKBYGfj7TmnyOk9u//J22nV0 Sinu1cmsYwcBSoHydu89YbSFs5Tu4vgbkA1D+ggCE9/XkoS+0nPEoyBalRKmm4oXt91+ArLn b62RxPYwo28axDAcg1jk4IC1kdRKa+X7dWfYFcknRa932m+SK2MY0yPNECZdva897yo1IylX y50zRSw4gujo+3cExFUuyfX71L4yG9ndQOPEtXJt2kQbbdvVOMFmNJjA4+l8DUyiRBwLfjhW VAF2WUI7YGbrwIxW5AqogBgFvx/iV3fgUHTeEU5/Jmzok/BI9cjlrd1ialNwyjQqBls8cjgk hGnPB8cZSUYiWm1WN6gqCmXTDzXVRoqaV68TJF2QMhficAHq1PgD9cFnOz9cfMaqVUputKUR R3anYpkxlDe8MGvoS3HCfnQwiOWRDDWfsmFfB64RROMDvojkhrJ6vgcpPH3R4lh8ZomGJUWS b9+pupY0mI26hpV4woYD0nQCGXJ58Hfh84DmufQuppdfoJwS50O9WO9B6Mpns/Ab61+JAjwE GAEIACYCGyAWIQRKi6SMKu2TO9SVxQmh+6X374xIaQUCXBki0gUJA8IjjgAKCRCh+6X374xI aY5tD/9Fw9WHqaFvcNu41M5oQjUbWl1jY6FutXgm+tapmHsWdQ6nTEA8Ch93HRUJC4I8grNR e4xd9qEZLGw+lrlmKhhroNqrzoaCIbl2/zRE4Pl0UOaMV/xR8x01Jr9kE6rrkHQt9HuSMffJ M76sqHEh95ZTfTWW6m228gRN3Wduqt2Mu0vlSQSdegog8DP7KnR5i/LcdgUfAm5D5NlBvJwR W55PJ24bp/zFCFZAQXMN75so4OLiig/yWgsnz2yxEsg/79aRf6p4R4jOy+aP/V43iJJKQkDx BG5X08kh+QBaGTaUHqalnOccIX9DcM4G9bz2WZySg3njmXVjRyD5ayNmy+WixhaMjKgudAAv zKqHpT6qKBwc4r+kqGxySvsVIU6IUxs9zzrUrwgyB5WRO45JZ5ZOXPOOFyEEIfb+VcMSzu5N 4U9vOAxGCTBhjEjJyai7Zz4hgx3c48rNMDmByHL9sd8GwwGoCdoCDiZti62fBYxUfsHtoaxb kSnXMtN0LeQclHSjQpDMO/k2Ow8/19sG8XqW+d4nLz+7se4QjmNEf8xAkice+t7hEtu8sqcu vfISaURjPOEYzPdTymo7Bd9aYICCewHgCJEP1n0Fk5dj6ZMmUR86vDE2wm7qaEDc9M5sDqV3 pHNUGPUm3ANtW8nHF/R57lLE9IGZBe82eO9g+s9qtg==
To: doh@ietf.org
Message-ID: <d74add8f-8964-1c0f-cd2e-f10867390883@nic.cz>
Date: Thu, 11 Apr 2019 19:41:42 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="K2rrw6pkMrRybeHphJmOBkfgJ5Mq7I56u"
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/pP_zlnt0AhjXQAn7DJwegoZBTfs>
Subject: [Doh] Dedicated DoH port
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 17:41:42 -0000

Disclaimer: I don't adocate the use of a dedicated DoH port rather than
using port 443 for most DoH traffic. I'm simply trying to establish
reasonable defaults as a software developer and packager.

Knot Resolver will use 44353 as the default port for DoH. We've
considered using port 443 by default, but it presents many challenges.

If an admin is already running an https service on the machine, the
clash with DoH resolver can be quite problematic. In best case scenario,
the admin runs into an error (not able to bind to port 443 - quite
cryptical for someone trying to run DNS resolver who's not up to date
about DoH development). In a worse case scenario, the DoH service might
actually seem to successfully start and run alongside the unrelated
https service (e.g. when both services use systemd socket activation
with ReusePort=true - basically SO_REUSEPORT under systemd).

Those who know what they're doing will have no issues configuring their
DoH service to run on port 443. However, I think it's reasonable to use
a different, dedicated port as DoH default for packaging, documentation etc.

Since there is currently no IANA assigned DoH port, I've filed the
following user port request with IANA to establish a common default that
could be used among DNS vendors.

Service Name:         [domain-doh]
Desired Port Number:  [44353]
Description:          [DNS query-response protocol over HTTPS]
-- 
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869