Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Paul Vixie <vixie@isc.org> Sat, 01 October 2011 17:40 UTC

From: Paul Vixie <vixie@isc.org>
Organization: Internet Systems Consortium
To: dnsext@ietf.org
Date: Sat, 1 Oct 2011 17:43:03 +0000
User-Agent: KMail/1.13.5 (FreeBSD/8.1-RELEASE; KDE/4.4.5; amd64; ; )
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <alpine.DEB.2.00.1110011322430.20645@mail.xelerance.com>
In-Reply-To: <alpine.DEB.2.00.1110011322430.20645@mail.xelerance.com>
MIME-Version: 1.0
Message-Id: <201110011743.03563.vixie@isc.org>
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Saturday, October 01, 2011 05:33:29 pm Paul Wouters wrote:
> If you truly think you are addressing the middlebox problem, most likely
> you could just run the DNS over port 54 or 80/443.

no, because all-that-is-not-allowed-is-denied for most firewalls.  random udp 
ports especially low numbered ones just don't work in a lot of places.  it's 
not that UDP/53 is special by being middleboxed, it's that UDP/53 is special 
by being allowed to work at all (where "work" and "middlebox" are at odds.)

> ... (with 80/443 having a slightly better chance than a random port.

indeed, 80 and 443 are often cleaner.  especially 443 with private keys (no 
CA).  especially if the request is a POST.

> Doing DNS-over-HTTP is still going to get broken results in captive
> portals.

alas, you are right, there is no universal way to get our packets through, 
since just about everybody between the dns requestor and the dns responder 
wants a piece of the action these days, or thinks they know better, or both.  
however, TCP/80 and TCP/443 are "the RS232 of the new millennium" and i expect 
good results on average from making these available as a fallback to the long 
corrupted UDP/53 and TCP/53.

> Doing dns-over-http for broken middleware alone is going to be a partial
> solution that is not going to be very useful on its own.

right, agreed, but the things it will work better alongside are also useful in 
their own right, like "send me the trust chain from the QNAME back to the 
deepest trust anchor i've currently validated".  therefore that proposal is 
going to come separately.

paul
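Added illustration, not part of the thread or of the draft under discussion: a stub resolver that builds a wire-format DNS query, tries transports in the order the reply argues for (UDP/53, then TCP/53, then a POST over TCP/443), and validates each answer before trusting it, plus a small function for the "trust chain from the QNAME back to the deepest validated anchor" request mentioned at the end. Transports are injected callables and the default-deny "firewall" is a constructed stand-in, so everything runs offline; `fake_server`, `constructed_firewall` and the 192.0.2.1 answer are invented for the example.

```python
import struct
import random


class TransportBlocked(Exception):
    """Raised by the constructed firewall when a transport is default-denied."""


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name as it appears at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # caller resumes after the pointer
            off, hops = ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(qname, qtype=1, qid=None):
    """Header (RD set) + one question; random ID unless the caller fixes one."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def check_response(query, resp):
    """Reject anything that is not a plausible reply to `query`: ID and question
    must match, QR must be set, RCODE must be 0. Returns parsed answers as
    (name, type, ttl, rdata) with A rdata rendered dotted-quad."""
    if len(resp) < 12:
        raise ValueError("truncated header")
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")     # classic spoof indicator
    if not flags & 0x8000:
        raise ValueError("QR bit not set")
    if flags & 0xF:
        raise ValueError("RCODE %d" % (flags & 0xF))
    if qd != 1:
        raise ValueError("unexpected question count")
    want_name, qoff = decode_name(query, 12)
    got_name, off = decode_name(resp, 12)
    if (got_name, resp[off:off + 4]) != (want_name, query[qoff:qoff + 4]):
        raise ValueError("question section does not echo the query")
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, ".".join(map(str, rdata)) if rtype == 1 else rdata))
    return answers


def resolve_with_fallback(query, transports):
    """Try (name, send) pairs in order; first validated reply wins."""
    errors = {}
    for name, send in transports:
        try:
            return name, check_response(query, send(query))
        except (TransportBlocked, ValueError) as exc:
            errors[name] = str(exc)
    raise RuntimeError("all transports failed: %r" % errors)


def fake_server(query):
    """Constructed authoritative stand-in: echoes the question, answers A 192.0.2.1."""
    qid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + question + answer


def constructed_firewall(allowed):
    """All-that-is-not-allowed-is-denied: wraps a transport so that only the
    named ones reach the server (the policy the reply describes)."""
    def wrap(name, send):
        def guarded(query):
            if name not in allowed:
                raise TransportBlocked("%s dropped by default-deny policy" % name)
            return send(query)
        return name, guarded
    return wrap


def zones_to_anchor(qname, validated_anchors):
    """Names from the QNAME up to the deepest anchor already validated, i.e. the
    candidate cuts whose DS/DNSKEY a 'send me the chain' request would need."""
    labels = qname.rstrip(".").split(".")
    chain = []
    for i in range(len(labels) + 1):
        zone = ".".join(labels[i:]) + "." if labels[i:] else "."
        chain.append(zone)
        if zone in validated_anchors:
            return chain
    raise ValueError("no validated anchor above %s" % qname)


def demo():
    """UDP/53 and TCP/53 denied, only 443 open: the resolver lands on the POST path."""
    query = build_query("www.example.com.", qid=0x1234)
    policy = constructed_firewall({"https/443"})
    transports = [policy(n, fake_server) for n in ("udp/53", "tcp/53", "https/443")]
    return resolve_with_fallback(query, transports)


if __name__ == "__main__":
    print(demo())
    print(zones_to_anchor("www.example.com.", {"com.", "."}))
```

The same `check_response` also rejects a reply built for a different transaction ID, which is the minimum a stub should do before accepting an answer that arrived over any of these paths.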
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext