Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Mohan Parthasarathy <suruti94@gmail.com> Wed, 28 September 2011 21:04 UTC

On Wed, Sep 28, 2011 at 12:32 PM, Paul Wouters <paul@xelerance.com> wrote:
> On Wed, 28 Sep 2011, Mohan Parthasarathy wrote:
>
>> DNSSEC validation in stub resolver is dependent on DNSSEC-aware CPEs,
>> recursive servers etc. Here is a draft that we submitted yesterday to
>> address this problem.
>>
>> http://www.ietf.org/id/draft-mohan-dns-query-xml-00.txt
>>
>> Please send your comments/feedback to the list.
>
> Have you done any research on running DNS over port 80/443? That seems
> to work quite often (after hotspot auth that breaks all dns)
>
> I'm wondering about the difference in working with running dns over http
> on port 80/443 and running plain dns over port 80/443
>

If I want to be able to run both my web service and DNS service from
the same address, then I can't just run DNS alone over 80/443.

> Also, if this is considered a good idea (of which I am not yet convinced),
> why not add a mode similar to the "dnssec chains" proposal to speed things
> up for the resolver, as we're already on TCP so response size shouldn't
> matter as much as latency does.
>

I am not sure I understand. It is not about speed. It is about the
stub validator being able to get the DNSSEC records when sitting
behind CPEs and recursive servers (and other middle boxes) that are
not DNSSEC aware.

-mohan


> You can test running dns over port 80/443 using unbound and forwarding it
> to open.nlnetlabs.nl
>
> Paul
>
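
The problem discussed in this message (a validating stub that never receives the DNSSEC records) can be detected on the wire. The following is an added example, not code from the draft or from either poster: it builds a query with the EDNS0 DO bit set and checks a reply for RRSIG records. The two replies are constructed samples, and the "unaware" one assumes a middlebox that returns only the A record.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the OPT record's TTL field
OPT_DO = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)  # root owner, 4096-byte UDP size

def question(name, qtype=TYPE_A):
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qname + struct.pack("!HH", qtype, 1)

def build_query(name, qid=0x1234):
    """Stub query: RD set, one question, one additional record (OPT with DO)."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1) + question(name) + OPT_DO

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def record_types(msg):
    """Return (answer RR types, True if the reply carries an OPT record with DO)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    answers, do_echoed = [], False
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i < an:
            answers.append(rtype)
        do_echoed |= rtype == TYPE_OPT and bool(ttl & DO_BIT)
    return answers, do_echoed

def path_delivers_dnssec(msg):
    """A validating stub needs RRSIGs in the answer; without them it cannot validate."""
    return TYPE_RRSIG in record_types(msg)[0]

def rr(rtype, rdata):
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def sample_response(dnssec_aware):
    """Constructed reply for example.com: A only, or A + RRSIG + OPT."""
    body, an, ar = rr(TYPE_A, bytes([192, 0, 2, 1])), 1, 0
    if dnssec_aware:  # RRSIG rdata below is a zero-filled placeholder, not a signature
        body += rr(TYPE_RRSIG, bytes(24)) + OPT_DO
        an, ar = 2, 1
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, an, 0, ar) + question("example.com") + body
```
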