Re: UDP Ports and QUIC version

Paul Vixie <paul@redbarn.org> Wed, 24 November 2021 20:17 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3830F3A0BD8 for <quic@ietfa.amsl.com>; Wed, 24 Nov 2021 12:17:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.731
X-Spam-Level:
X-Spam-Status: No, score=-3.731 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.852, T_SPF_HELO_TEMPERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 75wfNoqiWaGZ for <quic@ietfa.amsl.com>; Wed, 24 Nov 2021 12:17:14 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF7F13A0BD6 for <quic@ietf.org>; Wed, 24 Nov 2021 12:17:11 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:f065:c89a:99f4:2ace] (unknown [IPv6:2001:559:8000:c9:f065:c89a:99f4:2ace]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 993397597E for <quic@ietf.org>; Wed, 24 Nov 2021 20:17:08 +0000 (UTC)
Subject: Re: UDP Ports and QUIC version
To: IETF QUIC WG <quic@ietf.org>
References: <CAM4esxRqTdYYSw5EMkLXjnRdhsYOgW1BDjVHdxG01md5dkEwCw@mail.gmail.com> <20211124185823.GU6443@akamai.com> <07540fa9-92e3-1c13-2965-f884aca7c795@huitema.net>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <c0cfff38-50b5-4f55-25f3-b308da74b04e@redbarn.org>
Date: Wed, 24 Nov 2021 12:17:07 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.52
MIME-Version: 1.0
In-Reply-To: <07540fa9-92e3-1c13-2965-f884aca7c795@huitema.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/RDhWLBlCJ3mdkYf0XD-qsJwVMUs>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Nov 2021 20:17:22 -0000


Christian Huitema wrote on 2021-11-24 12:02:
> ...
> 
> Note that port 853 is a bit of a special case. TCP port 853 was first 
> reserved for DNS over TLS. UDP port 853 was then reserved for DNS over 
> DTLS, which was defined in an experimental RFC. Turns out that several 
> years later we are not aware of any deployment of DNS over DTLS. So we 
> believe that having UDP port 853 for DNS over QUIC and TCP port 853 for 
> DNS over TLS would keep the nice symmetry that was originally intended. 

who is "we"?

> It would for example make management of firewalls easier, "port 853 is 
> encrypted DNS for both UDP and TCP". The downside would the case of 
> servers trying to run both DNS over QUIC and DNS over DTLS. We don't 
> know any such server, but it is nice to have a fallback mechanism in the 
> unforeseen case of some server somewhere trying to do that. The ability 
> of multiplexing QUIC and DTLS on the same port gives us that.

i likewise think UDP/853 for both DoD and DoQ is fine.

the reason for widespread lack of deployment of DoT (TCP/853) and DoD 
(UDP/853) is simply because the TLS (middleware) supply chain does not 
broadly know how to authenticate a server whose domain name is unknown. 
that is, all DNS has at the time it wishes to transmit some kinds of 
queries is an IP6/IP4 address. putting these into presentation form and 
comparing the certificate's common name with that converted string can 
be done, but the logic to do so is in the TLS library not the DNS 
server. so, deployment of DoD (DTLS, UDP/853) is "stuck" at the moment.

vixie

-- 
Sent from Postbox
<https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campaign=reach>