Re: UDP Ports and QUIC version

Paul Vixie <paul@redbarn.org> Wed, 24 November 2021 20:17 UTC

Subject: Re: UDP Ports and QUIC version
To: IETF QUIC WG <quic@ietf.org>
References: <CAM4esxRqTdYYSw5EMkLXjnRdhsYOgW1BDjVHdxG01md5dkEwCw@mail.gmail.com> <20211124185823.GU6443@akamai.com> <07540fa9-92e3-1c13-2965-f884aca7c795@huitema.net>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <c0cfff38-50b5-4f55-25f3-b308da74b04e@redbarn.org>
Date: Wed, 24 Nov 2021 12:17:07 -0800
In-Reply-To: <07540fa9-92e3-1c13-2965-f884aca7c795@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/RDhWLBlCJ3mdkYf0XD-qsJwVMUs>
Christian Huitema wrote on 2021-11-24 12:02:
> ...
> 
> Note that port 853 is a bit of a special case. TCP port 853 was first 
> reserved for DNS over TLS. UDP port 853 was then reserved for DNS over 
> DTLS, which was defined in an experimental RFC. Turns out that several 
> years later we are not aware of any deployment of DNS over DTLS. So we 
> believe that having UDP port 853 for DNS over QUIC and TCP port 853 for 
> DNS over TLS would keep the nice symmetry that was originally intended. 

who is "we"?

> It would for example make management of firewalls easier, "port 853 is 
> encrypted DNS for both UDP and TCP". The downside would be the case of 
> servers trying to run both DNS over QUIC and DNS over DTLS. We don't 
> know any such server, but it is nice to have a fallback mechanism in the 
> unforeseen case of some server somewhere trying to do that. The ability 
> of multiplexing QUIC and DTLS on the same port gives us that.

i likewise think UDP/853 for both DoD and DoQ is fine.

the reason for widespread lack of deployment of DoT (TCP/853) and DoD 
(UDP/853) is simply because the TLS (middleware) supply chain does not 
broadly know how to authenticate a server whose domain name is unknown. 
that is, all DNS has at the time it wishes to transmit some kinds of 
queries is an IP6/IP4 address. putting these into presentation form and 
comparing the certificate's common name with that converted string can 
be done, but the logic to do so is in the TLS library not the DNS 
server. so, deployment of DoD (DTLS, UDP/853) is "stuck" at the moment.

vixie

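The matching step described above (a resolver that holds only an address asking its TLS library whether the server certificate names that address), as an added Go example that is not part of this message or of any DoT/DoQ implementation. It builds constructed self-signed certificates and relies on Go's crypto/x509, which matches an address only against an iPAddress subjectAltName and never against the CN, so a server reachable only by IP needs that SAN for the check to pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeIPCert builds a self-signed certificate (constructed test data, not a
// real server's) whose CN is the address in presentation form; when withSAN
// is set it also carries the address as an iPAddress subjectAltName.
func makeIPCert(ip net.IP, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ip.String()},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.IPAddresses = []net.IP{ip}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesAddress is the question a resolver with only an IP can put to its
// TLS library: does this certificate name that address? Go compares an IP
// against the iPAddress SANs only, never against the CN string.
func matchesAddress(cert *x509.Certificate, ip net.IP) bool {
	return cert.VerifyHostname(ip.String()) == nil
}

func main() {
	ip := net.ParseIP("2001:db8::53") // constructed address, no real server
	cnOnly, _ := makeIPCert(ip, false)
	withSAN, _ := makeIPCert(ip, true)
	fmt.Println("CN only :", matchesAddress(cnOnly, ip))                         // false
	fmt.Println("IP SAN  :", matchesAddress(withSAN, ip))                        // true
	fmt.Println("other IP:", matchesAddress(withSAN, net.ParseIP("2001:db8::54"))) // false
}
```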