On Tue 2015-05-12 14:40:12 -0400, Simon Josefsson wrote:
> What I'm basically wondering, and advocating, is if perhaps one method
> would be sufficient. This would reduce complexity on the protocol and
> implementation level.

I agree that a single mechanism would be cleaner, but perhaps the two
mechanisms serve different purposes? It seems to me that the STARTTLS
variant is useful for opportunistic dns-privacy, while the
distinct-port-based TLS-wrapped variant is useful for pre-configured
non-opportunistic dns-privacy.

People might want to argue about whether opportunistic dns-privacy is
relevant or useful, but if we concede that it does defend against some
relevant attackers, then it might be useful?

I don't imagine a "happy eyeballs" approach happening -- if someone
isn't sure which will be available, they will just use the STARTTLS
approach. If someone *is* sure, they will use DNS-over-TLS-over-TCP.

Perhaps this distinction could be handled differently, though (e.g. with
some external signalling, such as a DHCP option) so that everything
could be collapsed to the DNS-over-TLS-over-TCP case (since it appears
to be 1RTT faster).

> The preference in IETF has been for the inband STARTTLS approach

I think recent discussions have indicated that there isn't any consensus
for either approach these days. See, for example, the 'is one or two
ports "more secure"' discussion in saag (hopefully I haven't grievously
misinterpreted it):

http://thread.gmane.org/gmane.ietf.saag/4916

--dkg

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
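The two trust models dkg contrasts above, as an added example that is not from the thread or from any IETF or resolver code: a DNS query carried in the distinct-port style (TLS negotiated before the first DNS byte, the usual 16-bit length framing inside it) over an in-memory pipe that stands in for a TCP connection to port 853. The same client is run pre-configured, pinning the resolver's SubjectPublicKeyInfo hash and failing closed when a resolver with the right name but a different key answers, and opportunistically, accepting whatever certificate it is shown, which is enough against a passive eavesdropper but not against an on-path impersonator. The resolver name `resolver.example`, the echo-style stub resolver, the sample query and the 5-second deadline are all constructed assumptions; the STARTTLS variant is not implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"io"
	"math/big"
	"net"
	"time"
)

var errPinMismatch = errors.New("resolver key does not match the configured pin")
// Constructed sample query: ID 0x1234, RD=1, one question for example.com A IN.
var sampleQuery = append([]byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0},
	"\x07example\x03com\x00\x00\x01\x00\x01"...)

// selfSignedCert: throwaway P-256 cert for the stub resolver plus its SPKI SHA-256 (the pin).
func selfSignedCert(name string) (tls.Certificate, [32]byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing system CSPRNG is not something to recover from here
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, sha256.Sum256(spki)
}

// clientConfig: pin == nil is opportunistic (any certificate accepted, so only a passive
// eavesdropper is defeated); pin != nil is pre-configured (SPKI must match, else fail closed).
func clientConfig(pin *[32]byte) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true}
	if pin != nil {
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0]) // Go rejects an empty chain before this
			if err != nil {
				return err
			}
			if sha256.Sum256(leaf.RawSubjectPublicKeyInfo) != *pin {
				return errPinMismatch
			}
			return nil
		}
	}
	return cfg
}

// DNS over TCP, and therefore over TLS, prefixes every message with a 16-bit length.
func writeMessage(w io.Writer, msg []byte) error {
	buf := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(buf, uint16(len(msg)))
	copy(buf[2:], msg)
	_, err := w.Write(buf)
	return err
}

func readMessage(r io.Reader) ([]byte, error) {
	var n uint16
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	msg := make([]byte, n)
	_, err := io.ReadFull(r, msg)
	return msg, err
}

// exchange runs one query in the distinct-port model (TLS first, no STARTTLS step) over an
// in-memory pipe. The stub resolver echoes the query with QR set; a rejected handshake is the error.
func exchange(serverCert tls.Certificate, pin *[32]byte, query []byte) ([]byte, error) {
	srvConn, cliConn := net.Pipe() // synchronous, so deadlines keep a stalled peer from hanging us
	deadline := time.Now().Add(5 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	go func() {
		defer srvConn.Close()
		srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{serverCert},
			MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}) // no ticket tail on the pipe
		if q, err := readMessage(srv); err == nil && len(q) >= 12 { // handshake happens here
			q[2] |= 0x80 // QR=1 turns the echoed query into a response
			writeMessage(srv, q)
		}
	}()
	defer cliConn.Close()
	cli := tls.Client(cliConn, clientConfig(pin))
	if err := writeMessage(cli, query); err != nil { // handshake happens here too
		return nil, err
	}
	return readMessage(cli)
}
```

Calling `exchange(cert, &pin, sampleQuery)` with the matching certificate returns the echoed response; with a certificate for the same name but a different key it returns `errPinMismatch` before any DNS byte is sent, while `exchange(other, nil, sampleQuery)` succeeds against any key. That asymmetry is the difference between the pre-configured and opportunistic cases in the message above: the opportunistic client has nothing to compare the presented key against, so whatever defence it provides comes only from the attacker not being on path.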
