> On any other topic I would agree. Breaking DNS should be one of the
> things to worry about.
Maybe we should make the distinction between "stub resolver" and "iterative resolver" part of the architecture. This would be very much the same split as between a mail client and an e-mail server. Email evolved to use different port numbers for message transmission by SMTP and message submission via SMTP, not to mention wholly separate protocols for email retrieval.

Given that, I would vote for having a distinct port for "stub to iterative DNS," and of course make TLS mandatory on that port. Anything else has to be motivated by NAT and firewall traversal, and the need to sometimes fall back to some dirty compromise. In that case, I cannot see how STARTTLS on TCP port 53 is the answer. If a firewall blocks outgoing TLS on unknown ports, chances are that it will also mess with port 53. NAT the connection, drop the STARTTLS, and voila, MITM on 53.

If we need a "dirty fallback," then it has to be port 443. The same dirty fallback that other applications use.

-- Christian Huitema

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
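The downgrade described in the post ("NAT the connection, drop the STARTTLS, and voila, MITM on 53") beside the mandatory-TLS-on-a-dedicated-port alternative, as an added toy simulation that is not part of the thread and not code from any DNS implementation. DNS has no STARTTLS command, so the STARTTLS/OK probe, the CLIENT_HELLO/SERVER_HELLO handshake and the ToyTLS keystream are all assumptions of the model, chosen so the script runs offline; the one property modelled is that an on-path NAT/firewall can parse QNAMEs out of plaintext port-53 traffic but gets nothing out of a protected channel. The DNS framing itself (RFC 1035 header, labels, and the two-byte TCP length prefix) is real.

```python
"""Opportunistic STARTTLS on port 53 vs. mandatory TLS on a dedicated port,
with a hostile NAT/firewall on the path. Constructed example, not code
from the dns-privacy thread or any resolver. DNS has no STARTTLS; the
probe, the handshake and ToyTLS are placeholders (see class docstrings).
"""
import hashlib
import secrets
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Standard query (RD=1, QDCOUNT=1) with the RFC 1035 TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def parse_query(frame):
    """QNAME if frame is a well-formed plaintext TCP DNS query, else None.
    This is exactly what a passive middlebox can read off port 53."""
    if len(frame) < 14 or struct.unpack("!H", frame[:2])[0] != len(frame) - 2:
        return None
    msg = frame[2:]
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or (qd, an, ns, ar) != (1, 0, 0, 0):
        return None
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        n, label = msg[pos], msg[pos + 1:pos + 1 + msg[pos]]
        if n > 63 or len(label) != n or not all(
                c == 0x2D or (c < 0x80 and chr(c).isalnum()) for c in label):
            return None
        labels.append(label.decode("ascii"))
        pos += 1 + n
    if not labels or len(msg) - pos != 5:   # NUL terminator + QTYPE + QCLASS
        return None
    return ".".join(labels)


class ToyTLS:
    """Placeholder for a TLS session. NOT cryptography: both nonces travel
    in the clear and the middlebox is simply written not to derive the key.
    It models one property: protected bytes yield no parsable QNAME."""
    def __init__(self, client_nonce, server_nonce):
        self.key = hashlib.sha256(b"toy-tls" + client_nonce + server_nonce).digest()
        self.seq = 0

    def seal(self, data):
        ks = b"".join(hashlib.sha256(self.key + struct.pack("!QI", self.seq, i)).digest()
                      for i in range(len(data) // 32 + 1))
        self.seq += 1
        return bytes(a ^ b for a, b in zip(data, ks))

    open = seal   # XOR keystream: identical operation in both directions


class Resolver:
    """Iterative resolver end of the stub connection."""
    def __init__(self):
        self.tls, self.received_qname = None, None

    def handle(self, data):
        if data == b"STARTTLS\r\n":                     # hypothetical upgrade probe
            return b"OK\r\n"
        if data.startswith(b"CLIENT_HELLO "):            # hypothetical handshake
            nonce = secrets.token_bytes(16)
            self.tls = ToyTLS(data[13:], nonce)
            return b"SERVER_HELLO " + nonce
        self.received_qname = parse_query(self.tls.open(data) if self.tls else data)
        return b""


class Middlebox:
    """NAT/firewall on the path. Hostile: answers the STARTTLS probe itself
    (the stripped upgrade) and blocks the handshake, like a firewall that
    dislikes TLS on unknown ports. Always logs any QNAME it can parse."""
    def __init__(self, resolver, hostile):
        self.resolver, self.hostile, self.seen_qnames = resolver, hostile, []

    def relay(self, data):
        qname = parse_query(data)
        if qname:
            self.seen_qnames.append(qname)
        if self.hostile and data == b"STARTTLS\r\n":
            return b"NOTSUPPORTED\r\n"
        if self.hostile and data.startswith(b"CLIENT_HELLO "):
            return None
        return self.resolver.handle(data)


class Stub:
    """'starttls': probe, upgrade if offered, else the dirty fallback to
    plaintext on the same port. 'implicit_tls': dedicated port, TLS
    mandatory, so a failed handshake means no query is sent at all."""
    def __init__(self, path, mode):
        self.path, self.mode = path, mode

    def _handshake(self):
        nonce = secrets.token_bytes(16)
        reply = self.path.relay(b"CLIENT_HELLO " + nonce)
        return ToyTLS(nonce, reply[13:]) if reply and reply.startswith(b"SERVER_HELLO ") else None

    def query(self, qname):
        if self.mode == "starttls":
            tls = self._handshake() if self.path.relay(b"STARTTLS\r\n") == b"OK\r\n" else None
        else:
            tls = self._handshake()
            if tls is None:
                raise ConnectionError("TLS is mandatory on this port; refusing to send")
        frame = build_query(qname)
        self.path.relay(tls.seal(frame) if tls else frame)
        return "tls" if tls else "plaintext"


def run(mode, hostile, qname="example.com"):
    """(transport used, QNAMEs the middlebox read, QNAME the resolver received)."""
    resolver = Resolver()
    box = Middlebox(resolver, hostile)
    try:
        transport = Stub(box, mode).query(qname)
    except ConnectionError:
        transport = "refused"
    return transport, box.seen_qnames, resolver.received_qname


if __name__ == "__main__":
    for mode in ("starttls", "implicit_tls"):
        for hostile in (False, True):
            print(f"{mode:12s} hostile={hostile!s:5s} -> {run(mode, hostile)}")
```

Running the script prints the four combinations. With a transparent path both designs protect the query; with the hostile box, the STARTTLS client silently ends up sending `example.com` in the clear and never learns it was downgraded, while the implicit-TLS client fails closed and leaks nothing. The model only covers passive parsing by the middlebox; whether a real client could detect the tampering is a question of TLS authentication that the toy channel does not attempt to represent.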
