On Sat, 25 Jul 2015, Tim Wicinski wrote:
The rough consensus in the room was to
request an early port allocation request; and to
start with a new port directly.
I thought that at least one of these had a third hum option that was not
insignificant (although not as strong as the actions listed here)
I am still very much concerned both about using a new port and about
using a STARTTLS option - mostly focused on the stub to (external)
recursive.
For one, I really don't want us to hurt port 53's current freedom, and
fear that if we open that up to basically an encrypted stream of unknown but
presumed DNS traffic we will see an increase in port 53 manipulation
and filtering. (Middleware boxes also basically killed IKE port 500,
and we had to switch to port 4500 for most of it, to the point where we
could now almost obsolete port 500.)
On the other side, I really want encryption to be part of the standard
so it becomes harder to filter out my queries just because these are
encrypted. Using a separate port could mean an instant death sentence
for such deployment.
That said, I guess I'm leaning towards a new port and not mucking with
the current port 53.
Paul
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy