On Tue, Aug 11, 2015 at 2:00 PM, Joe Touch <[email protected]> wrote:
>
>
> On 8/7/2015 6:03 AM, Warren Kumari wrote:
>> Hi all,
>>
>> The chairs believe that there is sufficient interest in the working
>> group for early allocation of a port for dns over TLS, following RFC
>> 7120.
>
> Hi, Warren,
>
> It might be useful to summarize on this list the rationale for this
> allocation and the plan for its use.
>
> In particular:
>
> - why port 53 is not sufficient using STARTTLS
>

- The WG decided that using a new port instead of a STARTTLS or octet-matching approach would better suit our operational goals. We had significant discussions on this, and we have concerns about things like middleboxes reacting to non-DNS on 53.

> - why a system port, rather than a user port, is appropriate

- A system port is appropriate because DNS is, and always has been, a system service.

> - whether TLS-protected DNS would ever be expected on port 53
>

- TLS- or DTLS-protected DNS is not expected to ever appear on port 53.

> Speaking as an individual (though I also chair the IANA port expert
> review team, which reviews applications not through the standards
> process), my view is that:
>
> a) it would have been preferable to use the existing
> assigned port for DNS (e.g., using STARTTLS), as I note
> in RFC7605
>
> b) the existing ubiquity of DNS ALGs will make (a) difficult
> (this does not apply to new protocols but would here)
>
> c) if the secure variant has a separate port, then it would
> be confusing to run the same service on multiple ports
>
> d) if this service is assigned a new port, it should be
> a system port; although system ports do not often afford
> the protections once assumed, it seems reasonable to stay
> with the same type of port as the original service
>
> As a result, I concur with the assignment of a port for "dns-s" (FWIW,
> that's what I would suggest, as it is the convention for most new secure
> variants) as a system port.

Thank you. We had similar discussions in the WG, but it is very helpful to have someone who evaluates these sorts of requests come to the same conclusion.

W

>
> Joe

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
