In message <[email protected]>, "Wessels, Duane " writes:

> > On Aug 17, 2015, at 6:42 AM, Warren Kumari <[email protected]> wrote:
> >
> > On Tue, Aug 11, 2015 at 2:00 PM, Joe Touch <[email protected]> wrote:
> >>
> >> Hi, Warren,
> >>
> >> It might be useful to summarize on this list the rationale for this
> >> allocation and the plan for its use.
> >>
> >> In particular:
> >>
> >> - why port 53 is not sufficient using STARTTLS
> >>
> >
> > - The WG decided that using a new port instead of a STARTTLS or
> > octet-matching would better suit our operational goals.
> > We had significant discussions on this, and we have concerns about
> > things like middle boxes reacting to non-DNS on 53.
>
> Additionally:
>
> - A separate port avoids the 1xRTT incurred by STARTTLS negotiation.
>
> - DNS-over-DTLS can't use STARTTLS (at least not as currently described), although
> it does claim that it can run on port 53. That relies on an unaware server
> mis-interpreting a DTLS ClientHello message as a DNS message with Opcode=15. That,
> in turn, takes Opcode 15 off the table for future allocation, etc.
>
>
> DW
More correctly, DTLS traffic is DNS reply traffic (QR=1), which is why there is no
response from DNS servers. The traffic is processed as a broken, unexpected reply.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
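The two readings above (Opcode=15 versus QR=1) are both visible by laying a DTLS record-layer header over a DNS header. The script below is an added illustration, not code from this thread or from any DNS-over-DTLS draft: it builds a constructed DTLS 1.0 and DTLS 1.2 record header (content type 22 = Handshake, version 0xFEFF or 0xFEFD, epoch, 48-bit sequence number, length, per RFC 6347 section 4.1), decodes the same bytes as a DNS header (RFC 1035 section 4.1.1), and reports how a DTLS-unaware server would classify the datagram. The `server_disposition` policy (drop anything with QR=1, otherwise treat it as a query) is a simplification assumed here for illustration, not a description of any particular server's code.

```python
import struct

# Constructed DTLS record-layer constants (RFC 6347 section 4.1).
DTLS_HANDSHAKE = 0x16   # content type 22: Handshake (a ClientHello lives here)
DTLS10 = 0xFEFF         # DTLS 1.0 protocol version
DTLS12 = 0xFEFD         # DTLS 1.2 protocol version


def dtls_record_header(version, epoch=0, seq=0, length=0):
    """Build a constructed 13-byte DTLS record header (payload omitted).

    Layout: type(1) | version(2) | epoch(2) | sequence number(6) | length(2).
    """
    return (bytes([DTLS_HANDSHAKE])
            + version.to_bytes(2, "big")
            + epoch.to_bytes(2, "big")
            + seq.to_bytes(6, "big")
            + length.to_bytes(2, "big"))


def parse_dns_header(datagram):
    """Decode the first 12 bytes of any datagram as a DNS header (RFC 1035 4.1.1)."""
    if len(datagram) < 12:
        raise ValueError("datagram shorter than a DNS header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", datagram[:12])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = QUERY ... 15 = unassigned
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def server_disposition(datagram):
    """Assumed behaviour of a DTLS-unaware DNS server on its listening port.

    Simplified policy for illustration: a message with QR=1 is an unsolicited
    reply and is discarded; anything else is handled as a query of that opcode.
    """
    h = parse_dns_header(datagram)
    if h["qr"] == 1:
        return "discard: unsolicited reply (QR=1, opcode=%d)" % h["opcode"]
    return "handle as query: opcode %d" % h["opcode"]


def describe(label, datagram):
    h = parse_dns_header(datagram)
    print("%-18s id=0x%04x qr=%d opcode=%d aa=%d tc=%d rd=%d -> %s"
          % (label, h["id"], h["qr"], h["opcode"], h["aa"], h["tc"], h["rd"],
             server_disposition(datagram)))


if __name__ == "__main__":
    # A constructed ordinary DNS query header: ID 0x1234, RD set, one question.
    plain_query = bytes.fromhex("1234" "0100" "0001" "0000" "0000" "0000")
    describe("DNS query", plain_query)
    describe("DTLS 1.0 record", dtls_record_header(DTLS10))
    describe("DTLS 1.2 record", dtls_record_header(DTLS12))
```

Running it shows the point both posters make: the version bytes 0xFEFF / 0xFEFD land in the DNS flags field, so the QR bit is set (a reply, silently dropped) and the opcode field reads as 15, with AA and RD set as well; the content-type byte 0x16 and the first version byte become a DNS message ID of 0x16FE.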
