On Tue, 08 Mar 2016 22:35:39 +0000, "Wessels, Duane" wrote:
>Hi Brian,
>
>
>> On Mar 8, 2016, at 7:38 AM, Brian Haberman <[email protected]> wrote:
>>
>>
>> I am a definite Yes on this work, but just have a couple of comments...
>>
>> * Section 3.1 says "By mutual agreement with its server, the client MAY,
>> instead, use a port other than port 853 for DNS-over-TLS. Such an other
>> port MUST NOT be port 53..." It would be useful to *briefly* explain the
>> MUST NOT. If it is by mutual agreement, what's the harm?
>
>This text was recently added during a review of 5966bis (DNS-over-TCP)
>where there was a concern that neither that nor this document said anything
>about not mixing cleartext and ciphertext.
>
>I suppose another reason is that middleware boxes might want to "inspect"
>port 53 and TLS over port 53 will fail.
>
>Would you be okay with adding this sentence or similar?
>
> Use of port 53 for DNS-over-TLS is prohibited
> because mixing cleartext and ciphertext can result in false privacy.
Wrt this comment, I would suggest:

    Use of port 53 for DNS-over-TLS is prohibited to avoid
    complication in selecting use or non-use of TLS,
    and to reduce risk of downgrade attacks.

to be more explicit about "false privacy". (Multiple other reviewers
commented on both complexity and downgrade risks---my understanding is
that is why we ended up so strict, and without STARTTLS.)

("complications" means in implementation, but I omitted that word to
keep it short.)

The other comments and changes all look good to me.

-John
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
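The following is an added illustration of the two points argued in the thread (the "complication in selecting use or non-use of TLS" on a shared port, and the downgrade risk of falling back to cleartext); it is not code from the thread, from the draft, or from any IETF implementation. It assumes the Section 3.1 rule as quoted above (853 by default, another port only by agreement, never 53), and all wire bytes in it are constructed sample data. `dns_tcp_query`, `classify_first_bytes`, `dot_port_ok` and `resolve_strict` are names chosen here for the example.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type for a handshake record
DOT_DEFAULT_PORT = 853
PLAIN_DNS_PORT = 53


def dns_tcp_query(msg_id, qname, pad_to=None):
    """Build a DNS-over-TCP query: 2-byte length prefix + DNS message
    (RFC 1035 4.2.2).  If pad_to is given, an EDNS(0) OPT record carrying
    a Padding option (RFC 7830, option code 12) is appended so the message
    body is exactly pad_to bytes.  Constructed sample data, not captured."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    arcount = 1 if pad_to is not None else 0
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount) + question
    if pad_to is not None:
        # OPT RR = root name (1) + TYPE/CLASS/TTL/RDLEN (10) + option header (4)
        pad_len = pad_to - (len(msg) + 11 + 4)
        if pad_len < 0:
            raise ValueError("pad_to is smaller than the unpadded message")
        rdata = struct.pack("!HH", 12, pad_len) + b"\x00" * pad_len
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return struct.pack("!H", len(msg)) + msg


def classify_first_bytes(data):
    """The heuristic a port-sharing server or middlebox would be reduced to:
    a TLS record starts with type 0x16 and version bytes 0x03 0x0X.  It is
    only a guess, because nothing stops a DNS-over-TCP message from having
    a length prefix of 0x16 0x03 (5635 bytes) and an ID starting 0x01.
    Returns 'tls', 'dns' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # A DNS message is at least a 12-byte header.
    if struct.unpack("!H", data[:2])[0] >= 12:
        return "dns"
    return "unknown"


def dot_port_ok(port, agreed_alt_port=None):
    """Client-side check of the Section 3.1 rule quoted in the thread.
    Returns (ok, reason) rather than silently connecting anyway."""
    if port == PLAIN_DNS_PORT:
        return False, "DNS-over-TLS MUST NOT use port 53 (cleartext/TLS mixing)"
    if port == DOT_DEFAULT_PORT:
        return True, "default DNS-over-TLS port"
    if agreed_alt_port is not None and port == agreed_alt_port:
        return True, "alternate port agreed with the server"
    return False, f"port {port} was not agreed with the server"


def resolve_strict(query, tls_send, plain_send=None):
    """Strict profile: the query goes over TLS or not at all.  Retrying over
    plain_send when TLS fails is the downgrade the thread warns about, so it
    is refused here even though a cleartext sender is available."""
    try:
        return ("tls", tls_send(query))
    except ConnectionError as exc:
        return ("failed", f"DNS-over-TLS unavailable; not falling back: {exc}")


if __name__ == "__main__":
    # A 5635-byte padded query is legitimate DNS-over-TCP, yet its first
    # five bytes read 16 03 01 .. .. and a demuxer would call it TLS.
    padded = dns_tcp_query(0x0100, "example.com", pad_to=0x1603)
    print(padded[:5].hex(), classify_first_bytes(padded))
    print(dot_port_ok(53), dot_port_ok(853), dot_port_ok(8853, 8853))
```

With a dedicated port the question "TLS or not?" is answered by the port number the client chose, so neither side has to sniff bytes; with a strict client the loss of port 853 produces a failure rather than a quiet cleartext query.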