Hi Duane,

On 3/8/16 5:35 PM, Wessels, Duane wrote:
> Hi Brian,
>
>> On Mar 8, 2016, at 7:38 AM, Brian Haberman <[email protected]> wrote:
>>
>> I am a definite Yes on this work, but just have a couple of comments...
>>
>> * Section 3.1 says "By mutual agreement with its server, the client MAY,
>> instead, use a port other than port 853 for DNS-over-TLS. Such an other
>> port MUST NOT be port 53..." It would be useful to *briefly* explain the
>> MUST NOT. If it is by mutual agreement, what's the harm?
>
> This text was recently added during a review of 5966bis (DNS-over-TCP)
> where there was a concern that neither that nor this document said anything
> about not mixing cleartext and ciphertext.
>
> I suppose another reason is that middleware boxes might want to "inspect"
> port 53 and TLS over port 53 will fail.
>
> Would you be okay with adding this sentence or similar?
>
>     Use of port 53 for DNS-over-TLS is prohibited
>     because mixing cleartext and ciphertext can result in false privacy.
>

A spec really can't prohibit somebody from doing something, but I get the
rationale. How about:

    The use of port 53 for DNS-over-TLS is not recommended since mixing
    cleartext and ciphertext could result in interoperability issues or a
    reduction in privacy.

>
>> * I do not understand the last sentence of section 3.2, especially the
>> "SHOULD".
>
> You are referring to this sentence:
>
>     At this point, normal DNS queries SHOULD take place.
>
> I believe it is sort of an artifact from the time when the draft included
> a "STARTTLS for DNS" option whereby an unencrypted TCP connection could
> be upgraded. Dropping the sentence is fine with me.

Dropping the sentence works for me.

Regards,
Brian
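As an added illustration of the port rule discussed above (not code from the draft or from either correspondent), here is a minimal DNS-over-TLS client in Python that uses port 853 by default, accepts any other agreed port, refuses port 53, and applies the 2-octet length framing that DNS over TCP and DNS over TLS share. The server name, the certificate-verification behaviour and the sample query name are assumptions.

```python
import socket
import ssl
import struct

DOT_DEFAULT_PORT = 853    # IANA-assigned port for DNS-over-TLS
CLEARTEXT_DNS_PORT = 53   # classic DNS; must never carry TLS


def dot_port_allowed(port: int) -> bool:
    """Port rule from the thread: 853 by default, any other mutually agreed
    port is acceptable, but port 53 is refused so cleartext and TLS never mix."""
    return 0 < port < 65536 and port != CLEARTEXT_DNS_PORT


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP and over TLS prefix each message with a 2-octet length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return buf


def dot_query(server: str, name: str, port: int = DOT_DEFAULT_PORT,
              timeout: float = 5.0) -> bytes:
    """Send one query over TLS and return the raw DNS response (needs network;
    the server certificate is verified against `server`, an assumption here)."""
    if not dot_port_allowed(port):
        raise ValueError(f"port {port} is not usable for DNS-over-TLS")
    ctx = ssl.create_default_context()   # verifies chain and hostname
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)
```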
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
