Hi John,

On 3/9/16 1:14 AM, John Heidemann wrote:
> On Tue, 08 Mar 2016 22:35:39 +0000, "Wessels, Duane" wrote:
>> Hi Brian,
>>
>>> On Mar 8, 2016, at 7:38 AM, Brian Haberman <[email protected]> wrote:
>>>
>>> I am a definite Yes on this work, but just have a couple of comments...
>>>
>>> * Section 3.1 says "By mutual agreement with its server, the client MAY,
>>> instead, use a port other than port 853 for DNS-over-TLS. Such an other
>>> port MUST NOT be port 53..." It would be useful to *briefly* explain the
>>> MUST NOT. If it is by mutual agreement, what's the harm?
>>
>> This text was recently added during a review of 5966bis (DNS-over-TCP)
>> where there was a concern that neither that nor this document said anything
>> about not mixing cleartext and ciphertext.
>>
>> I suppose another reason is that middleware boxes might want to "inspect"
>> port 53 and TLS over port 53 will fail.
>>
>> Would you be okay with adding this sentence or similar?
>>
>>     Use of port 53 for DNS-over-TLS is prohibited
>>     because mixing cleartext and ciphertext can result in false privacy.
>
> Wrt this comment, I would suggest:
>
>     Use of port 53 for DNS-over-TLS is prohibited to avoid
>     complication in selecting use or non-use of TLS,
>     and to reduce risk of downgrade attacks.
I missed this follow-up prior to responding to Duane... My suggestion is
replacing "prohibited" with "not recommended".

Regards,
Brian
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
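The thread above argues about why a DNS-over-TLS client must not use port 53 even by agreement: a port that carries both cleartext DNS and TLS forces the receiving side to guess which it got, and a client that can reach the same port either way has a cleartext fallback an attacker can steer it into. The following is an added example, written for this page and not code from the thread, the draft, or any IETF implementation. It encodes the Section 3.1 port rule as a client-side endpoint check and then, on constructed byte strings, shows the framing ambiguity a mixed port would create. `DotEndpoint`, its `agreed_port` flag, `validate_dot_endpoint`, `classify_tcp_prefix` and `build_dns_tcp_query` are names chosen here, not anything the draft defines.

```python
# Added example (not from the dns-privacy thread or the DNS-over-TLS draft).
from dataclasses import dataclass

DOT_DEFAULT_PORT = 853      # DNS-over-TLS port named in Section 3.1
CLEARTEXT_DNS_PORT = 53     # cleartext DNS; MUST NOT carry DNS-over-TLS


@dataclass(frozen=True)
class DotEndpoint:
    """A resolver the client will speak DNS-over-TLS to.

    `agreed_port` is a hypothetical flag standing in for the "mutual
    agreement" the draft requires before a port other than 853 is used.
    """
    host: str
    port: int = DOT_DEFAULT_PORT
    agreed_port: bool = False


def validate_dot_endpoint(ep: DotEndpoint) -> DotEndpoint:
    """Apply the Section 3.1 port rule before any connection is attempted."""
    if not 0 < ep.port < 65536:
        raise ValueError(f"invalid port {ep.port}")
    if ep.port == CLEARTEXT_DNS_PORT:
        # Refusing here keeps ciphertext off the cleartext port and removes
        # the option of a silent fallback to cleartext (the downgrade risk).
        raise ValueError("port 53 is reserved for cleartext DNS; "
                         "DNS-over-TLS MUST NOT use it")
    if ep.port != DOT_DEFAULT_PORT and not ep.agreed_port:
        raise ValueError(f"port {ep.port} requires prior agreement with "
                         f"{ep.host}")
    return ep


def looks_like_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return (len(data) >= 3 and data[0] == 0x16
            and data[1] == 0x03 and data[2] <= 0x04)


def looks_like_dns_tcp_framing(data: bytes) -> bool:
    """DNS over TCP (RFC 1035 4.2.2): 2-byte length, then a 12-byte header."""
    return len(data) >= 2 and int.from_bytes(data[:2], "big") >= 12


def classify_tcp_prefix(data: bytes) -> str:
    """The decision a mixed cleartext/TLS listener would face on first bytes.

    The TLS test is applied first because a ClientHello also passes the DNS
    framing test: its first two bytes 0x16 0x03 read as a plausible message
    length of 5635, so framing alone cannot tell the two apart.
    """
    if looks_like_tls_record(data):
        return "tls"
    if looks_like_dns_tcp_framing(data):
        return "cleartext-dns"
    return "unknown"


def build_dns_tcp_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed cleartext DNS-over-TCP query for QTYPE A, QCLASS IN."""
    header = (txid.to_bytes(2, "big")   # ID
              + b"\x01\x00"             # flags: RD set
              + b"\x00\x01"             # QDCOUNT = 1
              + b"\x00\x00" * 3)        # ANCOUNT, NSCOUNT, ARCOUNT = 0
    labels = qname.rstrip(".").split(".")
    name = b"".join(len(l).to_bytes(1, "big") + l.encode("ascii")
                    for l in labels) + b"\x00"
    message = header + name + b"\x00\x01\x00\x01"
    return len(message).to_bytes(2, "big") + message


# Constructed sample input (not captured traffic): TLS record header for a
# handshake message plus the start of a ClientHello body.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c8010000c40303")

if __name__ == "__main__":
    ep = validate_dot_endpoint(DotEndpoint("resolver.example"))
    print(f"using {ep.host}:{ep.port}")
    for sample in (TLS_CLIENT_HELLO_PREFIX, build_dns_tcp_query("example.com")):
        print(sample[:4].hex(), classify_tcp_prefix(sample),
              "dns-framing-plausible" if looks_like_dns_tcp_framing(sample) else "")
```

The last assertion worth noticing is that the TLS prefix satisfies the DNS framing test as well: a listener serving both on one port would need deeper inspection or a heuristic, which is the "complication in selecting use or non-use of TLS" John's wording refers to. Keeping DNS-over-TLS off port 53 removes that decision entirely.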
