On Wed, 09 Mar 2016 13:23:19 +0000, Warren Kumari wrote: 
>On Wed, Mar 9, 2016 at 1:22 PM Brian Haberman <[email protected]> wrote:
>
>    Hi John,
>   
>    On 3/9/16 1:14 AM, John Heidemann wrote:
>    > On Tue, 08 Mar 2016 22:35:39 +0000, "Wessels, Duane" wrote:
>    >> Hi Brian,
>    >>
>    >>
>    >>> On Mar 8, 2016, at 7:38 AM, Brian Haberman <[email protected]> wrote:
>    >>>
>    >>>
>    >>> I am a definite Yes on this work, but just have a couple of comments...
>    >>>
>    >>> * Section 3.1 says "By mutual agreement with its server, the client MAY,
>    >>> instead, use a port other than port 853 for DNS-over-TLS.  Such an other
>    >>> port MUST NOT be port 53..." It would be useful to *briefly* explain the
>    >>> MUST NOT. If it is by mutual agreement, what's the harm?
>    >>
>    >> This text was recently added during a review of 5966bis (DNS-over-TCP)
>    >> where there was a concern that neither that nor this document said anything
>    >> about not mixing cleartext and ciphertext.
>    >>
>    >> I suppose another reason is that middleware boxes might want to "inspect"
>    >> port 53 and TLS over port 53 will fail.
>    >>
>    >> Would you be okay with adding this sentence or similar?
>    >>
>    >>   Use of port 53 for DNS-over-TLS is prohibited
>    >>   because mixing cleartext and ciphertext can result in false privacy.
>    >
>    > Wrt this comment, I would suggest:
>    >
>    >    Use of port 53 for DNS-over-TLS is prohibited to avoid
>    >    complication in selecting use or non-use of TLS,
>    >    and to reduce risk of downgrade attacks.
>   
>    I missed this follow-up prior to responding to Duane...
>   
>    My suggestion is replacing "prohibited" with "not recommended".
>
>No hats here, but I like that.

I checked in with this text:

          This recommendation against use of port 53 for DNS-over-TLS
          is to avoid
          complication in selecting use or non-use of TLS,
          and to reduce risk of downgrade attacks.


to avoid the "...not recommended to avoid..." double negative.

   -John

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
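The downgrade risk the thread's wording is trying to capture can be seen in a small model of two client policies. This is an added illustration, not code from the dns-privacy list or from the DNS-over-TLS draft under discussion: the network, the on-path attacker (who can only reset TLS handshakes, not read or forge TLS-protected traffic) and the "query" are all simulated in-process, and the treatment of ports other than 53 and 853 as "mutually agreed TLS ports" is an assumption made here for the example.

```python
"""Why keep DNS-over-TLS off port 53: a port-separated client next to a
"try TLS, then fall back to cleartext on the same port" client.

Added example for this thread; not code from the dns-privacy list or the
DNS-over-TLS draft. Everything below is a constructed scenario: no sockets,
no real resolver, just the decision logic each client would run.
"""
from dataclasses import dataclass

DNS_TLS_PORT = 853     # port the draft assigns to DNS-over-TLS
DNS_CLEAR_PORT = 53    # classic cleartext DNS


class DowngradeRefused(Exception):
    """Raised when the only remaining option would be to send cleartext."""


@dataclass(frozen=True)
class Sent:
    """What actually left the client: the port used and whether it was TLS."""
    port: int
    tls: bool


def transport_for_port(port: int) -> bool:
    """Decide TLS vs cleartext from the port alone.

    853 -> TLS, 53 -> cleartext, and any other port is assumed (for this
    example) to be a mutually agreed DNS-over-TLS port -> TLS. Nothing is
    negotiated at runtime, which is the 'complication in selecting use or
    non-use of TLS' that the thread's text avoids.
    """
    return port != DNS_CLEAR_PORT


def simulated_network(port: int, tls: bool, attacker_on_path: bool) -> str:
    """Deliver one connection attempt (simulated).

    The simulated on-path attacker can kill a TLS handshake (think injected
    TCP RST) but cannot see inside TLS. Returns "reset" for a blocked
    handshake and "delivered" otherwise.
    """
    if attacker_on_path and tls:
        return "reset"
    return "delivered"


def port_separated_client(port: int, attacker_on_path: bool) -> Sent:
    """Client following the draft: TLS iff the port says so; fail closed."""
    tls = transport_for_port(port)
    if simulated_network(port, tls, attacker_on_path) == "reset":
        # A reset TLS handshake is an error, never a reason to go cleartext.
        raise DowngradeRefused(
            f"TLS on port {port} was reset; not retrying in cleartext")
    return Sent(port, tls)


def mixed_port_client(attacker_on_path: bool) -> Sent:
    """Client that allows both TLS and cleartext on port 53 and picks at runtime.

    This is the pattern the 'port 53 MUST NOT / is not recommended' text rules
    out: because both forms are legitimate on the same port, a reset handshake
    is indistinguishable from 'this server does not speak TLS', so the client
    quietly falls back and the user gets the 'false privacy' Duane mentions.
    """
    if simulated_network(DNS_CLEAR_PORT, True, attacker_on_path) == "delivered":
        return Sent(DNS_CLEAR_PORT, True)
    # Fallback: the same query goes out in cleartext on the same port.
    return Sent(DNS_CLEAR_PORT, False)


def demo() -> dict:
    """Run both clients with and without an attacker; return what was sent."""
    out = {}
    out["mixed_no_attacker"] = mixed_port_client(attacker_on_path=False)
    out["mixed_attacker"] = mixed_port_client(attacker_on_path=True)
    out["strict_no_attacker"] = port_separated_client(DNS_TLS_PORT, False)
    try:
        port_separated_client(DNS_TLS_PORT, True)
        out["strict_attacker"] = "sent"
    except DowngradeRefused:
        out["strict_attacker"] = "refused"
    return out


if __name__ == "__main__":
    for name, what in demo().items():
        print(f"{name:20} {what}")
```

With the attacker present, the mixed-port client ends up sending the query in cleartext on port 53 while believing it configured TLS; the port-separated client never has that option, since on 853 a failed handshake is simply a failure. The same separation also keeps middleboxes that inspect port 53 from ever seeing TLS there, which is the other concern raised in the thread.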
