On Dec 12, 2019, at 7:01 AM, Reed, Jon <[email protected]> wrote:
>
> Hi all,
>
> I'm planning to request a registration of an ALPN ID[1] for DNS-over-TLS.
> One primary use case we have is supporting both DoT and DoH on port 443, when
> port 853 is blocked between clients and the servers (this is by mutual
> agreement, as discussed in RFC 7858 § 3.1). I plan on requesting the
> protocol ID 0x64 0x6F 0x74 ("dot"), following the conventions of using all
> lowercase in registrations.
>
> Per discussion with one of the expert reviewers, I'm polling the list to see
> if anyone has objections -- if so, please let me know. I'd be interested in
> hearing the objections, and what alternatives might be proposed.
>
> Thanks,
> Jon
>
> [1]
> https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
This was discussed during the creation of RFC 7858. I would summarize the WG discussion as follows:

- It is fine technically.
- It will cause confusion because there will be two ways to do DoT, so a client might have to test each way in order to know if the resolver supports DoT.
- It is easier for clients to configure a different port than to configure ALPN. In fact, many clients cannot configure ALPN at all.

Others may have different summaries from the discussion. Certainly, some folks will have strong support or objections to those points; WG consensus was not particularly easy on this topic.

Having said that, Jon brings up a good point that we did not predict four years ago, namely that some resolvers might already be offering privacy services on port 443.

--Paul Hoffman
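As an added illustration of the mechanism Jon's proposal relies on (not code from either poster or from any resolver project): the ALPN extension format from RFC 7301 carrying a "dot" identifier next to "h2", the server-side choice among the names the client offered, and the dispatch a port-443 resolver would make between a DoT and a DoH handler. The handler descriptions returned by `dispatch` are hypothetical placeholders; only the wire encoding and the selection rule follow the RFCs.

```python
import struct

# ALPN extension type from the IANA TLS ExtensionType registry (RFC 7301).
ALPN_EXTENSION_TYPE = 16

def encode_alpn_extension(protocols):
    """Build a TLS ALPN extension (type, length, body) whose body is a
    2-byte length-prefixed list of 1-byte length-prefixed names (RFC 7301 3.1)."""
    names = b""
    for proto in protocols:
        raw = proto.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError(f"ALPN name must be 1..255 bytes: {proto!r}")
        names += struct.pack("!B", len(raw)) + raw
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(body)) + body

def decode_alpn_extension(data):
    """Parse an ALPN extension back into its list of names, refusing
    inconsistent length fields instead of reading past the buffer."""
    if len(data) < 6:
        raise ValueError("ALPN extension too short")
    ext_type, ext_len, list_len = struct.unpack("!HHH", data[:6])
    if ext_type != ALPN_EXTENSION_TYPE or len(data) != 4 + ext_len:
        raise ValueError("not a well-formed ALPN extension")
    if list_len == 0 or list_len != ext_len - 2:
        raise ValueError("bad protocol_name_list length")
    names, pos = [], 6
    while pos < len(data):
        n = data[pos]
        if n == 0 or pos + 1 + n > len(data):
            raise ValueError("bad protocol name length")
        names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def select_protocol(client_protocols, server_preference=("dot", "h2", "http/1.1")):
    """Server-side ALPN choice: the first server-preferred name the client
    offered, or None (server sends the no_application_protocol alert)."""
    offered = set(client_protocols)
    return next((p for p in server_preference if p in offered), None)

def dispatch(selected):
    """Hand the TLS session to the right handler on a shared port 443
    (hypothetical handler names, returned as strings for illustration)."""
    if selected == "dot":
        return "DoT: read 2-byte length-prefixed DNS messages (RFC 7858)"
    if selected in ("h2", "http/1.1"):
        return "DoH: serve the HTTP DNS endpoint (RFC 8484)"
    return "abort: no_application_protocol"
```

A client that cannot set ALPN (the third point in Paul's summary) offers no names at all, so a server that only multiplexes on ALPN must decide up front whether such a connection falls through to DoH or is refused.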
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
