On Fri, Dec 13, 2019, at 02:34, Paul Hoffman wrote:
> This was discussed during the creation of RFC 7858. I would summarize
> the WG discussion as follows:
>
> - It is fine technically.
>
> - It will cause confusion because there will be two ways to do DoT, so
> a client might have to test each way in order to know if the resolver
> supports DoT.

This is a curious assertion. HTTPS operated for many years without ALPN. Right now, you negotiate HTTP/1.1 with the tag "http/1.1" OR by omitting ALPN. The same would seem to apply here equally. Of course, using DoT on port 443 means that you might not get the default you want, so this is a fine thing.

> - It is easier for clients to configure a different port than to
> configure ALPN. In fact, many clients cannot configure ALPN at all.

This depends very much on deployment. But there is another consideration: without ALPN, you have the potential for client and server to disagree on what the protocol is. We've seen practical attacks based on that confusion.

I think that using ALPN for new protocols is not just OK, but virtually a necessity.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
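The point in the reply above, that a client which omits ALPN and a server that offers several protocols on one port can end up with no shared idea of what is being spoken, can be observed directly in a TLS handshake. The following Go program is an added example and is not from the thread or from any DoT implementation: it runs a server and a client over loopback with a throwaway self-signed certificate, and shows four outcomes: the client offers "dot" and the server selects it; the client sends no ALPN extension and a lenient server completes the handshake with no negotiated protocol (the "omit ALPN" case, which is where the ambiguity lives); a strict server refuses that same client; and a server that does not speak "dot" fails the handshake outright. The ALPN token "dot" and the hypothetical `Negotiate` helper are assumptions made for the example; the thread predates any ALPN registration for DoT.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// alpnDoT is the ALPN token this example uses for DNS over TLS. The thread
// above predates an ALPN registration for DoT, so treat the value as an assumption.
const alpnDoT = "dot"

// selfSignedCert builds a throwaway localhost certificate in memory so the
// example runs offline. Constructed for this example only, not a deployment cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate runs one TLS handshake over loopback. The server advertises
// serverProtos; the client offers clientProtos (nil means the client sends no
// ALPN extension at all, the "omit ALPN" case from the thread). With requireALPN
// the server refuses any client that did not commit to a protocol. It returns
// the protocol the server ended up with ("" if none) or the handshake error.
func Negotiate(serverProtos, clientProtos []string, requireALPN bool) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos,
		MinVersion:   tls.VersionTLS12,
	}
	if requireALPN {
		// Reject clients that leave the application protocol unstated: this is
		// the "ALPN is a necessity" position enforced on the server side.
		serverCfg.VerifyConnection = func(cs tls.ConnectionState) error {
			if cs.NegotiatedProtocol == "" {
				return errors.New("client did not negotiate an application protocol")
			}
			return nil
		}
	}

	type result struct {
		proto string
		err   error
	}
	done := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{err: err}
			return
		}
		srv := tls.Server(raw, serverCfg)
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			done <- result{err: err}
			return
		}
		// What the server believes was agreed; "" means no ALPN took place.
		done <- result{proto: srv.ConnectionState().NegotiatedProtocol}
	}()

	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		NextProtos: clientProtos, // nil: no ALPN extension is sent at all
		MinVersion: tls.VersionTLS12,
	}
	cli, clientErr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if clientErr == nil {
		cli.Close()
	}
	ln.Close() // unblocks Accept if the client never connected
	r := <-done
	if r.err != nil {
		return "", r.err
	}
	return r.proto, clientErr
}

func main() {
	full := []string{alpnDoT, "h2", "http/1.1"}
	cases := []struct {
		name           string
		server, client []string
		strict         bool
	}{
		{"client offers dot", full, []string{alpnDoT}, false},
		{"client omits ALPN, lenient server", full, nil, false},
		{"client omits ALPN, strict server", full, nil, true},
		{"server does not speak dot", []string{"h2", "http/1.1"}, []string{alpnDoT}, false},
	}
	for _, c := range cases {
		proto, err := Negotiate(c.server, c.client, c.strict)
		fmt.Printf("%-38s proto=%q err=%v\n", c.name, proto, err)
	}
}
```

The second case is the one to look at: the handshake succeeds, but `NegotiatedProtocol` is empty on both ends, so a server multiplexing DoT with HTTP on port 443 has to guess from the first application bytes what the client meant, which is exactly the room for disagreement the reply warns about. The strict server closes that gap with `VerifyConnection`. The last case relies on Go's server failing the handshake with a no_application_protocol alert when the client offers ALPN values it does not support, which Go has done since 1.17; on older versions that case may instead complete with no protocol.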
