On Fri, 13 Dec 2019, Erik Nygren wrote:
> Linking ALPN and port defeats the purpose of ALPN.
Indeed.
> The main driving factor for having an ALPN token is for cases when there is a desire to configure dot and doh to share a port (especially 443) for some use-case.
But take into account that DoH is partially motivated by fighting against DNS censorship, so in those cases using ALPN would be a non-starter.

Sure, services like Google DNS or Cloudflare, that would be running DoH and DoT on port 443 to make it easier to bypass unintended filters (e.g. blocking of port 853) while still not trying to hide their DoH traffic from Paul Vixie's home network, could use this ALPN setting to demux, although I wonder if they couldn't determine this by the incoming stream somehow anyway. Especially if the services use the same TLS key/cert. Although I doubt we would need to write an RFC with ALPN for this use case.

It's pretty easy to enumerate all public DoH servers for those who want to block them to offer their own DNS security services.

ALPN did come up in the DoH discussion. It was a conscious decision not to require it because it defeated some of the goals of DoH.

Paul
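The shared-port demux Erik describes, as an added Go example that is not part of this thread or of any service named in it: a single listener's GetConfigForClient picks the backend from the ALPN tokens the client advertised in its ClientHello, and since that list is sent in the clear before any key exchange, the same field is what an on-path filter sees, which is Paul's objection. The "dot" token spelling, the backend names and the omitted shared certificate are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"errors"
)

// Backend is one of the services sharing the port. Its Cfg advertises only that
// service's ALPN token, so once selected the handshake can settle on nothing else.
// DoH clients negotiate "h2" (HTTP/2); "dot" is an assumed spelling of the DoT
// token under discussion. A real deployment adds the shared certificate to each Cfg.
type Backend struct {
	Name string
	Cfg  *tls.Config
}

// backends are listed in the server's preference order.
var backends = []Backend{
	{Name: "doh", Cfg: &tls.Config{NextProtos: []string{"h2"}}},
	{Name: "dot", Cfg: &tls.Config{NextProtos: []string{"dot"}}},
}

// ErrNoALPN is returned when the client offered no token any backend serves;
// the listener refuses rather than guessing from the stream.
var ErrNoALPN = errors.New("demux: no usable ALPN token in ClientHello")

// Route picks the first backend (server preference) whose token appears in the
// ALPN list of the unencrypted ClientHello; nothing else about the client is used.
func Route(hello *tls.ClientHelloInfo) (Backend, error) {
	for _, b := range backends {
		for _, offered := range hello.SupportedProtos {
			if offered == b.Cfg.NextProtos[0] {
				return b, nil
			}
		}
	}
	return Backend{}, ErrNoALPN
}

// SharedPortConfig is the tls.Config for the single listener: GetConfigForClient
// swaps in the chosen backend's config for the rest of the handshake, or aborts it.
func SharedPortConfig() *tls.Config {
	return &tls.Config{
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			b, err := Route(hello)
			if err != nil {
				return nil, err // handshake is aborted, the client gets an alert
			}
			return b.Cfg, nil
		},
	}
}
```

After the handshake the listener hands the connection to the backend named by ConnectionState().NegotiatedProtocol, which can only be the single token Route selected.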
