On 11/24/2021 12:17 PM, Paul Vixie wrote:
> Christian Huitema wrote on 2021-11-24 12:02:
>> ...
>> Note that port 853 is a bit of a special case. TCP port 853 was first
>> reserved for DNS over TLS. UDP port 853 was then reserved for DNS
>> over DTLS, which was defined in an experimental RFC. Turns out that
>> several years later we are not aware of any deployment of DNS over
>> DTLS. So we believe that having UDP port 853 for DNS over QUIC and
>> TCP port 853 for DNS over TLS would keep the nice symmetry that was
>> originally intended.
> Who is "we"?

The DNS over QUIC draft authors. Sorry, I should have specified.

>> It would for example make management of firewalls easier, "port 853
>> is encrypted DNS for both UDP and TCP". The downside would be the case
>> of servers trying to run both DNS over QUIC and DNS over DTLS. We
>> don't know any such server, but it is nice to have a fallback
>> mechanism in the unforeseen case of some server somewhere trying to
>> do that. The ability of multiplexing QUIC and DTLS on the same port
>> gives us that.
> I likewise think UDP/853 for both DoD and DoQ is fine.
>
> The reason for the widespread lack of deployment of DoT (TCP/853) and DoD
> (UDP/853) is simply because the TLS (middleware) supply chain does not
> broadly know how to authenticate a server whose domain name is
> unknown. That is, all DNS has at the time it wishes to transmit some
> kinds of queries is an IP6/IP4 address. Putting these into
> presentation form and comparing the certificate's common name with
> that converted string can be done, but the logic to do so is in the
> TLS library, not the DNS server. So, deployment of DoD (DTLS, UDP/853)
> is "stuck" at the moment.

Yes. In theory, practical solutions must exist. In practice, we need
practice...
-- Christian Huitema
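The thread relies on QUIC and DTLS being distinguishable on a shared UDP port. As an added example (not from the thread or from the DoQ draft), here is the first-byte demultiplexer a port 853 server or firewall could use: every QUIC packet sets the fixed bit 0x40 (long headers also set 0x80), so its first byte is at least 0x40, while DTLS record first bytes are content types in the 20 to 63 range (the demux rule RFC 9443 uses). The sample datagrams are constructed, not captures.

```python
# Added example: demultiplex QUIC and DTLS datagrams arriving on the same UDP port (e.g. 853).
# QUIC (RFC 9000): long-header packets start with 0b1xxxxxxx, short-header packets with
# 0b01xxxxxx, so the first byte is always >= 0x40.
# DTLS: the first byte is a record content type (20..25 for plaintext records, and the
# DTLS 1.3 unified header is 0b001xxxxx = 32..63), so it is always < 0x40.
from enum import Enum


class Proto(Enum):
    QUIC = "quic"
    DTLS = "dtls"
    UNKNOWN = "unknown"


def classify(datagram: bytes) -> Proto:
    """Classify one UDP datagram by its first byte, as a DoQ/DoD dispatcher would."""
    if not datagram:
        return Proto.UNKNOWN
    first = datagram[0]
    if first >= 0x40:          # QUIC long header (0x80 set) or short header (0x40 set)
        return Proto.QUIC
    if 20 <= first <= 63:      # DTLS content-type range (RFC 9443 demux table)
        return Proto.DTLS
    return Proto.UNKNOWN       # e.g. STUN (0..3); cannot be either protocol


def demux(datagrams) -> dict:
    """Count how a batch of datagrams would be routed; useful for a firewall or server log."""
    counts = {p: 0 for p in Proto}
    for d in datagrams:
        counts[classify(d)] += 1
    return counts


# Constructed sample datagrams (not real captures):
QUIC_INITIAL = bytes([0xC0, 0x00, 0x00, 0x00, 0x01]) + b"\x00" * 20  # long header, version 1
QUIC_SHORT = bytes([0x41]) + b"\x11" * 16                             # 1-RTT short header
DTLS12_HELLO = bytes([0x16, 0xFE, 0xFD]) + b"\x00" * 10              # handshake record, DTLS 1.2
DTLS13_UNIFIED = bytes([0x2C]) + b"\x00" * 8                         # DTLS 1.3 unified header
STUN_LIKE = bytes([0x00, 0x01, 0x00, 0x00])                          # first byte 0..3: neither

if __name__ == "__main__":
    for name, pkt in [("QUIC_INITIAL", QUIC_INITIAL), ("QUIC_SHORT", QUIC_SHORT),
                      ("DTLS12_HELLO", DTLS12_HELLO), ("DTLS13_UNIFIED", DTLS13_UNIFIED),
                      ("STUN_LIKE", STUN_LIKE)]:
        print(f"{name:15} -> {classify(pkt).value}")
```

Note that a plaintext DNS message cannot be told apart this way, since its first byte is the high byte of an arbitrary message ID; that is why the shared port only works for the two encrypted transports.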