On 2/14/19 9:05 AM, Stephane Bortzmeyer wrote:
>> Technically you can run DoT on whatever port you like.
>>
>> Example: with knot-resolver it's easy - you just add @443, either on
>> the side of the server and/or on the side of forwarding over TLS.
> The problem is that you cannot then share this port with HTTPS
> services (the dkg draft on demultiplexing was abandoned, apparently
> because it doesn't work). In a world of scarce IPv4 public addresses,
> this is a serious problem.
You can still multiplex based on SNI sent by the client. HTTPS clients surely send it commonly. DoT clients perhaps not so often, but that's just an implementation detail (which I was fixing in the past few weeks in knot-resolver, incidentally).

I'm not sure how easy SNI-based multiplexing is to configure with today's software, but I believe I've heard of some such setup with nginx. And I don't have any idea whether SNI encryption would interfere with that, but I hope not. ESNI will be a key part of DNS privacy, though mainly for the non-DNS traffic.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
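The nginx setup alluded to above, as an added example that is not part of the thread and not knot-resolver's or nginx's own documentation: nginx's stream module can peek at the plaintext server_name extension of the TLS ClientHello (`ssl_preread`) and hand the TCP connection to a DoT resolver or an HTTPS server without terminating TLS itself. The hostnames `dns.example.com`, the loopback backend ports 853 and 8443, and the upstream names are assumptions chosen for illustration.

```nginx
# Added example: TCP-level SNI demultiplexing of DoT and HTTPS on one
# IPv4 address and port with nginx's stream module
# (ngx_stream_ssl_preread_module). Hostnames and ports are assumptions.
stream {
    # Route on the server_name the client sends in its TLS ClientHello.
    # A client that sends no SNI yields an empty string here and
    # therefore falls through to the default (HTTPS) backend.
    map $ssl_preread_server_name $upstream {
        dns.example.com   dot_backend;    # name published for the DoT service
        default           https_backend;  # everything else, incl. no-SNI clients
    }

    upstream dot_backend {
        server 127.0.0.1:853;             # DoT resolver (e.g. knot-resolver) on loopback
    }

    upstream https_backend {
        server 127.0.0.1:8443;            # HTTPS server on loopback
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;                   # inspect the ClientHello, do not terminate TLS
        proxy_pass $upstream;
    }
}
```

Because nginx never terminates TLS here, each backend keeps presenting its own certificate and the DoT resolver still sees a normal TLS session; nginx only needs to be built with `--with-stream` and `--with-stream_ssl_preread_module`. Two caveats follow directly from the mechanism: a DoT client that omits SNI is routed to the default backend (so the DoT service should not be the default unless that is the intended fallback), and with encrypted SNI (ESNI, now ECH) only the outer, public name is visible to `ssl_preread`, so routing then has to key on that public name rather than on the real target hostname.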