Christian Huitema wrote on 2021-11-24 12:02:
> ...
> Note that port 853 is a bit of a special case. TCP port 853 was first
> reserved for DNS over TLS. UDP port 853 was then reserved for DNS over
> DTLS, which was defined in an experimental RFC. Turns out that several
> years later we are not aware of any deployment of DNS over DTLS. So we
> believe that having UDP port 853 for DNS over QUIC and TCP port 853 for
> DNS over TLS would keep the nice symmetry that was originally intended.

who is "we"?

> It would for example make management of firewalls easier, "port 853 is
> encrypted DNS for both UDP and TCP". The downside would be the case of
> servers trying to run both DNS over QUIC and DNS over DTLS. We don't
> know any such server, but it is nice to have a fallback mechanism in the
> unforeseen case of some server somewhere trying to do that. The ability
> of multiplexing QUIC and DTLS on the same port gives us that.
i likewise think UDP/853 for both DoD and DoQ is fine.
the reason for widespread lack of deployment of DoT (TCP/853) and DoD
(UDP/853) is simply because the TLS (middleware) supply chain does not
broadly know how to authenticate a server whose domain name is unknown.
that is, all DNS has at the time it wishes to transmit some kinds of
queries is an IP6/IP4 address. putting these into presentation form and
comparing the certificate's common name with that converted string can
be done, but the logic to do so is in the TLS library not the DNS
server. so, deployment of DoD (DTLS, UDP/853) is "stuck" at the moment.
vixie
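The situation Vixie describes, a DNS client that only knows the server's IP address and must decide whether the presented certificate belongs to it, is illustrated by the added Python example below; it is not code from the thread or from any DNS or TLS implementation. It assumes the certificate is available in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificate and addresses (documentation ranges) are constructed for the example.

```python
import ipaddress
import ssl
import socket

# Constructed sample in getpeercert() shape: one IPv4 and one IPv6
# iPAddress SAN, plus a CN that must NOT be used for matching.
SAMPLE_CERT = {
    "subject": ((("commonName", "resolver.example"),),),
    "subjectAltName": (
        ("DNS", "resolver.example"),
        ("IP Address", "192.0.2.53"),
        ("IP Address", "2001:db8::53"),
    ),
}


def cert_matches_ip(cert, ip_text):
    """True if ip_text is listed as an iPAddress SAN in cert.

    Comparison is done on parsed addresses, not on strings, so that
    "2001:0db8::0053" and "2001:db8::53" compare equal and a server
    cannot be accepted or rejected because of presentation-form
    differences. The commonName is deliberately ignored.
    """
    target = ipaddress.ip_address(ip_text)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == target:
                return True
        except ValueError:
            continue  # malformed SAN entry: skip, never match
    return False


def connect_dot(ip_text, port=853, timeout=5.0):
    """Open a DNS-over-TLS connection to a server known only by IP.

    Hostname checking is disabled because there is no hostname; the
    certificate chain is still validated against the system trust store,
    and the iPAddress SAN check above is applied after the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # no name to check; SAN IP check replaces it
    raw = socket.create_connection((ip_text, port), timeout=timeout)
    tls = ctx.wrap_socket(raw)
    if not cert_matches_ip(tls.getpeercert(), ip_text):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate not issued for {ip_text}")
    return tls
```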