Reading this thread made me wonder if we should cover this analysis in the applicability draft or not. I have opened an issue regarding this (https://github.com/quicwg/ops-drafts/issues/428#issue-1064583264).
BR
Zahed

On 2021-11-24, 21:29, "QUIC on behalf of Christian Huitema" <[email protected] on behalf of [email protected]> wrote:

On 11/24/2021 12:17 PM, Paul Vixie wrote:
>
> Christian Huitema wrote on 2021-11-24 12:02:
>> ...
>>
>> Note that port 853 is a bit of a special case. TCP port 853 was first reserved for DNS over TLS. UDP port 853 was then reserved for DNS over DTLS, which was defined in an experimental RFC. Turns out that several years later we are not aware of any deployment of DNS over DTLS. So we believe that having UDP port 853 for DNS over QUIC and TCP port 853 for DNS over TLS would keep the nice symmetry that was originally intended.
>
> who is "we"?

The DNS over QUIC draft authors. Sorry, I should have specified.

>
>> It would for example make management of firewalls easier, "port 853 is encrypted DNS for both UDP and TCP". The downside would be the case of servers trying to run both DNS over QUIC and DNS over DTLS. We don't know any such server, but it is nice to have a fallback mechanism in the unforeseen case of some server somewhere trying to do that. The ability of multiplexing QUIC and DTLS on the same port gives us that.
>
> i likewise think UDP/853 for both DoD and DoQ is fine.
>
> the reason for widespread lack of deployment of DoT (TCP/853) and DoD (UDP/853) is simply because the TLS (middleware) supply chain does not broadly know how to authenticate a server whose domain name is unknown. that is, all DNS has at the time it wishes to transmit some kinds of queries is an IP6/IP4 address. putting these into presentation form and comparing the certificate's common name with that converted string can be done, but the logic to do so is in the TLS library not the DNS server. so, deployment of DoD (DTLS, UDP/853) is "stuck" at the moment.

Yes. In theory, practical solutions must exist. In practice, we need practice...

-- Christian Huitema
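Vixie's point above, that a DNS client only has an IP address to authenticate the server with, as an added example (not code from anyone in the thread): a stdlib-only check that matches the server address against the iPAddress entries of the certificate's subjectAltName, which is where RFC 5280 puts the raw address octets and what RFC 8310 says a DoT client should verify. It assumes the SAN octets have already been pulled out of the certificate (the constructed SAMPLE_SAN_IPS stands in for that) and shows why comparing presentation-form strings is not enough for IPv6.

```python
import ipaddress
from typing import Iterable, Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: the raw iPAddress SAN octets as they would be decoded
# from DER. 192.0.2.53 (4 bytes) and 2001:db8::35 (16 bytes), documentation
# ranges only; not taken from any real certificate.
SAMPLE_SAN_IPS = [
    bytes([192, 0, 2, 53]),
    b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x35",
]


def san_octets_to_address(raw: bytes) -> Optional[Addr]:
    """Decode one iPAddress SAN value; RFC 5280 stores 4 or 16 raw octets."""
    if len(raw) in (4, 16):
        return ipaddress.ip_address(raw)
    return None  # malformed entry: ignore rather than guess


def matches_ip_san(server_ip: str, san_ip_entries: Iterable[bytes]) -> bool:
    """True if the address the resolver is contacting is named by an
    iPAddress SAN. Comparison is done on the parsed binary address, so
    "2001:0db8::35", "2001:db8::35" and "2001:DB8::35" all match the same
    16 octets."""
    try:
        want = ipaddress.ip_address(server_ip)
    except ValueError:
        return False  # not an address at all; nothing to match against
    for raw in san_ip_entries:
        got = san_octets_to_address(raw)
        if got is not None and got == want:
            return True
    return False


def naive_presentation_match(server_ip: str, common_name: str) -> bool:
    """The fragile approach Vixie describes: compare the address string with
    the certificate's CN. Equivalent IPv6 spellings fail, and RFC 6125 and
    RFC 8310 do not rely on the CN for this anyway."""
    return server_ip == common_name


if __name__ == "__main__":
    print(matches_ip_san("2001:0db8::35", SAMPLE_SAN_IPS))          # True
    print(naive_presentation_match("2001:0db8::35", "2001:db8::35"))  # False
```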
