From: dns-privacy [mailto:[email protected]] On Behalf Of Phillip Hallam-Baker
We have to avoid loaded terms like minimal changes. What is a minimal change is a very subjective question.

We have middlebox issues. Since a middlebox can't do anything useful to an encrypted message and because my objective is to bypass government censorship schemes, my approach is to bypass the middleboxen wherever possible. So I see no value in port 53 whether UDP or TCP. Changing the port number isn't really a major change in the protocol in my view.

Sure we could tunnel e-DNS over DNS. In fact I started off doing that three years ago. I even wrote code for that. But why bother when there are plenty of uncluttered UDP ports?

--------------------------------

[Hosnieh] Don't make a mistake... first of all, the discussion is not about whether this or that proposal is good or bad. The discussion is about having an EQUAL chance for all proposals to present themselves, while this hasn't happened at least for CGA-TSIGe, which every time was dropped from the agenda.

[Hosnieh] The similarities of all proposals IMO are as follows:
1- the purpose of all proposals is to avoid government censorship.
2- encrypting the DNS messages

The differences of these proposals are:
1- How to do the encryption of the DNS message

Now let's get back to any proposals with the need of using other ports than DNS. To be realistic, at the moment in all middleboxes like a firewall, port 53 has been defined for DNS and is open for that purpose. In most large enterprises there are restrictive policies and they mostly keep all unnecessary ports closed. In none of my messages did I say it is not possible to re-configure all of these devices, but I would say it is not easy, not only technically but also non-technically. I am not talking about a small network with perhaps one firewall or a router, but large corporates. I know that many big enterprises have a lot of bureaucracy to change any single thing in their network. Furthermore, this is too much administrative work. I hope it is clear.
Best,
Hosnieh

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
