Hi Kevin, Paul,

On 12/23/24 12:08, Kevin P. Fleming wrote:

> The DSYNC record contains the name of the target and a port number, but no indication of which flavor of DNS transport should be used to connect to that port to deliver the NOTIFY. If the port is 53 then Do53 over UDP seems like a reasonable choice, but if the port is 853 then it could be either DoT or DoQ. If the port is 443 then presumably DoH would be used. If it's not one of those... then plain DNS over UDP?

Thank you for pointing this out! The intention is to use "plain DNS", for multiple reasons:

- The protocol specifies how to send messages to a notification listener service. Unlike typical DNS queries, this does not involve a resolver, so resolver-style ALPN for figuring out the auth transport cannot be used;
- The authors think that these hints don't require cryptographic protection. If the WG feels that encrypted transport needs to be available, we suggest adding scheme=2 for DoQ. (Note that this can also be done easily at a later time when someone has an actual need; only expert review is required.)

To clarify this, we've added in Section 2.3: "using conventional [RFC1035] DNS transport"

Regarding the port field: It is literally just the port number where the listener service listens, and should not be used to infer the transport. (The listener service is not a nameserver, so port 53 should not be assumed.)

Best,
Peter + co-authors
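The rule discussed above (the scheme field decides the transport, the port is used literally and never to guess DoT/DoH), as an added Python example that is not from the thread or the draft authors. It assumes the DSYNC presentation format `RRTYPE SCHEME PORT TARGET` with scheme 1 meaning NOTIFY over conventional DNS, a constructed sample record, and the NOTIFY wire format of RFC 1996 (opcode 4, one SOA question).

```python
import socket
import struct

SCHEME_NOTIFY = 1  # assumption: scheme 1 = NOTIFY over conventional DNS transport


def parse_dsync(rdata: str) -> dict:
    """Parse DSYNC RDATA in presentation format: 'RRTYPE SCHEME PORT TARGET'."""
    rrtype, scheme, port, target = rdata.split()
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if not target.endswith("."):
        target += "."
    return {"rrtype": rrtype, "scheme": int(scheme), "port": port, "target": target}


def choose_transport(rec: dict) -> tuple:
    """Transport is derived from the scheme only; 853 or 443 still means plain UDP."""
    if rec["scheme"] == SCHEME_NOTIFY:
        return ("udp", rec["target"], rec["port"])
    raise ValueError(f"unsupported DSYNC scheme {rec['scheme']}")


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (length-prefixed labels, root = 0x00)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_notify(zone: str, msg_id: int = 0x1234) -> bytes:
    """RFC 1996 NOTIFY: opcode 4 (bits 11-14 of the flags word), QDCOUNT=1, ZONE SOA IN."""
    flags = 4 << 11
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # QTYPE SOA=6, QCLASS IN=1


def send_notify(rec: dict, zone: str, timeout: float = 2.0) -> bytes:
    """Deliver the NOTIFY to the listener named by DSYNC, at the literal port from the record."""
    proto, host, port = choose_transport(rec)
    assert proto == "udp"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_notify(zone), (host.rstrip("."), port))
        return s.recv(512)  # the listener's response (or socket.timeout if none)
```

Only `send_notify` touches the network; the parsing and message construction run offline.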