[Dnssec-trigger] port 443 vs port 80?

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Jan 26 21:45:54 UTC 2012



Hi Paul,

On 01/26/2012 08:59 PM, Paul Wouters wrote:
> 
> Hi,
> 
> See these results:
> 
> results from probe at 2012-01-26 14:49:28
> 
> ssl443 193.110.157.123: OK tcp80 193.110.157.123: OK authority
> 128.8.10.90: error timeout
> no cache: no DNS servers have been supplied via DHCP
> 
> DNSSEC results fetched from open resolvers over TCP

Yes it prefers port 80 above port 443.

Port 80 is unencrypted plain-DNS-over-TCP.

> I think "over TCP" means port 80, not port 443. But I recommend telling
> the user whether tcp80 or ssl443 is used.
> 
> Second, if indeed it is using tcp80, I suggest that since we can do
> ssl443, we might as well use that to give the user some query privacy.
> 
> So I propose to use ssl443 over port80 if both are available.

Well without SSL is a lot easier on resources, also much faster in msec
roundtrip time.  The query itself, if someone interested was bothered,
could easily be traced anyway (because it would have been sent to the
local cache, through the local firewall, unencrypted if the local cache
supported the DO flag).

So, it's not about privacy, but about the difference in resources.

You could, of course, simply not configure tcp80 entries in the config file.

Best regards,
   Wouter
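An added example, not part of this thread or of the dnssec-trigger code: it parses the probe line quoted above (the token format is assumed from that single sample) and picks a fallback using either the tcp80-first order Wouter describes or the ssl443-first order Paul proposes.

```python
import re

# Constructed sample, copied from the probe output quoted in the thread.
PROBE_LINE = ("ssl443 193.110.157.123: OK tcp80 193.110.157.123: OK authority "
              "128.8.10.90: error timeout")

# Assumed format: repeated "<kind> <ip>: <status>" tokens on one line, where
# <status> runs until the next "<kind> <ip>:" token or the end of the line.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TOKEN_RE = re.compile(
    r"(?P<kind>\w+)\s+(?P<ip>" + IP + r"):\s+(?P<status>.*?)"
    r"(?=\s+\w+\s+" + IP + r":|$)")


def parse_probe(line):
    """Return (kind, ip, status) tuples in the order the probe reported them."""
    return [(m.group("kind"), m.group("ip"), m.group("status").strip())
            for m in TOKEN_RE.finditer(line)]


def choose_transport(results, prefer_ssl=False):
    """Pick the first fallback transport that probed OK.

    prefer_ssl=False reproduces the order Wouter describes (tcp80 before ssl443,
    cheaper and faster); prefer_ssl=True is Paul's proposal (ssl443 first when
    both work). Returns (kind, ip) or None when no fallback is usable.
    """
    order = ("ssl443", "tcp80") if prefer_ssl else ("tcp80", "ssl443")
    for kind in order:
        for k, ip, status in results:
            if k == kind and status == "OK":
                return kind, ip
    return None


if __name__ == "__main__":
    parsed = parse_probe(PROBE_LINE)
    print(parsed)
    print("current order :", choose_transport(parsed))
    print("ssl443 first  :", choose_transport(parsed, prefer_ssl=True))
```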