[getdns-api] Addition of new dns transport option

Wessels, Duane dwessels at verisign.com
Thu Mar 12 18:32:22 CET 2015


This all seems unfortunately complex.  In hindsight it may have been better
to define more simple transport types (UDP, TCP, TLSPORT, STARTTLS) and
then set them in the context as an ordered list.  If the first one in the
list doesn't work, fallback to the next one, and so on...

Too late to change now?

DW

On Mar 12, 2015, at 10:11 AM, Sara Dickinson <sara at sinodun.com> wrote:

> Hi All, 
> 
> As I mentioned yesterday in the meeting there would need to be some additional transport types as arguments to the getdns_context_set_dns_transport() method to support DNS-over-TLS. The current set are:
> 
> GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP
> GETDNS_TRANSPORT_UDP_ONLY 
> GETDNS_TRANSPORT_TCP_ONLY
> GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN
> 
> To provide flexibility to perform different scenarios (depending on the privacy requirements of the client) as described in http://tools.ietf.org/html/draft-hzhwm-dprive-start-tls-for-dns-01 we could consider adding the following:
> 
> GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN
> GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_STARRTLS_KEEP_CONNECTIONS_OPEN
> GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_STARRTLS_THEN_TCP_KEEP_CONNECTIONS_OPEN
> GETDNS_TRANSPORT_STARTTLS_ONLY_KEEP_CONNECTIONS_OPEN
> GETDNS_TRANSPORT_STARTTLS_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN
> 
> 
> 1) Does anyone object to adding all 5 of these options? (Implementation note: there are 10 enums reserved in the getdns code for transport options)
> 
> 2) The names here are explicit, but verbose. Should we consider condensing them?
> 
> 3) Is there a mechanism to mark those containing STARTTLS as ‘experimental’ in the spec?
> 
> One other note, the API does support specifying a set of upstream resolvers for stub mode (including a port), but there is no mechanism currently to specify a port to use for pure TLS.  We could extend the API or, more pragmatically for now, always use port 1022 (based on Allison’s comments) on the assumption one will hopefully be assigned by IANA. Thoughts?
> 
> Regards
> 
> Sara.
> 
> 
> 
> -------------------------
> Sara Dickinson
> 
> http://sinodun.com
> 
> Sinodun Internet Technologies Ltd.
> Magdalen Centre
> The Oxford Science Park
> Oxford
> OX4 4GA
> U.K.
> 
> _______________________________________________
> getdns-api mailing list
> getdns-api at vpnc.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://getdnsapi.net/pipermail/spec/attachments/20150312/d4b6f065/attachment.bin>
-------------- next part --------------
_______________________________________________
getdns-api mailing list
getdns-api at vpnc.org


More information about the spec mailing list