NNPS / TCP port 433

Julien ÉLIE julien at trigofacile.com
Sat Dec 11 19:57:06 UTC 2021 

Hi Grant and Russ,

>> I'm of the mind that we as the NNTP using community make a server rule
>> -- a la. "house rule" -- that the NNSP port 433 be implicitly TLS
>> protected much like NNTPS port 563 is.  -- I say this because the
>> current industry best practices are to use implicit encryption.  So if
>> the NNSP port 433 is largely unused and we want to start making use of
>> it, why not impose implicit encryption.
> 
> Unfortunately, there is quite substantial existing use of 433 unencrypted
> and innd among others doesn't support TLS on that port right now.  So I
> think there's some work ahead of us before we could get to that point.
> The flag day of switching port 433 from unencrypted to encrypted is a bit
> tricky to navigate.

Making use of SRV records in DNS may be a useful use case for that scenario.

Following the syntax of RFC 2782 (which was declined in RFC 6186 for 
mail), one could add:

_nnsp._tcp     SRV 10 1 119 news.server.com.
_nntp._tcp     SRV 10 1 119 news.server.com.
_nntps._tcp    SRV  0 1 563 news.server.com.
_nnsps._tcp    SRV  0 1 433 news.server.com.

to say that nntps has more priority (0) than nntp (10).  As well as 
nnsps (0) has over nnsp (10).  Port 433 uses implicit TLS, as mentioned 
for NNSPS.
If NNSP pointed to 433 (or even both 119 and 433), it would have meant 
that port 433 does not use implicit TLS.

_nnsp._tcp     SRV 20 1 119 news.server.com.
_nnsp._tcp     SRV 10 1 433 news.server.com.

(saying that port 433 is preferred over 119)

Format is: priority weight port target.



FWIW, I've just added SRV records for my news server:

_nnsp._tcp     SRV 10 1 119 news.trigofacile.com.
_nntp._tcp     SRV 10 1 119 news.trigofacile.com.
_nntps._tcp    SRV  0 1 563 news.trigofacile.com.
_nnsps._tcp    SRV  0 0 0   .

[RFC 2782]
         A Target of "." means that the service is decidedly not
         available at this domain.


I believe using such SRV records could be interesting in the use case 
mentioned in this discussion.

The client only has to resolve:

% dig SRV _nnsp._tcp.trigofacile.com. +short
10 1 119 news.trigofacile.com.

% dig SRV _nnsps._tcp.trigofacile.com. +short
0 0 0 .

-- 
Julien ÉLIE

« – Il t'arrive une tuile ?
   – Oui, je ne peux pas payer mon ardoise. »

More information about the inn-workers mailing list