IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-edns-tcp-keepalive-05

joel jaeggli <joelja@bogus.com> Tue, 26 January 2016 07:53 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A96021A6FC3 for <dnsop@ietfa.amsl.com>; Mon, 25 Jan 2016 23:53:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level:
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BjfggXHTxP2h for <dnsop@ietfa.amsl.com>; Mon, 25 Jan 2016 23:53:50 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98ECC1A6FC2 for <dnsop@ietf.org>; Mon, 25 Jan 2016 23:53:50 -0800 (PST)
Received: from mb-2.local ([IPv6:2601:647:4204:51:35e4:10ba:ddf9:c30]) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id u0Q7rhpN077538 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 26 Jan 2016 07:53:44 GMT (envelope-from joelja@bogus.com)
To: 🔓Dan Wing <dwing@cisco.com>, Tim Wicinski <tjw.ietf@gmail.com>
References: <568E8479.9090400@bogus.com> <56A0FBB2.6000403@gmail.com> <E1AA00BE-9B1E-47FC-BB27-D36296DDC60D@cisco.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <56A72606.7080600@bogus.com>
Date: Mon, 25 Jan 2016 23:53:42 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Thunderbird/44.0
MIME-Version: 1.0
In-Reply-To: <E1AA00BE-9B1E-47FC-BB27-D36296DDC60D@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="gxtRbcMcGMvEGwpCxxoIpL8hiPDqk6l7J"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/qMvEVdtg4R_UJ5MdjyvApIUv5Uk>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "dnsop-chairs@tools.ietf.org" <dnsop-chairs@tools.ietf.org>
Subject: Re: [DNSOP] draft-ietf-dnsop-edns-tcp-keepalive-05
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2016 07:53:52 -0000

On 1/25/16 2:38 PM, 🔓Dan Wing wrote:
> 
> On 21-Jan-2016 07:39 am, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>> 
>> DNSOP,
>> 
>> Joel our AD sent this note out two weeks ago to get some working
>> group consensus on this discussion which came up during the IESG
>> telechat on tcp-keepalive
>> 
>> I am in agreement with Joel on this (tcp-keepalive is not the
>> mechanism for DTLS), but it should be thought of.
>> 
>> any opinions? I'd like to get some resolution so we can move this
>> along
> 
> The TCP mechanism (edns-tcp-keepalive) negotiates the ability of the
> client and the server to send multiple DNS queries on the same TCP
> connection.  As such, it seems ill-named (that is, a title adjustment
> seems important).  This does not actually "keep the connection
> alive", which is the traditional meaning of "keepalive" in IETF
> protocols.  This EDNS0 option is useful for both DNS-over-TCP, as
> well as DNS-over-TLS-over-TCP.
> 
> For DNS-over-DTLS-over-UDP, we should not need to negotiate the
> client or server capability to send multiple DNS queries over the
> same DTLS connection; the mere act of negotiating DTLS indicates the
> ability to handle subsequent DNS queries using that same DTLS
> connection.  The same might also be true of DNS-over-TLS-over-TCP, in
> fact?  I mean, is there a client or a server that wants to use
> DNS-over-TLS-over-TCP and _not_ also have the ability to keep their
> TCP connection alive for later DNS queries over that same TLS
> connection?  Perhaps for both DNS-over-TLS, and DNS-over-DTLS, the
> semantics of edns-tcp-keepalive are implied?

that is an interesting reading. though I'd want to hear an implementor
or two say they interpreted it that way.

> -d
> 
> 
> 
> 
> 
> 
> 
>> 
>> thanks tim
>> 
>> 
>> 
>> On 1/7/16 10:30 AM, joel jaeggli wrote:
>>> From Stephens discuss, this is a question we should probably
>>> answer for ourselves. (it's no longer a consideration as a
>>> discuss.
>>> 
>>> The question: how does this option play with DNS over DTLS? [1]
>>> 
>>> The reason I ask is that there may be a need in that case for
>>> some similar option (or a TLS extension maybe) though for the
>>> DTLS session lifetime and not a TCP session lifetime. At present
>>> you are saying that this option is not it. And that's a fine
>>> answer but you could also have said that this could also be used
>>> for DTLS session lifetime handling. And that last might make
>>> sense for operational reasons (not sure really, but could be).
>>> 
>>> [1] https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls-03
>>> 
>>> My take personally is tcp keepalive option is not the mechanism
>>> for dtls, but then we get multiple options specifying essentially
>>> the same sort of value at some point in the future.
>>> 
>>> I just want to make sure we have a good reading on this.
>>> 
>> 
>> _______________________________________________ DNSOP mailing list 
>> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
> 
> 
> _______________________________________________ DNSOP mailing list 
> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email