Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

David Schinazi <> Mon, 08 July 2019 23:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 419D5120384; Mon, 8 Jul 2019 16:05:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.702
X-Spam-Status: No, score=-0.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YbAOsi1SArb0; Mon, 8 Jul 2019 16:05:32 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B046C120354; Mon, 8 Jul 2019 16:05:31 -0700 (PDT)
Received: by with SMTP id m23so17589342lje.12; Mon, 08 Jul 2019 16:05:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Y6EH5ujmCSeGDYZ3ylnNPCo1M9YGamS7J3jcwalt3no=; b=tCGS+JCz8q2Q2KbQs/CDFxG2pE2QpzoJprqV7UGV1iXERBXReakhyxVw3lruh5MnSV 9R8XSmVC0BYhcIJHusT8YbkN+pI7Xx42Sc3YZEhhpDLk/9/+ev93VwK0TG9B61QTjhd0 Ff/oxkao/QOdJONd80bTKKniBHOOWkuYxerKeon1VZ4o8ckPCFoYa+ZYY3eq4eVIc+cy umdkGLQE0bDUMP8hntCYRKzNLH6tdHvVcEPZEEsS4EG+MUcP2mRUkRMk8pDLz4b7JD21 xIDpA13rweCF0f7SkH8eYw0ECERemfjeRlqBTJF4dMTkpni7P8SptjU2l0eFTkUSbZYM oFZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Y6EH5ujmCSeGDYZ3ylnNPCo1M9YGamS7J3jcwalt3no=; b=dWJBlZjmSPs2N46cIL9TcctA8VhPpNTqgswbmOSNjx3D3SPkcCeWXTFMdtzsO6tNj6 CRXHqVnGHXyc2toykrBEZYnHsV+d+fzCrU0bz2UOR4/OB0yA2DBYGknMfj33aJZq3DRW TDSbCYOs22M6V5qkVFrEJOkPA95tjUTFGIGtpjVhGjT3EYiKYC3RlU2JMirmxfDjLVLj EPWhgv6lrToA1Ixuj6H07KoB36ECahWJDKPa3nq/GKEfxy66Xi/ub3Ju8dV3ZkrjrkC9 0e9zQVe6RWyuLmTpThLwDcffn8qWaAM6Zimn80AWjJDW+Zv43WA7aT+KMpOqEf2ZQRG0 ft1g==
X-Gm-Message-State: APjAAAUA+zQ3ycCKg0nQw0UJzI3kUuZXoM4SMckDaj4OkfsUovRMrt9M oJdFvjp+36hRMHZB+MdZ7Z6gnOZRXR+0p+wBugw=
X-Google-Smtp-Source: APXvYqwVgRplkP3mtRIoqiH47WsPRLCyNtxt6kXXJrQesFnwWgn5z4MPtXUf/rBr4YkYAgrzWB3Zmg+lw8nKu/wLF+4=
X-Received: by 2002:a2e:2c14:: with SMTP id s20mr11653099ljs.54.1562627129826; Mon, 08 Jul 2019 16:05:29 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: David Schinazi <>
Date: Mon, 08 Jul 2019 16:05:18 -0700
Message-ID: <>
To: Stuart Cheshire <>
Cc: Tom Pusateri <>, Robert Sparks <>,, DNSSD <>, Eric Rescorla <>
Content-Type: multipart/alternative; boundary="000000000000fd6333058d337a80"
Archived-At: <>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jul 2019 23:05:41 -0000

In general the "TLS Alerts" error codes are specific to the operation of
TLS itself, not the application running over TLS.

If you want to send a graceful close, the tool of choice is close_notify.
If you detect an unrecoverable error and want to abort the connection, I
see two options:
(1) forcibly terminate the connection at the DNS layer by sending a DNS
error message followed by a TLS close_notify
(2) forcibly terminate the connection at the TCP layer by sending a RST

As a client sending, I don't see much value in (1) since all the server can
do in either case is free the resources associated with this connection.
As a server sending, I suspect (1) is best unless you were unable to parse
anything in which case (2) makes sense.


On Mon, Jul 8, 2019 at 3:53 PM Stuart Cheshire <> wrote:

> On 2 Jul 2019, at 12:36, David Schinazi <> wrote:
> > Hi Tom,
> >
> > If the protocol is restricted to TLS over TCP, it should send a TLS
> close_notify, not a TCP RST.
> > TLS close_notify is cryptographically guaranteed to originate from the
> peer,
> > whereas TCP RST can be injected by an on-path entity to cause truncation
> attacks.
> In TCP we use FIN for a graceful close, and RST for an abortive close. The
> former is normal operation; the latter means your code has a bug you need
> to fix.
> Is there an appropriate equivalent in TLS? It would be good to
> differentiate normal operation from a fatal protocol error that causes a
> forcible termination.
> I see in the TLS 1.3 spec, RFC 8446, Section 6.2. “Error Alerts” says:
>    Whenever an implementation encounters a fatal error condition, it
>    SHOULD send an appropriate fatal alert and MUST close the connection
>    without sending or receiving any additional data.
> <>
> Are any of these error alerts appropriate to perform this abortive
> disconnect, like perhaps the decode_error code?
>    decode_error:  A message could not be decoded because some field was
>       out of the specified range or the length of the message was
>       incorrect.  This alert is used for errors where the message does
>       not conform to the formal protocol syntax.  This alert should
>       never be observed in communication between proper implementations,
>       except when messages were corrupted in the network.
> Or are these TLS error alerts reserved for TLS-layer error conditions?
> Stuart Cheshire