Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

"Christopher Wood" <> Sat, 06 July 2019 13:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A25311201D0 for <>; Sat, 6 Jul 2019 06:50:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=Y7X6FG8t; dkim=pass (2048-bit key) header.b=yW42+t7B
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IL0wwhhASqz8 for <>; Sat, 6 Jul 2019 06:50:38 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A9DBD1201CA for <>; Sat, 6 Jul 2019 06:50:38 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal []) by mailout.west.internal (Postfix) with ESMTP id 1AE7F48D for <>; Sat, 6 Jul 2019 09:50:38 -0400 (EDT)
Received: from imap4 ([]) by compute6.internal (MEProxy); Sat, 06 Jul 2019 09:50:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=1427O EQdGF6/z5C6ppd28pwc3GLzeZrukwfG91E/CdU=; b=Y7X6FG8tObfpWDoCSkQx9 YopAzawLBiFSawRZ708G4uLMD8g0zZ0OrBA/E3iQ/K6mvgvijb88ondwk+7Rt7hm xJZNOId4MkWqy0xUY1IzMhY4TtNVr9ui7JajJNmpuVBZSa2toSRIBelqm/LfIYo3 CcbsbBRDLf1y4bCSFbLRGv340lK/yRUu5E5l3q8b6syFRcPy1z8HZZiNhka2M9kA iHNenov9YV55qyguNJiUODTPUKaalSYF1B0BA8fUG0ePuthNqAwiyLf2iaaWrJRw VimNy0XT7FXOPk5HAccHF1jLnhsuXuNTYEL1Z05syZ0S4mXLYkgS1AS+3MUXN1uL Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=1427OEQdGF6/z5C6ppd28pwc3GLzeZrukwfG91E/C dU=; b=yW42+t7BeBvQzR1VMHJ8W9KvhVtK4M4iEW8sD7Sh52DYQKhzOZfxuGUxd YsfHJwvaNzaGbERbolEG4/KFhuG6O3aO5Ri2VdasfyciB9hfRxL1c9urMTv5ZILV 8VyIH20cGUb3XqfppYOA7Z9ZTVmN0C/mZ8IOwxVgkYmxw9hLa02kDol/L1ue2HDb BmVT/2s4AoSdLjudzwzcLAkk/8uyJNtZljJsU9j6Olvqw+vNExR/lT+PUP9vLlSj 74sKFXHjcyC6UOsPRzGljj7cPQOnxpML9rP7/qPSjwZ1CFysX30hAgUAylP8nAWJ IHWX6ak3X9bo0Er3OWgxOqB2e7I1w==
X-ME-Sender: <xms:LacgXVFTLMacGj8TmbndBCN-bnIiM6R2nxBMgr_tJfqyH6M73T1hTQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrfeeigdeilecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomheptg grfieshhgvrghpihhnghgsihhtshdrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:LacgXRlJRViXRHo_qUqKL0thnZyTeoCoYQugdIQ8dJgzXKJcE9ppww> <xmx:LacgXb0UQLzhvUUPUtfbtZ9Ll5DuzGleO3Ns9HfNLNipLSd18-dtrQ> <xmx:LacgXXyCgmeubX8ilSJ46I5rbM00b4GPI6LvGIoG2LMGwcptty2Z0Q> <xmx:LacgXXAEgNrtc6QjPHRcGG0vPg3rtIVe53DF5wKiicR4yqRNAwbkjg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 328BC3C00A1; Sat, 6 Jul 2019 09:50:37 -0400 (EDT)
X-Mailer: Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-731-g19d3b16-fmstable-20190627v1
Mime-Version: 1.0
Message-Id: <>
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Sat, 06 Jul 2019 06:50:36 -0700
From: Christopher Wood <>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 06 Jul 2019 13:50:41 -0000

On Fri, Jul 5, 2019, at 5:45 PM, David Schinazi wrote:
> On Thu, Jul 4, 2019 at 9:52 AM Tom Pusateri <> wrote:
> >> On Jul 3, 2019, at 11:12 AM, Ted Lemon <> wrote:
> >> And thanks for the advice about how to terminate TLS connections—I had missed that nuance. Are TLS implementations actually able to do this (to reject RST packets)?
> > 
> > This was actually a comment from David Schinazi (and a good one). I’ve adjusted the working copy on github but there’s still one section I’m wrestling with regarding TCP RST.
> On most operating systems today, TCP is in the kernel and TLS is in 
> user-space, so most implementations of TLS over TCP do not have the 
> ability to discard TCP RSTs that were injected by attackers. However, 
> the TLS close_notify alert allows endpoints to be able to tell the 
> difference between a connection that was closed gracefully by the peer 
> and one that was forcefully terminated (possibly by an attacker). So 
> upon receipt of a TCP RST without prior TLS close_notify, the 
> connection will die, but the application will know that the latest 
> message could have been truncated halfway through transmission and 
> should therefore be discarded.

+1 (though some applications might choose to use the partial message)