Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

Robert Sparks <> Wed, 03 July 2019 14:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 51D941202E1; Wed, 3 Jul 2019 07:45:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.679
X-Spam-Status: No, score=-1.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2eQbsDOxrewZ; Wed, 3 Jul 2019 07:45:49 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B260A1202E0; Wed, 3 Jul 2019 07:45:36 -0700 (PDT)
Received: from unescapeable.local ([]) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id x63EjXIx002170 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 3 Jul 2019 09:45:33 -0500 (CDT) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1562165134; bh=PVz9jStHdbwIBJX3nOPjU7Q6wHQQJLJP4x4bRHscPz4=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=bkwVllZgO1ielA9biHplkOBU/BYmrtbVu/+LKEU/HjuEbXb4ofWaNgFigUxDnGsu8 UBIs+Eoqd1Sm8FlKGHI4z5sbeCvf2+zRqJjlXwh2kET1KyQWR147esHnGsLYrXfq/P vwlpJ7qgfPFupjsFBpl2rshiIMqrC9uMktrxAxFo=
X-Authentication-Warning: Host [] claimed to be unescapeable.local
To: Tom Pusateri <>
Cc:,,, IETF <>
References: <> <>
From: Robert Sparks <>
Message-ID: <>
Date: Wed, 03 Jul 2019 09:45:32 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Jul 2019 14:45:52 -0000

On 7/2/19 4:24 PM, Tom Pusateri wrote:
>> On Jun 28, 2019, at 4:03 PM, Robert Sparks via Datatracker <> wrote:
>> Issue:
>> The discussion of recursive resolvers in section 6.1 may need additional
>> consideration. In particular, the recommendation to pass a received error code
>> along to a client has, I think, some unintended consequences for the client. If
>> the recursive server receives a NOTIMP, for example, passing that to the client
>> tells the client the wrong thing about the server it is connected to. Perhaps
>> it would be better for the recursive server to return SERVFAIL in this
>> circumstance? (Similar to what it would do if it couldn't connect to the next
>> server as described at the bottom of page 10).
> The only time NOTIMP is returned is in the case where DSO stateful operations (over which DNS PUSH runs) is not supported. This error code is due to the fact that DSO uses a different Opcode than the standard Query/Response Opcode. DSO defines a new opcode. The effect of this is that NOTIMP is the correct response if a server doesn’t support the new Opcode.
> Similarly, if DSO is supported but DNS Push TLV type is not supported, we return a new RCODE for DSO type not implemented DSOTYPENI.
> These are both required by existing specifications.
> If a client begins the connection with a DSO Keepalive to a resolver and the resolver accepts the connection, subsequent SUBSCRIBE operations that return NOTIMP will be obvious that the authoritative server does not support DSO.
> However, if the client begins with a SUBSCRIBE and receives NOTIMP from the resolver, it’s not clear if the NOTIMP was originated by the resolver or the authoritative server.

And I think that's a problem.

What does a NOTIMP mean to the client? Most of the draft says "The 
server doesn't implement DSO". It doesn't say "doesn't implement DSO for 
this particular set of bits in this query". Section 6.2.2 says the 
client should assume a retry delay of 1 hour before talking to the 
server (the resolver) again.

Now, other parts of the document imply "for this particular set of bits" 
- in the overview, near the bottom of page 5, it says to use NOTIMP 
(actually it says NOTIMPL, maybe those are different things and I'm 
confused?) if a message is received for a class other than "IN" and the 
server has only implemented push for "IN". Again, that "assume a retry 
delay" kicks in.

> Right now, we allow either DSO TLV to setup the state. In the case that the client begins with a SUBSCRIBE and the resolver returns NOTIMP, the client should attempt a connection with the authoritative server directly as described in 6.1. If the authoritative server returns NOTIMP, then PUSH notifications are not possible.
But there's fate sharing, at least as I'm reading the document now. That 
resolver could have been authoritative (or could reach an authoritative 
server) for some other subscription. But you've told the client that 
it's not ok to talk to this resolver for any subscription (for an hour 
at least).
> While we could be more explicit about every error case, I don’t think the document says anything wrong here.
And I used NOTIMP as an example. I think there may be fate sharing 
issues with other response codes as well.
> Thanks,
> Tom