Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

David Schinazi <> Sat, 06 July 2019 00:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E4F9E1200DB; Fri, 5 Jul 2019 17:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3BEj2RhiqC3J; Fri, 5 Jul 2019 17:45:25 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8EB691200A3; Fri, 5 Jul 2019 17:45:24 -0700 (PDT)
Received: by with SMTP id q26so7315013lfc.3; Fri, 05 Jul 2019 17:45:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8BCl72kwFPqkJdUT9Jz6oxBvNtrbjhUR3CfM1OC2Inc=; b=B5SKjWCZ72oXqXiJ+vMLB5v3qV7opXRgWZKxssOkHFPgW8yB6VrTfaXuBnwjkpNQNH LICqxmmvD0YNsuWHPfI4TvlhBLzoS1rNVItovBVbtAVC+MN4i4duam7Qt3btvB9CmoUr RQvK+Qzowrukp7xgODeuuJy+ovzGuV3MGIKHGz8d3MzVb15vlRkPql7ZWuFGJa9N68r4 2uamNT1j6dLCFIoHfhfh6Iu4YGzsq50lQbNbf7dVrqVv0//W91Nh3fGJ2GxIgmgOzqHf hCx14V6SaR7Lz3OuZHmqCZeGuLRlxLft61gDUZw6F1amQOSSJYX+dGnG5tBM6yROIu+n Ra9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8BCl72kwFPqkJdUT9Jz6oxBvNtrbjhUR3CfM1OC2Inc=; b=bm39IYOfRajoIFOP/CmirvkZ8PSYBVU26S0I/5UAq0pkEH0+9d4mR1dWDHUnxAMYr0 4HP+aIqLrKU2iUtPEeHvB0AkiDhDbyDrKCItfLOXLiVP5ViTN5mCqJh4YjkXm1Ke4l22 dZWaeNAuWIEVZLd1JX78Gd1QriOLu0SH1Fpe/l437FJdov7CwdH/FmPOHxJsK10W3rYk +pVc3ExGUMOsq1eNngb18nVOeoOvFQDJ8Q8nTnze18QHL17yCTu5UU4dZSnclUxT9Z+G U7uHmdcNGV0eMICLBK+ITvH5OxRbR1weiTOn/FyZP+cQzdTZAwAh3j4/Wo/4gcvk5fD4 fJ+Q==
X-Gm-Message-State: APjAAAW8P33oOINqlU4F0+V9UiJC5VV+EwRpIHquWUjLpNef+WKdsXVJ Gh4itAnv6ZzMFNvIubJXNT9mO13k6FcPtIHDh6Zi5w==
X-Google-Smtp-Source: APXvYqz5xymLKZJlJgalHmayIPD51RpV2/zrpUq91x0PjDm2DSJyaC79/JLXRdXaIWdlQdwz1n3DWpq7KK0VOoeRDPU=
X-Received: by 2002:ac2:46ce:: with SMTP id p14mr3310396lfo.148.1562373922700; Fri, 05 Jul 2019 17:45:22 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: David Schinazi <>
Date: Fri, 05 Jul 2019 17:45:11 -0700
Message-ID: <>
To: Tom Pusateri <>
Cc: Ted Lemon <>,, DNSSD <>
Content-Type: multipart/alternative; boundary="000000000000ab4121058cf8862f"
Archived-At: <>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 06 Jul 2019 00:45:27 -0000

On Thu, Jul 4, 2019 at 9:52 AM Tom Pusateri <> wrote:

> On Jul 3, 2019, at 11:12 AM, Ted Lemon <> wrote:
> And thanks for the advice about how to terminate TLS connections—I had
> missed that nuance.  Are TLS implementations actually able to do this (to
> reject RST packets)?
> This was actually a comment from David Schinazi (and a good one). I’ve
> adjusted the working copy on github but there’s still one section I’m
> wrestling with regarding TCP RST.

On most operating systems today, TCP is in the kernel and TLS is in
user-space, so most implementations of TLS over TCP do not have the ability
to discard TCP RSTs that were injected by attackers. However, the TLS
close_notify alert allows endpoints to be able to tell the difference
between a connection that was closed gracefully by the peer and one that
was forcefully terminated (possibly by an attacker). So upon receipt of a
TCP RST without prior TLS close_notify, the connection will die, but the
application will know that the latest message could have been truncated
halfway through transmission and should therefore be discarded.