Re: [dnssd] [DNSOP] Working Group Last Call - draft-ietf-dnsop-session-signal

Ted Lemon <> Wed, 14 February 2018 22:22 UTC

On Feb 14, 2018, at 5:12 PM, Jan Komissar (jkomissa) <> wrote:
> 1: I think that it would be better to require TLS for all DSO connections. This document (DSO) specifies that it should use TCP or TLS for connections, but the DNS Push Notification (DPN) draft requires TLS. This would complicate matters if a standard TCP connection was opened for one purpose and later a DPN operation over the same connection was attempted. Also, it improves security for all DSO operations.

Jan, I'm having trouble following your reasoning here. The client that makes the connection presumably knows whether or not it's going to do DPN. Why would there be any confusion?

DNS-over-TCP and DNS-over-TLS are standards. It's hard to see where the interop issue would be. Can you expand on that?

Also, do you think that DNS-over-TCP should be formally deprecated? If so, perhaps that's the right way to address this. If not, can you say why DSO is special and requires TLS, when DNS-over-TCP does not?