Re: [Doh] [dnssd] [DNSOP] Working Group Last Call - draft-ietf-dnsop-session-signal

Ted Lemon <> Wed, 14 February 2018 22:22 UTC

From: Ted Lemon <>
Date: Wed, 14 Feb 2018 17:22:38 -0500
Cc: Paul Hoffman <>, dnsop <>, "" <>, "" <>
To: "Jan Komissar (jkomissa)" <>

On Feb 14, 2018, at 5:12 PM, Jan Komissar (jkomissa) <> wrote:
> 1: I think that it would be better to require TLS for all DSO connections. This document (DSO) specifies that it should use TCP or TLS for connections, but the DNS Push Notification (DPN) draft requires TLS. This would complicate matters if a standard TCP connection was opened for one purpose and later a DPN operation over the same connection was attempted. Also, it improves security for all DSO operations.

Jan, I'm having trouble following your reasoning here. The client that makes the connection presumably knows whether or not it's going to do DPN. Why would there be any confusion?

DNS-over-TCP and DNS-over-TLS are standards. It's hard to see where the interop issue would be. Can you expand on that?

Also, do you think that DNS-over-TCP should be formally deprecated? If so, perhaps that's the right way to address this. If not, can you say why DSO is special and requires TLS, when DNS-over-TCP does not?
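The situation Jan describes above, a DSO session opened over plain TCP on which a client later tries a DNS Push Notification operation, is easy to model in code. The following is an added, constructed example and is not code from the draft, from either poster, or from any DSO implementation. It encodes and decodes DSO messages (opcode 6, zero count fields, a sequence of type/length/value TLVs) and gates the TLV types that DNS Push requires to run over TLS. The DSO-TYPE numbers used are the values later registered in RFC 8490 and RFC 8765 (KeepAlive 1, SUBSCRIBE 0x40, PUSH 0x41, UNSUBSCRIBE 0x42); they are assumptions for the draft versions under discussion, as are the `DsoSession` class and its `"tcp"`/`"tls"` transport labels.

```python
"""Constructed DSO example: encode/decode DSO messages and refuse DNS Push TLVs
on a non-TLS session. Not part of the draft or any implementation."""
import struct
from dataclasses import dataclass, field

DSO_OPCODE = 6  # assumed to match the draft (registered in RFC 8490)

# DSO-TYPE values as later registered in RFC 8490 / RFC 8765 (assumption here).
TLV_KEEPALIVE = 0x0001
TLV_RETRY_DELAY = 0x0002
TLV_ENCRYPTION_PADDING = 0x0003
TLV_SUBSCRIBE = 0x0040
TLV_PUSH = 0x0041
TLV_UNSUBSCRIBE = 0x0042

# DNS Push Notification operations: the DPN draft requires TLS for these.
TLS_REQUIRED_TLVS = {TLV_SUBSCRIBE, TLV_PUSH, TLV_UNSUBSCRIBE}


def encode_name(name):
    """Uncompressed DNS wire-format name (labels are ASCII; no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def keepalive_tlv(inactivity_ms, interval_ms):
    """KeepAlive TLV: two 32-bit millisecond timers."""
    return (TLV_KEEPALIVE, struct.pack("!II", inactivity_ms, interval_ms))


def subscribe_tlv(name, rrtype=255, rrclass=1):
    """SUBSCRIBE TLV carrying a question (name, type, class)."""
    return (TLV_SUBSCRIBE, encode_name(name) + struct.pack("!HH", rrtype, rrclass))


def encode_dso_message(msg_id, tlvs, is_response=False, rcode=0):
    """12-byte DNS header with OPCODE=6 and all four count fields zero, then TLVs."""
    flags = (int(is_response) << 15) | (DSO_OPCODE << 11) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in tlvs)
    return header + body


def decode_dso_message(raw):
    """Return (msg_id, is_response, [(dso_type, data), ...]); strict on framing."""
    if len(raw) < 12:
        raise ValueError("short DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    if (flags >> 11) & 0xF != DSO_OPCODE:
        raise ValueError("not a DSO message")
    if (qd, an, ns, ar) != (0, 0, 0, 0):
        raise ValueError("DSO messages carry no question/RR sections")
    tlvs, off = [], 12
    while off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!HH", raw, off)
        off += 4
        if off + ln > len(raw):
            raise ValueError("TLV length runs past end of message")
        tlvs.append((t, raw[off:off + ln]))
        off += ln
    return msg_id, bool(flags >> 15), tlvs


class TransportError(Exception):
    pass


@dataclass
class DsoSession:
    """Hypothetical client-side session; transport is fixed when the connection opens."""
    transport: str  # "tcp" or "tls"
    next_id: int = 1
    sent: list = field(default_factory=list)

    def allows(self, tlvs):
        """True unless a TLS-only (DNS Push) TLV would go out over plain TCP."""
        return self.transport == "tls" or not any(t in TLS_REQUIRED_TLVS for t, _ in tlvs)

    def send(self, tlvs):
        if not self.allows(tlvs):
            raise TransportError(f"DSO-TYPE 0x{tlvs[0][0]:04x} requires TLS; session is {self.transport}")
        msg = encode_dso_message(self.next_id, tlvs)
        self.next_id += 1
        self.sent.append(msg)
        return msg


if __name__ == "__main__":
    plain = DsoSession("tcp")
    plain.send([keepalive_tlv(15000, 60000)])  # fine over TCP
    try:
        plain.send([subscribe_tlv("_ipp._tcp.example.com")])
    except TransportError as e:
        print("refused:", e)
    secure = DsoSession("tls")
    print(decode_dso_message(secure.send([subscribe_tlv("_ipp._tcp.example.com")])))
```

The gate lives on the client because, as the reply notes, the client chose the transport when it opened the connection; a server-side check of the same kind would simply answer the SUBSCRIBE with an error instead of raising.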