Also: We'll want to add guidance here and/or in 5966bis, though, that helps implementations avoid sending a two-byte TCP segment followed immediately by another segment. This came up during questions during John Dickinson's 5966bis presentation in DNSOP.
> On Nov 13, 2014, at 7:28, "John Heidemann" <[email protected]> wrote:
>
>> On Thu, 13 Nov 2014 08:03:02 +0100, Francis Dupont wrote:
>> Does DNS over TLS use the TLS framing (aka TLS Record Protocol) or
>> does it prefix messages by a two byte length field as for DNS over TCP
>> (cf RFC 1035 4.2.2 TCP usage)? I believe it is the second but *no*
>> DNS over TLS proposal specifies this point.
>
> Good question.
>
> draft-hzhwm-dprive-start-tls-for-dns-00
> frames as per DNS over TCP, not TLS.
>
> It says:
>
> After TLS negotiation completes, the connection will be encrypted and
> is now protected from eavesdropping and normal DNS queries SHOULD
> take place.
>
> I guess "normal DNS queries" should be "normal DNS queries (with
> DNS-over-TCP framing as per RFC1035 section 4.2.2)" to be clearer.
>
> This choice is consistent with the goal of minimal changes to existing
> DNS software. Once you negotiate TLS, you basically end up just calling
> the TLS-specific read/write functions rather than standard read/write.
>
> This approach is also consistent with other STARTTLS uses---they preserve
> the "native" framing (like SMTP, RFC3207).
>
> -John Heidemann
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
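The two points discussed in this thread, RFC 1035 section 4.2.2 length-prefix framing carried unchanged over TLS and the advice to hand the two-byte length and the message to the transport in a single write, as an added illustration that is not code from any of the drafts or implementations mentioned; the query builder, message names and sample bytes are constructed for the example.

```python
import struct

MAX_DNS_MESSAGE = 65535
MIN_DNS_MESSAGE = 12  # a DNS header alone is 12 bytes; anything shorter is malformed

def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed minimal DNS query: header (RD set) plus one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_message(msg: bytes) -> bytes:
    """Prefix msg with its 16-bit big-endian length (RFC 1035 section 4.2.2).
    Returning prefix and payload as one buffer lets the caller issue a single
    write (or SSL_write), so the transport is not handed a two-byte segment
    followed immediately by a second segment."""
    if not MIN_DNS_MESSAGE <= len(msg) <= MAX_DNS_MESSAGE:
        raise ValueError("DNS message length out of range for TCP framing")
    return struct.pack("!H", len(msg)) + msg

class StreamDeframer:
    """Reassembles length-prefixed DNS messages from a byte stream.
    The logic is identical over plain TCP and over TLS: TLS encrypts the
    byte stream but, like TCP, does not preserve the sender's write
    boundaries, so the prefix may arrive split and several messages may
    arrive in one read."""
    def __init__(self):
        self._buf = bytearray()

    def feed(self, data: bytes) -> list:
        """Append received bytes; return every complete message now available."""
        self._buf += data
        out = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack_from("!H", self._buf, 0)
            if length < MIN_DNS_MESSAGE:
                raise ValueError("peer sent an impossible DNS message length")
            if len(self._buf) < 2 + length:
                break  # wait for the rest of this message
            out.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return out
```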
