Two items related to this:
1: I think that it would be better to require TLS for all DSO connections. This
document (DSO) specifies that it should use TCP or TLS for connections, but the
DNS Push Notification (DPN) draft requires TLS. This would complicate matters
if a standard TCP connection was opened for one purpose and later a DPN
operation over the same connection was attempted. Also, it improves security
for all DSO operations.
2: I also believe this document should only support DSO over TLS, not session
based protocols in general. If there is a need/desire for doing DSO over other
protocols, a new RFC allowing each protocol would be required. This requirement
will ensure that all implementations of this draft would interoperate. (If
DSO-over-X and DSO-over-Y both are compliant with this document, they are not
likely to interoperate even if both X and Y are session based, which would
defeat the purpose of a standard.)
Regards,
Jan.
On 2/2/18, 4:58 PM, "DNSOP on behalf of Paul Hoffman" <dnsop-boun...@ietf.org
on behalf of paul.hoff...@vpnc.org> wrote:
The current draft is hand-wavy when it comes to which transports DSO can
run on.
Section 2 says "such as":
The term "connection" means a bidirectional byte stream of reliable,
in-order messages, such as provided by using DNS over TCP
[RFC1035][RFC7766] or DNS over TLS [RFC7858].
Section 4.1 says "are suitable":
Standard DNS over TCP [RFC1035][RFC7766], and DNS over TLS [RFC7858]
are suitable protocols.
The document should explicitly list which protocols are currently
acceptable, and say that the list can change in the future based on
standards-track documents. Proposed wording for both of these above are:
Section 2:
The term "connection" means a bidirectional byte stream of reliable,
in-order messages.
Section 4.1 says "are suitable":
DSO MUST be run as standard DNS over TCP [RFC1035][RFC7766]
or DNS over TLS [RFC7858]. This list might expand in the future,
such
an expansion MUST be in standards-track RFCs.
Having developers know exactly which protocols can be used is important
so that they do not use protocols that they accidentally think are
reliable and in-order. For example, the DOH WG is working on a protocol
that might initially seem attractive, but it does *not* qualify for DSO.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
