On Feb 14, 2018, at 5:12 PM, Jan Komissar (jkomissa) <jkomi...@cisco.com> wrote:
> 1: I think that it would be better to require TLS for all DSO connections. 
> This document (DSO) specifies that it should use TCP or TLS for connections, 
> but the DNS Push Notification (DPN) draft requires TLS. This would complicate 
> matters if a standard TCP connection was opened for one purpose and later a 
> DPN operation over the same connection was attempted. Also, it improves 
> security for all DSO operations.

Jan, I'm having trouble following your reasoning here.   The client that makes 
the connection presumably knows whether or not it's going to do DPN.   Why 
would there be any confusion?

DNS-over-TCP and DNS-over-TLS are standards.   It's hard to see where the 
interop issue would be.   Can you expand on that?

Also, do you think that DNS-over-TCP should be formally deprecated?   If so, 
perhaps that's the right way to address this.   If not, can you say why DSO is 
special and requires TLS, when DNS-over-TCP does not?

DNSOP mailing list