Hi Ted,

I’ll try to clarify:

Currently, there are only plans for DPN, and that would force every connection 
to be TLS. However, if a future protocol “Z-over-DSO” does not require TLS, it 
is possible that a client would create a TCP connection for Z and later would 
want to send a DPN operation to the same server. Note that the DSO client may 
represent a single computer, while the Z and DPN requests represent 
applications on that computer that implicitly depend on those two protocols. I 
guess a new connection could be created, but it would be better if not.

The interop issue is related to section 4.1 that says that any session based 
protocol is suitable for DSO. If you make a server that only supports DSO over 
TCP and I make a client that only supports DSO over QUIC, they are both 
compliant with the draft, but they cannot communicate with each other. To avoid 
this, I suggest that this draft only supports TLS (and possibly TCP), and 
supporting DSO on any other underlying protocol would require a new document.
From: Ted Lemon <mel...@fugue.com>
Date: Wednesday, February 14, 2018 at 5:22 PM
To: "Jan Komissar (jkomissa)" <jkomi...@cisco.com>
Cc: Paul Hoffman <paul.hoff...@vpnc.org>, dnsop <dnsop@ietf.org>, 
"dn...@ietf.org" <dn...@ietf.org>, "d...@ietf.org" <d...@ietf.org>
Subject: Re: [dnssd] [DNSOP] Working Group Last Call - 

On Feb 14, 2018, at 5:12 PM, Jan Komissar (jkomissa) <jkomi...@cisco.com> wrote:
1: I think that it would be better to require TLS for all DSO connections. This 
document (DSO) specifies that it should use TCP or TLS for connections, but the 
DNS Push Notification (DPN) draft requires TLS. This would complicate matters 
if a standard TCP connection was opened for one purpose and later a DPN 
operation over the same connection was attempted. Also, it improves security 
for all DSO operations.

Jan, I'm having trouble following your reasoning here. The client that makes 
the connection presumably knows whether or not it's going to do DPN. Why 
would there be any confusion?

DNS-over-TCP and DNS-over-TLS are standards. It's hard to see where the 
interop issue would be. Can you expand on that?

Also, do you think that DNS-over-TCP should be formally deprecated? If so, 
perhaps that's the right way to address this. If not, can you say why DSO is 
special and requires TLS, when DNS-over-TCP does not?
