On 1/25/16 2:38 PM, Dan Wing wrote:
>
> On 21-Jan-2016 07:39 am, Tim Wicinski <tjw.i...@gmail.com> wrote:
>>
>> DNSOP,
>>
>> Joel, our AD, sent this note out two weeks ago to get some working
>> group consensus on this discussion, which came up during the IESG
>> telechat on tcp-keepalive.
>>
>> I am in agreement with Joel on this (tcp-keepalive is not the
>> mechanism for DTLS), but it should be thought of.
>>
>> Any opinions? I'd like to get some resolution so we can move this
>> along.
>
> The TCP mechanism (edns-tcp-keepalive) negotiates the ability of the
> client and the server to send multiple DNS queries on the same TCP
> connection. As such, it seems ill-named (that is, a title adjustment
> seems important). This does not actually "keep the connection
> alive", which is the traditional meaning of "keepalive" in IETF
> protocols. This EDNS0 option is useful for both DNS-over-TCP, as
> well as DNS-over-TLS-over-TCP.
>
> For DNS-over-DTLS-over-UDP, we should not need to negotiate the
> client or server capability to send multiple DNS queries over the
> same DTLS connection; the mere act of negotiating DTLS indicates the
> ability to handle subsequent DNS queries using that same DTLS
> connection. The same might also be true of DNS-over-TLS-over-TCP, in
> fact? I mean, is there a client or a server that wants to use
> DNS-over-TLS-over-TCP and _not_ also have the ability to keep their
> TCP connection alive for later DNS queries over that same TLS
> connection? Perhaps for both DNS-over-TLS, and DNS-over-DTLS, the
> semantics of edns-tcp-keepalive are implied?

That is an interesting reading, though I'd want to hear an implementor
or two say they interpreted it that way.

> -d
>
>> thanks
>> tim
>>
>> On 1/7/16 10:30 AM, joel jaeggli wrote:
>>> From Stephen's discuss, this is a question we should probably
>>> answer for ourselves. (It's no longer a consideration as a
>>> discuss.)
>>>
>>> The question: how does this option play with DNS over DTLS? [1]
>>>
>>> The reason I ask is that there may be a need in that case for
>>> some similar option (or a TLS extension maybe), though for the
>>> DTLS session lifetime and not a TCP session lifetime. At present
>>> you are saying that this option is not it. And that's a fine
>>> answer, but you could also have said that this could also be used
>>> for DTLS session lifetime handling. And that last might make
>>> sense for operational reasons (not sure really, but could be).
>>>
>>> [1] https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls-03
>>>
>>> My take personally is that the tcp keepalive option is not the
>>> mechanism for dtls, but then we get multiple options specifying
>>> essentially the same sort of value at some point in the future.
>>>
>>> I just want to make sure we have a good reading on this.
>>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
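To make concrete what the option under discussion actually carries on the wire, here is an added example (not code from the thread, and not from any DNS implementation) that builds a query with an empty edns-tcp-keepalive option and parses a constructed server response that states the server's idle timeout. It assumes the wire format of RFC 7828, the published form of the draft the thread is about: option code 11, an empty option in queries, and a 16-bit TIMEOUT in units of 100 ms in responses. The transaction ID, UDP payload size, query name and the 192.0.2.1 answer are arbitrary constructed values. Nothing in the exchange touches the transport, which is Dan's point: the option is a per-message EDNS0 negotiation of "more queries may follow on this connection", not a transport-level keepalive.

```python
"""edns-tcp-keepalive (RFC 7828 wire format): build and parse.

Constructed example; not code from the DNSOP thread or from any resolver.
Assumed format: OPTION-CODE 11; OPTION-LENGTH 0 in a client query (client
only signals support), OPTION-LENGTH 2 in a server response with TIMEOUT
as a big-endian 16-bit count of 100 ms units (0 means "close now").
"""
import struct
from typing import NamedTuple, Optional

EDNS_TCP_KEEPALIVE = 11      # assumed option code (RFC 7828)
EDNS0_OPT_TYPE = 41          # RR type OPT
DEFAULT_UDP_PAYLOAD = 4096   # arbitrary client buffer size for the OPT CLASS field


class KeepAlive(NamedTuple):
    timeout_100ms: Optional[int]   # None for the empty (client-side) form

    @property
    def seconds(self) -> Optional[float]:
        return None if self.timeout_100ms is None else self.timeout_100ms / 10.0


def keepalive_option(timeout_100ms: Optional[int] = None) -> bytes:
    """Encode the option: None -> empty (query form), int -> TIMEOUT (response form)."""
    if timeout_100ms is None:
        data = b""
    else:
        if not 0 <= timeout_100ms <= 0xFFFF:
            raise ValueError("TIMEOUT must fit in 16 bits")
        data = struct.pack("!H", timeout_100ms)
    return struct.pack("!HH", EDNS_TCP_KEEPALIVE, len(data)) + data


def opt_rr(options: bytes = b"", udp_payload: int = DEFAULT_UDP_PAYLOAD) -> bytes:
    """OPT pseudo-RR: root name, TYPE=OPT, CLASS=payload size, TTL=ext. flags, RDATA=options."""
    return b"\x00" + struct.pack("!HHIH", EDNS0_OPT_TYPE, udp_payload, 0, len(options)) + options


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, options: bytes = b"") -> bytes:
    """Minimal query: one question plus one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; QDCOUNT=1, ARCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr(options)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; a pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_keepalive(msg: bytes) -> Optional[KeepAlive]:
    """Walk the message, find the OPT RR, and return the keepalive option if present."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != EDNS0_OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):              # option list: code, length, data
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDNS_TCP_KEEPALIVE:
                if olen == 0:
                    return KeepAlive(None)
                if olen != 2:
                    raise ValueError("malformed edns-tcp-keepalive option")
                return KeepAlive(struct.unpack("!H", body)[0])
    return None


def build_response(query: bytes, timeout_100ms: int = 100) -> bytes:
    """Constructed reply: echoes the question, answers 192.0.2.1 (name compressed to
    offset 12), and states the server's idle timeout in its OPT RR."""
    question = query[12:_skip_name(query, 12) + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)  # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer + opt_rr(keepalive_option(timeout_100ms))


if __name__ == "__main__":
    q = build_query("example.com", options=keepalive_option())
    print("client offers keepalive:", parse_keepalive(q))
    r = build_response(q)
    print("server idle timeout (s):", parse_keepalive(r).seconds)
```

A client that sends the empty form and gets back a TIMEOUT may keep the connection open and pipeline further queries until that many tenths of a second have passed idle; a response without the option means the server did not negotiate, and the client should fall back to the traditional one-query-per-connection behaviour.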