Telechat Review of draft-ietf-dnssd-push-19
review-ietf-dnssd-push-19-secdir-telechat-xia-2019-05-17-00

Request Review of draft-ietf-dnssd-push
Requested rev. no specific revision (document currently at 25)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2019-06-02
Requested 2019-05-11
Requested by Éric Vyncke
Authors Tom Pusateri, Stuart Cheshire
Draft last updated 2019-05-17
Completed reviews Secdir Telechat review of -19 by Liang Xia
Tsvart Early review of -19 by Brian Trammell
Secdir Last Call review of -20 by Liang Xia
Genart Last Call review of -20 by Robert Sparks
Genart Telechat review of -23 by Robert Sparks
Assignment Reviewer Liang Xia
State Completed
Review review-ietf-dnssd-push-19-secdir-telechat-xia-2019-05-17
Posted at https://mailarchive.ietf.org/arch/msg/secdir/zHBrhCzkL3JJff-8wPjRFj3kz1w
Reviewed rev. 19 (document currently at 25)
Review result Has Issues
Review completed: 2019-05-17

Review
review-ietf-dnssd-push-19-secdir-telechat-xia-2019-05-17

Nit:
1. Section 6.1, s/This connection is made to TCP port 853, the default port for DNS-over-TLS DNS over TLS [RFC7858]./This connection is made to TCP port 853, the default port for DNS-over-TLS [RFC7858].
2. Table 2, RECONFIRM should be C-U TLV type.

Comments:
1. Why are UNSUBSCRIBE and RECONFIRM client unidirectional messages?
2. In the UNSUBSCRIBE message, why did you choose to use the SUBSCRIBE MESSAGE ID rather than NAME+TYPE+CLASS?
3. In the Security Considerations section:
    1) you should also mention that TLS provides anti-replay protection for DNS Push;
    2) maybe you need to consider client authentication to achieve policy control and detect illegal clients;
    3) the TLS WG is specifying an SNI encryption mechanism; will it influence your TLS name authentication?