On Wed, Jan 13, 2016 at 08:06:17PM -0000, John Levine wrote:
> > _service._client.node.example. IN TLSA ...
>
> Ah, we're getting closer.
Well, I can live with the above, *if* there's a good reason to
expect conflicts that block use of CNAMEs.
> >I still don't see any use for _tcp/_udp in there.
>
> RFC 6698 has _tcp _udp and _sctp protocols as part of the names for
> TLSA.
For a good reason, because the full prefix is "_<portnumber>._<proto>".
Without "_proto", we get TLSA records applied to the wrong service
endpoint, because UDP ports with the same number don't reach have
the same service as the TCP ports.
> It seems rather odd to have the protocol name for the server
> certificate but not for the client.
Because the client prefix-label a service *name*, so so the port
collision issue goes away. We should not cargo-cult designs,
the rationale has to carry over logically, and false analogies
need to be avoided.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
