On Mon, 1 Aug 2016, Paul Hoffman wrote:
Jakob and I think this addresses all the actionable comments we got in WG
Last Call.
You added:
   9.1. Response Size

   To prevent amplification attacks, an Authoritative DNS server MAY
   wish to prevent returning SMIMEA records over UDP unless the source
   IP address has been confirmed with [RFC7873]. Such servers MUST NOT
   return REFUSED, but answer the query with an empty answer section and
   the truncation flag set ("TC=1").

I do not find this text very clear. I propose:

   To prevent amplification attacks, an Authoritative DNS server MAY
   wish to prevent returning SMIMEA records over UDP unless the source
   IP address has been confirmed with [RFC7873]. If a query is received
   via UDP without source IP address verification, the server MUST NOT
   return REFUSED, but answer the query with an empty answer section and
   the truncation flag set ("TC=1").

All other issues I raised were resolved with this updated draft.
Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
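
The server-side behaviour described in the proposed text, as an added example that is not part of the original message or of the draft: an SMIMEA query arriving over UDP without a verified source gets a NOERROR reply with the question echoed, an empty answer section and TC=1. The function names and the `source_verified` flag (standing in for an RFC 7873 cookie check done elsewhere) are assumptions, and the sample query is constructed.

```python
import struct

SMIMEA = 53                      # RR type code assigned to SMIMEA
QR, TC, RD = 0x8000, 0x0200, 0x0100
OPCODE_MASK = 0x7800

def parse_question(msg):
    """Return (qtype, end_offset) for the single question in a DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    while True:
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compressed name in question")
        off += 1 + length
        if length == 0:
            break
    qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
    return qtype, off + 4

def truncated_reply(query, over_udp, source_verified):
    """Return the TC=1 reply, or None when the server should answer normally.

    source_verified is the outcome of an RFC 7873 cookie check performed
    elsewhere (assumption: this sketch does not implement cookies).
    """
    qtype, qend = parse_question(query)
    if not over_udp or source_verified or qtype != SMIMEA:
        return None
    ident, flags = struct.unpack("!2H", query[:4])
    # Keep opcode and RD from the query; RCODE stays 0 (NOERROR), never REFUSED.
    rflags = QR | TC | (flags & (OPCODE_MASK | RD))
    # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0: question echoed, answer section empty.
    # The EDNS OPT record is left out to keep the sketch short.
    header = struct.pack("!6H", ident, rflags, 1, 0, 0, 0)
    return header + query[12:qend]

def make_query(name, qtype, ident=0x1234):
    """Build a constructed sample query (RD set, class IN, no EDNS)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    tail = b"\x00" + struct.pack("!2H", qtype, 1)
    return struct.pack("!6H", ident, RD, 1, 0, 0, 0) + qname + tail

if __name__ == "__main__":
    # Constructed name; the first label stands in for the real hashed local-part.
    q = make_query("hash._smimecert.example.com", SMIMEA)
    print(truncated_reply(q, over_udp=True, source_verified=False).hex())
```

The reply built here is never larger than the query that triggered it, which is the property that removes the amplification gain; a client that receives TC=1 retries over TCP.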