Hi John,

On 2013-11-18, at 17:53, John Levine <[email protected]> wrote:

>> So, we got some good review and feedback on this from Tony Finch, anyone
>> else?
>
> I read the draft, and as a spec it looks fine to me. Once there are a
> few empty.as112.arpa servers, you can send any branch of the DNS to
> oblivion by pointing a DNAME at them. I have 2 1/2 questions:
>
> * Anyone can point a DNAME to empty.as112.arpa, not just subtrees of
> rDNS. Is that a security issue?

I thought of it as a feature. AS112 is for everyone, not just IANA! :-)

> * I don't know what fraction of the Internet's DNS caches understand
> DNAME and will synthesize responses from a cached DNAME. The ones
> that don't will presumably continue to hammer on the server(s) with
> the DNAMEs. Is that a performance or security issue?

See the appendix regarding experimental indications regarding DNAME support in the world (as far as we need it, e.g. using synthesised CNAMEs or understanding DNAMEs).

I don't think I quite see what you're getting at, though. Could you expand a little on the potential you see for increased traffic on authority servers?

> * (the half question) Since DNAME only redirects names below the DNAME
> and not the name itself, something a lot of people don't seem to
> understand very well,* should the document offer any advice about what
> else you might want to put at the name with the DNAME?

That's an interesting point. For the reverse tree uses of AS112 we don't care, since the redirection point is never a well-formed QNAME in the reverse/1034 sense. What advice do you think is pertinent?

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
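
The half question in this thread turns on what a DNAME does and does not cover. As an added illustration (not part of the original message or of the draft under discussion), this Python sketch applies the RFC 6672 substitution rule to a constructed DNAME pointing at empty.as112.arpa; the function names and the sample owner name are assumptions.

```python
# Added example: DNAME substitution as specified in RFC 6672.
# The zone data and query names below are constructed for illustration.

MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into lowercase labels (escapes not handled)."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_length(lbls):
    """Octets the name occupies on the wire: one length byte per label plus the root byte."""
    return sum(len(l) + 1 for l in lbls) + 1


def dname_rewrite(qname, owner, target):
    """Return (status, name) for a query checked against one DNAME record.

    status is "NOMATCH" (the DNAME does not apply), "CNAME" (a resolver or
    server synthesizes qname CNAME name) or "YXDOMAIN" (substituted name too long).
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    # DNAME covers strict descendants only: the owner name itself is not redirected,
    # so records at the owner (SOA, NS, MX, ...) still have to be answered locally.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return ("NOMATCH", None)
    new = q[: len(q) - len(o)] + t
    if wire_length(new) > MAX_NAME_OCTETS:
        return ("YXDOMAIN", None)
    return ("CNAME", ".".join(new) + ".")


if __name__ == "__main__":
    # Constructed delegation: reverse zone of a documentation prefix.
    owner, target = "2.0.192.in-addr.arpa.", "empty.as112.arpa."
    for q in ("10.2.0.192.in-addr.arpa.",   # below the DNAME: redirected
              "2.0.192.in-addr.arpa.",      # the DNAME owner itself: not redirected
              "3.0.192.in-addr.arpa."):     # sibling name: not redirected
        print(q, "->", dname_rewrite(q, owner, target))
```

A cache that does not understand DNAME can only reuse the synthesized CNAME for the exact query name it asked about, which is why each new name below the owner goes back to the server holding the DNAME.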
