On 15/03/2018 10:01, Ray Bellis wrote:

> On 14/03/2018 22:07, Paul Wouters wrote:
>
>> It could mention DNS-COOKIES as one way to avoid spoofing issues.
>
> That sounds like a good idea.

On reflection (and discussion with one of my co-authors) we think that would be problematic. Don't forget that the issue here is non-spoofability of the internal channel _between the front-end forwarder and the back-end server_, and not end-to-end. Using DNS Cookies there would require manipulation of the packet contents of exactly the sort that earlier versions of this draft had when it used EDNS instead of a meta-RR.

Ray
