On Thu, 15 Mar 2018, Ray Bellis wrote:
>>> It could mention DNS-COOKIES as one way to avoid spoofing issues.
>>
>> That sounds like a good idea.
>
> On reflection (and discussion with one of my co-authors) we think that
> would be problematic.
>
> Don't forget that the issue here is non-spoofability of the internal
> channel _between the front-end forwarder and the back-end server_, and
> not end-to-end.

Makes sense. So forget about DNS-COOKIES :)

Paul
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop