On Tue, Oct 27, 2020 at 08:31:29PM -0400, Tim Wicinski wrote:

> This starts a Working Group Last Call for draft-ietf-dnsop-rfc7816bis
> 
> The current version of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7816bis/
> 
> The Current Intended Status of this document is: "Standards Track"

A potential improvement to the algorithm that's not mentioned in the
draft is avoiding probing for zone cuts at non-LDH A-labels, e.g.
labels starting with "_" used in SRV records, DANE, ...

Such labels should rarely represent privacy-relevant administrative
boundaries, and e.g. with DANE and sometimes flawed support for
denial of existence, probes for "_tcp.example.com" sometimes return
invalid NXDomain proofs (poor handling of ENTs, missing wildcards
from NSEC chains, ...).

Therefore, it is best to avoid breaking the query name below special-use
labels (_tcp, ...).  After asking for "smtp.example.com", ask for
"_25._tcp.smtp.example.com" and not "_tcp.smtp.example.com" followed
by "_25._tcp.smtp.example.com".

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
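The label-stepping rule proposed in the message above, as an added example that is not from the post, the draft or any resolver implementation: a small Python model that produces the sequence of minimised query names for a target and never stops at a name whose leftmost label begins with "_" unless that name is the full target. The `known_zone` parameter (the closest zone cut the resolver already has name servers for), the helper names and the sample names are assumptions for illustration; QTYPE selection, cache handling and the rest of the draft's algorithm are deliberately not modelled.

```python
"""Query-name minimisation stepping that skips underscore labels.

Added example (not from the DNSOP message or draft-ietf-dnsop-rfc7816bis).
It models only the choice of successive query names; cache state, QTYPE
choice and iteration limits are out of scope.
"""
from typing import List


def _labels(name: str) -> List[str]:
    """Split a presentation-format name into labels, root-to-leaf order.

    'smtp.example.com.' -> ['com', 'example', 'smtp']
    A trailing dot is optional; labels are lower-cased because DNS
    comparison is case-insensitive.
    """
    name = name.rstrip(".")
    if not name:
        return []
    return [label.lower() for label in name.split(".")][::-1]


def _join(labels: List[str]) -> str:
    """Rebuild an FQDN (with trailing dot) from root-to-leaf labels."""
    return ".".join(reversed(labels)) + "." if labels else "."


def minimisation_steps(target: str, known_zone: str = ".",
                       skip_underscore: bool = True) -> List[str]:
    """Return the query names a minimising resolver would send, in order.

    Stepping starts just below known_zone (assumed: the closest zone cut
    the resolver already knows) and adds one label of the target per step.
    With skip_underscore=True a query is never issued for a name whose
    leftmost label starts with '_' unless that name is the full target:
    such labels (_tcp, _udp, _25, _dmarc, ...) are protocol conventions
    rather than administrative boundaries, so probing them reveals no
    useful zone cut and risks tripping over broken denial-of-existence
    handling at those names.  The final query for the full target is
    always sent, so only intermediate probes are affected.
    """
    labels = _labels(target)
    known = _labels(known_zone)
    if labels[:len(known)] != known:
        raise ValueError(f"{known_zone} does not enclose {target}")

    steps: List[str] = []
    for i in range(len(known) + 1, len(labels) + 1):
        prefix = labels[:i]
        is_full = i == len(labels)
        if skip_underscore and not is_full and prefix[-1].startswith("_"):
            continue  # do not break the query name at an underscore label
        steps.append(_join(prefix))

    if not steps:  # target is the known zone apex itself
        steps.append(_join(labels))
    return steps


if __name__ == "__main__":
    # Constructed sample names for illustration only.
    for name in ("_25._tcp.smtp.example.com", "_dmarc.example.com"):
        print(name)
        print("  naive:  ", minimisation_steps(name, skip_underscore=False))
        print("  skipped:", minimisation_steps(name))
```

Run stand-alone it prints the naive sequence beside the one with underscore labels skipped, which for `_25._tcp.smtp.example.com` is exactly the difference the message describes: `smtp.example.com.` is followed directly by the full name rather than by a probe for `_tcp.smtp.example.com.`. The rule is conservative in that it only removes intermediate probes; any real zone cut that happens to sit at an underscore label is still discovered by the referral returned for the full-name query.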
