On Wed, Jul 07, 2021 at 08:46:17PM +0200, Peter Thomassen wrote:
> Especially because of the last reason above, I tend towards MAY.
>
> However, I would endorse SHOULD / RECOMMENDED if the wording is
> changed such that "skipping a split" is done "up to the lowest-level"
> underscore label. In other words, jumping from example.com to
> _25._tcp.example.com would be RECOMMENDED, but jumping from
> example.com to foobar._openpgpkey.example.com would not, because
> "foobar" is not an underscore label. Generally, if there are N
> consecutive underscore labels, minimization SHOULD be skipped for the
> N-1 of them which are closest to the root.
I appreciate the caution, but resuming qname minimisation after skipping a few labels does look rather complex, and it also defeats the main goal of avoiding known issues with likely ENTs at a name that is rarely a zone cut, and even if a zone cut, likely not privacy relevant.

There are upcoming drafts on DANE client auth where the leaf label will not be an "_" special-use label, but its parent is. For the same reason that asking for "_tcp.smtp.example.com IN A" is likely to run into trouble or at least impose excessive latency when the leaf label is "_25", I'd like to *recommend* that qname minimisation will do more harm than good even if the leaf label is "some-client-id".

I'd like to see the tradeoff lean heavily towards "practical" privacy enhancement.

--
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
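To make the two positions in this exchange concrete, here is an added illustration (not code from the thread, any draft, or any resolver) that computes the sequence of names a minimising resolver would ask for under three policies: plain one-label-at-a-time minimisation, the "skip N-1 of N consecutive underscore labels" rule quoted above, and a "stop minimising once an underscore label is next" policy in the spirit of Viktor's reply. The policy names and the `known_cut` starting point are assumptions for the illustration; only query names are modelled, not query types or the zone-cut discovery that real resolvers perform.

```python
from typing import List

def to_labels(name: str) -> List[str]:
    """Labels of a DNS name in root-first order:
    '_25._tcp.example.com' -> ['com', 'example', '_tcp', '_25']."""
    return [l for l in name.strip(".").split(".") if l][::-1]

def from_labels(labels: List[str]) -> str:
    return ".".join(reversed(labels))

def next_qname(target: str, known_cut: str, policy: str = "underscore-run") -> str:
    """Next name a minimising resolver would send, given that `known_cut`
    (an ancestor of `target`) has already been queried.

    policy:
      'strict'         - add exactly one label per step
      'underscore-run' - of N consecutive underscore labels, skip the N-1
                         closest to the root and query at the leaf-most one
      'no-resume'      - once the next label is an underscore label, ask for
                         the full target instead of resuming minimisation
    """
    t, k = to_labels(target), to_labels(known_cut)
    if t[:len(k)] != k:
        raise ValueError("known_cut is not an ancestor of target")
    if len(k) == len(t):
        return target                      # nothing left to minimise
    i = len(k)                             # index of the next label to add
    if policy == "strict" or not t[i].startswith("_"):
        return from_labels(t[:i + 1])      # ordinary single-label step
    if policy == "no-resume":
        return from_labels(t)              # give up minimising entirely
    # underscore-run: extend through the whole run of consecutive
    # underscore labels, so the N-1 root-most ones are never queried alone
    j = i
    while j < len(t) and t[j].startswith("_"):
        j += 1
    return from_labels(t[:j])

def minimisation_path(target: str, start: str, policy: str = "underscore-run") -> List[str]:
    """All names queried after `start` until `target` itself is reached."""
    path, cur = [], start
    while to_labels(cur) != to_labels(target):
        cur = next_qname(target, cur, policy)
        path.append(cur)
    return path

if __name__ == "__main__":
    for pol in ("strict", "underscore-run", "no-resume"):
        print(pol, minimisation_path("foobar._openpgpkey.example.com", "example.com", pol))
```

Under 'underscore-run' the resolver never asks for `_tcp.example.com` on its own, but does still ask for `_openpgpkey.example.com` before `foobar._openpgpkey.example.com`, which is exactly the extra step the reply above argues against.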