On Wed, Jul 07, 2021 at 08:46:17PM +0200, Peter Thomassen wrote:
> Especially because of the last reason above, I tend towards MAY.
>
> However, I would endorse SHOULD / RECOMMENDED if the wording is
> changed such that "skipping a split" is done "up to the lowest-level"
> underscore label. In other words, jumping from example.com to
> _25._tcp.example.com would be RECOMMENDED, but jumping from
> example.com to foobar._openpgpkey.example.com would not, because
> "foobar" is not an underscore label. Generally, if there are N
> consecutive underscore labels, minimization SHOULD be skipped for the
> N-1 of them which are closest to the root.
I appreciate the caution, but resuming qname minimisation after skipping
a few labels does look rather complex; it also defeats the main goal of
avoiding known issues with likely ENTs at a name that is rarely a zone
cut, and even if a zone cut, likely not privacy relevant.
There are upcoming drafts on DANE client auth where the leaf label will
not be an "_" special-use label, but its parent is.
For the same reason that asking for "_tcp.smtp.example.com IN A" is
likely to run into trouble or at least impose excessive latency when the
leaf label is "_25", I'd like to *recommend* that qname minimisation
will do more harm than good even if the leaf label is "some-client-id".
I'd like to see the tradeoff lean heavily towards "practical"
privacy enhancement.
--
Viktor.
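To make the two positions in this exchange concrete, the following is an added example, not code from either poster or from any resolver: it enumerates the query names a minimising resolver would send below a known zone cut under three hypothetical policies. "minimise" adds one label per step; "skip-run" is Peter's proposal as worded above (for N consecutive underscore labels, skip the N-1 closest to the root); "skip-to-leaf" is one reading of Viktor's preference (once an underscore label is reached, ask for the full name). The policy names, the helper functions and the sample names are all assumptions made for this example; the names themselves are constructed from the ones quoted in the thread.

```python
"""Added example (not from the DNSOP thread): enumerate the query names a
resolver would send when minimising a QNAME below a known zone cut, under
three hypothetical policies for names containing underscore labels.

Policy names, helpers and sample names are assumptions made for this
example; none of them comes from a resolver implementation."""


def _labels_below(zone: str, name: str) -> list[str]:
    """Labels of `name` below `zone`, ordered root-side first.
    Raises ValueError if `name` is not at or below `zone`."""
    zone = zone.rstrip(".").lower()
    name = name.rstrip(".").lower()
    if name == zone:
        return []
    suffix = "." + zone if zone else ""
    if zone and not name.endswith(suffix):
        raise ValueError(f"{name} is not below {zone}")
    below = name[: len(name) - len(suffix)] if suffix else name
    return list(reversed(below.split(".")))


def _join(labels: list[str], zone: str) -> str:
    """Build a name from root-side-first `labels` placed under `zone`."""
    return ".".join(list(reversed(labels)) + ([zone] if zone else []))


def query_sequence(zone: str, name: str, policy: str = "minimise") -> list[str]:
    """Return the ordered list of names queried while walking from `zone`
    down to `name`.

    minimise      one label per step (strict minimisation).
    skip-run      for a run of N consecutive underscore labels, skip the
                  N-1 closest to the root and query the lowest-level
                  underscore label directly (the proposal quoted above).
    skip-to-leaf  once an underscore label is reached, query the full name.
    """
    if policy not in ("minimise", "skip-run", "skip-to-leaf"):
        raise ValueError(f"unknown policy {policy!r}")
    zone = zone.rstrip(".").lower()
    labels = _labels_below(zone, name)
    seq: list[str] = []
    i, n = 0, len(labels)
    while i < n:
        if labels[i].startswith("_"):
            # Find the end of the run of consecutive underscore labels.
            j = i
            while j < n and labels[j].startswith("_"):
                j += 1
            if policy == "skip-run":
                seq.append(_join(labels[:j], zone))
                i = j
                continue
            if policy == "skip-to-leaf":
                seq.append(_join(labels, zone))
                break
        seq.append(_join(labels[: i + 1], zone))
        i += 1
    return seq


def avoided_queries(zone: str, name: str, policy: str) -> list[str]:
    """Intermediate names that strict minimisation would send but `policy`
    does not. Under strict minimisation these are the names ending in an
    underscore label that is not the leaf, which in practice are usually
    empty non-terminals (ENTs) rather than zone cuts."""
    strict = query_sequence(zone, name, "minimise")
    kept = set(query_sequence(zone, name, policy))
    return [q for q in strict if q not in kept]


if __name__ == "__main__":
    # Constructed sample names, based on the ones quoted in the thread.
    for target in ("_25._tcp.example.com",
                   "foobar._openpgpkey.example.com",
                   "_25._tcp.smtp.example.com",
                   "some-client-id._25._tcp.example.com"):
        for pol in ("minimise", "skip-run", "skip-to-leaf"):
            print(f"{pol:13} {target}: {query_sequence('example.com', target, pol)}")
        print(f"{'avoided':13} {target}: {avoided_queries('example.com', target, 'skip-run')}")
```

Running it shows the difference the thread is about: under "skip-run" the resolver goes from example.com straight to _25._tcp.example.com but still stops at _openpgpkey.example.com before asking for foobar._openpgpkey.example.com, while for a DANE-client-style name such as some-client-id._25._tcp.example.com only "skip-to-leaf" avoids the extra _25._tcp.example.com query.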
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop