In your letter dated 13 Jan 2023 12:02:18 -0500 you wrote:
>This isn't exactly the same thing, but over in e-mail land we see lots of 
>small systems with silly configurations that are so locked down that they 
>don't work.  Someone said they are "more secure."  Same idea.  Well, it 
>works for me, everyone else will just have to change all their software to 
>match my super-secure requirements.  In practice we ignore what they say 
>and do something reasonable instead.

I think the difference is that for the local DNS proxy this would happen on
a single system. I'm not aware of this being an issue in this context.

For example, a TLS client could require the TLS library to only make TLS
connections using TLS 1.3 and the library could silently allow 1.2 as well.
I'm not aware of any application being that silly.

Obviously, the world is not perfect. But this issue does not seem widespread
among components of a single host system.

>> Though there is also the desire to be feature complete. Today, Firefox
>> allows the user to select DoH to a specific upstream. So the draft would
>> not be feature complete if that behavior cannot be specified.
>
>I can see the diagnostic angle, but if that's the main benefit I'd think 
>there'd be easier ways to do it.  Feature completeness for the sake of 
>feature completeness is unpersuasive.  I mean, my DNS server doesn't do 
>the additional processing for L32 records and I don't think anyone cares.

There is a difference between an experimental feature that didn't get 
much traction and a feature implemented by major web browsers.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop