Ben Schwartz <[email protected]> writes: > I wanted to remind DNSOP to take another look at > draft-ietf-dnsop-svcb-dane [1], which is intended as a straightforward > clarification of how DANE interacts with SVCB/HTTPS records (and > QUIC/HTTP/3). I don't think this document is controversial, and I'd > like to proceed to WGLC soon.
A few comments: 1. the MUST NOT in the first paragraph in 5.2 really feels like it should be a SHOULD NOT. Though its not wise, there could be scenarios where someone really wants to do it and if they feel it's operationally possible then they should be allowed to. [I had a really hard time writing this, as I think you're right about the importance, but we do try to opt for SHOULD NOTs unless it always breaks something] 2. in the security considerations, the first sentence in the second paragraph seems like it should have a solid requirement in it. Maybe "The SVCB and associated TLSA records MUST be validated by DNSSEC." And this is one of those cases where the MUST feels right as it significantly degrades the security of the protocol if only a SHOULD is used. As such, I'd drop the rest of the paragraph. -- Wes Hardaker USC/ISI _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
