On Fri, Jan 30, 2015 at 11:54 AM, Rob Stradling <[email protected]> wrote:
> Thanks again, DKG. Option 2 it is then.
>
> 2. "?." matching =1 redacted label.
>
> Do you think we should support redacting (for example) "public.secret.example.com" to "public.?.example.com"?
>
> Or, to keep it simple, shall we disallow unredacted labels to the left of a redacted label?

From an operations viewpoint I would say to disallow them:

* It will at best be rarely used, with few, if any, non-contrived use cases.
* It is begging humans or software to miss seeing/correctly processing the unusual "?" buried in the middle of what is easily mistaken for a normal FQDN.
* Additional (if only slightly) code complexity and testing will be required but rarely used and unimportant to most customers. Often such low-priority features get poorly implemented/tested.
* The preceding two points suggest some implementations and deployments could end up with vulnerabilities from a little-known feature.
* (Remembering non-contiguous subnet masks) It potentially could prevent some sort of optimization for the other 99+% of cases.
* An attacker (or mistake) could exploit the increased chance of human misreading. Detecting/fixing this mistake may be difficult for those who made it in the first place.

Without a really strong use case it seems the negatives easily win over the minor increase in flexibility.

-Scott-
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
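The two rules under discussion in the thread (a "?" label stands for exactly one redacted label, and, in the stricter option Scott argues for, redacted labels may only appear as a contiguous run at the left end of the name) are easy to get subtly wrong in a validator, which is the point Scott makes about little-used features. The following is an added example written for this page, not code from the trans working group or from any CT implementation. The function names, the `allow_interior` switch, and the requirement that at least one unredacted label remain are assumptions of this example, not something the thread specifies; the sample names are constructed.

```python
"""Validate and match '?'-redacted DNS names.

Added example, not part of the original thread. Rules implemented:
  * a '?' label matches exactly one label of the full name ("Option 2");
  * by default, a '?' may not appear to the right of an unredacted label,
    so "public.?.example.com" is rejected (the strict option from the thread);
  * ASSUMPTION of this example: at least one unredacted label must remain.
"""
import re
from typing import List

# LDH label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
REDACTED = "?"


def split_labels(name: str) -> List[str]:
    """Split a (possibly redacted) name into lower-cased labels.

    A single trailing dot (FQDN form) is tolerated; an empty name is an error.
    """
    name = name.rstrip(".")
    if not name:
        raise ValueError("empty name")
    return name.lower().split(".")


def validate_redacted_name(name: str, allow_interior: bool = False) -> bool:
    """Return True if `name` is a well-formed redacted name.

    With allow_interior=False every '?' must sit to the left of every
    unredacted label. With allow_interior=True the looser form the thread
    asks about ("public.?.example.com") is accepted as well.
    """
    seen_unredacted = False
    for label in split_labels(name):
        if label == REDACTED:
            # A '?' after an unredacted label is the interior case.
            if seen_unredacted and not allow_interior:
                return False
        else:
            if not LABEL_RE.match(label):
                return False
            seen_unredacted = True
    # Assumption: a name consisting only of '?' labels is rejected.
    return seen_unredacted


def matches(redacted: str, full: str) -> bool:
    """Does the full DNS name `full` match the redacted name `redacted`?

    Each '?' consumes exactly one label, so the label counts must be equal;
    "?.example.com" does not match "a.b.example.com" or "example.com".
    Labels are compared case-insensitively via split_labels().
    """
    r_labels = split_labels(redacted)
    f_labels = split_labels(full)
    if len(r_labels) != len(f_labels):
        return False
    return all(r == REDACTED or r == f for r, f in zip(r_labels, f_labels))


def redacted_names_for(full: str, levels: int) -> str:
    """Redact the leftmost `levels` labels of `full` with '?' labels.

    This only ever produces names that pass the strict validator, which is
    the practical upside of the rule Scott favours: a redactor never needs
    to decide which interior labels to hide.
    """
    labels = split_labels(full)
    if not 0 < levels < len(labels):
        raise ValueError("levels must leave at least one unredacted label")
    return ".".join([REDACTED] * levels + labels[levels:])


if __name__ == "__main__":
    # Constructed sample names for a quick demonstration.
    for candidate in ("?.example.com", "?.?.example.com", "public.?.example.com"):
        print(candidate, "strict:", validate_redacted_name(candidate),
              "loose:", validate_redacted_name(candidate, allow_interior=True))
    print(redacted_names_for("public.secret.example.com", 2))
```

The interior form is accepted only when the caller opts in, so a deployment that chooses the strict rule gets a single, obvious check (every "?" precedes every real label) rather than having to reason about where in the name a "?" may legitimately appear.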
