On 23 Feb 2016, at 8:00, Ben Laurie wrote:
> As we've mentioned several times, we've been working on a way to retrieve CT data over DNS to improve the privacy properties of inclusion proofs.
This is a good idea, and the motivation mentioned in the not-yet-a-draft is good. However, I have some questions about the protocol that you show.
https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md
1) Why do you create a new Opcode for the header? These are kind of precious values. You are already using prefixes on the QNAME for STH queries; you could easily do so for the others as well.
2) Standard practice these days is to have prefixed labels start with an underscore (_).
3) In the STH Query example, the Question section in the response is different than the Question section in the request. I hope this is a typo, given that RFC 1034 says that the two must be the same.
4) If you're sure that the RData values for the responses are less than 256 characters, that's fine; if they can be longer than that, you should probably add a note about the TXT records having more than one character-data string.
--Paul Hoffman

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
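Added example illustrating point 4, not code from the draft or from either poster: TXT RDATA is a sequence of length-prefixed character-strings of at most 255 bytes each (RFC 1035), so a response value longer than that must be split on the way in and concatenated on the way out, and a consumer that reads only the first string silently truncates it. The sample value is constructed and merely sized like a proof carrying several hashes.

```python
# Added example (not from the draft or the mailing-list post): how a TXT
# RDATA value longer than 255 bytes is carried as several character-strings,
# which is the case point 4 asks the draft to document. Sample input is constructed.
import base64

MAX_CHARSTRING = 255  # one-byte length prefix limits each string to 255 bytes


def encode_txt_rdata(value: bytes) -> bytes:
    """Split value into length-prefixed character-strings."""
    if not value:
        return b"\x00"  # an empty TXT record is one empty character-string
    out = bytearray()
    for i in range(0, len(value), MAX_CHARSTRING):
        chunk = value[i:i + MAX_CHARSTRING]
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list:
    """Parse RDATA back into its character-strings, rejecting truncated data."""
    strings = []
    pos = 0
    while pos < len(rdata):
        n = rdata[pos]
        pos += 1
        if pos + n > len(rdata):
            raise ValueError("truncated character-string in TXT RDATA")
        strings.append(rdata[pos:pos + n])
        pos += n
    return strings


def txt_value(rdata: bytes) -> bytes:
    """Recover the logical value: all character-strings concatenated in order.
    Reading only strings[0] would drop everything past byte 255."""
    return b"".join(decode_txt_rdata(rdata))


# Constructed sample: a base64 blob roughly the size of an inclusion proof
# with several Merkle hashes, long enough to need more than one string.
SAMPLE = base64.b64encode(bytes(range(256)) * 2)  # 684 characters
```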
