On Fri, Sep 02, 2016 at 04:36:26PM -0000, John Levine wrote:
> >I'd argue to ditch the two-level thing and go to one,
> >e.g. "mta-sts.example.com" or whatever string you like
> >for that hostname.
>
> You might want to pass that by dnsop and see how much heartburn a
> reserved hostname is going to cause.
>
> For this application, I don't see any alternative since there
> are apparently too many systems that haven't been upgraded
> since SRV was introduced 20 (yes really) years ago.
>
> But I can promise you there will be pushback and not ridiculous
> suggestions that since this is a new service and it is exactly the
> sort of thing that SRV was invented for, use it.
SRV cannot be used here, because presumptively DNSSEC is not in
use, and thus the client's reference identifier for the STS policy
server must be deterministically constructed from the nexthop
domain.
I had suggested the simpler approach of using the domain itself
with no prefix, but apparently folks don't want to have to tie this
service to the zone apex.
So some sort of fixed prefix seems unavoidable.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
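To make the reference-identifier argument in Viktor's reply concrete, here is an added illustration (not code from the thread, the UTA working group, or any MTA-STS implementation). It assumes the `mta-sts.` prefix proposed in the quoted message and models the client side only: deriving the policy host deterministically from the next-hop domain, matching it against a certificate's DNS-IDs with RFC 6125-style rules, and, for contrast, the check a client would be reduced to if it trusted an unsigned SRV target. The SAN lists and the forged SRV target are constructed sample data.

```python
import re

# One DNS label: letters, digits and hyphens, 1..63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def policy_host(nexthop_domain: str, prefix: str = "mta-sts") -> str:
    """Derive the STS policy host from the next-hop domain with no DNS lookup.

    Without DNSSEC the client cannot trust any hostname that arrives in a DNS
    answer, so the only name it can safely authenticate the policy server
    against is one it computes itself from the domain it already intends to
    deliver to.  The prefix is a fixed string, not something looked up.
    """
    domain = nexthop_domain.rstrip(".").lower()
    labels = domain.split(".")
    if not domain or any(not _LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a valid hostname: {nexthop_domain!r}")
    return f"{prefix}.{domain}"


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one certificate DNS-ID against a reference identifier.

    Case-insensitive, label-by-label.  A wildcard is honoured only when it is
    the entire left-most label and at least two labels follow it, so
    '*.example.com' matches 'mta-sts.example.com' but '*.com' matches nothing
    and 'mta-sts.*.com' is treated as a literal (and therefore fails).
    """
    p = presented.rstrip(".").lower().split(".")
    r = reference.rstrip(".").lower().split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


def certificate_matches_policy_host(san_dns_names, nexthop_domain: str) -> bool:
    """The check a client can make with a deterministically derived name."""
    reference = policy_host(nexthop_domain)
    return any(dns_id_matches(name, reference) for name in san_dns_names)


def srv_derived_check(srv_target: str, san_dns_names) -> bool:
    """What validation degenerates to if the reference identifier is taken
    from an unsigned SRV answer: whoever forged the answer also chose the
    name, and can simply hold a legitimately issued certificate for it."""
    return any(dns_id_matches(name, srv_target) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed sample data: the honest policy server's SAN list and an
    # attacker's certificate for a domain the attacker really controls.
    honest_sans = ["mta-sts.example.com", "www.example.com"]
    attacker_sans = ["mta-sts.attacker.example"]

    # An attacker who can spoof plain DNS returns this as the SRV target.
    forged_srv_target = "mta-sts.attacker.example"

    print("policy host for example.com:", policy_host("example.com"))
    print("honest cert, derived name:  ",
          certificate_matches_policy_host(honest_sans, "example.com"))
    print("attacker cert, derived name:",
          certificate_matches_policy_host(attacker_sans, "example.com"))
    print("attacker cert, SRV target:  ",
          srv_derived_check(forged_srv_target, attacker_sans))
```

The last two lines of the demo are the point of the argument: against the derived name `mta-sts.example.com` the attacker's certificate fails, while against a forged SRV target it passes, because the attacker's certificate is genuinely valid for the name the attacker chose. Only a signed (DNSSEC) SRV answer would let the client treat the target as a trustworthy reference identifier.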