>> So how about if we put in a note saying that the host that the SRV
>> points to better be a subdomain of the original, or clients are going
>> to be reluctant to believe it.
>> 
>> Yes, that's still a kludge, but it doesn't cause the mandatory
>> collisions that a reserved hostname does.
>
>That runs afoul of the need to not delegate policy to untrusted
>nodes somewhere in one's own domain tree.  Some service operators
>dole-out leaf nodes to "strangers".  Universities may delegate
>sub-domains to departments, that might employ their dedicated IT
>staff that are not trusted by the parent organization, ...

So you're saying that if the hostname is hard coded, you somehow know
it's not delegated to someone else, but if it comes from a SRV record,
you don't?  

This really strikes me as looking for trouble.  If your system is so
poorly run that the people who are operating your subdomains are
attacking your main domain, you have worse problems than STS can
solve.

R's,
John

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
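The rule proposed in the quoted text (only follow an SRV target that lies inside the original domain's tree) is easy to get wrong with a plain string-suffix test. The check below is an added example, not code from the thread or from any UTA/STS implementation; the domain names and SRV targets are constructed samples, and `check_srv_target` is a hypothetical helper name. It compares DNS labels from the right, so `evilexample.com` is not accepted for `example.com`.

```python
"""Added example (not from the mailing-list thread): a label-aware check
that an SRV target host lies inside the policy domain's DNS tree.
All domain names below are constructed samples."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Normalise: drop trailing dot, lower-case, split into non-empty labels.
    return [label for label in name.rstrip(".").lower().split(".") if label]


def in_domain_tree(target: str, parent: str) -> bool:
    """True if target equals parent or is a proper subdomain of it.

    Comparison is label by label, so 'evilexample.com' is rejected for
    'example.com' even though a naive str.endswith() test would accept it.
    """
    t, p = _labels(target), _labels(parent)
    if not p or len(t) < len(p):
        return False
    return t[len(t) - len(p):] == p


def check_srv_target(policy_domain: str, srv_target: str) -> tuple[bool, str]:
    """Apply the proposed rule: an SRV target outside the policy domain's
    tree is reported as unverified rather than followed (hypothetical helper)."""
    if in_domain_tree(srv_target, policy_domain):
        return True, f"{srv_target} is within {policy_domain}"
    return False, f"{srv_target} is outside {policy_domain}; treat SRV as unverified"


# Constructed sample SRV answers for one policy domain.
SAMPLES = [
    ("example.com", "mail.example.com."),   # in tree (trailing dot tolerated)
    ("example.com", "EXAMPLE.COM"),         # same domain, case-insensitive
    ("example.com", "mx.cs.example.com"),   # in tree, but in a delegated subzone
    ("example.com", "evilexample.com"),     # string suffix match only; rejected
    ("example.com", "mail.example.net"),    # different domain; rejected
]

if __name__ == "__main__":
    for domain, target in SAMPLES:
        ok, msg = check_srv_target(domain, target)
        print("OK  " if ok else "WARN", msg)
```

Note that the `mx.cs.example.com` sample passes: the check is purely syntactic and says nothing about who administers `cs.example.com`, which is exactly the delegation concern raised in the quoted reply. A client relying on this rule is trusting every zone operator below the policy domain, not only the parent organisation.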