> Petr Špaček wrote:
> > That means the proposed protocol would depend on non-minimal authority
> > sections. I thought the trend nowadays is the opposite, i.e. providing
> > more and more minimal answers.
>
> Indeed! Condition 1 in 4.1 seems hard to hit, in current operational
> reality.

To bring this proposal more in line with DELEG I wonder if it should be
changed to the following:

Suppose we have

    $ORIGIN com
    customer in NS ns.provider.net.

Then a resolver will issue queries for ns.provider.net./A and
ns.provider.net./AAAA

What we could do is specify that the resolver issues an additional query
of the form _dns.ns.provider.net./SVCB

And any SVCB result is processed according to RFC 9461.

Advantages are:
- no change to authoritative software
- can be introduced locally without support from the root or TLDs.
- is secure if provider.net. is signed.

Disadvantages:
- does require an extra query from resolvers
- extra load on authoritative servers

The case where the delegation requires glue (i.e. customer NS ns.customer)
is explicitly excluded. Though resolvers that implement revalidation could
try to fetch _ns.customer/SVCB during revalidation.

_______________________________________________
DNSOP mailing list
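
As an added illustration that is not part of the original message, this Python sketch lists the queries a resolver would send under the proposal above, skipping the extra SVCB lookup when the name server name lies inside the delegated zone (the glue case the message excludes). The function names and the sample delegation are assumptions made for the example.

```python
# Added example: plan resolver queries for a delegation under the proposal.
# All names here (labels, needs_glue, plan_queries) are hypothetical.

def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def needs_glue(zone, ns_target):
    """True when the NS target is at or below the delegated zone.

    Comparison is label by label, so ns.notcustomer.com is not treated
    as being inside customer.com.
    """
    z, t = labels(zone), labels(ns_target)
    return len(t) >= len(z) and t[len(t) - len(z):] == z

def plan_queries(zone, ns_targets):
    """Return (qname, qtype) pairs a resolver would send for this delegation."""
    queries = []
    for target in ns_targets:
        fqdn = ".".join(labels(target)) + "."
        queries.append((fqdn, "A"))
        queries.append((fqdn, "AAAA"))
        # Extra SVCB query at the _dns prefix, only for out-of-zone NS names.
        if not needs_glue(zone, target):
            queries.append(("_dns." + fqdn, "SVCB"))
    return queries

if __name__ == "__main__":
    # Constructed sample delegation: one out-of-zone and one in-zone NS name.
    sample = ["ns.provider.net.", "ns.customer.com."]
    for qname, qtype in plan_queries("customer.com.", sample):
        print(qname, qtype)
```
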
