On 1 Aug 2016, at 9:17, Paul Wouters wrote:
On Mon, 1 Aug 2016, Paul Hoffman wrote:
Jakob and I think this addresses all the actionable comments we got
in WG Last Call.
You added:
9.1. Response Size
To prevent amplification attacks, an Authoritative DNS server MAY wish to prevent returning SMIMEA records over UDP unless the source IP address has been confirmed with [RFC7873]. Such servers MUST NOT return REFUSED, but answer the query with an empty answer section and the truncation flag set ("TC=1").
I do not find this text very clear. I propose:
To prevent amplification attacks, an Authoritative DNS server MAY wish to prevent returning SMIMEA records over UDP unless the source IP address has been confirmed with [RFC7873]. If a query is received via UDP without source IP address verification, the server MUST NOT return REFUSED, but answer the query with an empty answer section and the truncation flag set ("TC=1").
This seems fine; I'll queue it for the next draft after IETF Last Call.
All other issues I raised were resolved with this updated draft.
Great, thanks.
--Paul Hoffman
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
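
The UDP behaviour proposed in the thread above, sketched in Python as an added example (not code from the draft, its authors or any DNS server): an SMIMEA query whose source is not confirmed by a valid cookie gets an empty, truncated NOERROR reply instead of REFUSED. The HMAC-based server cookie, the secret, the helper names and the sample queries are assumptions constructed for illustration.

```python
import hashlib, hmac, struct

SMIMEA, OPT, COOKIE = 53, 41, 10      # RR type codes and the EDNS COOKIE option code
SECRET = b"constructed-demo-secret"   # constructed server secret (assumption)

def server_cookie(client_cookie, src_ip):
    # Assumption: HMAC-SHA256 cut to 8 bytes; RFC 7873 leaves the algorithm to the server.
    return hmac.new(SECRET, client_cookie + src_ip.encode(), hashlib.sha256).digest()[:8]

def parse_query(msg):
    """Return (end of question, QTYPE, COOKIE option data or None) for a one-question query."""
    qdcount, _, _, arcount = struct.unpack("!4H", msg[4:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while msg[pos]:                   # walk the uncompressed QNAME labels
        pos += 1 + msg[pos]
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    qend = pos = pos + 5              # root label + QTYPE + QCLASS
    cookie = None
    for _ in range(arcount):          # assumes every additional RR has the root owner name (OPT)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        rdata, pos = msg[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        while rtype == OPT and len(rdata) >= 4:
            code, olen = struct.unpack("!HH", rdata[:4])
            if code == COOKIE:
                cookie = rdata[4:4 + olen]
            rdata = rdata[4 + olen:]
    return qend, qtype, cookie

def source_verified(cookie, src_ip):
    # Only a full cookie (8-byte client part + our 8-byte server part) confirms the source.
    return (cookie is not None and len(cookie) == 16
            and hmac.compare_digest(cookie[8:], server_cookie(cookie[:8], src_ip)))

def udp_policy(msg, src_ip):
    """Return a TC=1 reply for an unverified SMIMEA query, or None to answer normally."""
    qend, qtype, cookie = parse_query(msg)
    if qtype != SMIMEA or source_verified(cookie, src_ip):
        return None
    flags = 0x8000 | 0x0200 | (struct.unpack("!H", msg[2:4])[0] & 0x7900)  # QR, TC, opcode/RD
    # RCODE stays 0 (not REFUSED); one question echoed, all other sections empty.
    return msg[:2] + struct.pack("!5H", flags, 1, 0, 0, 0) + msg[12:qend]

def make_query(name, qtype, cookie=b""):
    # Constructed sample input: one question plus an OPT RR carrying a COOKIE option.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    opt = struct.pack("!HH", COOKIE, len(cookie)) + cookie
    return (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + qname + struct.pack("!HH", qtype, 1)
            + b"\0" + struct.pack("!HHIH", OPT, 1232, 0, len(opt)) + opt)
```

The truncated reply carries only the 12-byte header and the echoed question, so it is never larger than the query and gives a spoofed source no amplification; a real client retries over TCP.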