> The reason to allow non-empty RDATA is to support servers that serve
> multiple multi-domain certificates from a single IP address, dispatched by
> SNI. This is common on CDNs and other large internet serving systems.
Oh, OK, that's helpful.
So the use case is a web server that serves a zillion domains, with the
domains grouped into clusters that share a certificate. For each cluster,
you pick one of the names as the cover name, and the SNI points to that
name. The cover name doesn't have to be in the DNS, but if it's not, that
makes it stick out like a sore thumb.
Passive DNS on the server's IP address will reveal all of the server's
names, and probes on those names to get the certs will reveal which names
are in which cluster, so all SNI reveals is which names are the cover
names.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
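As an added illustration of the inference John sketches above (this is example code written for this page, not code from the thread, the draft, or any DNSOP participant): an observer who has passive DNS for the server's IP and has probed each name for its certificate can group names into certificate clusters, and an outer SNI value then only narrows a connection down to a cluster. The passive-DNS entries, SAN lists, IP address and host names are constructed sample data, and the rule that the cover name is the alphabetically first cluster member is an assumed operator policy used only to make the example deterministic.

```python
from collections import defaultdict

# Constructed sample data: names observed in passive DNS resolving to
# one server IP address (not real hosts).
PASSIVE_DNS = {
    "203.0.113.10": {
        "blog.example", "cdn.example", "shop.example",
        "mail.example", "news.example",
    },
}

# Constructed sample data: the subjectAltName list each name presents
# when probed. Names sharing one certificate present the same SAN list.
CERT_SANS = {
    "blog.example": ("blog.example", "cdn.example", "shop.example"),
    "cdn.example":  ("blog.example", "cdn.example", "shop.example"),
    "shop.example": ("blog.example", "cdn.example", "shop.example"),
    "mail.example": ("mail.example", "news.example"),
    "news.example": ("mail.example", "news.example"),
}


def clusters_for_ip(ip, pdns=PASSIVE_DNS, sans=CERT_SANS):
    """Recover the certificate clusters behind one IP: take every name
    passive DNS maps to the IP and group the names by the SAN set of
    the certificate each one presents when probed."""
    groups = defaultdict(set)
    for name in pdns.get(ip, ()):
        groups[frozenset(sans[name])].add(name)
    # Sorted only so the result is deterministic.
    return sorted((frozenset(g) for g in groups.values()), key=sorted)


def cover_name(cluster):
    """Assumed policy: the operator picks one member of the cluster as
    the cover name. This example picks the alphabetically first one."""
    return min(cluster)


def candidates_for_sni(sni, ip, pdns=PASSIVE_DNS, sans=CERT_SANS):
    """What an observer learns from a single outer SNI value.

    Returns (candidates, in_dns): `candidates` is the set of names the
    client could actually have wanted (the whole cluster behind that
    cover name, or empty if the SNI is not a known cover name) and
    `in_dns` records whether the SNI even appears in passive DNS for
    this IP. A cover name that is not in DNS is the sore-thumb case."""
    in_dns = sni in pdns.get(ip, ())
    for cluster in clusters_for_ip(ip, pdns, sans):
        if cover_name(cluster) == sni:
            return cluster, in_dns
    return frozenset(), in_dns


if __name__ == "__main__":
    ip = "203.0.113.10"
    for cluster in clusters_for_ip(ip):
        print("cluster", sorted(cluster), "cover:", cover_name(cluster))
    for sni in ("blog.example", "mail.example", "cover.example"):
        cands, in_dns = candidates_for_sni(sni, ip)
        print(sni, "-> candidates:", sorted(cands), "in DNS:", in_dns)
```

Run stand-alone it prints the two clusters and, for each SNI, the candidate set: the cover name of a three-name cluster yields three candidates, so SNI alone does not identify the requested site, while an SNI that is absent from passive DNS yields no candidates and is immediately recognisable as a synthetic cover name.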