In message <CAMm+Lwj1JZLUh6K1ipYjW_989u6ea+tYHHps4Gavf_d=svn...@mail.gmail.com>, Phillip Hallam-Baker writes:
> On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz <bem...@google.com> wrote:
>
> > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker <
> > ph...@hallambaker.com> wrote:
> >
> >> I really don't like the proposal at all. The idea of beginning the TLS
> >> handshake in DNS is sound. But it is a completely new handshake and
> >> authentication layer.
> >>
> >
> > What you're proposing does sound like a completely new handshake.  To be
> > clear, this proposal makes no change to TLS.
> >
>
> Well there is your problem. There is little point in doing this unless you
> feed the result into the TLS handshake to follow.
>
>
> >> Right now we have a bit of a mess with service discovery. We have a solid
> >> proposal that makes sense written up as a standard
> >>
> >
> > Could you point me to which document you're referring to?
> >
>
> https://tools.ietf.org/html/rfc6763
>
>
>
> >> and we have a lot of folk saying we should do something different, either
> >> for legacy reasons or because they find it impure.
> >>
> >> The solid proposal is as follows:
> >>
> >> * Discover all services using SRV *without exception*
> >>
> >> * Use TXT records to provide additional data *that is required for
> >> discovery and binding*
> >>
> >> * TXT records may be bound to the service definition, thus covering all
> >> hosts or be bound to a specific host instance.
> >>
> >> * Domain names used for services MAY use CNAME or DNAME. Domain names
> >> that identify services MUST NOT.
> >>
> >
> > I'm not sure I understand this distinction.
> >
>
> Ooops...
>
> Domain names that identify HOSTS MUST NOT.
>
> A service is an abstract Internet service which may be provided by any
> host chosen from a group of hosts specified in an SRV record. A host is a
> physical machine.
>
> SRV records map services to hosts.
> A and AAAA records map hosts to IP addresses.
>
>
> > How many DNS and destination roundtrips does this require?  My impression
> > is that SRV records have proven unpopular in part because they generally
> > add a DNS roundtrip delay to each initial connection.
> >
>
> One if it is done right.

Zero if it is done right.  We can easily extend the DNS to say
"Fetch the additional record for the SRV records before answering"
if you have this EDNS option present or just have the server do it
without the option.  There is nothing preventing a recursive server
just doing this today.

This is the essential difference between a CNAME and SRV records
as far as browser vendors are concerned.  Waiting for the "full"
answer rather than returning a partial answer when there are no
cached address records.

We already have RFCs that say go lookup missing data before constructing
a response.  We do this for DNS64.  We do this for CNAME.

If the SRV prefix is _http._tcp or _https._tcp then the recursive
server SHOULD fetch any missing additional address records for the
SRV server including CNAME records if the server name maps to a
CNAME and add them to the additional section prior to returning the
response.  You could even just do this for all SRV lookups.

An RFC saying something like this would solve the SRV issue over the
long term as recursive servers get replaced.  Unfortunately browser
vendors don't seem to want to say "yes, we will add SRV support if
you change the DNS to do this".

And if they have an issue with the prefix one can allocate a new TYPE(s)
for class IN that does the same as SRV records but is for http and https.

Service to address can be done with a single lookup and can include the
TLSA records as well.

This is a server that prefetches missing additional data and knows
about looking up TLSA records.  You will notice that the additional
section gets populated just by the client looking up MX records.  If
you ask with DO=1 you can even get validatable results.

Mark

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50368
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 5d5611ff91b234cea8fc5d2858ab99833bfd56c3a5adef30 (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7200    IN      MX      20 mx.ams1.isc.org.
isc.org.                7200    IN      MX      10 mx.pao1.isc.org.
isc.org.                7200    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; Query time: 2435 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:03 EST 2017
;; MSG SIZE  rcvd: 279

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47874
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 577d2fa83b7277682a8675f358ab9986654bdc6b80e4161c (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7197    IN      MX      20 mx.ams1.isc.org.
isc.org.                7197    IN      MX      10 mx.pao1.isc.org.
isc.org.                7197    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.        3599    IN      A       149.20.64.53
mx.pao1.isc.org.        3599    IN      RRSIG   A 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ 
DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO 
tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:06 EST 2017
;; MSG SIZE  rcvd: 467

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64268
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: eb9c5203e623a5489e068cae58ab9988f7a5f11cc716a2df (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7195    IN      MX      10 mx.pao1.isc.org.
isc.org.                7195    IN      MX      20 mx.ams1.isc.org.
isc.org.                7195    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.        3597    IN      A       149.20.64.53
mx.pao1.isc.org.        3598    IN      AAAA    2001:4f8:0:2::2b
mx.pao1.isc.org.        3597    IN      RRSIG   A 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ 
DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO 
tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.        3598    IN      RRSIG   AAAA 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj 
WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ 
tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:08 EST 2017
;; MSG SIZE  rcvd: 667

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6978
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 1a50a8309bac059e81215eed58ab998ad77ca4375f67865f (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7193    IN      MX      10 mx.pao1.isc.org.
isc.org.                7193    IN      MX      20 mx.ams1.isc.org.
isc.org.                7193    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.        3595    IN      A       149.20.64.53
mx.pao1.isc.org.        3596    IN      AAAA    2001:4f8:0:2::2b
mx.pao1.isc.org.        3595    IN      RRSIG   A 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ 
DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO 
tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.        3596    IN      RRSIG   AAAA 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj 
WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ 
tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3598  IN      RRSIG   TLSA 5 6 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El 
cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 
1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
_25._tcp.mx.pao1.isc.org. 3598  IN      TLSA    3 0 1 
71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:10 EST 2017
;; MSG SIZE  rcvd: 895

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50265
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 1143a155c849920e213ee6cf58ab998f2fc22d8d9cdeb566 (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7188    IN      MX      10 mx.pao1.isc.org.
isc.org.                7188    IN      MX      20 mx.ams1.isc.org.
isc.org.                7188    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.        3590    IN      A       149.20.64.53
mx.ams1.isc.org.        3597    IN      A       199.6.1.65
mx.pao1.isc.org.        3591    IN      AAAA    2001:4f8:0:2::2b
mx.pao1.isc.org.        3590    IN      RRSIG   A 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ 
DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO 
tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.        3591    IN      RRSIG   AAAA 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj 
WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ 
tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3593  IN      RRSIG   TLSA 5 6 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El 
cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 
1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
mx.ams1.isc.org.        3597    IN      RRSIG   A 5 4 3600 20170322234059 
20170220234059 13926 ams1.isc.org. 
AWHYspeFvJNWrYl78Q4XNnrhIFTUgYS40RUD8tYK0lJ/cIm61yMVzfSJ 
5goMRIDXGDBFCAhkNoh7Ld09hfxI4rP6p0pxSRZIbuBj/CQDQ9e8/Wry 
o4WfRnKajj80/aU4p+68JNg8Fy92s2s/MWqsfBbtJ35Bubc4Qq33rvTE YYE=
_25._tcp.mx.pao1.isc.org. 3593  IN      TLSA    3 0 1 
71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:15 EST 2017
;; MSG SIZE  rcvd: 1083

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 0d0910d171a5c357fa78b5e458ab999a280908b6527ae8bb (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7177    IN      MX      10 mx.pao1.isc.org.
isc.org.                7177    IN      MX      20 mx.ams1.isc.org.
isc.org.                7177    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.        3579    IN      A       149.20.64.53
mx.ams1.isc.org.        3586    IN      A       199.6.1.65
mx.pao1.isc.org.        3580    IN      AAAA    2001:4f8:0:2::2b
mx.ams1.isc.org.        3589    IN      AAAA    2001:500:60::65
mx.pao1.isc.org.        3579    IN      RRSIG   A 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ 
DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO 
tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.        3580    IN      RRSIG   AAAA 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj 
WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ 
tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3582  IN      RRSIG   TLSA 5 6 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El 
cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 
1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
mx.ams1.isc.org.        3586    IN      RRSIG   A 5 4 3600 20170322234059 
20170220234059 13926 ams1.isc.org. 
AWHYspeFvJNWrYl78Q4XNnrhIFTUgYS40RUD8tYK0lJ/cIm61yMVzfSJ 
5goMRIDXGDBFCAhkNoh7Ld09hfxI4rP6p0pxSRZIbuBj/CQDQ9e8/Wry 
o4WfRnKajj80/aU4p+68JNg8Fy92s2s/MWqsfBbtJ35Bubc4Qq33rvTE YYE=
mx.ams1.isc.org.        3589    IN      RRSIG   AAAA 5 4 3600 20170322234059 
20170220234059 13926 ams1.isc.org. 
RsCprRb3PCx0I6U5H+F5QVGNZhg978B1UJCHP/OEoZ8tK0cPZFyiXKk/ 
BhKeW9QjuDPWg2oYEXYmggowvMy3lWxlOODA161vD1DPaaS79lxCSp19 
4GRmdl1146FYZD+jFi2OHsOpn2cTcXtw4bAK4KG9YiFytOBEftD58q3B h+g=
_25._tcp.mx.pao1.isc.org. 3582  IN      TLSA    3 0 1 
71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:26 EST 2017
;; MSG SIZE  rcvd: 1283

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58776
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9a370fc4fe12b2f891fb40ef58ab9a32f9725da6e638d98c (good)
;; QUESTION SECTION:
;isc.org.                       IN      MX

;; ANSWER SECTION:
isc.org.                7025    IN      MX      20 mx.ams1.isc.org.
isc.org.                7025    IN      MX      10 mx.pao1.isc.org.
isc.org.                7025    IN      RRSIG   MX 5 2 7200 20170322234053 
20170220234053 13953 isc.org. 
gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd 
AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc 
mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.        3427    IN      A       149.20.64.53
mx.ams1.isc.org.        3434    IN      A       199.6.1.65
mx.pao1.isc.org.        3428    IN      AAAA    2001:4f8:0:2::2b
mx.ams1.isc.org.        3437    IN      AAAA    2001:500:60::65
mx.pao1.isc.org.        3427    IN      RRSIG   A 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ 
DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO 
tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.        3428    IN      RRSIG   AAAA 5 4 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj 
WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ 
tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3430  IN      RRSIG   TLSA 5 6 3600 20170322234239 
20170220234239 56778 pao1.isc.org. 
VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El 
cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 
1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
mx.ams1.isc.org.        3434    IN      RRSIG   A 5 4 3600 20170322234059 
20170220234059 13926 ams1.isc.org. 
AWHYspeFvJNWrYl78Q4XNnrhIFTUgYS40RUD8tYK0lJ/cIm61yMVzfSJ 
5goMRIDXGDBFCAhkNoh7Ld09hfxI4rP6p0pxSRZIbuBj/CQDQ9e8/Wry 
o4WfRnKajj80/aU4p+68JNg8Fy92s2s/MWqsfBbtJ35Bubc4Qq33rvTE YYE=
mx.ams1.isc.org.        3437    IN      RRSIG   AAAA 5 4 3600 20170322234059 
20170220234059 13926 ams1.isc.org. 
RsCprRb3PCx0I6U5H+F5QVGNZhg978B1UJCHP/OEoZ8tK0cPZFyiXKk/ 
BhKeW9QjuDPWg2oYEXYmggowvMy3lWxlOODA161vD1DPaaS79lxCSp19 
4GRmdl1146FYZD+jFi2OHsOpn2cTcXtw4bAK4KG9YiFytOBEftD58q3B h+g=
_25._tcp.mx.ams1.isc.org. 3448  IN      RRSIG   TLSA 5 6 3600 20170322234059 
20170220234059 13926 ams1.isc.org. 
IFlqqd2rOCNA/9lj++bw1UnlpwpvNE4AcgFpNj1JFwhHUvW6lbEWBjVY 
nYraYR1OMypOC+GxFxpxiSfTo+17V9j+PomD4tj7HeFVJNDteE1Uqqs9 
iSfFj6pdtKK+DkA04svaO2CIKLONd/TabDb2f8fOMa7AFH/H6cSN69Qt uz4=
_25._tcp.mx.pao1.isc.org. 3430  IN      TLSA    3 0 1 
71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
_25._tcp.mx.ams1.isc.org. 3448  IN      TLSA    3 0 1 
5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:38:58 EST 2017
;; MSG SIZE  rcvd: 1511

[rock:~/git/bind9-marka] marka% 



> You are going to want to lock down your client to resolver DNS and you
> might as well fix the protocol at the same time. That is why standardizing
> on DNS-SD for everything is the way to go.
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
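
The message above argues that a client can go from a service name to addresses and TLSA data in a single lookup, provided the recursive server fills the additional section and the data is signed. The following is an added example, not code from the original message or from BIND: it audits a constructed SRV response (example.net names, documentation addresses and placeholder RDATA are assumptions) and reports, per SRV target, which records a client would still have to fetch and which arrived without a covering RRSIG.

```python
# Constructed sample data laid out like dig's ANSWER and ADDITIONAL sections.
# Names, addresses and the "(sig)"/"(hash)" placeholders are not real records.
ANSWER = """\
_https._tcp.example.net. 7200 IN SRV 10 0 443 a.example.net.
_https._tcp.example.net. 7200 IN SRV 20 0 443 b.example.net.
_https._tcp.example.net. 7200 IN RRSIG SRV 5 4 7200 (sig)
"""
ADDITIONAL = """\
a.example.net. 3600 IN A 192.0.2.10
a.example.net. 3600 IN RRSIG A 5 3 3600 (sig)
a.example.net. 3600 IN AAAA 2001:db8::10
a.example.net. 3600 IN RRSIG AAAA 5 3 3600 (sig)
_443._tcp.a.example.net. 3600 IN TLSA 3 0 1 (hash)
_443._tcp.a.example.net. 3600 IN RRSIG TLSA 5 5 3600 (sig)
b.example.net. 3600 IN A 192.0.2.20
"""

def parse(section):
    """Return (rrsets, signed) as sets of (owner, type) pairs.

    'signed' holds the pairs for which an RRSIG covering that type is present.
    """
    rrsets, signed = set(), set()
    for line in section.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype = f[0].lower(), f[3]
        if rtype == "RRSIG":
            signed.add((owner, f[4]))  # f[4] is the type covered
        else:
            rrsets.add((owner, rtype))
    return rrsets, signed

def srv_targets(section):
    """Yield (port, target) for each SRV record in an answer section."""
    for line in section.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "SRV":
            yield int(f[6]), f[7].lower()

def audit(answer, additional):
    """Per SRV target: records absent from the additional section, and
    records present without a covering RRSIG (not validatable by the client).

    An absent type may simply not exist; this sketch cannot tell the two apart.
    """
    rrsets, signed = parse(additional)
    report = {}
    for port, target in srv_targets(answer):
        wanted = [(target, "A"), (target, "AAAA"),
                  (f"_{port}._tcp.{target}", "TLSA")]
        report[target] = {
            "missing": [w for w in wanted if w not in rrsets],
            "unsigned": [w for w in wanted if w in rrsets and w not in signed],
        }
    return report

if __name__ == "__main__":
    for target, result in audit(ANSWER, ADDITIONAL).items():
        print(target, result)
```

A target with empty `missing` and `unsigned` lists corresponds to the final dig run in the message, where addresses, TLSA and their RRSIGs all arrive with the first answer.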
