On Sun, Jun 30, 2019 at 4:09 AM Ralf Weber <d...@fl1ger.de> wrote:

> On 30 Jun 2019, at 1:01, Paul Hoffman wrote:
>
> >> Should there be a fallback (TXT)?
> >
> > I'm not sure how that would help if it can't be configured due to
> > address issues.
>
> DNS proxies can forward stuff and you could put wildcard answers on the
> link local/RFC1918 addresses. So you could actually make it work.

This is an interesting idea, but plenty of forwarders aren't on RFC 1918 addresses. To work through forwarders and complex server deployments, I think we would have to go even further, e.g. recommending that participating resolvers respond to _all_ RESINFO queries, whether or not the address matches their own.

If that doesn't seem appealing, I think we'd be better off reverting to the "-00" draft's approach of using "resolver-info.arpa". The change to <rev-ip>.in-addr.arpa was made to enable secure validation of the resolver info, in cases where the original IP address was delivered securely (i.e. trusted DHCP). For those use cases, I think we would be better off defining a DHCP option to deliver the I-JSON blob over DHCP alongside the IP address.

--Ben

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
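
An added sketch, not part of the original message or of the draft, that models the answering options discussed in this thread and shows which of them still deliver resolver info when the client's configured address is a forwarder. The policy names, function names and sample addresses are hypothetical, only IPv4 is modelled, and the forwarder is assumed to relay the query unchanged.

```python
import ipaddress

FIXED_NAME = "resolver-info.arpa."  # fixed name of the "-00" approach
# RFC 1918 plus IPv4 link-local, listed explicitly (constructed for this model)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def reverse_name(addr):
    """<rev-ip>.in-addr.arpa name for the address the client was configured with."""
    return ipaddress.IPv4Address(addr).reverse_pointer + "."

def address_of(qname):
    """Recover the IPv4 address from an in-addr.arpa name, or None."""
    suffix = ".in-addr.arpa."
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None

def resolver_answers(policy, own_addr, qname):
    """Does the real resolver at own_addr answer a RESINFO query for qname?"""
    if policy == "fixed-name":
        return qname == FIXED_NAME
    target = address_of(qname)
    if target is None:
        return False
    own = ipaddress.IPv4Address(own_addr)
    if policy == "own-address":        # answer only for the resolver's own IP
        return target == own
    if policy == "private-wildcard":   # also answer for any RFC 1918/link-local IP
        return target == own or any(target in net for net in PRIVATE_NETS)
    if policy == "any-address":        # answer all RESINFO queries
        return True
    raise ValueError(f"unknown policy: {policy}")

def client_gets_info(policy, configured_addr, resolver_addr):
    """The client only knows configured_addr, which may be a forwarder."""
    qname = FIXED_NAME if policy == "fixed-name" else reverse_name(configured_addr)
    return resolver_answers(policy, resolver_addr, qname)

if __name__ == "__main__":
    resolver = "198.51.100.53"                   # constructed sample addresses
    for fwd in ("192.168.1.1", "203.0.113.1"):   # RFC 1918 vs non-RFC 1918 forwarder
        for policy in ("own-address", "private-wildcard", "any-address", "fixed-name"):
            print(fwd, policy, client_gets_info(policy, fwd, resolver))
```
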