On Sep 20, 2020, at 4:45 PM, Tony Finch <d...@dotat.at> wrote:
>
> Paul Hoffman <paul.hoff...@icann.org> wrote:
>>
>> At this point, the only information we defined in the draft is for doing
>> client subnet.
>
> Why can't you just send client-subnet in a request and look at the answer?
That assumes that an attacker in the middle has not removed the answer. The indicator that we used as an initial idea for the capability would be signed, meaning that the resolver would expect a client subnet response and could act if it didn't get one. This is one of the reasons we chose using an RRtype over using EDNS0 for the capabilities (also: it is cacheable). Others seem to not want those features for capabilities.

--Paul Hoffman
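As an added illustration of the point made above (this is not code from the draft or from anyone in the thread), a small Python model of why a signed capability record lets a resolver notice a stripped client-subnet answer where a plain probe cannot. The capability record layout, the zone name, and the HMAC standing in for a DNSSEC-style signature are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a DNSSEC-style signature. A real resolver would
# validate an RRSIG against the zone's DNSKEY; a keyed HMAC is used here only
# so the model runs offline without any DNS infrastructure.
ZONE_KEY = b"constructed-zone-key"

def sign_capability(name: str, caps: frozenset) -> bytes:
    msg = name.encode() + b"|" + ",".join(sorted(caps)).encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).digest()

@dataclass
class Response:
    answers: list
    ecs_present: bool                     # EDNS client-subnet option echoed back?
    capability: frozenset = frozenset()   # hypothetical signed capability RRset
    capability_sig: bytes = b""

def authoritative(query_ecs: bool) -> Response:
    # Hypothetical authoritative server: answers, echoes ECS when asked, and
    # publishes a signed capability record advertising client-subnet support.
    caps = frozenset({"client-subnet"})
    return Response(answers=["192.0.2.1"], ecs_present=query_ecs,
                    capability=caps,
                    capability_sig=sign_capability("example.", caps))

def strip_ecs(resp: Response) -> Response:
    # An on-path party removing the unsigned EDNS0 option. The signed
    # capability record cannot be changed without invalidating the signature.
    return Response(resp.answers, False, resp.capability, resp.capability_sig)

def probe_approach(resp: Response) -> str:
    # "Send client-subnet and look at the answer": a missing option is
    # indistinguishable from a server that simply does not support ECS.
    return "ecs-supported" if resp.ecs_present else "ecs-unsupported"

def signed_capability_approach(resp: Response) -> str:
    # Verify the capability record first; then compare what it promises with
    # what actually arrived, so a stripped option becomes a detectable event.
    expected = sign_capability("example.", resp.capability)
    if not hmac.compare_digest(expected, resp.capability_sig):
        return "capability-invalid"
    if "client-subnet" in resp.capability and not resp.ecs_present:
        return "ecs-stripped"   # resolver can act: retry, alert, or refuse
    return "ecs-supported" if resp.ecs_present else "ecs-unsupported"
```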
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop