On 08. 04. 21 16:39, Ben Schwartz wrote:
Thanks for the feedback, Petr. I think the easiest solution is to relax the requirement language. I've proposed a change here: https://github.com/MikeBishop/dns-alt-svc/pull/313 <https://github.com/MikeBishop/dns-alt-svc/pull/313>
Copying the diff here:
- Recursive resolvers SHOULD treat the SvcParams portion of the SVCB RR - as opaque and SHOULD NOT try to alter their behavior based - on its contents. + Recursive resolvers MAY treat the SvcParams portion of the SVCB RR + as opaque. No part of this specification requires recursive resolvers + to alter their behavior based on its contents, even if the contents are + invalid.
This addresses my concern, thank you! Petr Špaček
On Thu, Apr 8, 2021 at 3:55 AM Petr Špaček <pspa...@isc.org <mailto:pspa...@isc.org>> wrote:On 18. 03. 21 21:53, Tim Wicinski wrote: > > This starts a Working Group Last Call for draft-ietf-dnsop-svcb-https > > Current versions of the draft is available here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/ <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/> > <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/ <https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/>> > > The Current Intended Status of this document is: Proposed Standard > > Please review the draft and offer relevant comments. > If this does not seem appropriate please speak out. > If someone feels the document is *not* ready for publication, please > speak out with your reasons. > > This starts a two week Working Group Last Call process, and ends on: 2 > April 2021 I realize I'm already late, but I think this is worth raising with the WG: Version -04 contains this: 4.3. General requirements Recursive resolvers SHOULD treat the SvcParams portion of the SVCB RR as opaque and SHOULD NOT try to alter their behavior based on its contents. When responding to a query that includes the DNSSEC OK bit ([RFC3225]), DNSSEC-capable recursive and authoritative DNS servers MUST accompany each RRSet in the Additional section with the same DNSSEC-related records that they would send when providing that RRSet as an Answer (e.g. RRSIG, NSEC, NSEC3). The catch is that this "SHOULD NOT ... alter behavior" goes against RPZ and any other filtering technique employed by the resolver. As a specific example, operators are already asking resolver vendors to treat ipv4hint and ipv6hint the same way as A/AAAA for purposes of the "Response IP Address" Trigger in the context of RPZ filters. (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3 <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3>) Does WG want to say anything in the HTTPS draft or leave it to the imagination of vendors? In my eyes, 4.3 "SHOULD NOT ... alter behavior" is unnecessary for interoperability, so I think clarification is needed to make it clear that local policy on resolver overrides "SHOULD NOT alter" instruction in section 4.3. General requirements _if_ resolver operator deems necessary. Let me be clear: It would not be very reasonable to believe that HTTPS RR will be in practice allowed to work as a loophole to A/AAAA filtering on resolvers, so the question is if WG prefers to have it mentioned in the RFC text or not.-- Petr Špaček
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
