On Mon, 17 Jul 2023, Shumon Huque wrote:
> * Verifiers can't query for the specific data they need from the DNS. They need to get a potentially large blob of data and look for what is applicable to them by examining the rdata for each record in the RRset. This is not a new issue. It is the well-known record subtyping problem that was advised against in RFC 5507 (IAB; "Design Choices When Expanding the DNS"). That advice was targeted to new RR type design, but it applies just as well to this type of use of TXT RDATA resident at the same name.
Agreed, but that horse had already left the barn when we published the first SPF RFC 4408.
> * You can't delegate the (application specific) domain validation record to a 3rd party.
>
> * Even if you don't delegate the name to another party, you may have a shared DNS zone where you need to be able to provide record-level permissions to the specific team that is responsible for the application in question. This can't be done if all the apps share the same domain name.
Both good points, worth mentioning in the draft.

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
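An added illustration of the two points above (not from the thread or from the draft): it uses RFC 1035 wire sizes to compare a constructed apex TXT RRset holding an SPF policy plus 16 providers' verification tokens against one token under its own hypothetical `_vendora-challenge` label, and shows the per-subtype scan a verifier is forced into when every application shares the apex name. All names, tokens and the provider count are constructed.

```python
# Added example, not from the thread: models the "large blob" cost of application
# tokens sharing one TXT RRset at the zone apex versus a per-application name.
# All names and tokens below are constructed; sizes follow RFC 1035.

def name_wire(name):
    """Uncompressed owner name: one length octet per label plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def txt_rdata_len(text):
    """TXT RDATA is one or more <len><chars> character-strings of at most 255 octets."""
    data = text.encode("ascii")
    chunks = max(1, -(-len(data) // 255))   # ceil division; an empty string is one zero-length chunk
    return len(data) + chunks

def txt_answer_size(qname, texts):
    """Bytes of a minimal response: 12-octet header, question, and one TXT RR per string.
    Each RR owner name is a 2-octet compression pointer to the question name;
    TYPE, CLASS, TTL and RDLENGTH add another 10 octets before the RDATA."""
    header_and_question = 12 + name_wire(qname) + 4
    return header_and_question + sum(12 + txt_rdata_len(t) for t in texts)

def select_app_record(texts, prefix):
    """What a verifier must do with shared TXT: scan every record for its own subtype."""
    return [t for t in texts if t.startswith(prefix)]

# Constructed apex RRset: an SPF policy plus 16 providers' verification tokens.
APEX_TXT = ["v=spf1 include:_spf.example.net -all"] + [
    f"vendor{chr(97 + i)}-site-verification={'a' * 43}" for i in range(16)
]
# Constructed scoped alternative: one provider's token under its own underscore label.
# That name can be delegated (CNAME/NS) or ACL'd per team without touching the apex RRset.
SCOPED_TXT = ["a" * 43]

if __name__ == "__main__":
    apex = txt_answer_size("example.com.", APEX_TXT)
    scoped = txt_answer_size("_vendora-challenge.example.com.", SCOPED_TXT)
    print(f"apex TXT answer: {apex} bytes; scoped answer: {scoped} bytes")
    print("records a vendora verifier must scan at the apex:", len(APEX_TXT))
    print("records it actually needs:", len(select_app_record(APEX_TXT, "vendora-")))
```

With these constructed values the apex answer is 1390 bytes, past the 1232-byte EDNS buffer size commonly recommended since DNS Flag Day 2020, while the scoped answer is 104 bytes and contains nothing but the one record the verifier wants.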