On Fri, 10 May 2024, Paul Wouters wrote:
> On May 10, 2024, at 05:36, jab...@strandkip.nl wrote:
>> I'm interested in where this guidance comes from.
>> RFC 2782 to me is the grandfather of underscore labels, and it pretty much goes
>> out of its way to encourage a hierarchy of underscore labels to anchor SRV
>> records under, e.g. under _tcp.name and _udp.name.
>
> But if you look at more recent RFCs such as TLSA records, it is narrowed to one
> specific protocol and port, e.g. _25._tcp.mx.nohats.ca

But this isn't the same thing. The two tags on SRV and TLSA records are
consecutive labels on single records.

As you are both surely aware because you have read the draft, in this
case, the _signal record sits atop an entire subtree, e.g.

    _dsboot.example.co.uk._signal.ns1.example.net
    _dsboot.example.co.uk._signal.ns2.example.org

means that the name servers ns1.example.net and ns2.example.org have
bootstrap info for example.co.uk. Since parent scanning for every
possible combination of NS and domain would be rather slow, the draft has
suggestions such as putting the _signal name in a separate zone that
parents can walk with NSEC. There might be other tags than _dsboot for
things like synchronizing multi-provider DNS updates, but it's all DNSSEC.

Needless to say, this is quite DNSSEC specific and even if someone invents
some other thing that uses two domain names in a similar way, it's
unlikely that you'd want to put it all in the same zone. So I hope we
agree to call it _dnssec or something like that.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
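
The name layout described in the message above, as an added example that is not part of the original e-mail or the draft: it composes and splits names of the form `<tag>.<child>._signal.<nameserver>`, showing that one owner name carries two domain names. The helper names are hypothetical, and the parser assumes nameserver host names contain no underscore labels.

```python
# Added illustration; helper names are hypothetical, not taken from the draft.
SIGNAL = "_signal"

def _labels(name):
    """Split a presentation-format name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def build_signal_name(tag, child, nameserver):
    """Compose <tag>.<child>._signal.<nameserver>, enforcing DNS size limits."""
    labels = [tag.lower()] + _labels(child) + [SIGNAL] + _labels(nameserver)
    if any(not l or len(l) > 63 for l in labels):
        raise ValueError("empty or over-long label")
    # Wire length: one length octet per label plus the root octet.
    if sum(len(l) + 1 for l in labels) + 1 > 255:
        raise ValueError("signaling name exceeds 255 octets")
    return ".".join(labels) + "."

def parse_signal_name(name):
    """Return (tag, child, nameserver) from a signaling name.

    Assumption: nameserver host names contain no underscore labels, so the
    last _signal label is the separator between the two embedded names.
    """
    labels = _labels(name)
    if not labels[0].startswith("_"):
        raise ValueError("first label is not an underscore tag")
    idx = len(labels) - 1 - labels[::-1].index(SIGNAL)  # ValueError if absent
    child, ns = labels[1:idx], labels[idx + 1:]
    if not child or not ns:
        raise ValueError("missing child or nameserver name")
    return labels[0], ".".join(child) + ".", ".".join(ns) + "."

def signaling_names(tag, child, nameservers):
    """One signaling name per nameserver of the child."""
    return [build_signal_name(tag, child, ns) for ns in nameservers]

if __name__ == "__main__":
    # Names taken from the message; the NS list is the pair it mentions.
    for n in signaling_names("_dsboot", "example.co.uk",
                             ["ns1.example.net", "ns2.example.org"]):
        print(n, "->", parse_signal_name(n))
```

The 255-octet check matters here because the child name and the nameserver name share a single owner name, so long names on either side can make the signaling name unrepresentable.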