I'm going to try to answer a few of these, John, as acting Document
Shepherd, herder of author kittens.

On Tue, Jul 9, 2024 at 5:23 PM John Levine <jo...@taugh.com> wrote:

> It appears that Tim Wicinski  <tjw.i...@gmail.com> said:
> >This is one of those DNSOP documents that may not be relevant to those who
> >implement DNS, or those who operate DNS infrastructure. It is relevant to
> >Applications that use the DNS, and those who focus on what actually DNS
> >records exist in zones.
>
> I took a look and it is indeed greatly improved. Here are some
> implementation issues that may or may not be worth addressing:
>
> It says to put everything in a text record which is fine, but it
> doesn't say anything about how to encode it. There are two competing
> approaches. One says that the string boundaries in the record don't
> matter, so combine all of the strings into one string. The other is to
> treat each string as a token or expression, and the string boundaries
> are the token or expression boundaries. The examples suggest the
> former way, but it should say so. Alternatively, people checking
> domain verification records need to say which way they're doing it.
>

This is valid, and we had some back and forth on how the encodings should
be handled.  It seems some of the motivations were left off. I'll leave
this to the authors for confirmation.


> Wildcards can cause some annoying problems, notably that a wildcard
> will match any tagged name so queries for tagged names can get junk
> answers.
>
> A) Should verification records have a tag at the front of the data to
> identify the record type? There's plenty of prior art for this, e.g.,
> the 63 text records at stanford.edu. Or you might say that a
> sufficiently long random token in the interesting part will prevent
> false positives so there's no need.
>

Are you referring to the "token=value"? This gets discussed in the Token
Metadata section, and perhaps the document is using the assumption of
_foo-challenge.example.com makes it more relevant?


> 2) If you put records at a tagged name that is supposed to be unique
> and a query returns some junk records and some plausibly good records,
> what do you do? Use what you can? Ignore it all because you probably
> stepped on a wildcard?
>

Wildcards are brought up in Scope of Validation and Security
Considerations, but more explicit text on handling is needed.




>
> Minor nit: why are the CNAME targets quoted?  I've never seen a
> quoted target name and when I look at RFC 1034 it doesn't look
> like it's valid.
>
>
This is totally my fault.  I was going through and cleaning up the examples
(making sure if all examples say "IN TXT" or had quotes around the
TXT records), and in my focus on uniformity, I accidentally did this.  I'll
file an issue to remove this.


thanks
tim

> R's,
> John
>
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
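
Added example, not part of the thread or the draft: a verifier-side sketch of the two TXT interpretations John describes (join all character-strings, or treat each string as a token) and of the open question of what to do when an answer mixes a matching record with unrelated ones. The token value, the records and the reject_mixed policy switch are constructed for illustration.

```python
import hmac

# Constructed sample data (not from the draft or the thread).
EXPECTED = b"token=9f2c61d0a7b54e3c8d1f"      # value the verifier handed out
SPLIT = [b"token=9f2c61d0", b"a7b54e3c8d1f"]  # one TXT record, two character-strings
WHOLE = [b"token=9f2c61d0a7b54e3c8d1f"]       # one TXT record, one character-string
JUNK = [b"v=spf1 -all"]                       # unrelated TXT, the kind a wildcard can return


def candidates(strings, mode):
    """Values one TXT record can contribute under each interpretation."""
    if mode == "join":      # string boundaries are not significant
        return [b"".join(strings)]
    if mode == "tokens":    # every character-string is its own token
        return list(strings)
    raise ValueError(f"unknown mode: {mode}")


def check_rrset(rrset, expected, mode, reject_mixed):
    """Check a TXT RRset (list of records, each a list of character-strings).

    Returns (verified, good, junk). reject_mixed is a hypothetical policy
    switch: True discards the whole answer when any unrelated record is
    present, False accepts as long as one record matches.
    """
    good = sum(
        any(hmac.compare_digest(c, expected) for c in candidates(rec, mode))
        for rec in rrset
    )
    junk = len(rrset) - good
    verified = good > 0 and not (reject_mixed and junk > 0)
    return verified, good, junk


if __name__ == "__main__":
    # The same record verifies under one interpretation and fails under the other.
    for mode in ("join", "tokens"):
        print(mode, check_rrset([SPLIT], EXPECTED, mode, reject_mixed=False))
    # A mixed answer: the outcome depends entirely on the chosen policy.
    for policy in (False, True):
        print(policy, check_rrset([WHOLE, JUNK], EXPECTED, "join", policy))
```

A record published as two strings only verifies when the checker joins them, which is why the publisher and the checker have to agree on the interpretation.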
