Hi all,

On 11. 07. 24 at 10:24, Mukund Sivaraman wrote:
> The DNS works today.

I would dispute this claim. Yes, DNS seems to be mostly working, but as I understand it, the proposed document's intention is exactly to make DNS (more) working by ensuring that some DNS stuff is not produced bigger than the consumer is configured to accept.

I agree with Philip's ideas to propose both lower and upper limits for DNS stuff of any kind. Let's take - just as an illustrative example (I'd like to continue the discussion generally, and not move it to NSEC3 problematics) -- the number of NSEC3 iterations:

1) we might want to declare an upper limit X for NSEC3 iterations that an authoritative server (signer) is allowed to generate and publish

2) we might want to declare a lower limit Y for NSEC3 iterations that a validating (recursive) server is required to be able to validate (iterations <= Y ----> validate)

X and Y might differ (even by a lot, current consensus for this specific example seems to be around X=100 and Y=1) but in other (many) situations it might be reasonable to set both limits equal.

Actually, this is nothing new, for example RFC 9460 (introduction of SVCB) already introduces such a limit:

"To avoid unbounded alias chains, clients and recursive resolvers MUST impose a limit on the total number of SVCB aliases they will follow for each resolution request. This limit MUST NOT be zero, i.e., implementations MUST be able to follow at least one AliasMode record. The exact value of this limit is left to implementations."

I'd say this is the precedent that we should follow.

Libor
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
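
The alias-chain limit quoted from RFC 9460 in the message above, as an added example that is not part of the original message or of any resolver's code: a consumer follows AliasMode records up to a configured limit and fails cleanly when a published chain is longer or loops. The zone data, the function and exception names, and the default limit of 8 are assumptions made for illustration.

```python
"""Bounded SVCB AliasMode following over in-memory data (no network access)."""

# Constructed sample data: owner name -> list of (SvcPriority, TargetName).
# In RFC 9460, SvcPriority 0 marks an AliasMode record.
ZONE = {
    "www.example.": [(0, "cdn.example.")],
    "cdn.example.": [(0, "edge.example.")],
    "edge.example.": [(1, "edge-1.example.")],
    "loop-a.example.": [(0, "loop-b.example.")],
    "loop-b.example.": [(0, "loop-a.example.")],
}

# Assumption: the RFC leaves the exact value to implementations.
DEFAULT_ALIAS_LIMIT = 8


class AliasLimitExceeded(Exception):
    """The chain needs more alias hops than this consumer will follow."""


def follow_aliases(name, zone, max_aliases=DEFAULT_ALIAS_LIMIT):
    """Follow AliasMode records from `name`; return (final_name, rrset, hops)."""
    if max_aliases < 1:
        # Quoted requirement: the limit MUST NOT be zero.
        raise ValueError("alias limit must be at least 1")
    hops = 0
    while True:
        rrset = zone.get(name, [])
        targets = [target for priority, target in rrset if priority == 0]
        if not targets:
            # No alias here: ServiceMode records (or nothing) end the chain.
            return name, rrset, hops
        if hops == max_aliases:
            # Covers both over-long chains and alias loops.
            raise AliasLimitExceeded(f"gave up at {name} after {hops} aliases")
        name = targets[0]  # simplification: always take the first alias
        hops += 1


if __name__ == "__main__":
    print(follow_aliases("www.example.", ZONE))
    for start, limit in (("www.example.", 1), ("loop-a.example.", 8)):
        try:
            follow_aliases(start, ZONE, max_aliases=limit)
        except AliasLimitExceeded as exc:
            print(f"limit={limit}: {exc}")
```

With a limit of 1, the two-alias chain published for `www.example.` is not followed to its end, which is the producer and consumer mismatch the message argues both limits should prevent.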