Eliot Lear <l...@lear.ch> wrote:
    > On 23.10.2023 17:27, Michael Richardson wrote:
    >> Maybe someone else can explain it back to me in a better way.

    > The fundamental issue is this:

    >  * If you are permitting an IP address in an ACL based on a name in a
    > MUD file, the mapping to that address is valid for the greater of the
    > TTL on the name or the state of a connection, assuming you have that
    > state.  If the state isn't there and endpoints inappropriately cache
    > the name beyond TTL, That Would Be Bad.

The section involved is about why you can't go from IP address to name.
Assuming that you could make it work once, the point of the section is that
you have to keep doing it every TTL period.  It's not the TTL on the name,
but the TTL on the PTR record...

I'm just going to truncate like this (section "Too slow"):

    While subsequent connections to the same site (and subsequent packets in
    the same flow) will not be affected if the results are cached, the effects
    will be felt.
    The ACL results can be cached for a period of time given by the TTL of
    the DNS results.


--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*




_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
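The two rules discussed in this thread (an address learned from a MUD ACL name stays valid for the greater of the DNS TTL and any connection state held for it, and without state only the TTL counts) can be made concrete with a small model. The code below is an added example written for this archive page; it is not from the thread, the MUD specification or any implementation. The class names, the name `update.example.com`, the addresses, ports and the 60-second TTL are all constructed for illustration.

```python
"""Toy model of a MUD enforcement point caching name->address ACL results.

An address is permitted while the DNS answer that produced it is within its
TTL, OR (if the enforcement point keeps connection state) while a flow that
was admitted under that mapping is still open.  All names, addresses and
TTLs are constructed sample values, not taken from any real deployment.
"""

from dataclasses import dataclass, field


@dataclass
class AclEntry:
    name: str              # DNS name appearing in the MUD file's ACL
    address: str           # address that name resolved to
    dns_expiry: float      # wall-clock time at which the TTL runs out
    active_flows: set = field(default_factory=set)   # admitted 5-tuples


class NameAclCache:
    """Keeps name->address mappings derived from DNS answers."""

    def __init__(self, track_state: bool):
        # track_state=False models a stateless filter: TTL alone decides.
        self.track_state = track_state
        self.entries = {}

    def learn(self, name, address, ttl, now):
        # Record (or refresh) the mapping for ttl seconds from now.
        key = (name, address)
        if key in self.entries:
            self.entries[key].dns_expiry = now + ttl
        else:
            self.entries[key] = AclEntry(name, address, now + ttl)

    def flow_open(self, name, address, flow, now):
        # A NEW flow is admitted only if the mapping is still within TTL;
        # with state tracking we remember the flow so it can outlive the TTL.
        entry = self.entries.get((name, address))
        if entry is None or now > entry.dns_expiry:
            return False
        if self.track_state:
            entry.active_flows.add(flow)
        return True

    def flow_close(self, name, address, flow):
        entry = self.entries.get((name, address))
        if entry is not None:
            entry.active_flows.discard(flow)

    def permitted(self, name, address, flow, now):
        # Subsequent packets: allowed within TTL, or (stateful only) while
        # the flow admitted under this mapping is still open.
        entry = self.entries.get((name, address))
        if entry is None:
            return False
        if now <= entry.dns_expiry:
            return True
        return self.track_state and flow in entry.active_flows

    def expire(self, now):
        # Drop mappings whose TTL passed and that no open flow depends on.
        dead = [k for k, e in self.entries.items()
                if now > e.dns_expiry and not e.active_flows]
        for k in dead:
            del self.entries[k]
        return dead


def scenario(track_state):
    """Replays one timeline and reports each decision the filter made."""
    cache = NameAclCache(track_state)
    name, addr = "update.example.com", "192.0.2.10"      # constructed
    flow = ("192.168.1.20", 50000, addr, 443, "tcp")      # constructed
    new_flow = ("192.168.1.20", 50001, addr, 443, "tcp")  # constructed
    cache.learn(name, addr, ttl=60, now=0)
    result = {
        "admitted_at_5s": cache.flow_open(name, addr, flow, now=5),
        "packet_at_30s": cache.permitted(name, addr, flow, now=30),
        # TTL ran out at 60s; only a stateful filter keeps the open flow alive
        "same_flow_at_90s": cache.permitted(name, addr, flow, now=90),
        # a brand-new flow after the TTL needs a fresh DNS answer either way
        "new_flow_at_90s": cache.flow_open(name, addr, new_flow, now=90),
    }
    cache.flow_close(name, addr, flow)
    result["expired_after_close"] = cache.expire(now=91)
    return result


if __name__ == "__main__":
    for stateful in (True, False):
        print("stateful" if stateful else "stateless", scenario(stateful))
```

Run stand-alone it prints one line per mode; the stateful run keeps the original flow permitted after the 60-second TTL, while the stateless run drops it at the same instant a new flow would be refused, which is the distinction the quoted message draws.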
