On 06/01/2017 18:43, Wessels, Duane wrote:
> Hi Ray,
>
> The idea of "X-Forwarded-For" for DNS makes me nervous, but it is
> probably inevitable.
>
> It is of course quite similar to EDNS client subnet, except that
> there is no masking and the client cannot opt-out. Might be worth
> saying in
On Fri, Jan 06, 2017 at 06:43:30PM +, Wessels, Duane wrote:
> When a server receives the option from a non-whitelisted client, it
> MUST return a FORMERR response.
+1
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
DNSOP
For folk wondering what Ray is referring to below, I posted this to the
DPRIVE (dns-privacy@) list last night. I was originally going to CC dnsop@
but cross-posting leads to many "your message could not be delivered, you
aren't subscribed" errors. The obvious, bestest solution would just be for
> On Jan 6, 2017, at 6:49 AM, Ray Bellis wrote:
>
> Spurred on by Warren's announcement of a Docker image that uses NGINX to
> proxy TLS connections into DNS servers that don't natively support TLS,
> I've just written up this short draft describing an EDNS0 option that
> allows
On 06/01/2017 18:01, Robert Edmonds wrote:
> It can be rev'd in the same document that introduces a DNS address RR
> for that address family :-)
Fair enough!
I'll rely on you to remind me when the time comes ;-)
Ray
Ray Bellis wrote:
> Yes, that seems like a reasonable suggestion, although it would be a
> shame to have to rev the doc if another IP version should even happen to
> be introduced in the future...
It can be rev'd in the same document that introduces a DNS address RR
for that address family :-)
On 06/01/2017 17:28, Robert Edmonds wrote:
> Hi, Ray:
>
> The values used by the "IP Version" field should be specified:
>
>    IP Version: The IP protocol version number used by the client.
>
> Since the field is 4 bits long I would guess this field happens to be
> the same as the version
Ray Bellis wrote:
> Spurred on by Warren's announcement of a Docker image that uses NGINX to
> proxy TLS connections into DNS servers that don't natively support TLS,
> I've just written up this short draft describing an EDNS0 option that
> allows smart proxies to tell the backend server what the
Spurred on by Warren's announcement of a Docker image that uses NGINX to
proxy TLS connections into DNS servers that don't natively support TLS,
I've just written up this short draft describing an EDNS0 option that
allows smart proxies to tell the backend server what the original client
IP address