* Paul Wouters:

> On Wed, 21 Nov 2018, Stephen Farrell wrote:
>
>>> We currently permit >1 RR, but
>>> actually
>>> I suspect that it would be better to try to restrict this.
>>
>> Not sure we can and I suspect that'd raise DNS-folks' hackles,
>> but maybe I'm wrong.
>
> I think the SOA record is the only exception allowed (and there
> is an exception to that when doing AXFR I believe)
>
> Usually these things are defined as "pick the first DNS RRTYPE
> that satisfies you".
Not sure what you mean by that (RRTYPE?). The DNAME algorithm (RFC 6672)
only works if there is a single DNAME record for an owner name. RFC 1034
is also pretty clear that only one CNAME record is permitted per owner
name.

To be honest, I don't expect much opposition from DNS people, as long as
there is no expectation that the DNS layer is expected to reject multiple
records. If the higher-level protocol treats non-singleton RRsets as a
hard error, I expect that would be fine.

DNS treats RRsets as an atomic unit, so there is no risk here that a zone
file change ends up producing a multi-record RRset due to caching.

Thanks,
Florian

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
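An added example, not from this thread, of the "hard error" treatment described above: a client-side helper that groups the records of a DNS answer into RRsets (owner names compared case-insensitively) and rejects, rather than picks the first of, any non-singleton RRset for a type the higher-level protocol requires to be unique. The sample records are constructed, and the type name KEYS is a placeholder for whatever singleton record the protocol would define, not a real RR type.

```python
from collections import defaultdict

# Constructed sample answer section: (owner, class, type, ttl, rdata).
# "KEYS" is a hypothetical placeholder type, not a real DNS RR type.
ANSWER = [
    ("example.com.", "IN", "KEYS", 300, "keyset-A"),
    ("EXAMPLE.com.", "IN", "KEYS", 300, "keyset-B"),  # same owner, different case
    ("alias.example.com.", "IN", "CNAME", 300, "example.com."),
    ("www.example.com.", "IN", "A", 60, "192.0.2.1"),
    ("www.example.com.", "IN", "A", 60, "192.0.2.2"),
]

# Types that must be singletons: CNAME (RFC 1034), DNAME (RFC 6672),
# plus the placeholder type the higher-level protocol defines.
SINGLETON_TYPES = {"CNAME", "DNAME", "KEYS"}


def rrsets(records):
    """Group records into RRsets keyed by (owner, class, type).

    Owner names are case-insensitive in DNS, so they are lower-cased
    before grouping; the RRset is the atomic unit a resolver returns.
    """
    sets = defaultdict(list)
    for owner, rdclass, rdtype, _ttl, rdata in records:
        sets[(owner.lower(), rdclass, rdtype)].append(rdata)
    return dict(sets)


def select_singleton(records, owner, rdtype, rdclass="IN"):
    """Return the one rdata for (owner, type), or raise on a non-singleton RRset.

    This is the hard-error policy: a missing or multi-record RRset is
    rejected outright instead of "picking the first record that fits".
    """
    rdatas = rrsets(records).get((owner.lower(), rdclass, rdtype), [])
    if len(rdatas) != 1:
        raise ValueError(f"{owner} {rdtype}: expected exactly 1 RR, got {len(rdatas)}")
    return rdatas[0]


def check_singletons(records):
    """List the (owner, type) RRsets that violate the singleton rule."""
    return [(owner, rdtype)
            for (owner, _cls, rdtype), rdatas in rrsets(records).items()
            if rdtype in SINGLETON_TYPES and len(rdatas) != 1]
```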