On Fri, Sep 02, 2016 at 05:52:10PM -0000, John Levine wrote:
> >SRV cannot be used here, because presumptively DNSSEC is not in
> >use, and thus the client's reference identifier for the STS policy
> >server must be deterministically constructed from the nexthop
> >domain.
>
> So how about if we put in a note saying that the host that the SRV
> points to better be a subdomain of the original, or clients are going
> to be reluctant to believe it.
>
> Yes, that's still a kludge, but it doesn't cause the mandatory
> collisions that a reserved hostname does.

That runs afoul of the need to not delegate policy to untrusted
nodes somewhere in one's own domain tree. Some service operators
dole out leaf nodes to "strangers". Universities may delegate
sub-domains to departments, which might employ their own dedicated IT
staff who are not trusted by the parent organization, ...
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta