> On Mar 27, 2017, at 11:05 AM, Jim Fenton <[email protected]> wrote:
>
> The TXT record is more than an efficiency aid if cloaking it causes the
> policy not to be discovered at all. OTOH, if it is used just to discover
> policy updates, we wouldn't have that problem. But that would increase
> the traffic load on the HTTPS server considerably.

The phrase "the HTTPS server" hides an important assumption, namely
that there is an HTTPS server in the first place. For the majority
of domains there will (for some time) be no STS policies, and no
secure way to discover whether there should be a server or not.
Publishing an STS policy is not a requirement for SMTP, so STS
discovery is opportunistic, and for lack of DNSSEC vulnerable
to downgrades.

The cacheable TXT record is an efficient mechanism for signalling
when to try to load a (new?) policy.

If we did not want to signal expedited updates by changing the id,
the signal could be just the existence of an A record for some
"reserved" hostname in the domain, but that also runs into the issue
that reserved hostnames are not a good idea or popular at the IETF.
--
Viktor.
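The discovery logic the thread is arguing about, as an added illustration that is not code from the list or from any MTA-STS implementation: a minimal sender-side cache that treats the `_mta-sts` TXT record id as the "fetch a new policy" signal and keeps honoring a still-valid cached policy when the TXT record is missing, so a cloaked record cannot downgrade a domain that was already known to publish a policy. It assumes the TXT format `v=STSv1; id=...` and a per-policy `max_age` in seconds, as in the later RFC 8461.

```python
"""Added example: MTA-STS policy-cache decision based on the _mta-sts TXT id.

Assumptions (not from the thread): TXT record format "v=STSv1; id=<id>" and
a fetched policy carrying max_age in seconds, both as specified in RFC 8461.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Exactly one well-formed STSv1 record is expected; id is 1-32 alphanumerics.
TXT_RE = re.compile(r"^v=STSv1;\s*id=([A-Za-z0-9]{1,32})\s*;?$")


@dataclass
class CachedPolicy:
    policy_id: str     # id seen in the TXT record when the policy was fetched
    max_age: int       # lifetime in seconds, taken from the fetched policy
    fetched_at: float  # wall-clock seconds when the policy was fetched

    def expired(self, now: float) -> bool:
        return now >= self.fetched_at + self.max_age


def parse_txt_id(txt_records: List[str]) -> Optional[str]:
    """Return the id from the single _mta-sts TXT record, or None.

    Zero records, or more than one STSv1 record, counts as 'no signal'."""
    ids = [m.group(1) for r in txt_records if (m := TXT_RE.match(r))]
    return ids[0] if len(ids) == 1 else None


def decide(cached: Optional[CachedPolicy], txt_records: List[str], now: float) -> str:
    """Return 'fetch' (load policy over HTTPS), 'use-cache' or 'no-policy'."""
    txt_id = parse_txt_id(txt_records)
    if cached is None or cached.expired(now):
        # No usable cached policy: the TXT record is the only discovery signal.
        # Without DNSSEC its absence is indistinguishable from a downgrade, so
        # the best a first-time sender can do is treat it as "no policy".
        return "fetch" if txt_id else "no-policy"
    if txt_id is None:
        # TXT record cloaked or missing, but the cached policy is still valid:
        # keep applying it rather than silently dropping to opportunistic TLS.
        return "use-cache"
    # A changed id is the expedited-update signal; the same id means the
    # cached copy is current and no HTTPS fetch is needed.
    return "fetch" if txt_id != cached.policy_id else "use-cache"
```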
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta