Review by Erik Kline #85

Closed
mstojens opened this issue Jul 13, 2022 · 0 comments · Fixed by #91
@mstojens
Contributor

Internet AD comments for {draft-ietf-add-ddr-08}

CC @ekline

Comments

S2

  • I might suggest a slightly less binding wording where port 53 is
    concerned for the Unencrypted Resolver definition. Perhaps:

    "A DNS resolver using a transport without encryption, historically
    TCP or UDP port 53."

S4

  • I'd be in favor of using more RFC 8174 "SHOULD/SHOULD NOT" text in place
    of "ought [not] to". Specifically, for the text about address family
    support, consider perhaps something like:

    OLD:
    ... The Designated Resolver can support more
    address families than the Unencrypted Resolver, but it ought not to
    support fewer.

    NEW:
    ... The Designated Resolver MAY support more
    address families than the Unencrypted Resolver, but it SHOULD NOT
    support fewer.

S5, S6.3, ...

  • I wonder if it's good to require that clients MUST NOT/SHOULD NOT accept
    certificates claiming to be for resolver.arpa? This might be
    over-specifying things and/or it might be a check against some types of
    misconfigurations.