Internet AD comments for {draft-ietf-add-ddr-08}
CC @ekline
Comments
S2
I might suggest a slightly less binding wording where port 53 is
concerned for the Unencrypted Resolver definition. Perhaps:
"A DNS resolver using a transport without encryption, historically
TCP or UDP port 53."
S4
I'd be in favor of using more RFC 8174 "SHOULD/SHOULD NOT" text in place
of "ought [not] to". Specifically, for the text about address family
support, consider perhaps something like:
OLD:
... The Designated Resolver can support more
address families than the Unencrypted Resolver, but it ought not to
support fewer.
NEW:
... The Designated Resolver MAY support more
address families than the Unencrypted Resolver, but it SHOULD NOT
support fewer.
S5, S6.3, ...
I wonder if it's good to require that clients MUST NOT/SHOULD NOT accept
certificates claiming to be for resolver.arpa? This might be
over-specifying things and/or it might be a check against some types of
misconfigurations.