On 20 May 2015 at 10:54, John Levine <jo...@taugh.com> wrote:
>>Because (AIUI) DBOUND is intended to specify security-relevant zone cuts
>>*in DNS* using it to specify names that are reserved in DNS but not _in_
>>DNS might come out a little weird... but it seems like the most relevant
>>place to at least take the idea and discuss it.
>
> Sorry, that's just wrong. DBOUND has nothing whatsoever to do with
> zone cuts or reserved names. There's plenty of ambiguity about what
> we're trying to do, but neither of those are on or even near the table.

I think I used zone cuts to mean something it's not, I meant "establish separation lines in DNS that parties (like browsers, or anyone using PSL) can use to make security decisions about what is an 'open' domain hierarchy with mutually distrusting participants versus what is a 'shared' domain where all the subdomains are administratively joined." I (hope) that's closer to what DBOUND is after.

I didn't think you'd have worked with reserved names, but what I'm curious about is if there could be an easy way to put in a DBOUND record for (say) onion. with a flag meaning "This name is reserved and should not be resolved unless you know how to specifically handle it." Then if .foo gets the same treatment in N years, no client software changes are needed.

-tom

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop