Hi Jared,

Thanks a lot for your quick response.

> People have done things similar to this over the years. I remember software
> once distributed UNENCODED over sequenced DNS TXT records.
>
> It seems something like TXT would be the best way to do this, eg:
>
> dig txt 1.255.42.204.in-addr.arpa.
I might not be aware of that, but since you suggested the use of the existing TXT record, do you think the following conditions for processing these TXT RRs are also supported?

Assumption: the admin of the DNS server is different from the admins of the different zones on the DNS server.

1- If a user is the owner of the domain example.com, it must not be able to add a new TXT RR with a different reference value if and only if this reference value is not already assigned to this domain on the DNS server (prevention of a user accessing unauthorized resources). But this user should be able to add this reference TXT RR, with one of the already existing values, to its subdomains.

2- If a user is the owner of only a subdomain such as xx.example.com, then it cannot change this RR, but it can again assign it to its sub-subdomain such as yy.xx.example.com.

In other words, the owner of the DNS server can update this TXT RR (reference number), but the domain owners (any zones) on this DNS server should not be able to change it; they can, however, assign (update) the already existing assigned reference numbers to domains and subdomains inside their zones. Similarly, the subdomain owner cannot change this assigned value but can assign one or all of these reference numbers to its sub-subdomain. Just like a tree in which each node has the possibility to use what is available to it and assign it to its leaves, and this can continue until the end of the tree. This is a kind of delegation of access control to the child leaves.

If this already exists in the DNS server, I think I no longer need to suggest such an RR or the process to handle such cases. But if this process does not exist, then perhaps it is an advantage to have it.

> Nothing really stops you from putting a "Seq-01-Base64-Blob" out there.

Right, but my concern is the process behind this, which needs to be a kind of tree-based authorization.

> You might be able to use HINFO for that as well since it's designed for two
> fields already.
I will look at them.

Thanks,
Best,
Hosnieh

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
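As an added illustration of the tree-based delegation rule described in the message above (example code written for this page, not part of the thread, of any DNS server, or of a DNSOP draft): the server operator sets reference values on a zone apex, and a zone owner may only copy values it already holds onto names strictly below its own apex. The names, the `ref-N` values and the TXT presentation format are constructed assumptions.

```python
# Model of the proposed "tree-based authorization" for reference TXT RRs.
# assignments: dict mapping an owner name to the set of reference values
# currently assigned to it (constructed data structure, not a DNS server API).

def _norm(name):
    """Normalise a DNS name: lowercase, no trailing dot."""
    return name.rstrip(".").lower()

def is_descendant(name, zone):
    """True if `name` is strictly below `zone` in the DNS tree."""
    name, zone = _norm(name), _norm(zone)
    return name != zone and name.endswith("." + zone)

def server_assign(assignments, name, values):
    """Only the DNS server operator may set or change the values on a name."""
    assignments[_norm(name)] = set(values)

def delegate(assignments, owner_zone, target, values):
    """A zone/subdomain owner assigns reference values to a name in its zone.

    Permitted only when the target lies strictly below the owner's apex
    (so an owner can never change its own assigned values) and every value
    is already available to the owner, i.e. assigned to owner_zone.
    Returns True and records the assignment, or False and changes nothing.
    """
    owner_zone, target, values = _norm(owner_zone), _norm(target), set(values)
    if not is_descendant(target, owner_zone):
        return False                     # cannot touch own apex or foreign names
    available = assignments.get(owner_zone, set())
    if not values <= available:
        return False                     # would grant a value the owner lacks
    assignments[target] = values
    return True

def txt_records(assignments, name):
    """Render the assigned values as TXT RRs in zone-file presentation form."""
    name = _norm(name)
    return [f'{name}. IN TXT "ref={v}"' for v in sorted(assignments.get(name, ()))]

if __name__ == "__main__":
    a = {}
    server_assign(a, "example.com", ["ref-1", "ref-2"])          # operator
    print(delegate(a, "example.com", "xx.example.com", ["ref-1"]))      # True
    print(delegate(a, "example.com", "example.com", ["ref-3"]))         # False
    print(delegate(a, "xx.example.com", "yy.xx.example.com", ["ref-2"]))  # False
    print(txt_records(a, "xx.example.com"))
```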