[Commenting only on the technical aspect of the name structure -- discussion of whether the namespace is cluttered, pretty, intuitive, etc., is too abstract for me. Not making light of user confusion issues, just recusing myself on them.]
I would recommend that you think about how any of these proposed schemes interact with DNS wildcards. Yes, some people use wildcards with TLSA RRs, or even with CNAME RRs pointing to TLSA RRs: this allows one to express "every service on machine foo.example.org uses the same certificate" concisely.

So if one buys George's analysis of this as a role vs protocol distinction, the question becomes whether it's more useful to be able to group by roles or by protocols. That is, are you more likely to want to say "all roles for protocol foo use the same certificate", "all protocols for role foo use the same certificate", or just not allow any kind of grouping here at all. The first of these makes the most sense to me, YMMV.

Wildcards are probably also the main technical reason for caring about differences between the naming for TLSA and SRV RRs.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
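As an added illustration (not from the original post or any DNSOP draft), here is a small Python model of RFC 4592 wildcard matching over a constructed zone with placeholder TLSA digests. It shows the grouping the post describes: one wildcard CNAME at `*._tcp.foo.example.org` sends every `_<port>._tcp` name on the host to a single TLSA record, an explicit owner still wins over the wildcard, and nothing can group across protocols because `*` is only a wildcard as the leftmost label.

```python
# Added illustration, not part of the original DNSOP post: an RFC 4592-style
# wildcard lookup over a constructed zone, showing how one wildcard CNAME at
# *._tcp.foo.example.org says "every TCP service on this host uses the same
# certificate", and why _port._proto.host groups by protocol, not by port.
# TLSA rdata values are placeholders, not real certificate digests.
ZONE = {  # constructed: owner name -> (rrtype, rdata); one RR per owner
    "foo.example.org": ("A", "192.0.2.1"),
    "_tlsa.foo.example.org": ("TLSA", "3 1 1 PLACEHOLDER-HOST-SPKI"),
    "*._tcp.foo.example.org": ("CNAME", "_tlsa.foo.example.org"),
    # an explicit owner always beats the wildcard (exact match first)
    "_25._tcp.foo.example.org": ("TLSA", "3 1 1 PLACEHOLDER-SMTP-ONLY"),
}

def parent(name):
    return name.split(".", 1)[1] if "." in name else ""

def existing_names(zone):
    """Every owner plus its ancestors (empty non-terminals exist too)."""
    names = set()
    for owner in zone:
        while owner:
            names.add(owner)
            owner = parent(owner)
    return names

def lookup(name, zone=ZONE, depth=0):
    """Resolve name to (rrtype, rdata), following CNAMEs; None if nothing.
    RFC 4592: an existing node answers as-is (an empty non-terminal gives
    NODATA, never a wildcard); otherwise use '*.<closest encloser>', the
    closest encloser being the longest existing ancestor, so '*' may
    cover several labels."""
    if depth > 8:  # CNAME loop guard
        return None
    names = existing_names(zone)
    if name in names:
        rr = zone.get(name)
    else:
        enc = parent(name)
        while enc and enc not in names:
            enc = parent(enc)
        rr = zone.get("*." + enc) if enc else None
    if rr and rr[0] == "CNAME":
        return lookup(rr[1], zone, depth + 1)
    return rr

def same_certificate(qnames, zone=ZONE):
    """True when every queried owner resolves to one identical TLSA RR."""
    answers = {lookup(q, zone) for q in qnames}
    return len(answers) == 1 and next(iter(answers)) is not None
```

Querying `_443._udp.foo.example.org` returns nothing because the closest encloser is `foo.example.org` and there is no `*.foo.example.org`; the zone cannot express "port 443 on every protocol" with a wildcard at all.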