Ray, At 2016-01-13 17:22:45 +0000 Ray Bellis <r...@bellis.me.uk> wrote:
> On 13/01/2016 17:12, John R Levine wrote: > > > Here's a concrete example. My laptop is named mypc.example.com. Because > > I am a forward thinking guy, I send a DANE-verified client cert whenever > > I connect for submission, POP, IMAP, or jabber, and because I'm still > > lazy, I use the same certificate for all of them. The DNS records to > > tell the world about that are: > > > > $ORIGIN mypc.example.com > > _submission._client._tcp IN TLSA ... cert stuff ... > > _imap._client._tcp IN CNAME _submission._client._tcp > > _imaps._client._tcp IN CNAME _submission._client._tcp > > _pop3._client._tcp IN CNAME _submission._client._tcp > > _pop3s._client._tcp IN CNAME _submission._client._tcp > > _xmpp-client._client._tcp IN CNAME _submission._client._tcp > > > > How would you do it? > > Personally, I wouldn't use those owner names, as that's inconsistent > with _tcp being associated with SRV usage, with the previous label being > one from the IANA port registry. > > I quite like the idea of _client._<service>._<proto>, though. > > Thinking more though, I actually prefer _<service>._<proto>._client. > > The use of _client on the right-hand side would allow this to fit in > Dave Crocker's "underscore registry" as the "most significant label", > with everything to the left of that borrowed from SRV. I tried to mention it in my previous mail, but perhaps I wasn't clear enough. I think that if you are going to encode roles into the namespace, that you should do it in a protocol-specific way. For example, there are protocols that don't have client/server, but rather master/slave relationships (a common setup in replication scenarios). There may be protocols with more complex relationships; I think that Kerberos or other token-passing protocols may fit in this description. Distributed transaction systems may elect a coordinator, and recording that in DNS may speed discovery. And so on... This is why I think that if you encode _client behavior in a label, it should be protocol-specific: _client._fubar._tcp That way you don't have to try to shoehorn master/slave and say "well, a master is basically a server, if you don't think about it too hard..." ;) Cheers, -- Shane _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
