Paul Wouters <p...@nohats.ca> wrote:
> On Tue, 21 Aug 2018, Ólafur Guðmundsson wrote:
>
> > Ted, Would it be acceptable to just do
> > s/TCP/Connection oriented Transport/
>
> For RFC 7901 we used "source-IP-verified transport"

I don't think that's a good idea, because it suggests oversized responses
over UDP with cookies. I wanted minimal-any in order to reduce both UDP
fragmentation and fallback to TCP for all UDP queries from legitimate
clients. (Spoofed queries are dealt with by RRL.)
I suggest:
4.4. Behaviour over different DNS transports
A DNS responder MAY behave differently when processing ANY queries
received over different DNS transports or with different levels
of client authentication, e.g. by providing a conventional
ANY response over TCP whilst using one of the other mechanisms
specified in this document in the case where a query was received
using UDP.
Implementers SHOULD provide configuration options to allow operators
to specify different behaviour over different DNS transports or for
authenticated clients.
(the TCP/UDP e.g. is just a non-normative example; more outré transports
and options are covered by the normative text)
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Bailey: Northwest 5 or 6, backing west 5 to 7. Moderate or rough. Showers.
Good.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
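The transport-dependent ANY handling proposed in the message above, as an added Python illustration (not code from the draft, from any DNS server, or from anyone in this thread). It assumes the single-RRset "subset" minimal answer as the mechanism used over plain UDP, models a client that has proved its source address (e.g. a valid DNS cookie, RFC 7873) as the "authenticated client" case, and uses a rough wire-size estimate and constructed zone data to show why the conventional answer is the one that would fragment or truncate over UDP. The policy object and its field names are assumptions standing in for the operator configuration the text says implementers SHOULD provide.

```python
"""Transport-dependent handling of DNS ANY queries.

Added illustration of the proposed section 4.4 text; not code from the
draft, from any DNS server, or from the thread.  A responder answers ANY
conventionally over TCP (or to a client that has proved its source
address), and gives a minimal answer over plain UDP so that legitimate
clients neither fragment nor fall back to TCP.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An RRset is modelled as (TYPE, [rdata text, ...]); owner name and TTL
# are omitted because they do not affect the policy decision.
RRset = Tuple[str, List[str]]

DNS_HEADER = 12          # fixed DNS message header
RR_FIXED = 12            # compressed owner (2) + TYPE, CLASS, TTL, RDLENGTH (10)
CLASSIC_UDP_LIMIT = 512  # payload a non-EDNS UDP answer may not exceed


@dataclass(frozen=True)
class AnyPolicy:
    """Operator configuration, the SHOULD of the proposed text.
    Field names and defaults are assumptions for this example."""
    # Transports over which a conventional ANY answer is returned.
    full_answer_transports: frozenset = frozenset({"tcp"})
    # Treat a client that proved its source address (e.g. a valid DNS
    # cookie, RFC 7873) like a connection-oriented transport.
    trust_authenticated_clients: bool = True


def wire_size_estimate(rrsets: List[RRset]) -> int:
    """Rough wire size of an answer: header plus a fixed per-record
    overhead and the rdata text length.  Good enough to show why a large
    ANY answer over UDP fragments or truncates; not a real encoder."""
    size = DNS_HEADER
    for _rtype, rdatas in rrsets:
        size += sum(RR_FIXED + len(rdata) for rdata in rdatas)
    return size


def minimal_subset(rrsets: List[RRset]) -> List[RRset]:
    """The single-RRset 'subset' mechanism: answer with the one RRset
    whose estimated wire size is smallest (a deterministic choice made
    for this example; the draft leaves the choice of subset open)."""
    return [min(rrsets, key=lambda rr: wire_size_estimate([rr]))]


def answer_any(rrsets, transport, client_authenticated, policy):
    """Decide how to answer a QTYPE=ANY query.

    Returns (mechanism, rrsets_to_send).  'conventional' means all RRsets
    at the name; 'subset' means the minimal-any single-RRset answer."""
    if transport in policy.full_answer_transports:
        return "conventional", list(rrsets)
    if policy.trust_authenticated_clients and client_authenticated:
        return "conventional", list(rrsets)
    return "subset", minimal_subset(rrsets)


def sample_zone() -> List[RRset]:
    """Constructed RRsets at one owner name (not real data): a long
    DKIM-style TXT record pushes the conventional answer past 512 bytes."""
    return [
        ("A", ["192.0.2.1"]),
        ("AAAA", ["2001:db8::1"]),
        ("MX", ["10 mx1.example.com.", "20 mx2.example.com."]),
        ("TXT", ["v=DKIM1; k=rsa; p=" + "A" * 380]),
    ]


def demo() -> Dict[str, Tuple[str, int]]:
    """Run the policy for the three cases the text distinguishes and
    return {case: (mechanism, estimated answer size)}."""
    policy = AnyPolicy()
    zone = sample_zone()
    cases = {
        "tcp": ("tcp", False),         # connection-oriented transport
        "udp_plain": ("udp", False),   # unverified UDP source
        "udp_cookie": ("udp", True),   # UDP, but source proved by a cookie
    }
    out = {}
    for name, (transport, authed) in cases.items():
        mech, rrs = answer_any(zone, transport, authed, policy)
        out[name] = (mech, wire_size_estimate(rrs))
    return out


if __name__ == "__main__":
    for case, (mech, size) in demo().items():
        flag = "" if size <= CLASSIC_UDP_LIMIT else "  (exceeds 512-byte UDP payload)"
        print(f"{case:10s} {mech:12s} ~{size} bytes{flag}")
```

Run as a script, it prints one line per case: the TCP and cookie-authenticated UDP answers carry every RRset (about 528 bytes on this constructed data, past the classic UDP payload limit), while the plain-UDP answer carries only the A RRset (about 33 bytes). Changing `full_answer_transports` or `trust_authenticated_clients` is the knob the text asks operators to have.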