On Sep 10, 2019, at 10:21 PM, Evan Hunt <e...@isc.org> wrote: > > On Wed, Sep 11, 2019 at 12:42:53AM +0000, Paul Hoffman wrote: >> Thanks. However, I still think this opens a lot of security holes if >> developers try to be "smart" by assuming that some EDEs only make sense >> with some RCODEs. If I'm in the rough, I'll be quiet. > > Sorry, I'm a bit slow tonight; can you explain in more detail the > security hole you foresee, and how Wes's suggestion fails to address > it?
A simple case: A developer writes code that assumes that EDE X must go with RCODE Y because the text for EDE X indicates that. The get a response with EDE X and RCODE Z. The code rejects that, and does not act on RCODE Z. If the WG believes that Wes' text will prevent developers from ever assuming that EDEs need to match RCODEs, that's fine, but I note that TimW suggested that there be a Security Consideration about this as well. --Paul Hoffman _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
