On Wed, Aug 31, 2022, at 18:39, Brian Dickson wrote:
> One additional suggested addition to the end of section 3.1 is:
>> If DNS responses are cryptographically protected, and at least
>> one HTTPS AliasMode record has been received successfully,
>> clients MAY apply Section 9.5 (HSTS equivalent) restrictions
>> even when reverting to non-SVCB connection modes. Clients
>> also MAY treat resolution or connection failures subsequent
>> to the initial cryptographically protected AliasMode record
>> as fatal.
> [Brian's note: this last would provide some guidance to implementers of
> clients: a signed HTTPS AliasMode record is a strong signal that the
> DNS operator is discouraging fallback, albeit at a "MAY" level.]
>
> NB: The 2.4.3 change could be removed as it is mostly independent, as
> could the last addition to 3.1.
> The 1.2 change is very minor, is not too important but presents a
> succinct clarification on the hostname vs domain name thing.
> The 2.4.2 change and section 3 changes together are fixes for the
> prefix/no-prefix issue (which was basically a scrivener's error, and
> does not change the semantics at all.) They should stay or go as one
> unit.
I somewhat like this change, but I would generalize to receiving any signed HTTPS record during resolution, rather than limiting it to AliasMode.

That said, it is somewhat gratuitous. I'd want it standardized if that was what was expected, but I'd prefer to defer that to an extension/follow-up.

(In case you hadn't guessed, I tend to agree with those arguing for no change to the spec.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
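The two positions in this exchange (Brian's suggested text, which keys the "discourage fallback" signal to a signed AliasMode record, and the reply's generalization to any signed HTTPS record) differ only in what counts as the trigger; the client behaviour that follows is the same. The model below is an added illustration, not code from the thread, from the SVCB/HTTPS draft, or from any implementation. It assumes a per-record `dnssec_validated` flag (standing in for "DNS responses are cryptographically protected", e.g. the AD bit from a trusted validating resolver), a hypothetical `HttpsRecord` type, and constructed sample records under `example.test`. The `alias_only` switch selects between the two wordings, and `failures_fatal` selects the optional "MAY treat subsequent failures as fatal" behaviour; both are assumptions made for the example, since the text leaves both at a MAY.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    ALIAS = "AliasMode"      # SvcPriority 0: redirect to the target name
    SERVICE = "ServiceMode"  # SvcPriority > 0: endpoint parameters


@dataclass(frozen=True)
class HttpsRecord:
    """One HTTPS RR as observed by the client during resolution (hypothetical type).

    dnssec_validated is assumed to come from the client's own DNSSEC validation
    or from a trusted validating resolver (e.g. the AD bit); it stands in for the
    "cryptographically protected" condition in the suggested text.
    """
    owner: str
    mode: Mode
    target: str
    dnssec_validated: bool


def signed_signal_seen(records, alias_only=True):
    """True if resolution produced a DNSSEC-validated HTTPS record that, under the
    suggested text, signals the operator is discouraging unrestricted fallback.

    alias_only=True  -> Brian's wording: only a signed AliasMode record counts.
    alias_only=False -> the reply's generalization: any signed HTTPS record counts.
    """
    for r in records:
        if not r.dnssec_validated:
            continue  # unsigned records carry no signal either way
        if r.mode is Mode.ALIAS or not alias_only:
            return True
    return False


def fallback_decision(records, svcb_connected, alias_only=True, failures_fatal=False):
    """Decide how the client proceeds after its SVCB/HTTPS-based connection attempt.

    Returns one of:
      'svcb'                  the SVCB-based connection succeeded.
      'fatal'                 signed signal seen and the client exercises the
                              "MAY treat subsequent failures as fatal" option.
      'fallback-https-only'   signed signal seen; revert to a non-SVCB connection
                              but keep the Section 9.5 (HSTS equivalent)
                              restriction, i.e. HTTPS only.
      'fallback-unrestricted' no signed signal; legacy fallback behaviour.
    """
    if svcb_connected:
        return "svcb"
    if not signed_signal_seen(records, alias_only):
        return "fallback-unrestricted"
    if failures_fatal:
        return "fatal"
    return "fallback-https-only"


def enforce_https(url, decision):
    """Apply the HSTS-equivalent restriction: when the decision carries it, an
    http:// URL is upgraded to https:// before any connection is made."""
    if decision in ("svcb", "fallback-https-only") and url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


# Constructed sample records for a fictitious zone (not real DNS data).
SIGNED_ALIAS = HttpsRecord("www.example.test", Mode.ALIAS, "svc.example.test", True)
UNSIGNED_ALIAS = HttpsRecord("www.example.test", Mode.ALIAS, "svc.example.test", False)
SIGNED_SERVICE = HttpsRecord("svc.example.test", Mode.SERVICE, ".", True)


if __name__ == "__main__":
    chain = [SIGNED_ALIAS, SIGNED_SERVICE]
    for svcb_ok, fatal in ((True, False), (False, False), (False, True)):
        d = fallback_decision(chain, svcb_ok, failures_fatal=fatal)
        print(f"svcb_ok={svcb_ok} fatal={fatal}: {d} -> "
              f"{enforce_https('http://www.example.test/', d)}")
    # Where the two wordings diverge: a signed ServiceMode record only.
    print("alias_only:", fallback_decision([SIGNED_SERVICE], False, alias_only=True))
    print("any signed:", fallback_decision([SIGNED_SERVICE], False, alias_only=False))
```

The only case where the two wordings give different answers is a resolution that yields signed ServiceMode records but no AliasMode record: Brian's text leaves such a client on unrestricted fallback, while the reply's generalization would keep it on HTTPS only. Everything else, including the unsigned-record case (no signal, legacy fallback), behaves identically under both.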