On Wed, Jul 24, 2024 at 10:18 AM Shumon Huque <shu...@gmail.com> wrote:
>
> On your last point, yes, I think we can say that if a verifier sees multiple
> validation records, they can abort.
>

I'd think it would be better to allow looking at the full RRset and succeeding if any of the records match? This seems less likely to be surprising to operators and more robust against things like name conflicts, forgetting to remove records, etc. (i.e., this is being generous with what is accepted but in a way that shouldn't impact the security properties). We should be explicit either way though.

Erik
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
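The two verifier behaviours discussed in this message, side by side, as an added example that is not part of the original email or of any draft text. The RRset representation (a list of TXT records, each a list of byte strings), the function names, and the token values are assumptions constructed for illustration.

```python
import hmac

def txt_value(record):
    # A TXT record is one or more character-strings; compare their concatenation.
    return b"".join(record)

def matches(record, expected):
    # Constant-time comparison of the record value against the expected token.
    return hmac.compare_digest(txt_value(record), expected)

def verify_abort_on_multiple(rrset, expected):
    # Behaviour from the quoted text: more than one validation record -> abort.
    if len(rrset) != 1:
        return False
    return matches(rrset[0], expected)

def verify_any_match(rrset, expected):
    # Behaviour proposed in the reply: examine the full RRset and
    # succeed if any record matches the expected token exactly.
    found = False
    for record in rrset:
        found = matches(record, expected) or found
    return found

# Constructed sample data (not real tokens).
EXPECTED = b"constructed-token-current"
STALE = [b"constructed-token-old"]              # record an operator forgot to remove
CURRENT = [b"constructed-", b"token-current"]   # split across two character-strings

CASES = {
    "current only": [CURRENT],
    "stale left behind": [STALE, CURRENT],
    "stale only": [STALE],
    "empty answer": [],
}

def compare_policies():
    # Map each case to (abort-on-multiple result, any-match result).
    return {name: (verify_abort_on_multiple(rrset, EXPECTED),
                   verify_any_match(rrset, EXPECTED))
            for name, rrset in CASES.items()}

if __name__ == "__main__":
    for name, (strict, lenient) in compare_policies().items():
        print(f"{name:18} abort-on-multiple={strict} any-match={lenient}")
```

Only the "stale left behind" case differs between the two policies; in both, an RRset with no record carrying the exact expected token fails.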