On Fri, 26 Jul 2024, Erik Nygren wrote:
>> On your last point, yes, I think we can say that if a verifier sees
>> multiple validation records, they can abort.
>
> I'd think it would be better to allow looking at the full RRset and
> succeeding if any of the records match?

No. These records are supposed to be at unique prefixed names. If there's more than one record at the name, something is wrong.

Remember that the robustness principle says to be liberal *when the spec is unclear*. When the spec is clear and the data is wrong, reject it.

R's,
John

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org