- From: Eliot Lear <lear@cisco.com>
- Date: Wed, 24 Oct 2012 10:41:27 +0200
- To: Mark Nottingham <mnot@mnot.net>
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 10/24/12 9:48 AM, Mark Nottingham wrote:
> Can you expand upon that a bit? You mean where the successive DNS
> lookups come from different servers, or...?

The issue is additional information that Patrik is suggesting that we use (to be fair I may have made the same suggestion without thinking it through earlier). So, take for instance the case where you want to look up what the server on example.com is using. You might have the following SRV response:

    _http2._tcp.example.com IN SRV 0 10 880 http2server.example.com

and additional information of

    http2server.example.com IN A 192.0.2.1

The problem is that _http2._tcp.example.com may not be in the same zone as http2server.example.com, and the querying resolver can't tell, simply based on one query. The nameserver for _http2._tcp.example.com doesn't really have the right to make claims about anything outside its zone. There are common enterprise deployments in which this is in fact the case. Someone even asked me if it was possible NOT to have a zone cut at _tcp....!!!

Now let's take a more nefarious example:

    _http2._tcp.badguy.com IN SRV 0 880 mybank.com

and additional information of

    mybank.com IN A 192.0.2.18 ;; where this address leads you to the wrong site

A solution to this issue is to use the same name. That guarantees the same authority.

Eliot
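The check a cautious resolver applies to the additional section is a bailiwick test: an A record is only accepted from a server if its owner name sits at or below the zone that server was asked about. The Python below is an added example, not code from Eliot's message or from any real resolver; the record text, the `Record` type, the `zone` parameter and the helper names are constructed for illustration. It makes the two cases in the message concrete: `http2server.example.com` passes when the answering zone is `example.com` but fails when the zone cut is at `_tcp.example.com`, and `mybank.com` is always dropped when the query was for `badguy.com`. The resolver's difficulty is exactly that it has to guess the `zone` argument from one query.

```python
"""Bailiwick filter for the additional section of a DNS response.

Added example (not from the message or any resolver implementation).
Record text, zone names and helper names are constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str   # owner name, canonicalised (lower case, no trailing dot)
    rtype: str   # e.g. "SRV", "A"
    rdata: str   # presentation-format rdata, kept as one string


def canon(name: str) -> str:
    """DNS names compare case-insensitively; normalise and drop the root dot."""
    return name.lower().rstrip(".")


def parse_records(text: str) -> list[Record]:
    """Parse lines of the form 'owner IN TYPE rdata...'; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError(f"unrecognised record: {line!r}")
        records.append(Record(canon(parts[0]), parts[2].upper(), " ".join(parts[3:])))
    return records


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a name below it.

    Label-wise comparison: 'notexample.com' is NOT below 'example.com'.
    """
    o, z = canon(owner), canon(zone)
    return o == z or o.endswith("." + z)


def filter_additional(zone: str, additional: list[Record]) -> tuple[list[Record], list[Record]]:
    """Split additional records into those this server may vouch for and those to discard.

    `zone` is the zone the resolver believes the answering server is
    authoritative for; everything outside it is dropped, never cached.
    """
    kept, dropped = [], []
    for rec in additional:
        (kept if in_bailiwick(rec.owner, zone) else dropped).append(rec)
    return kept, dropped


# Constructed responses, modelled on the two cases in the message.
BENIGN_SRV = "_http2._tcp.example.com. IN SRV 0 10 880 http2server.example.com."
BENIGN_ADDITIONAL = "http2server.example.com. IN A 192.0.2.1"

NEFARIOUS_SRV = "_http2._tcp.badguy.com. IN SRV 0 10 880 mybank.com."
NEFARIOUS_ADDITIONAL = "mybank.com. IN A 192.0.2.18 ; points at the wrong site"


def demo(zone: str, srv_text: str, additional_text: str) -> dict:
    """Run the filter for one response and report what survives."""
    srv = parse_records(srv_text)[0]
    kept, dropped = filter_additional(zone, parse_records(additional_text))
    return {
        "srv_target": srv.rdata.split()[-1],
        "kept": [r.owner for r in kept],
        "dropped": [r.owner for r in dropped],
    }


if __name__ == "__main__":
    print(demo("example.com", BENIGN_SRV, BENIGN_ADDITIONAL))
    print(demo("_tcp.example.com", BENIGN_SRV, BENIGN_ADDITIONAL))
    print(demo("badguy.com", NEFARIOUS_SRV, NEFARIOUS_ADDITIONAL))
```

Dropping a record is not the end of the story: the resolver then issues its own query for the SRV target, which is what ties the A record back to the authority actually responsible for that name. The "use the same name" remedy in the message sidesteps the problem entirely, because a target equal to the query name is in bailiwick for any zone the query name is in.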
Received on Wednesday, 24 October 2012 08:42:02 UTC