Hi Miek,
Thanks for your comments. As to your two questions:
> Should the IP proxy care about the TTL of the looked up name?
I believe the answer to this one should be "no". It is fairly well established that clients are permitted to have long-running connections that exceed the DNS TTL, and that is something that DNS-based load balancers have to handle. HTTP/2 (RFC 9113) made HTTP connections much longer-lived, and I don't see any discussion of TTLs there. Implementations are, of course, free to consult the TTL and reconnect more frequently, but I don't think that is something that we need to require in this draft, as ultimately TTLs only control DNS caching.
> Should the IP Proxy do a DNSSEC lookup or a plain DNS lookup
I believe this is another area where the proxy should use the system configuration. If the local resolver respects DNSSEC, then the proxy would also respect DNSSEC. It is certainly an interesting potential future extension to be considered to allow clients to ask the proxy to require DNSSEC for DNS resolution, but not something I think we need to address in the base draft.
Sincerely,
-Alex
On Sun, Mar 12, 2023 at 5:58 AM R. Gieben via Datatracker <noreply@xxxxxxxx> wrote:
Reviewer: R. Gieben
Review result: Ready with Issues
Hello, I've reviewed draft-ietf-masque-connect-ip specifically for DNS issues.
This is mostly contained in a single section: 4.1: IP Proxy Handling.
In that section two questions popped up when the 'target' variable is a DNS
name and the IP proxy must then perform a DNS lookup:
- Should the IP proxy care about the TTL of the looked up name? I.e. is it OK
if the TTL expires? Potentially the DNS name can then point to a different IP
address?
- Should the IP Proxy do a DNSSEC lookup or a plain DNS lookup? Should
this be configurable or can the IP proxy just not care?
Regards,
Miek
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
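Added example, not from draft-ietf-masque-connect-ip or from either message above, illustrating the two behaviours discussed in the thread: the proxy resolves the 'target' name once when the tunnel is opened, the TTL governs only how long that answer is cached for later tunnels (an already-open tunnel keeps its address after the TTL expires), and DNSSEC is a property of the answer the proxy's resolver hands back (the AD bit), which a proxy can optionally insist on. The DNS wire messages, the `TargetResolver`/`Tunnel` classes and the stub `lookup` callable standing in for the system resolver are all constructed here for illustration.

```python
"""Added example: TTL-bounded caching and optional AD-bit enforcement for a
CONNECT-IP style proxy resolving a DNS 'target'. Everything here (message
builder, parser, resolver, Tunnel) is illustrative, not the draft's code."""
import struct
from dataclasses import dataclass

DNS_FLAG_AD = 0x0020  # Authentic Data bit in the DNS header flags (RFC 4035)


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, ip, ttl, ad):
    """Constructed RFC 1035 response: one question, one A record, AD optionally set."""
    flags = 0x8180 | (DNS_FLAG_AD if ad else 0)          # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, off):
    """Read a (possibly compressed) name; returns (dotted name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg):
    """Return the AD flag, RCODE and the A answers as (name, ip, ttl) tuples."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"ad": bool(flags & DNS_FLAG_AD), "rcode": flags & 0xF, "answers": answers}


class TargetResolver:
    """Stand-in for 'use the system resolver': caches answers for their TTL and,
    when require_dnssec is set, refuses answers the resolver did not validate."""

    def __init__(self, lookup, clock, require_dnssec=False):
        self._lookup = lookup            # hypothetical stub: name -> wire response bytes
        self._clock = clock              # () -> seconds, injectable for the example
        self.require_dnssec = require_dnssec
        self._cache = {}                 # name -> (ip, expires_at)

    def resolve(self, name):
        now = self._clock()
        cached = self._cache.get(name)
        if cached and cached[1] > now:
            return cached[0]             # TTL still valid: reuse without a new query
        resp = parse_response(self._lookup(name))
        if resp["rcode"] != 0 or not resp["answers"]:
            raise LookupError(f"no address for {name}")
        if self.require_dnssec and not resp["ad"]:
            raise LookupError(f"answer for {name} was not DNSSEC-validated (AD clear)")
        _, ip, ttl = resp["answers"][0]
        self._cache[name] = (ip, now + ttl)  # TTL only bounds the cache entry
        return ip


@dataclass
class Tunnel:
    target: str
    ip: str           # fixed at open time; a later TTL expiry does not change it
    opened_at: float


def open_tunnel(resolver, target):
    return Tunnel(target, resolver.resolve(target), resolver._clock())


def demo():
    now = [1000.0]
    table = {"target.example": build_response("target.example", "192.0.2.10", 30, ad=True)}
    resolver = TargetResolver(lambda n: table[n], lambda: now[0])
    t1 = open_tunnel(resolver, "target.example")              # fresh lookup -> .10
    table["target.example"] = build_response("target.example", "192.0.2.20", 30, ad=True)
    now[0] = 1010.0
    t2 = open_tunnel(resolver, "target.example")              # inside TTL -> cached .10
    now[0] = 1040.0
    t3 = open_tunnel(resolver, "target.example")              # TTL expired -> re-resolved .20
    strict = TargetResolver(lambda n: build_response(n, "192.0.2.30", 30, ad=False),
                            lambda: now[0], require_dnssec=True)
    try:
        strict.resolve("target.example")
        dnssec_rejected = False
    except LookupError:
        dnssec_rejected = True
    return t1.ip, t2.ip, t3.ip, dnssec_rejected


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: `t1` keeps 192.0.2.10 for its whole lifetime even though the record changed and the TTL lapsed; only tunnels opened after expiry (`t3`) see the new address. A proxy that wanted to reconnect more often than the TTL could store `expires_at` on the `Tunnel` and tear it down itself, but nothing in the resolver forces that. The `require_dnssec` flag shows the optional future extension in the reply: the proxy can only enforce it if its upstream resolver is actually validating and setting AD, which is why the default is to inherit whatever the system resolver does.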