> You might note that in the technical discussion, I argued _against_ the idea > that this is a problem with LLMNR. Personally, I consider the fact that mDNS > attaches special semantics to .local to be a problem with mDNS. If the DNSEXT WG wants to document recommended resolver behavior with respect to the .local domain, it can do so. However, your message essentially *orders* the WG to do so, as a precondition for publishing any documents on the topic. That is inappropriate. > Absent any mandatory-to-implement security, we sometimes accept an > applicability statement that explains the environments in which it is safe to > use a protocol without any protocol-specific security mechanism, but I didn't > find that in the LLMNR document either. Is it there? Yes, it is. >From Section 5.2: Limiting the situations in which LLMNR queries are sent, as described in Section 2, is the best protection against these attacks. >From Section 2: While these conditions are necessary for sending an LLMNR query, they are not sufficient. While an LLMNR sender MAY send a query for any name, it also MAY impose additional conditions on sending LLMNR queries. For example, a sender configured with a DNS server MAY send LLMNR queries only for unqualified names and for fully qualified domain names within configured zones. Is this issue only about whether the MAYs are to be upgraded to a SHOULD or MUST? _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf