> > There are some false equivalences floating around here. I don't
> > think anyone is suggesting that having provisioning systems or even
> > DNS servers themselves check for syntax errors in the contents of
> > complex records like DKIM, SPF, DMARC, or whatever is necessarily a
> > bad idea. (Whether or not it will actually happen is another
> > matter; I'm dubious.)
> >
> > Rather, the issue is with requiring it to happen in order to deploy
> > a new RRTYPE of this sort, which is the result you get if the DNS
> > server returns some series of tokens instead of the original text
> > string. That's the sort of thing that forces people to upgrade, or
> > search around for a script to do the conversion (which won't even
> > occur to some), and that's an extra burden we don't need to
> > impose.

> It would still be possible to work around the need for a plugin, e.g.
> by depending on some wizard web site, as in John's thought experiment.
> For the rest of us, the possibility to install a plugin that takes
> care of all the nitty-gritty details, instead of having to wait for
> the release and distribution of the next version of BIND, can make the
> difference between deploying a new RR type right away and
> procrastinating endlessly.

You're still not separating the two cases. Again, an *optional* plugin
to check syntax of a record but not produce any sort of tokenized result
is fine, a plugin that's *mandatory* to deploy is going to be almost as
much of an impediment to deployment as requiring an upgrade. Code is
code, and people don't install new code willy-nilly.

> The issue is to upgrade once rather than on each new RR type.

Exactly. That's why mandatory plugins are a bad idea.

> Correct, but when you publish a complex record you are calling forth
> that complexity. I don't see much difference if the bug is at mine
> or at the remote site, since their effects are comparable.

They most certainly are not.
A bug in my client only affects me, a bug in the server can easily kill
the entire zone. And even if separation techniques are employed, if the
plugin fails the best you're going to be able to do is serve out a
domain with missing entries.

Ned