Subject: Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard
Date: Sun, Jan 04, 2015 at 09:18:35AM +0100

Quoting Eliot Lear (lear@xxxxxxxxx):
> On 1/3/15 10:53 PM, Mark Andrews wrote:
> >
> > SRV doesn't require lots of parallel DNS queries. I suspect in
> > most cases there would be a single SRV record pointing to the hosting
> > service.
>
> Again, a lot of enterprises in particular cut the zone at _tcp, and so
> you can't do authoritative responses in your additional data.

A lot of enterprises do not run even the same operating system or
management software for their internal non-IANA fakeroot systems as the
external one, so one needs to be careful about the source of that data ;-)

However, zone cut does of course not have to mean server change, so, if
we continue at the same usual practice of cutting at _protocol and then
running a separate zone on the same server, the Additional is still sent
with signatures.

Test case:

dig _phantasy._sctp.besserwisser.org SRV +dnssec +norec @primary.se

...which returns:

_phantasy._sctp.besserwisser.org. 27 IN SRV 0 0 4711 some.sub.besserwisser.org.

Name server primary.se holds besserwisser.org, _sctp.besserwisser.org,
sub.besserwisser.org and primary.se. All are signed and the delegations
are secure[0]. Asking for a SRV record as above returns data from the two
children, the zone for the name server, and implicitly (if this had been
a full-service resolver) DNSKEY and RRSIG materials for besserwisser.org
as well, because they of course are needed to validate the chain from
the SEP.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

The PILLSBURY DOUGHBOY is CRYING for an END to BURT REYNOLDS movies!!

[0] thanks to Holger Zuleger's zkt. Marvellous piece of kit.
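The point of the test case above is that an authoritative server holding both the _protocol child zone and the target's zone can put the SRV target's address records and their RRSIGs into the Additional section, so a validating resolver need not issue a second query. The following is an added example, not code from the mail or from any of the name servers it mentions: a standard-library Python parser for wire-format DNS responses that reports, for each SRV in the Answer, whether the Additional section carries the target's A record and an RRSIG covering it. The sample response is constructed here to mirror the dig output quoted in the mail; the address 192.0.2.10 (TEST-NET-1), the RRSIG fields and the signature bytes are placeholders, not real data.

```python
"""Parse a wire-format DNS SRV response and report whether the Additional
section carries the SRV target's A record together with an RRSIG for it.
Standard library only; the sample response is constructed below."""
import struct

TYPE = {"A": 1, "SRV": 33, "RRSIG": 46}
TYPE_NAME = {v: k for k, v in TYPE.items()}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at msg[off], following compression pointers.
    Returns (name with trailing dot, offset just past the name field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def rr(name, rtype, ttl, rdata):
    """Serialise one class-IN resource record."""
    return encode_name(name) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata


def rrsig_rdata(covered, signer):
    """RRSIG rdata with a placeholder signature; only 'type covered' matters
    for the section-level check (alg 13, 3 labels, key tag 12345 are constructed)."""
    return (struct.pack("!HBBIIIH", TYPE[covered], 13, 3, 300, 0, 0, 12345)
            + encode_name(signer) + b"\x00" * 64)


def parse(msg):
    """Return {'answer': [...], 'authority': [...], 'additional': [...]},
    each record as (owner, type name, decoded detail)."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(msg, off)
        off += 4
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE["SRV"]:               # priority, weight, port, target
                port = struct.unpack("!H", msg[off + 4:off + 6])[0]
                detail = (port, read_name(msg, off + 6)[0])
            elif rtype == TYPE["RRSIG"]:           # first two bytes: type covered
                detail = TYPE_NAME.get(struct.unpack("!H", msg[off:off + 2])[0])
            elif rtype == TYPE["A"]:
                detail = ".".join(str(b) for b in msg[off:off + 4])
            else:
                detail = None
            off += rdlen
            recs.append((owner, TYPE_NAME.get(rtype, rtype), detail))
        sections[sec] = recs
    return sections


def check_additional(sections):
    """For every SRV in the Answer, report whether Additional holds the target's
    A record and an RRSIG covering it.  'signed' only means a signature is
    present; a validating resolver still has to verify it up the chain."""
    report = {}
    for _owner, rtype, detail in sections["answer"]:
        if rtype != "SRV":
            continue
        port, target = detail
        extra = [r for r in sections["additional"] if r[0] == target]
        report[target] = {
            "port": port,
            "address": any(r[1] == "A" for r in extra),
            "signed": any(r[1] == "RRSIG" and r[2] == "A" for r in extra),
        }
    return report


def build_sample(signed_additional=True):
    """Constructed response shaped like the mail's dig output: the SRV for
    _phantasy._sctp.besserwisser.org plus the target's A record in Additional
    (placeholder address 192.0.2.10), with or without its RRSIG."""
    qname = "_phantasy._sctp.besserwisser.org"
    target = "some.sub.besserwisser.org"
    question = encode_name(qname) + struct.pack("!HH", TYPE["SRV"], 1)
    answer = (rr(qname, "SRV", 27, struct.pack("!HHH", 0, 0, 4711) + encode_name(target))
              + rr(qname, "RRSIG", 27, rrsig_rdata("SRV", "_sctp.besserwisser.org")))
    additional = rr(target, "A", 300, bytes([192, 0, 2, 10]))
    if signed_additional:
        additional += rr(target, "RRSIG", 300, rrsig_rdata("A", "sub.besserwisser.org"))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 2 if signed_additional else 1)
    return header + question + answer + additional


if __name__ == "__main__":
    print(check_additional(parse(build_sample())))
```

The check distinguishes the two outcomes the thread is arguing about: when the target's zone is served elsewhere (Additional empty or unsigned), the resolver has to chase the target itself before it can trust an address; when the same server holds both zones, the address and its RRSIG arrive together. Either way, Additional data is only as trustworthy as the validation performed on it, which is why the mail notes that a full-service resolver would also need the besserwisser.org DNSKEY and RRSIG material.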