On 3 January 2015 at 16:53, Eliot Lear <lear@xxxxxxxxx> wrote:
Finally, to address Måns' comments, additional data for the target
doesn't get signed (but correct me if I missed a change). (Actually,
I'm confused by this comment. You're saying (or you appear to be saying) that use of SRV would place greater emphasis on DNSSEC, but additional records don't get signed, and therefore the address record wouldn't be signed in this case.
I'm not clear on where the requirement for DNSSEC comes into this, but given that without SRV (and without DNSSEC that is no longer required), there would be no signature on the address record anyway, I'm not sure it matters.
I would in any case strongly support addition of SRV into HTTP/2 URI resolution, and furthermore, I would strongly support additional work on DNS (and DNSSEC) to address any performance or security issues at that level.
As a final comment, I would note that if "IANA policy" is causing us problems, we should just change it - these are technically speaking not IANA's policies but ours.
Dave.