On Fri, Feb 27, 2015 at 10:24 AM, Pete Resnick <presnick@xxxxxxxxxxxxxxxx> wrote: > On 2/25/15 9:18 PM, Sam Hartman wrote: >> [...] > > After speaking with Patrik, I think you have convinced us: The correct thing > to do at this point is to take out all of the information beyond a simple > description of the RR, beef up the security considerations to describe the > security issue, and make that document Informational. I would much prefer a Standards-Track document that says to authenticate the origin domainname as follows: - use DNSSEC for all DNS queries needed to find the URI RRs and DANE to authenticate the authorities of the resulting URIs or - expect the target authorities to have certificates that authenticate the origin, using SNI if need be. I would still drop everything related to NAPTR and DDDS. Nico --