> On Nov 22, 2016, at 2:52 PM, Ted Lemon <mellon@xxxxxxxxx> wrote:
>
> I assume y'all have read RFC 6763…

I have, but at $dayjob I run routers, not write web browsers :-)

The key here is there are tools to do this, but it requires changing the ecosystem in how all these HTTP transactions occur. As a network operator this is a transparent change to me, and our DNS servers will just see the different QTYPE launched, similar to how we see both A+AAAA queries from the applications our customers operate.

The problem, as usual, is educating people to move from functions like gethostbyname() to getaddrinfo(), and what it would take to move people beyond the registry for port ranges, etc., should the decision be made to go there.

I suspect nothing will change, but the indirection would help with issues seen in the DNSBUNDLED BoF held at IETF-97. It would not exclusively resolve them, but would help in ways that DNAME and other RRTypes have not.

It's way easier to do sin.port=(80||443); vs using dnssd related functions or doing res_query and parsing the types.

When we do DDoS mitigation and appliances send a 302 to force authentication of the client, there are many people who rolled their own HTTP API, didn't implement following of the redirect, and break. We've been asked to then turn off the mitigation techniques if there is no good control over the calling API implementers, who just claim "$Application is broken" vs "We didn't think we needed to follow the entire HTTP specification, because we rarely see that case".

These are mostly human issues around code re-use, poor or outdated examples and commonly repeated myths, combined with actual broken devices that fall into that 1% threshold I mentioned previously.

- Jared
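As an added illustration of the "sin.port=(80||443); vs res_query and parsing the types" point (example code written for this page, not Jared's, Ted's or any IETF document's), here is what the client side of the SRV approach actually involves: taking a raw wire-format DNS response, parsing the SRV RRset with RFC 1035 name compression handled, ordering targets by RFC 2782 priority/weight, and falling back to the well-known port only when the zone publishes no SRV records. The response message is constructed in-code as a test vector; `example.com`, the host names and the ports are made up.

```python
"""Added example: consume a DNS SRV answer (RFC 2782) instead of hard-coding sin.port.
The wire-format response is constructed by hand below; all names and ports are made up."""
import random
import struct

TYPE_SRV, CLASS_IN = 33, 1


def _read_name(msg, off):
    """Decode a (possibly compressed, RFC 1035 4.1.4) name -> (dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer into the message
            if end is None:
                end = off + 2                      # the name ends where the first pointer ends
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)


def parse_srv_answer(msg, qname):
    """Return [(priority, weight, port, target)] for SRV RRs owned by qname in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN and owner.lower() == qname.lower():
            prio, weight, port = struct.unpack_from("!HHH", msg, off)
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen                               # unrelated RRs (e.g. RRSIG) are skipped
    return records


def order_targets(records, rng=random):
    """RFC 2782 selection: lowest priority first; within a priority, weighted random order."""
    by_prio = {}
    for prio, weight, port, target in records:
        by_prio.setdefault(prio, []).append((weight, port, target))
    order = []
    for prio in sorted(by_prio):
        cands = by_prio[prio]
        while cands:
            cands.sort(key=lambda c: c[0] != 0)    # weight-0 entries first: picked only on a draw of 0
            r = rng.randint(0, sum(c[0] for c in cands))
            running = 0
            for i, (weight, port, target) in enumerate(cands):
                running += weight
                if running >= r:
                    order.append((target, port))
                    del cands[i]
                    break
    return order


def endpoints_for(msg, qname, fallback_port, rng=random):
    """(host, port) pairs to try for _service._proto.host, with the legacy fallback."""
    records = parse_srv_answer(msg, qname)
    if len(records) == 1 and records[0][3] == ".":
        return []                                  # RFC 2782: a lone "." target means "not offered"
    if not records:
        return [(qname.split(".", 2)[2], fallback_port)]   # no SRV RRset: host on the well-known port
    return order_targets(records, rng)


def _name(s):
    s = s.rstrip(".")
    return (b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) if s else b"") + b"\0"


def build_srv_response(qname, rrs):
    """Constructed test vector: one question, SRV answers whose owner is a pointer to the QNAME."""
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    msg += _name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    for prio, weight, port, target in rrs:
        rdata = struct.pack("!HHH", prio, weight, port) + _name(target)
        msg += struct.pack("!HHHIH", 0xC00C, TYPE_SRV, CLASS_IN, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    QNAME = "_http._tcp.example.com."              # made-up zone and hosts
    resp = build_srv_response(QNAME, [(10, 60, 8080, "web1.example.com."),
                                      (10, 40, 8443, "web2.example.com."),
                                      (20, 0, 80, "backup.example.com.")])
    for host, port in endpoints_for(resp, QNAME, 80):
        print(host, port)
```

The point of the fallback branch is the migration problem the message describes: a client written this way works against zones that publish SRV records and against zones that do not, whereas a client that hard-codes port 80/443 can never be moved off the well-known port without a code change. The weight-0 handling and the lone "." target are the two RFC 2782 corners that home-grown parsers most often skip.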