Paul Wouters <paul@xxxxxxxxx> wrote:
> On Tue, 21 Aug 2018, Ólafur Guðmundsson wrote:
>
> > Ted, Would it be acceptable to just do
> > s/TCP/Connection oriented Transport/
>
> For RFC 7901 we used "source-IP-verified transport"

I don't think that's a good idea, because it suggests oversized responses
over UDP with cookies. I wanted minimal-any in order to reduce both UDP
fragmentation and fallback to TCP for all UDP queries from legitimate
clients. (Spoofed queries are dealt with by RRL.)

I suggest:

4.4.  Behaviour over different DNS transports

   A DNS responder MAY behave differently when processing ANY queries
   received over different DNS transports or with different levels of
   client authentication, e.g. by providing a conventional ANY response
   over TCP whilst using one of the other mechanisms specified in this
   document in the case where a query was received using UDP.

   Implementers SHOULD provide configuration options to allow operators
   to specify different behaviour over different DNS transports or for
   authenticated clients.

(the TCP/UDP e.g. is just a non-normative example; more outre transports
and options are covered by the normative text)

Tony.
-- 
f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/
Bailey: Northwest 5 or 6, backing west 5 to 7. Moderate or rough. Showers.
Good.