Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard

Måns Nilsson <mansaxel@besserwisser.org> Sun, 04 January 2015 12:23 UTC

Date: Sun, 04 Jan 2015 13:23:11 +0100
From: Måns Nilsson <mansaxel@besserwisser.org>
To: Eliot Lear <lear@cisco.com>
Subject: Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard
Message-ID: <20150104122310.GF13599@besserwisser.org>
References: <CAK3LatFh3ZU8ACk8grzLA9oCv2qqUHttz2z83b66xKnfs78mRA@mail.gmail.com> <54A7DBFC.8010800@cisco.com> <20150103143226.GC13599@besserwisser.org> <89DB2965-68B1-43D0-BBEB-FF49DB666A6D@frobbit.se> <54A81E9A.1020700@cisco.com> <20150103215310.D533D26FFFCD@rock.dv.isc.org> <54A8F75B.80007@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="L2Brqb15TUChFOBK"
Content-Disposition: inline
In-Reply-To: <54A8F75B.80007@cisco.com>
X-URL: http://vvv.besserwisser.org
X-Purpose: More of everything NOW!
X-happyness: Life is good.
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/I_vKwnrBxpTceDP-vRPLV-A0c0I
Cc: Delan Azabani <delan@azabani.com>, ietf@ietf.org, Patrik Fältström <paf@frobbit.se>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>

Subject: Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard
Date: Sun, Jan 04, 2015 at 09:18:35AM +0100
Quoting Eliot Lear (lear@cisco.com):
> 
> On 1/3/15 10:53 PM, Mark Andrews wrote:
> 
> >
> > SRV doesn't require lots of parallel DNS queries.  I suspect in
> > most cases there would be a single SRV record pointing to the hosting
> > service.  
> 
> Again, a lot of enterprises in particular cut the zone at _tcp, and so
> you can't do authoritative responses in your additional data.

A lot of enterprises do not run even the same operating system or
management software for their internal non-IANA fakeroot systems as the
external one, so one needs to be careful about the source of that data ;-)

However, a zone cut does not, of course, have to mean a server change, so,
if we continue the usual practice of cutting at _protocol and then
running a separate zone on the same server, the Additional is still
sent with signatures. Test case:

dig _phantasy._sctp.besserwisser.org SRV +dnssec +norec @primary.se

...which returns:

_phantasy._sctp.besserwisser.org. 27 IN	SRV	0 0 4711 some.sub.besserwisser.org.

Name server primary.se holds besserwisser.org, _sctp.besserwisser.org,
sub.besserwisser.org and primary.se. All are signed and the delegations
are secure [0]. Asking for an SRV record as above returns data from the two
children, the zone for the name server, and implicitly (if this had been
a full-service resolver) DNSKEY and RRSIG materials for besserwisser.org
as well, because they of course are needed to validate the chain from
the SEP.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
The PILLSBURY DOUGHBOY is CRYING for an END to BURT REYNOLDS movies!!

[0] thanks to Holger Zuleger's zkt. Marvellous piece of kit.
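The point of the test case above is that a validating resolver can only use the address records a server glues into the ADDITIONAL section if they arrive with RRSIGs from the right signer; otherwise it must re-query the target name. The following is an added example, not code from this message or from the thread: a small standard-library Python checker that parses `dig ... +dnssec` presentation output, groups records into RRsets per section, and reports which ADDITIONAL RRsets lack a covering RRSIG whose signer is an ancestor of the owner name. The dig output it parses is constructed for the example (placeholder key tags, dates and signature blobs; the AAAA record is deliberately left unsigned to exercise the detection).

```python
import re
from collections import defaultdict

# Constructed sample of what `dig _phantasy._sctp.besserwisser.org SRV +dnssec +norec`
# might print when the server glues the SRV target's addresses into ADDITIONAL.
# Key tags, validity dates and signature blobs are placeholders, not real data.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_phantasy._sctp.besserwisser.org. IN SRV

;; ANSWER SECTION:
_phantasy._sctp.besserwisser.org. 27 IN SRV 0 0 4711 some.sub.besserwisser.org.
_phantasy._sctp.besserwisser.org. 27 IN RRSIG SRV 8 4 60 20150201000000 20150101000000 11111 _sctp.besserwisser.org. PLACEHOLDERSIG1==

;; ADDITIONAL SECTION:
some.sub.besserwisser.org. 60 IN A 192.0.2.10
some.sub.besserwisser.org. 60 IN RRSIG A 8 4 60 20150201000000 20150101000000 22222 sub.besserwisser.org. PLACEHOLDERSIG2==
some.sub.besserwisser.org. 60 IN AAAA 2001:db8::10
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


def dnssec_ok(text):
    """True when the response carries an EDNS OPT record with the DO bit set,
    i.e. RRSIGs were actually requested; without it their absence means nothing."""
    m = re.search(r"^; EDNS: .*flags:([^;]*);", text, re.M)
    return bool(m) and "do" in m.group(1).split()


def parse_dig(text):
    """Parse dig presentation output into {section: [(name, ttl, rtype, rdata)]}.
    Comment lines (';' prefixed, including the QUESTION entry) are skipped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith(";") or current is None:
            continue
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) < 4 or fields[2] != "IN":
            continue
        name, ttl, _cls, rtype = fields[:4]
        rdata = fields[4] if len(fields) > 4 else ""
        sections[current].append((name.lower(), int(ttl), rtype, rdata))
    return sections


def signer_covers(owner, signer):
    """An RRSIG is only acceptable if its signer name is the apex of the zone
    holding the RRset, i.e. equal to or an ancestor of the owner (RFC 4035 5.3.1)."""
    return owner == signer or owner.endswith("." + signer)


def signed_rrsets(records):
    """Group records into RRsets; return {(owner, rtype): signer or None}."""
    rrsets = {}
    signer_for = {}
    for name, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            # RRSIG rdata: type_covered alg labels orig_ttl expire inception keytag signer sig
            parts = rdata.split()
            covered, signer = parts[0], parts[7]
            if signer_covers(name, signer):
                signer_for[(name, covered)] = signer
        else:
            rrsets.setdefault((name, rtype), []).append(rdata)
    return {key: signer_for.get(key) for key in rrsets}


def unsigned_additional(text):
    """ADDITIONAL RRsets a validator cannot accept as-is and must re-query for."""
    sections = parse_dig(text)
    coverage = signed_rrsets(sections["ADDITIONAL"])
    return sorted(key for key, signer in coverage.items() if signer is None)


if __name__ == "__main__":
    print("DO bit set:", dnssec_ok(SAMPLE_DIG_OUTPUT))
    for section, recs in parse_dig(SAMPLE_DIG_OUTPUT).items():
        for (owner, rtype), signer in signed_rrsets(recs).items():
            print(f"{section:10} {owner} {rtype:5} signed by {signer or 'nobody'}")
    print("needs re-query:", unsigned_additional(SAMPLE_DIG_OUTPUT))
```

Run against real `dig +dnssec` output, the same check tells you whether a cut at `_tcp` or `_sctp` served from a different host has left the SRV target's glue unsigned, which is exactly the situation a resolver has to resolve with a second, validated lookup.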