Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard

Måns Nilsson <> Sun, 04 January 2015 12:23 UTC

Date: Sun, 4 Jan 2015 13:23:11 +0100
From: Måns Nilsson <>
To: Eliot Lear <>
Subject: Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard
Cc: Delan Azabani <>,, Patrik Fältström <>

On Sun, Jan 04, 2015 at 09:18:35AM +0100, quoting Eliot Lear:
> On 1/3/15 10:53 PM, Mark Andrews wrote:
> >
> > SRV doesn't require lots of parallel DNS queries.  I suspect in
> > most cases there would be a single SRV record pointing to the hosting
> > service.  
> Again, a lot of enterprises in particular cut the zone at _tcp, and so
> you can't do authoritative responses in your additional data.

A lot of enterprises do not run even the same operating system or
management software for their internal non-IANA fakeroot systems as the
external one, so one needs to be careful about the source of that data ;-)

However, a zone cut does of course not have to mean a server change, so,
if we continue the usual practice of cutting at _protocol and
then running a separate zone on the same server, the Additional is still
sent with signatures. Test case:

dig SRV +dnssec +norec

...which returns: 27 IN	SRV	0 0 4711

Name server holds,, and All are signed and the delegations
are secure[0]. Asking for a SRV record as above returns data from the two
children, the zone for the name server, and implicitly (if this had been
a full-service resolver) DNSKEY and RRSIG materials for
as well, because they of course are needed to validate the chain from
the SEP.

Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668

[0] thanks to Holger Zuleger's zkt. Marvellous piece of kit.
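The property Måns tests above (one server authoritative for both `_tcp.<zone>` and `<zone>`, so the authoritative SRV answer carries the target's addresses and their RRSIGs in ADDITIONAL) can be checked mechanically over the output of the same `dig SRV +dnssec +norec` query. The script below is an added example, not code from this thread or from zkt; the two dig transcripts embedded in it are constructed with example.net names and placeholder RRSIG data, and the second one shows what a server authoritative only for the `_tcp` child would return.

```python
"""Check a dig(1) transcript for the property under discussion: when one
server is authoritative for both _tcp.<zone> (where the SRV lives) and
<zone> (where the SRV target lives), the ADDITIONAL section of an
authoritative (+norec) SRV answer carries the target's address records
together with their RRSIGs. Added example; the two transcripts below are
constructed (example.net names, placeholder RRSIG data), not the
author's real query output."""
import re
from collections import defaultdict

# Constructed: what the "same server, separate zone" setup should return.
GOOD_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;_xmpp-client._tcp.example.net.\tIN\tSRV

;; ANSWER SECTION:
_xmpp-client._tcp.example.net. 27 IN SRV 0 0 4711 xmpp.example.net.
_xmpp-client._tcp.example.net. 27 IN RRSIG SRV 8 4 27 20150201000000 20150101000000 12345 _tcp.example.net. AAECAwQ=

;; ADDITIONAL SECTION:
xmpp.example.net. 3600 IN A 192.0.2.10
xmpp.example.net. 3600 IN RRSIG A 8 3 3600 20150201000000 20150101000000 54321 example.net. AAECAwQ=
xmpp.example.net. 3600 IN AAAA 2001:db8::10
xmpp.example.net. 3600 IN RRSIG AAAA 8 3 3600 20150201000000 20150101000000 54321 example.net. AAECAwQ=
"""

# Constructed: a server authoritative only for _tcp.example.net signs the
# SRV but cannot add the target's addresses, so ADDITIONAL is empty.
SPLIT_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_xmpp-client._tcp.example.net.\tIN\tSRV

;; ANSWER SECTION:
_xmpp-client._tcp.example.net. 27 IN SRV 0 0 4711 xmpp.example.net.
_xmpp-client._tcp.example.net. 27 IN RRSIG SRV 8 4 27 20150201000000 20150101000000 12345 _tcp.example.net. AAECAwQ=
"""


def parse_dig(text):
    """Return (header flags, {section name: [record dicts]}) from dig output."""
    flags, sections, current = set(), defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith(";") or current is None:
            continue  # comments, the ';'-prefixed question line, trailer
        owner, ttl, rdclass, rdtype, *rdata = line.split()
        sections[current].append(
            {"owner": owner.lower(), "ttl": int(ttl), "class": rdclass,
             "type": rdtype, "rdata": rdata})
    return flags, sections


def check_srv_additional(text):
    """List what is missing for the answer to be usable without further
    queries: aa flag, signed SRV, and signed A/AAAA for every SRV target
    in ADDITIONAL. An empty list means the response looks as expected."""
    flags, sections = parse_dig(text)
    problems = []
    if "aa" not in flags:
        problems.append("answer is not authoritative (no aa flag)")
    srvs = [rr for rr in sections["ANSWER"] if rr["type"] == "SRV"]
    if not srvs:
        problems.append("no SRV record in ANSWER")
    elif "SRV" not in {rr["rdata"][0] for rr in sections["ANSWER"]
                       if rr["type"] == "RRSIG"}:
        problems.append("SRV RRset in ANSWER has no RRSIG")
    present, covered = defaultdict(set), defaultdict(set)
    for rr in sections["ADDITIONAL"]:
        if rr["type"] == "RRSIG":
            covered[rr["owner"]].add(rr["rdata"][0])  # RRSIG "type covered"
        else:
            present[rr["owner"]].add(rr["type"])
    for target in sorted({rr["rdata"][3].lower() for rr in srvs}):
        addr_types = present[target] & {"A", "AAAA"}
        if not addr_types:
            problems.append(f"{target}: no address records in ADDITIONAL")
        for rdtype in sorted(addr_types - covered[target]):
            problems.append(f"{target}: {rdtype} RRset in ADDITIONAL has no RRSIG")
    return problems


if __name__ == "__main__":
    for label, text in (("same-server", GOOD_RESPONSE), ("split", SPLIT_RESPONSE)):
        print(label, check_srv_additional(text) or "OK")
```

Run the real query against the authoritative server (`dig @server _svc._tcp.zone SRV +dnssec +norec`) and pass its output to `check_srv_additional`. The script only checks that the RRSIGs are present; it does not validate them, so, as the message notes, a validating resolver still needs the parent zone's DNSKEY and RRSIG material to walk the chain from the SEP.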