ietf-wg-add / draft-ietf-add-split-horizon-authority

Establishing Local DNS Authority in Split-Horizon Environments

Consider using DNS instead of DHCP/PvD #22

Open bemasc opened 1 year ago

bemasc commented 1 year ago

Right now, the draft conveys the Authorization Claims via DHCP or PvD (similar to DNR). However, we could equally well convey these claims via a DNS query (similar to DDR and RESINFO). This would have the advantage of minimizing coupling between the DNS client/server and the rest of the network. It would also reduce DHCP bloat, and allow TTLs to be customized independently of DHCP lifetimes. However, it would likely add some latency to the setup flow, and might require more standardization work to define new formats.

Using RESINFO for this would be convenient, but unfortunately I don't see an elegant way to encode Authorization Claims in RESINFO. (There may be several claims, each of which may contain multiple subdomains.) Maybe someone else can think of a way, or maybe this could be "parallel" to RESINFO.

Credit to @samuelweiler for this notion.

tireddy2 commented 1 year ago

If there is enough interest to convey the claims via DNS, this issue can be taken up as a new draft. I don't think we should address this issue in this draft. It needs more thought and discussion in the WG to identify an elegant mechanism.