peterthomassen
commented
3 weeks ago Some indicated that "EDNS0 Report-Channel option in the NOTIFY message (RFC 9567)" (option 2 above) is preferable, as it's already standardized.
Open peterthomassen opened 2 months ago
peterthomassen
commented
3 weeks ago Some indicated that "EDNS0 Report-Channel option in the NOTIFY message (RFC 9567)" (option 2 above) is preferable, as it's already standardized.
jrlevine
commented
3 weeks ago That makes sense. There are a few loose ends like whether the notify needs to have the EDNS0 option 18. It's authors will likely be in Kigali so we can ask them if they see issues with using it.
Sent from phone with tiny keyboard, please excuse typos.
On Jun 2, 2024, 15:49, at 15:49, Peter Thomassen @.***> wrote:
Some indicated that "EDNS0 Report-Channel option in the NOTIFY message (RFC 9567)" (option 2 above) is preferable, as it's already standardized.
-- Reply to this email directly or view it on GitHub: https://github.com/peterthomassen/draft-ietf-dnsop-generalized-notify/issues/24#issuecomment-2143860992 You are receiving this because you are subscribed to this thread.
Message ID: @.***>
I was thinking about ways for the NOTIFY receiver (i.e., parent) to communicate an error condition to the DNS operator.
Perhaps good ideas:
In both cases, to prevent reflection attacks, the report target's last labels could be required to be one of the NS hostnames (or something like that).
Probably bad ideas:
_notify-report.$child_signal.ns1.provider.net, or similar (need not be child-specific). The problem here is that there may be multiple NS by different operators, and it's not clear which of the published endpoints is the one related to the NOTIFY that was sent.