[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-01.txt

Anne Bennett anne at encs.concordia.ca
Fri Oct 21 16:44:09 UTC 2016

> Second edition. Thanks for all the feedback, everybody. Care to have another look?

> Htmlized:       https://tools.ietf.org/html/draft-vixie-dns-rpz-01
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-vixie-dns-rpz-01

Typo: overriden -> overridden

I still find the "Name Length" section confusing.  I looked at
section 6.1 of RFC 4034, which defines a "canonical ordering",
but doesn't use the terminology "smaller" or "bigger".  Also,
I don't think that "a label that is a prefix of a second label"
correctly expresses what I'm pretty sure is meant.  For example,
"x.y" is a prefix of "x.y.z", and I'm sure that we *don't*
mean to compare those, but rather we want to compare "x.y.z"
and "y.z", neither of which "is a prefix of" the other, but
one of which results from adding a prefix to the other.

So I'd like to propose something like:

  [...] choose the policy that matches the most specific
  domain name.  For example, "x.y.z" is more specific than "y.z".

Having proposed the above, though, I have two questions:

  - Should "BLAH.y.z" not be considered more specific (and
    a better match) than the wildcard "*.y.z", regardless of
    whether the asterisk sorts lexicographically before or after

  - Are there any other cases where names of equal specificity
    could both match a QNAME or NSDNAME policy?  If not, we
    could avoid the complexity of referring to and summarizing
    the canonical sort order at all.

I'm afraid that the "Prefix Length" and "Tie Breaker" sections
are still obscure to me.  :-(  Can you show some examples?

"Acknowledgements": thank you, and a period is needed at the
end of the sentence.  :-)

Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
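The comparison this message is asking about can be made concrete. The following is an added example written for this archive page, not code from the draft, its authors, or this post: it implements the canonical DNS name ordering of RFC 4034 section 6.1 (checked against that RFC's own example list), a label-count notion of "most specific" as proposed above, and a hypothetical trigger-matching step (exact name or "*." wildcard, an assumption for illustration only) so that the "x.y.z" versus "y.z" and "BLAH.y.z" versus "*.y.z" cases can be run. The tie-break of "most labels first, then biggest name in canonical order" is likewise an assumption made here, not a rule the draft is known to state.

```python
# Added example (not from draft-vixie-dns-rpz or the mailing-list post).
# Assumptions are marked in comments; only RFC 4034 6.1 ordering is taken as given.
from typing import List


def _decode_label(label: str) -> bytes:
    """Decode a presentation-format label into octets.

    RFC 4034 6.1: labels are unsigned octet sequences, and ASCII uppercase is
    treated as lowercase.  \\DDD escapes (decimal octet) are decoded so the
    RFC's own example names such as "\\001.z.example" can be used.  ASCII only.
    """
    out = bytearray()
    i = 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out.append(int(label[i + 1:i + 4]))
            i += 4
        else:
            out.append(ord(label[i].lower()))
            i += 1
    return bytes(out)


def canonical_labels(name: str) -> List[bytes]:
    """Labels in most-significant (rightmost) order; the root "." has none.

    Comparing two such lists with Python's list/bytes ordering is exactly the
    RFC 4034 6.1 rule: compare rightmost labels first, a missing label sorts
    before any label, and a shorter label sorts before one it is a prefix of.
    """
    name = name.rstrip(".")
    if not name:
        return []
    return [_decode_label(lbl) for lbl in reversed(name.split("."))]


def canonical_sort(names: List[str]) -> List[str]:
    """Sort names into RFC 4034 6.1 canonical order ("smaller" first)."""
    return sorted(names, key=canonical_labels)


# The ordered example list given in RFC 4034 section 6.1.
RFC_4034_EXAMPLE_ORDER = [
    "example", "a.example", "yljkjljk.a.example", "Z.a.example",
    "zABC.a.EXAMPLE", "z.example", "\\001.z.example", "*.z.example",
    "\\200.z.example",
]


def specificity(name: str) -> int:
    """Label count: the 'more specific' measure the post proposes ("x.y.z" > "y.z")."""
    return len(canonical_labels(name))


def sorts_after_wildcard(label: str) -> bool:
    """True if a label sorts after "*" (octet 0x2a) in canonical order.

    Every label starting with a letter, digit or hyphen does, so a wildcard
    name never outranks a literal sibling under the canonical ordering.
    """
    return _decode_label(label) > b"*"


def matching_triggers(qname: str, triggers: List[str]) -> List[str]:
    """ASSUMPTION (illustration only): a trigger matches a QNAME either exactly
    or, for "*.suffix", when the QNAME is strictly below suffix."""
    q = canonical_labels(qname)
    hits = []
    for t in triggers:
        tl = canonical_labels(t)
        if tl == q:
            hits.append(t)
        elif tl and tl[-1] == b"*" and len(q) > len(tl) - 1 and q[:len(tl) - 1] == tl[:-1]:
            hits.append(t)
    return hits


def most_specific(names: List[str]) -> str:
    """ASSUMPTION (illustration only): most labels wins; ties go to the name
    that is 'biggest' in RFC 4034 6.1 order, which puts "BLAH.y.z" ahead of
    "*.y.z" because "*" sorts before any alphanumeric label."""
    return max(names, key=lambda n: (specificity(n), canonical_labels(n)))


if __name__ == "__main__":
    print(canonical_sort(list(reversed(RFC_4034_EXAMPLE_ORDER))))
    print(most_specific(["y.z", "x.y.z"]))
    print(most_specific(["*.y.z", "BLAH.y.z"]))
    print(most_specific(matching_triggers("x.y.z", ["x.y.z", "*.y.z", "y.z", "*.z"])))
```

Running the block reproduces the RFC 4034 example order from a reversed input, and shows that under the assumed rule "x.y.z" beats "y.z", "BLAH.y.z" beats "*.y.z", and an exact trigger beats both wildcards that also match it.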
