On Nov 20, 2013, at 8:00 PM, John Levine <johnl@taugh.com> wrote:
Yep - you're only allowed SOA, apex NS, glue, DNSSEC records and delegations - nothing else.
That's at the apex of the TLD.
By my count _whois._tcp.tld is two levels down.
R's, John
PS: What threat model do people believe is enabled by _tcp?
Include namespace collisions in the mix and you could possibly divert corporate infrastructure to rogue servers.

http://www.icann.org/en/about/staff/security/ssr/name-collision-02aug13-en.p...
http://forum.icann.org/lists/comments-name-collision-05aug13/pdfOPzpyE9PtF.p...

Name includes _ldap or _kerberos at the lowest level
    _ldap._tcp.dc._msdcs.<etc.>
    _kerberos._tcp.dc._msdcs.<etc.>

Name includes _sip, _sipinternal, _sipinternaltls, _sipfederationtls, or _sips at the lowest level
    _sip._udp.<etc.>

Rubens
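
Added example, not part of the original message: a small Python check a resolver operator could run over logged query names to count service-discovery lookups of the kinds listed above that fall under a TLD the organisation uses only internally. The `corp` suffix, the sample names and the `_tls` protocol label are assumptions made for illustration.

```python
from collections import Counter

# Leftmost ("lowest level") labels named in the message above.
DIRECTORY_LABELS = {"_ldap", "_kerberos"}
SIP_LABELS = {"_sip", "_sipinternal", "_sipinternaltls",
              "_sipfederationtls", "_sips"}
# Assumption: the protocol labels normally seen in second position.
PROTO_LABELS = {"_tcp", "_udp", "_tls"}


def classify(qname):
    """Return (category, tld) for a matching service-discovery name, else None."""
    labels = qname.rstrip(".").lower().split(".")
    # Need at least _service._proto.tld, with a protocol label second.
    if len(labels) < 3 or labels[1] not in PROTO_LABELS:
        return None
    service = labels[0]
    if service in DIRECTORY_LABELS:
        category = "directory"
    elif service in SIP_LABELS:
        category = "sip"
    else:
        return None
    return category, labels[-1]


def leaked_by_tld(qnames, internal_tlds):
    """Count matching queries whose TLD is one used only inside the organisation."""
    hits = Counter()
    for qname in qnames:
        result = classify(qname)
        if result and result[1] in internal_tlds:
            hits[result] += 1
    return hits


# Constructed sample of logged query names (not real traffic).
SAMPLE = [
    "_ldap._tcp.dc._msdcs.ad.corp.",
    "_kerberos._tcp.dc._msdcs.ad.corp.",
    "_sip._udp.voice.corp.",
    "_SIPInternalTLS._tcp.voice.corp.",
    "www.example.com.",
    "_ldap._tcp.example.com.",
    "_http._tcp.printers.corp.",
]

if __name__ == "__main__":
    for (category, tld), count in sorted(leaked_by_tld(SAMPLE, {"corp"}).items()):
        print(f"{tld}\t{category}\t{count}")
```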