GitLab

A support customer has reported that response-policy filtering is not blocking based on the presence of blocked IPs in the RDATA of SVCB and HTTPS records:

https://support.isc.org/Ticket/Display.html?id=18156

Doing so would have been in conflict with section 4.3 of draft-ietf-dnsop-svcb-https, but a change was accepted in Last Call process to relax this:

https://mailarchive.ietf.org/arch/msg/dnsop/9_GXre5UVskG3VVguTVfnDzggN0/

https://github.com/MikeBishop/dns-alt-svc/pull/313

This would close a loophole that would weaken the purpose of response-policy.