* Alex Bligh:

> Clearly a validating recursive nameserver not supporting
> DOMAIN.LOCAL.ARPA may get a signed denial of existence for
> LOCAL.ARPA, but that's just fine. LOCAL.ARPA doesn't
> exist "there".

Great, then we are in agreement actually.

>> As I've tried to explain, spoofing by the resolver operator itself is
>> the relevant issue here.  It breaks the proposed protocol.  Please
>> tell me how I can explain this in a better way---perhaps I shouldn't
>> say "spoofing" but "DNS rewriting", "NXDOMAIN redirection",
>> "Sitefinder", "online help page", or something else, but it's really
>> spoofing.
>
> Ah. I think I now understand what you mean. Well yes they can do that, but
> they could do it anyway.

There's an additional twist: If I have got a client device (not DNS
proxy) which supports the proposed protocol, it will not work when I
connect it to a network which uses a resolver that performs this type
of spoofing, unless the spoofing resolver has specific support for
this protocol.

It's not "someone could do evil things and make it break", but
"someone already does (perhaps evil) things, and it breaks".

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
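Added example, not part of the thread: a small Python model of the failure Florian describes. An honest recursive resolver returns NXDOMAIN for a name under LOCAL.ARPA it knows nothing about, while a rewriting resolver hands back its "online help page" address instead; the probe a client could run to notice that it is behind such a resolver is shown alongside. The resolver models, zone data and addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List

# Minimal model of what a stub client sees from its recursive resolver:
# either NXDOMAIN or a positive answer with A records.  Constructed for
# this example; a real client would parse actual DNS responses.
@dataclass
class Answer:
    nxdomain: bool
    addresses: List[str]

Resolver = Callable[[str], Answer]

def honest_resolver(zone_data: Dict[str, List[str]]) -> Resolver:
    """Answers NXDOMAIN for any name it does not know, as a normal recursive does."""
    def lookup(name: str) -> Answer:
        key = name.rstrip(".").lower()
        if key in zone_data:
            return Answer(False, list(zone_data[key]))
        return Answer(True, [])
    return lookup

def rewriting_resolver(zone_data: Dict[str, List[str]], help_page: str) -> Resolver:
    """Models NXDOMAIN redirection: every name that does not exist is answered
    with the operator's help-page address instead of a denial of existence."""
    inner = honest_resolver(zone_data)
    def lookup(name: str) -> Answer:
        answer = inner(name)
        return Answer(False, [help_page]) if answer.nxdomain else answer
    return lookup

def probe_name(zone: str) -> str:
    """A random label that cannot legitimately exist under `zone`."""
    return f"probe-{secrets.token_hex(8)}.{zone}"

def detects_rewriting(resolver: Resolver, zone: str = "local.arpa", probes: int = 3) -> bool:
    """Ask for names that must not exist.  A positive answer to any of them means
    the resolver rewrites NXDOMAIN, so a client that depends on denial of
    existence for this zone cannot work through it without special support."""
    return any(not resolver(probe_name(zone)).nxdomain for _ in range(probes))
```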