* Alex Bligh:

> Clearly a validating recursive nameserver not supporting
> DOMAIN.LOCAL.ARPA may get a signed denial of existence for
> LOCAL.ARPA, but that's just fine. LOCAL.ARPA doesn't
> exist "there".

Great, then we are in agreement actually.

>> As I've tried to explain, spoofing by the resolver operator itself is
>> the relevant issue here. It breaks the proposed protocol. Please
>> tell me how I can explain this in a better way---perhaps I shouldn't
>> say "spoofing" but "DNS rewriting", "NXDOMAIN redirection",
>> "Sitefinder", "online help page", or something else, but it's really
>> spoofing.
>
> Ah. I think I now understand what you mean. Well yes they can do that, but
> they could do it anyway.

There's an additional twist: If I have got a client device (not DNS
proxy) which supports the proposed protocol, it will not work when I
connect it to a network which uses a resolver that performs this type of
spoofing, unless the spoofing resolver has specific support for this
protocol.

It's not "someone could do evil things and make it break", but "someone
already does (perhaps evil) things, and it breaks".

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
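The failure mode discussed above, as an added illustration that is not part of this thread: a client decides whether LOCAL.ARPA exists "there" from the resolver's negative answer, and is run once against an honest validating resolver and once against a resolver that performs NXDOMAIN redirection. The proposed protocol's actual wire behaviour is not on the page, so the model keeps only what the argument needs (an rcode, any answer records, and whether a validated signed denial or a validated signature is present). The probe name, the addresses, and both resolver behaviours are constructed; the validating client is assumed to hold a chain of trust from the root, so it expects signed proofs under ARPA.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


# Constructed model of a DNS response, reduced to the fields the argument needs.
@dataclass
class DnsResponse:
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    answers: List[Tuple[str, str]] = field(default_factory=list)
    signed_denial: bool = False                  # validated NSEC/NSEC3 proof of non-existence
    signed_answer: bool = False                  # answer RRset validated through an RRSIG chain


Resolver = Callable[[str], DnsResponse]


def _under_local_arpa(qname: str) -> bool:
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2:] == ["local", "arpa"]


def honest_resolver(qname: str) -> DnsResponse:
    """Validating recursive resolver that does not support DOMAIN.LOCAL.ARPA.

    LOCAL.ARPA does not exist 'there', so any name under it gets a signed
    denial of existence; other names get an ordinary signed answer
    (192.0.2.10 is a constructed documentation address).
    """
    if _under_local_arpa(qname):
        return DnsResponse("NXDOMAIN", signed_denial=True)
    return DnsResponse("NOERROR", answers=[("A", "192.0.2.10")], signed_answer=True)


def rewriting_resolver(qname: str) -> DnsResponse:
    """Resolver operated with NXDOMAIN redirection ('online help page').

    Every negative answer from upstream is replaced by a synthesized,
    unsigned A record (198.51.100.1 is a constructed address).
    """
    upstream = honest_resolver(qname)
    if upstream.rcode == "NXDOMAIN":
        return DnsResponse("NOERROR", answers=[("A", "198.51.100.1")])
    return upstream


def naive_probe(resolver: Resolver, qname: str = "probe.local.arpa") -> bool:
    """Client that trusts the rcode alone; True means 'LOCAL.ARPA absent here'."""
    return resolver(qname).rcode == "NXDOMAIN"


def validating_probe(resolver: Resolver, qname: str = "probe.local.arpa") -> str:
    """Client that validates DNSSEC itself (assumed chain of trust from the root).

    Returns "ABSENT" for a proven non-existence, "PRESENT" for a validated
    positive answer, and "BOGUS" when the reply is neither.
    """
    reply = resolver(qname)
    if reply.rcode == "NXDOMAIN":
        return "ABSENT" if reply.signed_denial else "BOGUS"
    return "PRESENT" if reply.signed_answer else "BOGUS"


if __name__ == "__main__":
    for name, resolver in (("honest", honest_resolver), ("rewriting", rewriting_resolver)):
        print(f"{name:9} naive={naive_probe(resolver)!s:5} "
              f"validating={validating_probe(resolver)}")
```

Against the honest resolver both clients reach the intended conclusion (LOCAL.ARPA is absent). Against the rewriting resolver the naive client is misled into treating the probe as answered, while the validating client at least notices that the synthesized answer carries no signature and reports it as bogus; either way the protocol cannot proceed on that network unless the rewriting resolver is taught about it, which is the point of the message.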