> For a "mail" a secure NXDOMAIN response saying that "mail." doesn't exist
> should be fine.
> For "foo.home" you actually want an insecure response with an insecure
> referral, or at least you want "DS home" to come back as a secure
> NODATA rather than a secure NXDOMAIN. This assumes we want to
> formalise the de facto use of .home for names in the home.
I'm thinking that if a query for foo.home shows up at the roots, that is
evidence of a configuration error. So how about doing a secure NXDOMAIN,
and tell people that if they want to use DNSSEC and their own .home names,
it's up to them to put their own local .home trust anchor into their cache
and a local DNS server to serve it.
Your typical home router is running linux anyway, so it doesn't seem
unduly cruel to say that if it's going to run a validating cache, it needs
to poke its own holes for private names since it's all off the shelf
software.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
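What "poking holes for private names" and "putting a local .home trust anchor into the cache" look like in practice, as an added example for an Unbound validating resolver (this is illustrative configuration, not from the message or the DNSOP list; the zone name, the stub server address and the DS record value are placeholders, and the DS must be the one for the locally signed "home" zone, generated and published by whoever signs it):

```conf
# unbound.conf fragment (added example; addresses and DS value are placeholders)
server:
    # Option A, the "poke a hole" approach: treat everything under home. as
    # unsigned so a secure NXDOMAIN (or secure NODATA) for "home" at the root
    # does not cause the validator to reject answers from the local server.
    domain-insecure: "home."

    # Option B, the "local trust anchor" approach: the local zone is signed and
    # the cache trusts it directly, so names under home. validate as secure
    # even though the root says home. does not exist. Use one of A or B;
    # with B in place, remove the domain-insecure line above.
    # trust-anchor: "home. DS 12345 13 2 PLACEHOLDER-HEX-DIGEST-OF-LOCAL-KSK"

    # Names under home. resolve to RFC 1918 addresses; allow those answers
    # through the rebinding filter for this domain only.
    private-domain: "home."

# Send queries for home. to the local authoritative server instead of the
# roots, so a query for foo.home never leaves the home network.
stub-zone:
    name: "home."
    stub-addr: 192.168.1.1   # placeholder: the router's authoritative server
```

With Option A, answers under home. are returned as insecure (no AD bit); with Option B they validate against the local DS, which is what the message means by "it's up to them to put their own local .home trust anchor into their cache and a local DNS server to serve it". Either way, if the stub-zone line is missing the query falls through to the roots and the secure NXDOMAIN there makes foo.home fail, which is the configuration error the message describes.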
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop