In message <alpine.osx.2.11.1505081704140.30...@ary.lan>, "John R Levine" writes:

> > For a "mail" a secure NXDOMAIN response saying that "mail." doesn't exist
> > should be fine.
> >
> > For "foo.home" you actually want an insecure response with an insecure
> > referral or at least you want "DS home" to come back as a secure
> > NODATA rather than a secure NXDOMAIN. This assumes we want to
> > formalise the de facto use of .home for names in the home.
>
> I'm thinking that if a query for foo.home shows up at the roots, that is
> evidence of a configuration error. So how about doing a secure NXDOMAIN,
> and tell people that if they want to use DNSSEC and their own .home names,
> it's up to them to put their own local .home trust anchor into their cache
> and a local DNS server to serve it.
Really, you want to force all home users to sign their own zones and to securely distribute trust anchors (something we don't know how to do yet) to every machine that connects to the network (yes, validation happens in applications as well as in the recursive servers) just to avoid installing an insecure delegation for .home in the public internet. We already have insecure delegations for RFC 1918 and ULA reverse namespaces so we don't stuff up validators looking up PTR records.

Seeing foo.home just means that a search list with .home in it is in use outside of the home. Think of a laptop moving between home and the office. A validator, with just the public root's trust anchor configured on it, will validate foo.home without needing to be reconfigured at home or at work if there is an insecure delegation for .home.

"DS home" on the other hand is a normal artifact of doing validation and if we want to formalise .home then that stops getting an NXDOMAIN response.

> Your typical home router is running linux anyway, so it doesn't seem
> unduly cruel to say that if it's going to run a validating cache, it needs
> to poke its own holes for private names since it's all off the shelf
> software.

And home routers are not the only place where validation occurs.

> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
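An added illustration, not part of the thread or of any ISC code: a small Python model of the two root responses the thread contrasts for "DS home" (secure NXDOMAIN versus secure NODATA from an insecure delegation) and the state a validator holding only the root trust anchor then assigns to foo.home. The NSEC records are constructed sample data, not the real root zone's, and RRSIG checking is assumed done.

```python
# Constructed root-zone NSEC records (owner, next owner, type bitmap) standing
# in for the real root's denial-of-existence chain. Hypothetical sample data.
ROOT_SECURE_NXDOMAIN = [("hn.", "host.", {"NS", "DS", "RRSIG", "NSEC"})]
ROOT_INSECURE_DELEGATION = [("hn.", "home.", {"NS", "DS", "RRSIG", "NSEC"}),
                            ("home.", "host.", {"NS", "RRSIG", "NSEC"})]  # no DS bit

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, case folded."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode() for l in reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name, i.e. the NSEC
    proves qname does not exist. The last NSEC of a zone wraps to the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n

def classify_ds_response(nsec_rrs, tld):
    """Classify the root's signed reply to 'DS <tld>' from its NSEC records.
    Simplifications: RRSIGs are taken as already verified and the wildcard
    proof an NXDOMAIN also needs is omitted."""
    qname = tld.rstrip(".") + "."
    for owner, nxt, types in nsec_rrs:
        if canonical_key(owner) == canonical_key(qname):
            return "secure-delegation" if "DS" in types else "nodata"
        if nsec_covers(owner, nxt, qname):
            return "nxdomain"
    return "bogus"  # no proof either way

def validate_under_tld(ds_response, tld_anchor_configured, local_zone_signed):
    """State a validator assigns to an answer for foo.<tld> handed back by a
    local server, holding the root trust anchor (and optionally one for <tld>)."""
    if tld_anchor_configured:
        return "secure" if local_zone_signed else "bogus"
    if ds_response == "nxdomain":
        return "bogus"     # root proves <tld> does not exist; local data contradicts it
    if ds_response == "nodata":
        return "insecure"  # chain of trust ends at the root; unsigned data is accepted
    return "bogus"         # a real DS would have to match the local keys; not modelled

if __name__ == "__main__":
    for label, nsec in (("secure NXDOMAIN", ROOT_SECURE_NXDOMAIN),
                        ("insecure delegation", ROOT_INSECURE_DELEGATION)):
        ds = classify_ds_response(nsec, "home")
        print(f"{label:20} DS home -> {ds:9} foo.home -> {validate_under_tld(ds, False, False)}")
```

The laptop case from the message is the last line of each run: with the insecure delegation the unsigned local answer comes back "insecure" wherever the laptop is, while a secure NXDOMAIN at the root makes the same answer "bogus" unless a .home anchor is installed on every validator.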