I'd like to make a brief comment on this document. I see some utility in having DNSSEC apply over special-use names, because authenticated non-existence is a strong proof of intent, and would give a 'not in this domainspace' switch a robust basis.

On that understanding, how would DNAME redirection work for returning sigs over the NX? Ray's sign-on-the-fly model, which we know works, could be used to generate signed denial of almost anything, which I have felt could be applied under ALT quite nicely to ensure a formally non-existent state is declared. Another view is that having true delegations permits some to be formally denied to exist while others can be allocated for use, if the special-use delegation actually has to exist, e.g. a mapping into a local anycast bound on 127/8 is the desired target.

Basically, if we did DNSSEC, could we somehow not only say 'doesn't exist' but specifically say (somehow) "we've signed that this is an exit label, and it isn't simply a declaration that it hasn't yet been delegated"? Maybe I'm over-thinking it, but it feels like we could do something tricky here to make it NX but also make it clear we know it exists as a label, in denying it.

-G

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
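The "authenticated non-existence" the post leans on is the NSEC chain: a validator decides whether a signed NSEC record covers the query name in canonical order, or whether the name is itself an NSEC owner (a label the zone signs as existing, with a type bitmap that may say it carries no data at all). The following is an added example, not code from the thread or from any IETF draft; the zone `example.`, its owner names and type bitmaps are constructed for illustration, and `classify` is a hypothetical helper name.

```python
# Added example, not part of the DNSOP thread: classify a query name against a
# zone's NSEC chain (covered = authenticated non-existence, exists = signed label).
# The apex, owner names and type bitmaps below are constructed for illustration.
from typing import Dict, List, Tuple


def _labels(name: str) -> List[bytes]:
    # Lowercase labels without the trailing dot; the root name is the empty list.
    name = name.rstrip(".").lower()
    return [label.encode("ascii") for label in name.split(".")] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 section 6.1 canonical ordering: labels are compared from the
    rightmost (parent) label leftwards as unsigned octets, and a name that is a
    proper ancestor of the other sorts first. Returns -1, 0 or 1."""
    la, lb = _labels(a)[::-1], _labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def in_zone(apex: str, qname: str) -> bool:
    # qname is at or below apex when the apex's reversed labels prefix qname's.
    la, lq = _labels(apex)[::-1], _labels(qname)[::-1]
    return lq[: len(la)] == la


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when qname sorts strictly between owner and next_name, so this NSEC
    proves qname does not exist. The last NSEC in a zone wraps around: its next
    name is the apex, which sorts before its owner, so everything after the
    owner or before the apex is covered."""
    o_q = canonical_cmp(owner, qname)
    q_n = canonical_cmp(qname, next_name)
    if canonical_cmp(owner, next_name) < 0:
        return o_q < 0 and q_n < 0
    return o_q < 0 or q_n < 0


# Constructed sample chain: owner name -> (next name, type bitmap), as a
# validator would hold the records after checking their RRSIGs.
APEX = "example."
CHAIN: Dict[str, Tuple[str, List[str]]] = {
    "example.":     ("alt.example.", ["SOA", "NS", "NSEC", "RRSIG"]),
    "alt.example.": ("zz.example.",  ["NSEC", "RRSIG"]),  # label exists, no data
    "zz.example.":  ("example.",     ["A", "NSEC", "RRSIG"]),
}


def classify(apex: str, chain: Dict[str, Tuple[str, List[str]]], qname: str) -> str:
    """Returns 'out-of-zone' when this chain cannot speak for qname,
    'exists:<types>' when qname is an NSEC owner (signed as a real label, with
    the given types), 'covered:<owner>' when an NSEC proves it does not exist,
    or 'unproven' when no record in the chain decides it."""
    if not in_zone(apex, qname):
        return "out-of-zone"
    for owner, (next_name, types) in chain.items():
        if canonical_cmp(owner, qname) == 0:
            return "exists:" + ",".join(types)
        if nsec_covers(owner, next_name, qname):
            return "covered:" + owner
    return "unproven"


if __name__ == "__main__":
    for q in ("foo.alt.example.", "alt.example.", "zzz.example.", "other."):
        print(q, "->", classify(APEX, CHAIN, q))
```

Two things in the output bear on the post's question. `foo.alt.example.` is covered by the NSEC at `alt.example.`, which is a plain denial; `alt.example.` itself comes back as an existing label whose bitmap holds only NSEC and RRSIG, which is the nearest thing plain NSEC offers to "we signed that this label exists but has no data". A complete NXDOMAIN proof additionally needs the NSEC covering the wildcard below the closest encloser and verified RRSIGs on every record used, and the `in_zone` check matters because the wrap-around record would otherwise appear to cover names outside the zone.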