In message <capt1n1kchdzvo+w0jyzx9+ozyi6t-dwuwq7-bz9smuumxsm...@mail.gmail.com>, Ted Lemon writes:
> Which do you want? TLSA, or delegation? You can't have both.

From a technical perspective an insecure delegation for .localhost back
to the root servers to break the DNSSEC chain of trust. You can then
populate a local .localhost however you see fit and have the answers
validate as secure / insecure depending on whether the validator has
a trust anchor for .localhost.

As for the rest, we should not inflict the broken security model used
here on every other use of domain names in this namespace. It does
not belong to just one service. If the web wants a namespace that has
these properties it can request one. It shouldn't hijack an existing
space.

Mark

> On Fri, Nov 18, 2016 at 6:52 AM, Mark Andrews <ma...@isc.org> wrote:
>
> >
> > As I said on the sunset4 mailing list this goes too far.
> >
> > I don't know about you but I want to be able to lookup TLSA records,
> > SRV and other record types for foo.localhost and localhost.
> >
> > And by the way this also requires an insecure delegation in the root
> > zone for DNSSEC to work with validating client.
> >
> > This isn't a good idea.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org