Judging by the existing thread, opinions abound. I admit that I'm not
fluent enough in the intricacies of DNSSEC to judge the merits of Mark's
objection. I believe the assertion in
https://www.ietf.org/mail-archive/web/sunset4/current/msg00456.html that
more nuance is required, and I'm happy to do more work to address those
concerns, but I'll need y'all's guidance to do so. :)

I'd say Mark's objection is reasonable but not necessarily a deal breaker. As he points out, the two existing special top-level domains, .local and .onion, are supposed to be resolved without using the DNS, by mDNS and Tor respectively. For .localhost, depending on the implementation it might or might not use the DNS, which is why DNSSEC matters.

The problem is that the DNSSEC solution here is kind of complicated. What you'd want is an opt-out signature in the root, showing that there might be an insecure delegation to .localhost, but the root is signed with NSEC and there's only opt-out in NSEC3. Technically it's not complicated to change from NSEC to NSEC3, but any change to the way the root is managed is a big deal since the consequences of screwing it up are so large.

On the third hand, .localhost has been special forever and this draft essentially codifies what we've assumed all along, so if we approve it things are no worse and arguably better than they are now.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
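Worked example added by the editor, not part of John's message or of the draft under discussion. It shows the mechanics behind the NSEC versus NSEC3 point above: a validator checking a name such as "localhost." against an NSEC chain either finds an owner record for it or finds the gap that proves it absent, so an unsigned (DS-less) delegation cannot appear there without re-signing the chain; with NSEC3 Opt-Out (RFC 5155) the same gap, flagged Opt-Out, is allowed to contain unsigned delegations. The zone names, type bitmaps and NSEC3 parameters below are constructed for illustration and are not the real root zone; the function names are the editor's own.

```python
"""
Added example (editor's code, not from the thread).  The toy "root" below is
constructed for illustration and does not reflect the real root zone.
"""
import hashlib

OPT_OUT = 0x01  # NSEC3 flags bit (RFC 5155 s3.1.2.1)


def wire_name(name):
    # Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels,
    # terminated by the root label.
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            lb = label.encode("ascii")
            out += bytes([len(lb)]) + lb
    return out + b"\x00"


def canonical_key(name):
    # Sort key for canonical DNS name ordering (RFC 4034 s6.1): labels are
    # compared right to left, byte-wise, lowercase.  The root "." is ().
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(l.encode("ascii") for l in reversed(labels))


def nsec_covers(owner, next_name, qname):
    # True when qname sorts strictly between owner and next.  The last NSEC in
    # the chain points back to the apex and so covers everything after owner.
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def nsec_verdict(nsec_rrs, qname):
    # nsec_rrs: [(owner, next, set of type names)] taken from the signed zone.
    for owner, nxt, types in nsec_rrs:
        if canonical_key(owner) == canonical_key(qname):
            if "SOA" in types:
                return "apex"
            if "NS" in types and "DS" not in types:
                return "insecure_delegation"   # unsigned child, stated by the NSEC itself
            return "secure_delegation" if "NS" in types else "exists_no_delegation"
        if nsec_covers(owner, nxt, qname):
            return "proven_absent"             # nothing may live here without re-signing
    return "no_proof"


def nsec3_hash(name, salt, iterations):
    # RFC 5155 s5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1.
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


def build_nsec3_chain(signed_names, salt, iterations, opt_out):
    # With Opt-Out, only signed names get NSEC3 records; unsigned delegations
    # simply fall into a flagged gap.  Returns [(owner_hash, next_hash, flags)].
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in signed_names)
    flags = OPT_OUT if opt_out else 0
    return [(h, hashes[(i + 1) % len(hashes)], flags) for i, h in enumerate(hashes)]


def nsec3_verdict(chain, qname, salt, iterations):
    q = nsec3_hash(qname, salt, iterations)
    for owner_h, next_h, flags in chain:
        if q == owner_h:
            return "exists"
        covered = (owner_h < q < next_h) if owner_h < next_h else (q > owner_h or q < next_h)
        if covered:
            return "insecure_delegation_allowed" if flags & OPT_OUT else "proven_absent"
    return "no_proof"


# Constructed toy root.  "lol." is an unsigned child (NS, no DS); "localhost." is absent.
TOY_NSEC_ROOT = [
    (".",    "aaa.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("aaa.", "lk.",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("lk.",  "lol.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("lol.", "zw.",  {"NS", "RRSIG", "NSEC"}),
    ("zw.",  ".",    {"NS", "DS", "RRSIG", "NSEC"}),
]
TOY_NSEC3_SIGNED = [".", "aaa.", "lk.", "zw."]   # "lol." has no record under Opt-Out
SALT, ITERATIONS = bytes.fromhex("abcd"), 0

if __name__ == "__main__":
    print("NSEC   localhost.:", nsec_verdict(TOY_NSEC_ROOT, "localhost."))
    print("NSEC   lol.      :", nsec_verdict(TOY_NSEC_ROOT, "lol."))
    for opt in (True, False):
        chain = build_nsec3_chain(TOY_NSEC3_SIGNED, SALT, ITERATIONS, opt)
        print("NSEC3 opt_out=%s localhost.: %s" % (opt, nsec3_verdict(chain, "localhost.", SALT, ITERATIONS)))
```

The NSEC chain gives one of two answers for localhost.: an explicit owner record (so the zone operator had to add it and sign it) or a covering gap that proves it absent. Only the NSEC3 chain with the Opt-Out flag set returns a verdict that tolerates an unsigned delegation in that gap, which is the opt-out signature John describes and which the root does not currently publish.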