On Dec 14, 2016, at 12:21 PM, Steve Crocker <st...@shinkuro.com> wrote:
> If it doesn’t have a globally unique meaning, it doesn’t make sense to query 
> the root for an answer.
> 
> What problem is trying to be solved?  I suspect whatever the problem actually 
> is, the answer will be something other than adding an unsecured delegation to 
> the root zone.

When considering problems, it is better to consider the problem first, rather 
than proposing solutions first. :)

The problem is that we (the working group) want DNSSEC validation to be as 
broadly enabled as makes sense.   In my opinion, this means that hosts should 
be doing DNSSEC validation.   However, the expectation is that they will be 
talking to their local caching resolver to get the information they need to do 
validation.   What we want is for the local resolver to be able to present a 
consistent picture of the homenet domain that is locally consistent and will 
not fail validation.   We do not want to have to specially configure 
resolvers—it’s not reasonable to expect end users to do this, and I don’t want 
to open up a security hole by setting up a way to do it automatically.   What 
we want is for validation on the homenet to Just Work.

We can of course in theory design a secure extension that allows DNSSEC 
validation to work on homenets through automatic configuration of trust 
anchors, but we can’t assume that all resolvers will support this 
functionality.   Resolution on the homenet has to work even if we are using a 
validator that doesn’t support special handling of trust anchors for .homenet. 
And, frankly, we don’t know if we can come up with a secure way to do trust 
anchors on homenets even for hosts that decide to support them.   I want to 
think we can, but we can’t assume that we can.

So while in theory, not querying the root server would be a way to address 
this, not querying the root server indirectly through the cache is not an 
option, because we have to provide valid data from the root about .homenet.   
If that valid data is a secure denial of existence for .homenet, then no name 
in .homenet can possibly validate.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
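The distinction the reply turns on (an unsigned delegation that a validator can prove is unsigned, versus a secure denial of existence for the whole TLD) is mechanical enough to show in code. Below is an added illustration, not part of the thread and not anyone's implementation: a toy model of the root-zone NSEC checks a validator performs at a delegation point. The two NSEC chains are constructed and far shorter than the real root zone, and only single-label TLDs are modelled, so canonical ordering is a plain string comparison.

```python
"""Toy model of the root-zone NSEC checks a DNSSEC validator performs at a
delegation point.  Constructed example: the chains below are made up and
much shorter than the real root zone; only single-label TLDs are handled."""
from dataclasses import dataclass

APEX = "."


def canon(name: str) -> str:
    """Canonical form for ordering TLD names: lowercase, no trailing dot.
    The apex "." becomes "" and therefore sorts before every other name."""
    return name.lower().rstrip(".")


@dataclass(frozen=True)
class Nsec:
    owner: str
    next: str
    types: frozenset  # type bitmap of the owner name


def find_nsec(chain, qname):
    """Return (nsec, exact): the NSEC owned by qname, or the one whose
    owner..next interval covers it.  A covering NSEC is the signed proof
    that qname does not exist in the zone (secure denial of existence)."""
    q = canon(qname)
    for rr in chain:
        o, n = canon(rr.owner), canon(rr.next)
        if o == q:
            return rr, True
        if n == canon(APEX):          # last record wraps around to the apex
            if q > o:
                return rr, False
        elif o < q < n:
            return rr, False
    raise ValueError(f"NSEC chain does not account for {qname}")


def delegation_status(chain, tld):
    """What the root proves about a TLD: a signed delegation (DS present),
    a provably unsigned one (NS present, NSEC shows no DS), or no such name."""
    rr, exact = find_nsec(chain, tld)
    if not exact:
        return "nonexistent"   # secure denial of existence of the whole TLD
    if "DS" in rr.types:
        return "secure"        # follow the DS to the child's DNSKEY
    if "NS" in rr.types:
        return "insecure"      # delegation exists, root proves there is no DS
    return "no-delegation"


def validation_outcome(chain, qname):
    """Outcome a validator reaches for a name under a TLD, given only the
    root's proof.  For a secure delegation the real chain-of-trust check
    continues below the TLD; that part is not modelled here."""
    tld = canon(qname).split(".")[-1] + "."
    status = delegation_status(chain, tld)
    if status == "secure":
        return "validate-via-DS"
    if status == "insecure":
        return "insecure"      # provably unsigned: accepted without signatures
    return "bogus"             # nothing under a proven-nonexistent TLD can validate


T = frozenset
# Constructed chain: the root knows only com and org, so homenet falls in
# the gap between them and the NSEC for com is a secure denial of its existence.
ROOT_TODAY = [
    Nsec(".", "com.", T({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    Nsec("com.", "org.", T({"NS", "DS", "RRSIG", "NSEC"})),
    Nsec("org.", ".", T({"NS", "DS", "RRSIG", "NSEC"})),
]
# Constructed chain with the unsecured delegation under discussion added:
# homenet has NS but no DS, and the NSEC for homenet proves the DS is absent.
ROOT_WITH_HOMENET = [
    Nsec(".", "com.", T({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    Nsec("com.", "homenet.", T({"NS", "DS", "RRSIG", "NSEC"})),
    Nsec("homenet.", "org.", T({"NS", "RRSIG", "NSEC"})),
    Nsec("org.", ".", T({"NS", "DS", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    for label, chain in (("root today", ROOT_TODAY), ("root + homenet", ROOT_WITH_HOMENET)):
        print(f"{label}: homenet is {delegation_status(chain, 'homenet.')}, "
              f"router.homenet. -> {validation_outcome(chain, 'router.homenet.')}")
```

The `insecure` branch is the point of the reply: a validator that knows nothing special about `.homenet` still reaches a usable answer, because the root itself proves the delegation is unsigned. Without the delegation, the same validator receives a signed proof that `.homenet` does not exist, and any data it is handed under that name is bogus no matter what the local resolver does.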