On Dec 14, 2016, at 12:21 PM, Steve Crocker <st...@shinkuro.com> wrote:

> If it doesn’t have a globally unique meaning, it doesn’t make sense to query
> the root for an answer.
>
> What problem is trying to be solved? I suspect whatever the problem actually
> is, the answer will be something other than adding an unsecured delegation to
> the root zone.
When considering problems, it is better to consider the problem first, rather than proposing solutions first. :)

The problem is that we (the working group) want DNSSEC validation to be as broadly enabled as makes sense. In my opinion, this means that hosts should be doing DNSSEC validation. However, the expectation is that they will be talking to their local caching resolver to get the information they need to do validation. What we want is for the local resolver to be able to present a consistent picture of the homenet domain that is locally consistent and will not fail validation. We do not want to have to specially configure resolvers—it’s not reasonable to expect end users to do this, and I don’t want to open up a security hole by setting up a way to do it automatically. What we want is for validation on the homenet to Just Work.

We can of course in theory design a secure extension that allows DNSSEC validation to work on homenets through automatic configuration of trust anchors, but we can’t assume that all resolvers will support this functionality. Resolution on the homenet has to work even if we are using a validator that doesn’t support special handling of trust anchors for .homenet. And, frankly, we don’t know if we can come up with a secure way to do trust anchors on homenets even for hosts that decide to support them. I want to think we can, but we can’t assume that we can.

So while in theory not querying the root server would be a way to address this, not querying the root server indirectly through the cache is not an option, because we have to provide valid data from the root about .homenet. If that valid data is a secure denial of existence for .homenet, then no name in .homenet can possibly validate.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
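The three outcomes the reply contrasts (a signed denial of existence at the root, an unsigned delegation at the root, and a validator that happens to hold its own trust anchor for the TLD) can be modelled as the decision a validating host makes once it has the root's answer about the TLD. The following Python is an added illustration, not code from the thread or from any working-group draft. It abstracts away signature checking and the NSEC chain, and all zone contents (the `example-signed` and `example-unsigned` labels, the `RootZone` class, the `validate` function) are constructed for this example. The handling of a locally held trust anchor, where the validator validates from the nearer anchor and never consults the root, is an assumption about validator behaviour, not something the message asserts.

```python
"""Toy model of the validation outcome described in the reply above.

Added example, not code from the thread.  It models only the decision a
validator makes after it has received the root's signed answer about a
TLD; real signature checking and the NSEC chain are abstracted away.
All zone data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class RootZone:
    """Constructed stand-in for the signed root zone.

    tlds maps a TLD label to True if the root publishes a DS record for it
    (secure delegation) or False if it publishes only NS records (unsigned
    delegation).  A TLD absent from the map is provably non-existent: the
    root's NSEC records give a signed denial of existence for it.
    """
    tlds: dict

    def answer_for(self, tld: str) -> str:
        if tld not in self.tlds:
            return "secure_denial"          # signed NSEC proof: no such TLD
        return "secure_delegation" if self.tlds[tld] else "insecure_delegation"


def tld_of(qname: str) -> str:
    """Return the top-level label of a fully qualified name."""
    labels = [label for label in qname.lower().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("the root name has no TLD")
    return labels[-1]


def validate(qname: str, root: RootZone, trust_anchors=frozenset({"."})) -> str:
    """Classify a locally served answer for qname as a validating host would.

    Returns one of 'secure', 'insecure', or 'bogus'.

    Assumption (constructed for this example): a validator that holds a
    trust anchor for the TLD itself validates from that anchor and never
    needs the root's opinion.  The chain of trust below a secure delegation
    is assumed to check out.
    """
    tld = tld_of(qname)
    if tld + "." in trust_anchors:
        return "secure"
    root_says = root.answer_for(tld)
    if root_says == "secure_delegation":
        return "secure"        # DS at root: validate on down the chain
    if root_says == "insecure_delegation":
        return "insecure"      # NS but no DS: unsigned subtree, answers accepted unsigned
    # secure_denial: the root proves the TLD does not exist.  A locally
    # served positive answer beneath it contradicts signed data, so the
    # validator rejects it rather than trusting the local resolver.
    return "bogus"


# Constructed root zones used to illustrate the three outcomes.
ROOT_WITHOUT_HOMENET = RootZone({"example-signed": True, "example-unsigned": False})
ROOT_WITH_UNSIGNED_HOMENET = RootZone({**ROOT_WITHOUT_HOMENET.tlds, "homenet": False})


def demo():
    """Outcomes for a name the home router serves locally."""
    name = "printer.homenet."
    return {
        "no delegation at root": validate(name, ROOT_WITHOUT_HOMENET),
        "unsigned delegation at root": validate(name, ROOT_WITH_UNSIGNED_HOMENET),
        "local trust anchor, no delegation": validate(
            name, ROOT_WITHOUT_HOMENET, trust_anchors=frozenset({".", "homenet."})),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:36s} -> {outcome}")
```

Running the block prints the three cases: with no delegation at the root the locally served name is classified as bogus (the reply's "no name in .homenet can possibly validate"), with an unsigned delegation it is accepted as insecure, and only a validator that carries its own anchor for the TLD reaches secure, which is exactly the capability the reply says cannot be assumed of every resolver.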