Two conversations in one thread is confusing. There is a part which is about the name as a label. in the root? not in the root? under .arpa? which process? why? -Thats mired. I'm trying not to re-ignite flames having covered myself in petrol some time ago.
There is a part which is 'can we do DNSSEC better' about protocol and encoding and technology. This part interests me more right now, because it feels tractable: we're asking questions about how DNSSEC works, and corner-cases. It feels like we're exploring the need for something which isn't NSEC or NSEC3 but is a public signed repudiation of things declaring them as not being in the DNS. Which is kind-of cool because it solves one of the other (6761) questions about how to say 'not in the DNS' if we do it right. The problem is we want it to work with prior code. I'm struggling to understand how that works without a time machine. -G On Thu, Dec 15, 2016 at 10:48 AM, John R Levine <jo...@taugh.com> wrote: >>> But it's worse than that -- if your client software does DNSSEC >>> validation it needs to understand that homenet is a special case and >>> it's OK not to validate. >>> [etc] >> >> >> That is precisely why we need an unsecured delegation. > > > Except that as the [etc] said, it doesn't really solve the problem. > > Regards, > John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
