A stub resolver is expected to query a caching resolver, not the root.   So
all that is required for this to work is that the resolver advertised on
the homenet claim authority for the zone, and that there be an unsecured
delegation that validates that the homenet resolver can give to the stub
resolver.   Stub resolvers that query the root themselves will fail.   This
is a feature--that behavior is broken.

On Wed, Dec 14, 2016 at 10:30 PM, Brian Dickson <brian.peter.dick...@gmail.com> wrote:

> On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon <mel...@fugue.com> wrote:
>
>> Brian, there's no need for the complexity you are describing.   The
>> unsecured delegation of .homenet would just point to AS112.   Any trust
>> anchor bootstrapping would not involve the root at all.
>>
>
> Is the intent just to have a global NXDOMAIN, provided with no DNSSEC?
>
> That works at preventing homenet from working unless every resolver inside
> the home network is homenet-aware.
> (And yes, I realize as currently specified in RFC 7778, that is a
> requirement.)
>
> However, I don't believe that is the only (or optimal) path for the homenet.
>
> Their stated goal is that they want everything to work, plug-and-play.
>
> What I'm proposing will (I believe) actually produce a working network as
> long as a single resolver is homenet-aware.
> It automatically gets non-homenet-aware resolvers to point at
> homenet-aware resolvers (i.e. homenet routers), as long as the default
> address for homenet routers' DNS service is the same as the value assigned
> in the AS112-like delegation.
>
> I.e. it turns a broken hybrid of "today" networks plus a "homenet", into a
> fully functional homenet with a minimum of deployments/upgrades/replacements.
> It also minimizes the "broken Christmas light" aka "missing terminator"
> class of problem, if any host is running its own recursive resolver (which
> would then fail to properly integrate into the homenet.)
>
> (Also, I think having things with built-in firmware-based crappy resolvers
> actually work without any patching, would be nice.)
>
> I agree that an unsigned delegation is sufficient for non-hybrid
> homenet-aware gear to provide hosts a correct homenet experience.
>
> Brian
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
