On Fri, Feb 3, 2017 at 3:02 PM, Brian Dickson <brian.peter.dick...@gmail.com> wrote:

> Stephane wrote:
>
>> On Wed, Feb 01, 2017 at 03:28:29PM -0500,
>> Warren Kumari <warren at kumari.net> wrote
>> a message of 103 lines which said:
>>
>> > or 2: request that the IANA insert an insecure delegation in the
>> > root, pointing to a: AS112 or b: an empty zone on the root or c:
>> > something similar.
>>
>> Here, people may be interested by draft-bortzmeyer-dname-root (expired
>> but could be revived). The main objection was the privacy issue
>> (sending user queries to the "random" operators of AS112.)
>>
>
> My opinions on these issues are as follows, roughly:
>
> - I am in favor of AS112 for ALT
> - For AS112, I prefer the AS112++ method (DNAME)
> - I do not see why the DNAME would/should not be DNSSEC signed
> - Any local use of ALT can be served locally and signed using an
>   alternative trust anchor
> - I don't think there is any issue with having both the NXD from the
>   root, and the local assertion of existence, both present (in cache and
>   in authoritative data respectively)
>   - Maybe there are issues with specific implementations?
>   - If anyone knows of such problems, it would be helpful to identify
>     them along with the implementation and version
> - For AS112 privacy, perhaps someone should write up a recommendation
>   to set up local AS112 instances, to provide privacy, as an informational
>   RFC?
>   - Even simply through resolver configurations, without a full AS112
>     "announce routes"?
>   - Do any resolver packages offer such a simple AS112 set-up?
>   - Maybe the efforts for privacy should start there (implement
>     first, then document)?
>   - Do any stub resolver packages include host-local AS112
>     features/configurations?
>
> Overall, I'm obviously in favor of use of ALT, and for signing whatever is
> done for ALT, and for use of DNAME for ALT.
>
> Brian "DNAME" Dickson
>

I would prefer an UNsigned delegation. If someone wants a signed zone, they can add a trust anchor, I assume.
But if they want an unsigned zone there needs to be a way to get that.

--
Bob Harold