sorry to be thick, but.. can we have both on a case-by-case basis somehow? it feels like no, because the sign over the zone state implicitly carries either denial of all false, or denial of none. I can't see how it can be in a dualistic middle ground.
but if we could do it somehow, cleverly, it would be neat: those that need to exist with DNSSEC as alternate namespaces can, while more normal odd names, just exist, and those who want to be denied out of all existence, are repudiated.

-g

On Fri, Feb 3, 2017 at 8:54 PM, Ted Lemon <mel...@fugue.com> wrote:

> On Feb 3, 2017, at 8:51 PM, Andrew Sullivan <a...@anvilwalrusden.com> wrote:
>
> If the resolver "has a local zone for alt" -- I think this means it is
> authoritative for that zone -- why would it ask the root about it at
> all?
>
>
> This is a rehash of the .homenet discussion we had a few weeks ago. As
> long as the stub resolver isn't validating, it's no problem. If it is
> validating, then the recursive resolver can't fool the stub resolver if
> there's a secure denial of existence.
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop