On Mon, Mar 20, 2017 at 06:19:45PM -0400, Paul Wouters wrote:
> I am assuming that if stubs are validating, then they must also support
> excluding special queries from validation, such as mDNS, .onion and
> .homenet.
>

What possible basis do you have for this? This is in effect a requirement that every validating stub (or resolver? I dunno) be upgraded to support homenet. That _might_ be ok, but it's not in the design parameters of the original work AFAICT.

> The .homenet queries should never reach real DNS servers

But they're going to. We've had local since at least the neolithic age, in Internet terms, and yet the global DNS still sees those queries.

> not think an insecure delegation in the root is required. If the DNS
> resolver doesn't know how to handle .homenet, it is already as wrong
> as it can be, regardless of the type of answer.

This doesn't follow. If the resolver gets it wrong in the case of a provably-unsigned answer, it can just continue its resolution as it ever wanted. It won't be able to validate, since it does not have a local trust anchor. But it'll work.

A

--
Andrew Sullivan
a...@anvilwalrusden.com
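
Added example, not part of the original message or thread: a toy Python model of the chain-of-trust walk this exchange is about. It shows how a validator holding only a root trust anchor classifies an unsigned local answer under .homenet with and without an insecure delegation in the root, and with a stub-side exclusion. The zone contents, function names and status constants are constructed for illustration.

```python
# Toy model of a validator's chain-of-trust walk (status names follow RFC 4035, section 4.3).
# Zone contents are constructed for illustration; this is not real root zone data.
SECURE, INSECURE, BOGUS, SKIPPED = "secure", "insecure", "bogus", "not-validated"

def root_zone(homenet_delegation):
    """Signed root with a signed 'org' child and, optionally, an unsigned 'homenet' cut."""
    delegations = {"org": True}          # child label -> is a DS present at the parent?
    if homenet_delegation:
        delegations["homenet"] = False   # NS without DS: a provably insecure delegation
    return {".": delegations, "org.": {}}

def classify(qname, answer_has_rrsig, zones, exclusions=()):
    """Status a validator with only a root trust anchor assigns to a positive answer."""
    name = qname.lower().rstrip(".") + "."
    if any(name == s or name.endswith("." + s) for s in exclusions):
        return SKIPPED                   # stub configured to bypass validation for this suffix
    zone = "."
    for label in reversed(name.rstrip(".").split(".")):
        cuts = zones[zone]
        if label not in cuts:
            if zone == ".":
                return BOGUS             # signed root proves the TLD does not exist
            break                        # simplification: the name lives in this signed zone
        if not cuts[label]:
            return INSECURE              # proof of no DS: data below is accepted unvalidated
        zone = label + "." + ("" if zone == "." else zone)
    return SECURE if answer_has_rrsig else BOGUS

if __name__ == "__main__":
    for label, zones, excl in [
        ("insecure delegation in root", root_zone(True), ()),
        ("no delegation in root", root_zone(False), ()),
        ("no delegation, stub exclusion", root_zone(False), ("homenet.",)),
    ]:
        print(label, "->", classify("printer.homenet", False, zones, excl))
```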