I'm curious what Russ and Steve think about this as an alternative. It seems a bit byzantine to me, but I can't say that I object to it on principle. It does create a lot of extra work for ICANN, though, and it would be a bit more brittle than just doing an unsigned delegation: we now have to have some way to get current versions of these signatures into the homenet resolver.

Further comments inline.

On Mar 20, 2017, at 6:08 PM, Brian Dickson <brian.peter.dick...@gmail.com> wrote:
> What is required for the above, is generation of DNSSEC records including
> RRSIG(NS), NSEC, and RRSIG(NSEC), for "homenet" TLD.

Yes.

> Since the queries are never meant to reach the root servers, the presence or
> absence of "homenet" in the root is mostly moot.

Sure.

> The only technical requirement is that suitable DNSSEC records be generated,
> and that the special-purpose homenet DNS resolvers are able to have
> up-to-date copies of these DNSSEC records.

Sure.

> As a technical matter, this does not require publishing these records in the
> root zone, although that would be one way of achieving the necessary
> requirement.

True.

> Perhaps the homenet WG folks could talk to the ICANN folks about ways of
> accomplishing the above, without the need for publishing the unsigned
> delegation in the root zone?

Strictly speaking I think this is something the IESG would have to do. I don't object to this as a solution, but operationally I think it's a lot more work. It may be that it's worth doing it, since it might be applicable to other special-use name allocations.

> The benefit of not publishing, is that any queries that do hit the root
> servers, would get a signed NXDOMAIN, which IMHO is a more correct response.

Yes. I'm not sure that's enough to justify the extra work.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
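
The message above notes that a resolver holding its own copies of the "homenet" RRSIG(NS) and RRSIG(NSEC) records needs them kept current. As an added example (not part of the original message or of any homenet implementation), this sketch checks the validity window of locally held RRSIGs and flags ones that are due for refresh. The sample records, key tag, dates and the three-day margin are constructed assumptions, and each record is assumed to sit on one line.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIGs in presentation format (RFC 4034, section 3.2).
# Key tag, signature text and validity dates are made up for illustration.
SAMPLE_RRSIGS = """\
homenet. 86400 IN RRSIG NS 8 1 86400 20170410000000 20170320000000 12345 . c2lnLW5z
homenet. 86400 IN RRSIG NSEC 8 1 86400 20170325000000 20170311000000 12345 . c2lnLW5zZWM=
"""


def parse_ts(text):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG line into the fields needed for a freshness check."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "covered": f[4], "expiration": parse_ts(f[8]),
            "inception": parse_ts(f[9]), "signer": f[11]}


def classify(rec, now, margin):
    """Return the state of one signature at time `now`."""
    if now < rec["inception"]:
        return "not-yet-valid"
    if now > rec["expiration"]:
        return "expired"
    if rec["expiration"] - now <= margin:
        return "refresh-due"   # still valid, but a new copy should be fetched
    return "valid"


def audit(zone_text, now, margin=timedelta(days=3)):
    """Map (owner, covered type) -> state for every RRSIG in zone_text."""
    result = {}
    for line in zone_text.splitlines():
        if line.strip():
            rec = parse_rrsig(line)
            result[(rec["owner"], rec["covered"])] = classify(rec, now, margin)
    return result


if __name__ == "__main__":
    for when in ("20170315000000", "20170323000000", "20170326000000"):
        print(when, audit(SAMPLE_RRSIGS, parse_ts(when)))
```

A validating client behind the resolver would treat the "expired" and "not-yet-valid" cases as bogus, which is why the refresh margin matters operationally.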