Before addressing the questions you've asked, let me ask about the rest of the picture. How do names get assigned within the local homenet domain?

Steve

Sent from my iPhone

> On Mar 20, 2017, at 9:25 PM, Ted Lemon <mel...@fugue.com> wrote:
>
> I'm curious what Russ and Steve think about this as an alternative. It
> seems a bit byzantine to me, but I can't say that I object to it on
> principle. It does create a lot of extra work for ICANN, though, and it
> would be a bit more brittle than just doing an unsigned delegation: we now
> have to have some way to get current versions of these signatures into the
> homenet resolver.
>
> Further comments inline.
>
>> On Mar 20, 2017, at 6:08 PM, Brian Dickson <brian.peter.dick...@gmail.com>
>> wrote:
>> What is required for the above, is generation of DNSSEC records including
>> RRSIG(NS), NSEC, and RRSIG(NSEC), for "homenet" TLD.
>
> Yes.
>
>> Since the queries are never meant to reach the root servers, the presence or
>> absence of "homenet" in the root is mostly moot.
>
> Sure.
>
>> The only technical requirement is that suitable DNSSEC records be generated,
>> and that the special-purpose homenet DNS resolvers are able to have
>> up-to-date copies of these DNSSEC records.
>
> Sure.
>
>> As a technical matter, this does not require publishing these records in the
>> root zone, although that would be one way of achieving the necessary
>> requirement.
>
> True.
>
>> Perhaps the homenet WG folks could talk to the ICANN folks about ways of
>> accomplishing the above, without the need for publishing the unsigned
>> delegation in the root zone?
>
> Strictly speaking I think this is something the IESG would have to do. I
> don't object to this as a solution, but operationally I think it's a lot more
> work. It may be that it's worth doing it, since it might be applicable to
> other special-use name allocations.
>
>> The benefit of not publishing, is that any queries that do hit the root
>> servers, would get a signed NXDOMAIN, which IMHO is a more correct response.
>
> Yes. I'm not sure that's enough to justify the extra work.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop