On 08/01/2017 06:23 PM, Mark Andrews wrote:
> The query for foo.localhost doesn't need to hit-the-wire for this
> to be an issue.  Ask yourself why RFC 6303, Security section has
> 
>    As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
>    namespaces, the zones listed above will need to be delegated as
>    insecure delegations, or be within insecure zones.  This will
>    allow DNSSEC validation to succeed for queries in these spaces
>    despite not being answered from the delegated servers.
> 
> or draft-ietf-homenet-dot-10 is doing the same thing for "home.arpa".

RFC 6303 says "as DNSSEC is deployed within...". There's no plan to
deploy DNSSEC within .localhost, because it doesn't make sense there;
all resolutions should be handled locally.

> We didn't add the requirement for insecure delegations for the fun
> of it.  We added it so that the tools that validate will not break
> when those names are being used.

Can you tell me more about what type of tools you're thinking of here?
Are those tools expected to handle "foo.localhost" domains? If so, what
do they currently do with such domains?

To put it another way: is your concern about new potential for breakage
under this draft, or are you saying that there is existing breakage that
we might as well fix as long as we are touching ".localhost"?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
