On 2 August 2017 at 13:24, Jacob Hoffman-Andrews <j...@eff.org> wrote:

> On 08/01/2017 06:23 PM, Mark Andrews wrote:
> > The query for foo.localhost doesn't need to hit-the-wire for this
> > to be an issue.  Ask yourself why RFC 6303, Security section has
> >
> >    As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
> >    namespaces, the zones listed above will need to be delegated as
> >    insecure delegations, or be within insecure zones.  This will
> >    allow DNSSEC validation to succeed for queries in these spaces
> >    despite not being answered from the delegated servers.
> >
> > or draft-ietf-homenet-dot-10 is doing the same thing for "home.arpa".
>
> RFC 6303 says "as DNSSEC is deployed within...". There's no plan to
> deploy DNSSEC within .localhost, because it doesn't make sense there;
> all resolutions should be handled locally.
>

6303 is talking about what to do with DNS zones for RFC1918 and other
local-scope address space when their global-scope parent zones are signed.
The correct rephrasing of that quote which would apply to .localhost is "as
DNSSEC is deployed within the root namespace...", an event which is long
past.

In the case where 'localhost' is being passed to DNS resolution software, a
validating stub (for example inside a web browser) needs a way to know that
the 'localhost' TLD should be treated as insecure.  In that case, the only
way to accomplish that is with an insecure delegation at the root.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
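A toy model of the decision the message describes, added here as an example and not code from the thread or from any resolver: given the (assumed validly signed) NSEC records the root returns for "localhost.", classify the child zone per RFC 4035 and decide whether a validating stub may accept an unsigned local answer for a name under it. The NSEC records and neighbour names ("lk.", "lr.") are constructed, not the real root chain, and the model also covers the DS-present and NXDOMAIN cases, not only the insecure delegation the message argues for.

```python
# Toy RFC 4035-style classification of a root child zone from NSEC proof.
# Added example, not code from the thread; NSEC data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str          # owner name of the NSEC record
    next_name: str      # next owner name in canonical order
    types: frozenset    # RR types present at owner (the type bitmap)


def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 ordering: labels compared right to left, case-insensitively."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(reversed(labels))


def nsec_covers(nsec: NSEC, name: str) -> bool:
    """True when owner < name < next, i.e. the NSEC proves the name is absent."""
    k = canonical_key(name)
    return canonical_key(nsec.owner) < k < canonical_key(nsec.next_name)


def classify_child_zone(child: str, root_nsecs: list) -> str:
    """Return how a validator must treat a child of the signed root.

    'insecure'        NS present, DS proven absent: unsigned answers below are OK
    'secure'          a DS exists, so answers below must validate
    'secure-nodata'   name exists at the root but is not a delegation
    'secure-nxdomain' the root proves the name does not exist at all
    'bogus'           no usable proof was supplied
    """
    for n in root_nsecs:
        if canonical_key(n.owner) == canonical_key(child):
            if "DS" in n.types:
                return "secure"
            if "NS" in n.types:
                return "insecure"      # RFC 4035 s5.2: insecure delegation
            return "secure-nodata"
        if nsec_covers(n, child):
            return "secure-nxdomain"
    return "bogus"


def accept_unsigned_local_answer(qname: str, root_nsecs: list) -> bool:
    """Would a validating stub accept an unsigned answer for qname from local software?"""
    tld = qname.rstrip(".").split(".")[-1] + "."
    return classify_child_zone(tld, root_nsecs) == "insecure"
```

With the insecure delegation, a local unsigned answer for foo.localhost is accepted as insecure; with today's root (no "localhost." entry), the same root data proves foo.localhost's parent does not exist, so a validating stub cannot reconcile an unsigned local answer with that proof.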