In message <20170817150106.5492.qm...@ary.lan>, "John Levine" writes:
> In article <CAKXHy=chbyfempmdtk-tjmkzdl3oeodjdyujxuk2-qh4e5h...@mail.gmail.com> you write:
> >2.  I know I don't have enough expertise in this area to make an informed
> >decision, and smart folks on this thread and elsewhere have told me that an
> >insecure delegation would be better than status-quo. I added
> >https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-05#section-4.2
> >to the document on that basis.
> 
> The problem with asking for an insecure root delegation is that the
> IETF has no process for putting anything in the root.  In principle we
> could work something out with ICANN, but that process would take
> somewhere between a very very long time and forever.  It is likely to
> be hijacked by other people who also want special treatment for their
> pet TLDs which is why my estimate would be closer to forever.

Well, start now.  'localhost' was special before DNS, DNSSEC and
ICANN came into existence.  This is completing work that should
have been done at the time the root zone was signed.

> So my inclination would be to say that localhost lookups that reach
> the root will get a secure NXDOMAIN, which one could take as a hint
> that it's time to update the stubs and caches that let the query leak.

Insecure NOERROR NODATA for A and AAAA are fine.  Secure NOERROR NODATA
for DS is what is needed.
 
> We don't have to work this out now, we can adopt the document and
> figure out what to fix later.
> 
> R's,
> John
> 
> PS: For anyone who was going to say what about .ARPA, it was in the
> root a long time before ICANN existed.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
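
The exchange above turns on the difference between three response shapes a resolver can hand back for a leaked 'localhost' query: NXDOMAIN, NOERROR with no data (NODATA), and whether either is DNSSEC-validated (AD bit set). The following is an added example, not code from the thread or from ISC: it builds constructed DNS responses with the standard library only and classifies them the way a stub or cache would, then encodes the requirement stated in the reply (insecure NODATA is fine for A and AAAA; DS needs secure NODATA) in a small check. The message id, TTLs and addresses are made up.

```python
import struct

# Assumed constants (RFC 1035 / RFC 4035 wire values; DS type from RFC 4034).
QTYPE = {"A": 1, "AAAA": 28, "DS": 43}
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_AD = 0x8000, 0x0020  # response bit, Authenticated Data bit


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, rcode, answers=(), ad=False):
    """Constructed sample response: header, one question, optional answer RRs.
    `answers` is a list of raw RDATA blobs of type `qtype`; `ad` sets the AD bit."""
    flags = FLAG_QR | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    rrs = b""
    for rdata in answers:
        # name, type, class IN, TTL 0, rdlength, rdata
        rrs += encode_name(qname) + struct.pack("!HHIH", QTYPE[qtype], 1, 0, len(rdata)) + rdata
    return header + question + rrs


def skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def answers_of_type(msg, qtype):
    """Return RDATA of answer-section RRs whose type matches the query type."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    hits = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE[qtype]:
            hits.append(msg[off:off + rdlen])
        off += rdlen
    return hits


def classify(msg, qtype):
    """Classify a response as NXDOMAIN, NOERROR/NODATA or NOERROR, plus
    whether the resolver marked it validated (AD bit)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    rcode = flags & 0xF
    secure = bool(flags & FLAG_AD)
    if rcode == RCODE_NXDOMAIN:
        return ("NXDOMAIN", secure)
    if rcode == RCODE_NOERROR:
        kind = "NOERROR" if answers_of_type(msg, qtype) else "NOERROR/NODATA"
        return (kind, secure)
    return ("RCODE%d" % rcode, secure)


def acceptable_per_thread(qtype, msg):
    """Encode the position in the reply: NODATA is fine for A/AAAA whether or
    not it validates; for DS the NODATA must be secure (a validated proof that
    no DS exists, i.e. an insecure delegation)."""
    kind, secure = classify(msg, qtype)
    if kind != "NOERROR/NODATA":
        return False
    return secure if qtype == "DS" else True


if __name__ == "__main__":
    for qtype, rcode, ad in (("A", RCODE_NOERROR, False), ("DS", RCODE_NOERROR, True),
                             ("DS", RCODE_NOERROR, False), ("A", RCODE_NXDOMAIN, True)):
        msg = build_response("localhost.", qtype, rcode, ad=ad)
        print(qtype, classify(msg, qtype), "acceptable:", acceptable_per_thread(qtype, msg))
```

Run against real traffic by swapping the constructed responses for bytes read from a socket; the classifier only looks at the header and answer section, so it is unaffected by authority or additional records the root would include.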
