Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> A private sub-domain should return NXDomain on the public side of
> the Internet,

Maaaaaybe. That (mostly) requires that DNS servers support views. Obviously in practice, private zones and views are often used together, but DNS purists have also argued that you don't need views to have private zones (and that is how private.cam.ac.uk was set up). But purism has disadvantages: REFUSED queries to private domains from the public Internet cause retries and traffic amplification, so there are non-CAA-related advantages to having a public NXDOMAIN view.

Even so, I know that at least one CA has received enough complaints from customers with REFUSED private domains that they have already updated their implementation to permit certificates in unresolvable zones that lack DNSSEC. It worked before CAA and I don't think there's any particular advantage to breaking it.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Faeroes, Southeast Iceland: Northerly backing northwesterly gale 8 to storm 10. Very rough or high, occasionally very high in north. Squally wintry showers. Moderate or poor.
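The two setups the message contrasts (a private zone with no views, which answers REFUSED to outside clients, versus a views-based setup where the public side sees an authoritative NXDOMAIN) as an added BIND 9 named.conf sketch. This is illustrative configuration written for this page, not anything from the message, from Cambridge, or from any CA; the names example.com, private.example.com, the file names and the 192.0.2.0/24 and 2001:db8::/32 client ranges are assumptions.

```conf
// Added example, not from the original message. Names and address
// ranges below are assumptions for illustration only.

acl "internal" { 192.0.2.0/24; 2001:db8::/32; };

// Setup A: "purist" private zone, no views. The zone exists on this
// server but allow-query shuts out outside clients, so a query for
// private.example.com from the public Internet gets REFUSED. For a CAA
// checker that is a lookup failure, not "no CAA here", and a retrying
// resolver will simply ask again, which is the amplification the
// message refers to.
//
// zone "private.example.com" {
//     type master;
//     file "private.example.com.zone";
//     allow-query { "internal"; };
// };

// Setup B: views. Internal clients are served the private zone; every
// other client is served a public copy of example.com that contains no
// NS records (no delegation) for private.example.com. The public answer
// for private.example.com is therefore an authoritative NXDOMAIN from
// example.com, which a CAA checker handles like any other non-existent
// name, rather than an error that a CA has to special-case.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example.com.internal.zone";
    };
    zone "private.example.com" {
        type master;
        file "private.example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.public.zone";  // deliberately no private.example.com delegation
    };
};
```

To confirm which behaviour a given server exhibits, query it from outside the internal ranges for a name under the private sub-domain and look at the status field of the response: REFUSED indicates setup A, NXDOMAIN (with example.com's SOA in the authority section) indicates setup B. Note that with views the internal and external copies of example.com must be kept in sync by hand or by tooling, since they are two separate zone files.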