Stephane Bortzmeyer wrote:
...
Does it mean the privacy problem is solved? Or simply overlooked? Can
we delegate RFC 6761 special-use domains such as .internal to AS 112?

any AS112 operator can tell you that the world doesn't care about privacy, based on the amount of organizationally sensitive information that's leaked in queries for PTR in RFC 1918 address blocks. so, privacy was never my concern.

rather, AS112 has no authoritative operator registry. we don't know who is running these servers, and we have no way to assure that they hear a request that they add more secondary DNS zones to such servers. so if we delegate more zones that way, there will be a lot of SERVFAIL except for servers who send REFUSED. either way we have to consider the matter.

i think as long as we keep the traffic away from the ARPA and root servers, we should not care what response is received -- should be NXDOMAIN but could be pretty much anything. ideally we'd sign all of these zones with DNSSEC and put DS RR's into the delegations, to assure that poison wasn't getting believed by modern validating resolvers.

but we should concern ourselves with the question: did the AS112 operators realize that we'd be adding zones over time, and will they see the new RFC and/or announcements here/elsewhere and know to update their configs? and will any of them consider this an imposition?

--
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
