Section 7 says: "In order to be fully functional, there must be a delegation of 'home.arpa' in the '.arpa' zone [RFC3172]. This delegation MUST NOT be signed, MUST NOT include a DS record, and MUST point to one or more black hole servers, for example BLACKHOLE-1.IANA.ORG and BLACKHOLE-2.IANA.ORG. The reason that this delegation must not be signed is that not signing the delegation breaks the DNSSEC chain of trust, which prevents a validating stub resolver from rejecting names published under 'home.arpa' on a homenet name server."
That's an INSECURE DELEGATION and machines that return NXDOMAIN for *.HOME.ARPA. Note it says "for example". The names of the servers the zone is delegated to are NOT proscribed there, just the functionality. RFC 6303 has similar requirements and IANA was able to co-ordinate those delegations.

"As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA namespaces, the zones listed above will need to be delegated as insecure delegations, or be within insecure zones. This will allow DNSSEC validation to succeed for queries in these spaces despite not being answered from the delegated servers."

Mark

> On 14 Dec 2017, at 8:46 am, Joe Abley <jab...@hopcount.ca> wrote:
>
> On 11 Dec 2017, at 19:50, Ted Lemon <mel...@fugue.com> wrote:
>
>> On Dec 11, 2017, at 11:17 AM, Joe Abley <jab...@hopcount.ca> wrote:
>>> Note though that the homenet document specifically requests a delegation.
>>
>> Please do not read more into the document than was intended. What Mark is
>> saying looks to me like an accurate representation of what we intended.
>> The goal is simply for it to be the case that there is not an unsigned
>> delegation for home.arpa, which means that it has to point _somewhere_. I
>> am a bit frustrated to hear that this is turning into a substantial amount
>> of effort. It should be extremely simple. There is no wrong answer for
>> what the delegation looks like other than "signed."
>
> So it's fine if the delegation is secure (which is I presume what you mean by
> signed) but lame?
>
> The document actually specifies quite clearly that the delegation "MUST NOT
> include a DS record" which seems to be different from what you are saying. It
> also specifies that the delegation "MUST point to one or more black hole
> servers", which is pretty vague language following a MUST.
>
> I appreciate that the intention of homenet may well have been clear, but the
> text in section 7 is definitely not clear. I think actually it would have
> been reasonable for IANA to send it back as ambiguous before it got to the
> RFC Editor queue.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
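The thread above turns on why the section 7 text forbids a DS record: a validating resolver only stops validating at a zone cut when the signed parent proves there is no DS. The following is an added illustration, not code from this thread, from IANA or from any resolver; it models the RFC 4035 Secure/Insecure/Bogus outcome for data under a delegation with constructed record sets (the black hole server names are the ones quoted from section 7, the `printer.home.arpa.` owner name is made up), and shows that the same unsigned homenet answer is accepted under an insecure delegation but rejected if a DS were present.

```python
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class Delegation:
    """What the signed parent zone (.arpa here) publishes at the zone cut."""
    child: str
    ns_targets: tuple          # NS RDATA, e.g. the black hole servers
    has_ds: bool               # a DS RRset exists for the child in the parent
    denial_of_ds_signed: bool  # parent proves "no DS" with a signed NSEC/NSEC3


@dataclass(frozen=True)
class ChildAnswer:
    """An answer from whichever server actually serves the child zone
    (a homenet name server in the case discussed above)."""
    owner: str
    has_rrsig: bool            # the answer carries RRSIGs
    key_matches_ds: bool       # the signing DNSKEY hashes to the parent's DS


def classify(deleg: Delegation, answer: ChildAnswer) -> str:
    """Simplified RFC 4035 section 4.3 outcome for data below the delegation."""
    if deleg.has_ds:
        # The chain of trust continues into the child: its data must verify
        # under a DS-matched key, otherwise the resolver treats it as bogus.
        if answer.has_rrsig and answer.key_matches_ds:
            return SECURE
        return BOGUS
    if deleg.denial_of_ds_signed:
        # Insecure delegation: validation stops at the cut and unsigned child
        # data is accepted as "insecure", which is what the homenet text wants.
        return INSECURE
    # No DS and no signed proof of its absence: the resolver cannot tell
    # whether a DS was stripped in transit, so the result is bogus.
    return BOGUS


def is_insecure_delegation(deleg: Delegation) -> bool:
    """The properties the quoted section 7 text asks of the home.arpa cut:
    NS records exist, there is no DS, and the parent can prove that."""
    return bool(deleg.ns_targets) and not deleg.has_ds and deleg.denial_of_ds_signed


# Constructed sample: home.arpa delegated as an insecure delegation to the two
# black hole servers named in section 7, answered by a homenet server.
HOME_ARPA = Delegation(
    child="home.arpa.",
    ns_targets=("blackhole-1.iana.org.", "blackhole-2.iana.org."),
    has_ds=False,
    denial_of_ds_signed=True,
)
HOMENET_ANSWER = ChildAnswer(owner="printer.home.arpa.",
                             has_rrsig=False, key_matches_ds=False)

# Counter-example (constructed): the same delegation but with a DS record,
# which is exactly what the text forbids.
HOME_ARPA_WITH_DS = Delegation(
    child="home.arpa.",
    ns_targets=HOME_ARPA.ns_targets,
    has_ds=True,
    denial_of_ds_signed=False,
)

if __name__ == "__main__":
    for d in (HOME_ARPA, HOME_ARPA_WITH_DS):
        print(d.child, "insecure delegation:", is_insecure_delegation(d),
              "homenet answer:", classify(d, HOMENET_ANSWER))
```

The model deliberately ignores which server answered: as the RFC 6303 text quoted by Mark says, the point of an insecure delegation is that validation succeeds for the space even when the answer does not come from the delegated (black hole) servers.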