On Dec 13, 2017, at 7:31 PM, Joe Abley <jab...@hopcount.ca> wrote:

> The ambiguity is (for example) that "point to" is not a well-defined phrase,
> given that we have two documented ways of doing this in the AS112 project,
> and neither is "black hole server" which from the examples seems it refers to
> servers made available from the AS112 project, but which examples surely are
> non-normative.

What is wanted is that there be a delegation in .arpa for home.arpa that isn't signed, so that DNSSEC validation will not fail when an answer is presented to the stub that is different than what's in the .arpa zone. There is never a valid use case where a query actually goes to a server to which home.arpa is delegated from the authoritative servers for .arpa. We just need for .arpa not to say something that contradicts what the locally-served zone says. This is the same behavior that is necessary for e.g. 10.in-addr.arpa, in order that a local DNS service can provide answers within that zone without the actual from-the-root delegation authentically contradicting what that server is saying. IOW, if you think that what is being requested here is different than what's needed for 10.in-addr.arpa, we've failed to communicate. The issue is that we hadn't really thought about the secure denial of existence problem prior to the dot-home work.
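Added illustration, not part of the thread or of any resolver's code: a toy model of the decision a validating resolver makes when a locally served zone (home.arpa, 10.in-addr.arpa) answers with unsigned data, depending on what the signed parent zone publishes at the delegation point. It shows why a signed denial of existence in .arpa turns the local answer into a validation failure, while an unsigned (insecure) delegation makes the subtree "insecure" and the local answer acceptable. The zone contents and the name server name `ns.example` are constructed for the example.

```python
# Added example: toy model of DNSSEC status for answers from a locally
# served zone, keyed on what the signed parent says about the delegation.
# Zone contents and server names below are constructed, not real data.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Delegation:
    """What the signed parent publishes at a child name."""
    ns: list[str]
    ds: Optional[list[str]] = None   # None -> no DS record (insecure delegation)


@dataclass
class SignedParentZone:
    name: str
    delegations: dict[str, Delegation] = field(default_factory=dict)

    def ds_response(self, child: str) -> tuple[str, Optional[list[str]]]:
        """Model the parent's signed reply to a DS query for `child`.

        NXDOMAIN  : NSEC/NSEC3 proves the child name does not exist at all
        NODATA_NS : NSEC proves NS is present but DS is absent (insecure
                    delegation, the case requested for home.arpa)
        DS        : DS records present (secure delegation)
        """
        d = self.delegations.get(child)
        if d is None:
            return ("NXDOMAIN", None)
        if d.ds is None:
            return ("NODATA_NS", None)
        return ("DS", d.ds)


def classify_local_answer(parent: SignedParentZone, child: str,
                          answer_is_signed: bool = False) -> tuple[str, str]:
    """Return (status, reason) for an answer under `child` produced by a
    local DNS service, given a signed and trusted parent zone."""
    kind, _ds = parent.ds_response(child)
    if kind == "NXDOMAIN":
        # The parent's signed denial and the local positive answer cannot
        # both be true; the validator sides with the signed chain.
        return ("bogus", "parent's signed denial says the name does not "
                         "exist; the local answer contradicts it")
    if kind == "NODATA_NS":
        # Proven NS-without-DS: the subtree is unsigned by design, so
        # unsigned answers are returned as 'insecure', not rejected.
        return ("insecure", "parent proves NS without DS; unsigned "
                            "answers in the subtree are accepted")
    # Secure delegation: the validator expects RRSIGs chaining from the DS.
    if answer_is_signed:
        return ("secure", "answer validates via the DS chain")
    return ("bogus", "secure delegation but the answer carries no signatures")


# Constructed parent zones: .arpa before and after an insecure delegation
# for home.arpa, and in-addr.arpa with an insecure delegation for
# 10.in-addr.arpa (the behaviour the message uses as its comparison).
ARPA_WITHOUT_HOME = SignedParentZone("arpa")
ARPA_WITH_HOME = SignedParentZone("arpa", {
    "home.arpa": Delegation(ns=["ns.example"]),        # no DS on purpose
})
IN_ADDR_ARPA = SignedParentZone("in-addr.arpa", {
    "10.in-addr.arpa": Delegation(ns=["ns.example"]),  # no DS on purpose
})

if __name__ == "__main__":
    for zone, child in ((ARPA_WITHOUT_HOME, "home.arpa"),
                        (ARPA_WITH_HOME, "home.arpa"),
                        (IN_ADDR_ARPA, "10.in-addr.arpa")):
        status, why = classify_local_answer(zone, child)
        print(f"{zone.name:>13} / {child:<16} -> {status}: {why}")
```

The model deliberately ignores where the query is sent: as the message says, no query ever needs to reach the servers the delegation names. What matters to the validator is only whether the parent's signed data contradicts the locally served answer (NXDOMAIN case) or explicitly marks the subtree as unsigned (NS-without-DS case).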
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop