Ted Lemon <mel...@fugue.com> wrote:

> Snipped and edited to add numbering for reference...
>
> 4. Split DNS, DNSSEC, trust anchor required because the hidden zone is
>    under or at an unsigned delegation
>
> 5. Split DNS, DNSSEC, trust anchor required because the hidden zone has
>    a secure delegation that won't validate

[ snip lots of stuff I agree with ]

> In cases four and five, you care enough to set up DNSSEC, but either
> can't be arsed to do it right, or don't have control over the delegation
> point and so can't do it right. In the former case, I would argue that
> we should just say too bad. In the latter case, we have just protected
> the end user from being attacked by saying too bad.

Case 4 is pretty common for RFC 1918 reverse DNS :-)

Really, I don't think this is (just) a VPN issue: the question of how to
install DNSSEC trust anchors for private zones has not been solved for the
general case, so a VPN-only patch seems premature and unhelpfully specific
to me.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
an equitable and peaceful international order