On Thu, 29 Nov 2018, Petr Špaček wrote:
> I'm wondering if we could add a mandatory NXDOMAIN check and accept INTERNAL_DNSSEC_TA only if the "external DNS server" resolves the given name to NXDOMAIN.

You cannot do that. Imagine .company being run locally and publicly. They might still be different zones. While it would be ideal for companies to put all their non-public stuff in one internal zone (e.g. corp.example.com), we cannot and should not require them to do so, although we surely recommend them to do so.

> It seems to me that it would eliminate most problematic cases like a com. hijack etc.

And introduce lots of new ones :)

> The only problem I can see is cases where the "external view" actually serves non-NXDOMAIN answers - I have no idea how common that is.

And I don't know how we would find out how common that is.

> What do you think?

I think in an ideal world, yes, but on this Internet, no :)

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
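The rule Petr proposes and the counter-case Paul raises, modelled as an added example that is not part of the original thread or of any IKEv2 implementation. The "external view" is a constructed lookup table rather than a live DNS query, and the names in it (corp.example.com, a publicly delegated company. TLD) are hypothetical; the point it shows is that a pure NXDOMAIN gate rejects a legitimately split zone for exactly the same reason it rejects a hijacked com.

```python
"""Model of 'accept INTERNAL_DNSSEC_TA only if the external resolver says
NXDOMAIN'. Added example; the external view below is constructed data."""
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"


@dataclass(frozen=True)
class ExternalAnswer:
    rcode: str
    rrtypes: tuple = ()   # record types present at the name (empty = NODATA)


# Constructed external (public) view, keyed by canonical name.
# Any name absent from the table is treated as NXDOMAIN.
EXTERNAL_VIEW = {
    "com.": ExternalAnswer(NOERROR, ("NS",)),
    "example.com.": ExternalAnswer(NOERROR, ("SOA", "NS")),
    # Hypothetical: a TLD that is delegated publicly *and* served with
    # different contents internally, the split-zone case in the thread.
    "company.": ExternalAnswer(NOERROR, ("NS",)),
    # Hypothetical empty non-terminal: name exists, no data (NOERROR/NODATA).
    "ent.example.com.": ExternalAnswer(NOERROR, ()),
}


def canonical(name: str) -> str:
    """Lower-case and make fully qualified, so 'Corp.Example.COM' == 'corp.example.com.'."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def external_lookup(name: str, view=EXTERNAL_VIEW) -> ExternalAnswer:
    """Stand-in for asking the non-VPN resolver; NXDOMAIN when unknown."""
    return view.get(canonical(name), ExternalAnswer(NXDOMAIN))


def accept_internal_ta(domain: str, view=EXTERNAL_VIEW) -> bool:
    """The proposed gate: trust the VPN-supplied trust anchor for `domain`
    only if the public DNS has no such name at all."""
    return external_lookup(domain, view).rcode == NXDOMAIN


def classify(domain: str, view=EXTERNAL_VIEW) -> str:
    """Summarise what the gate does with a name and why. Note that it cannot
    tell a hijack of a public name from a legitimately split public name:
    both are NOERROR externally and both are refused."""
    ans = external_lookup(domain, view)
    if ans.rcode == NXDOMAIN:
        return "accept: internal-only name"
    if ans.rrtypes:
        return "reject: name exists publicly (hijack or split zone)"
    return "reject: name exists publicly with no data (NODATA)"


if __name__ == "__main__":
    for d in ("corp.example.com", "com", "company", "ent.example.com"):
        print(f"{canonical(d):22} {classify(d)}")
```

Running it shows the recommended layout (corp.example.com) passing, the com. hijack being refused, and the split company. zone being refused on identical grounds; the NODATA line is the "external view serves non-NXDOMAIN answers" case Petr mentions, which the gate also refuses.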