On Tue, 2 Jul 2019, Matthijs Mekking wrote:

Here's a draft with discussion why also the protocol should go
away. We would like to hear what you think about it.

The discussion of the private network use case in section 2 has two minor errors plus one bit that is unclear.

When we designed DLV, we certainly considered a private network use case. RFC5074 does not strictly have public trust anchors take precedence over ("mask") DLV records [1].

I suggest replacing the text in section 2 starting with "One other..." with:

   One other possible reason to keep DLV is to distribute trust anchors
   for private enterprises.  The authors are not aware of any such use
   of DLV.

That does not include the argument in the below bullet, which I find unclear. What does "name redirection" mean in this context?

   o  Since the zones are related to private networks, it would make
      more sense to make the internal network more secure to avoid name
      redirection, rather than complicate the DNS protocol.

-- Sam


[1] Specifically, 5074 says to use public trust anchors first. If they give a validation result other than "Secure", then do DLV processing. I'm not 100% sure of how BIND's logic works here.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
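To make the precedence rule in footnote [1] concrete, here is a small model of a validator that tries the configured public trust anchors first and consults DLV only when that attempt yields something other than "Secure". This is an added illustration, not code from BIND, from the draft, or from RFC 5074; the zone layout, key identifiers, trust anchors and DLV registry are constructed sample data, and the `Zone` class and the helper functions are assumptions made for the example.

```python
# Toy model of the trust-anchor / DLV precedence described in footnote [1]:
# validate with the public trust anchors first; only if the result is not
# "Secure" is DLV processing attempted.  All names, keys and records below
# are constructed sample data, not real DNS data.
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


@dataclass
class Zone:
    key_id: str                  # identifier of the DNSKEY the zone signs with
    ds_key_id: Optional[str]     # key the parent's DS points at; None = no DS


def enclosing_zones(name: str) -> Iterator[str]:
    """Yield `name` and each ancestor, closest first, root last."""
    labels = [l for l in name.split(".") if l]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def closest_enclosing(name: str, candidates: Dict[str, str]) -> Optional[str]:
    """Closest zone at or above `name` that appears in `candidates`."""
    for z in enclosing_zones(name):
        if z in candidates:
            return z
    return None


def validate_from(anchor_zone: str, anchor_key: str, target: str,
                  zones: Dict[str, Zone]) -> str:
    """Walk the chain of trust from `anchor_zone` down to `target`."""
    if zones[anchor_zone].key_id != anchor_key:
        return BOGUS                      # anchor does not match the published key
    chain = [z for z in reversed(list(enclosing_zones(target))) if z in zones]
    for child in chain[chain.index(anchor_zone) + 1:]:
        if zones[child].ds_key_id is None:
            return INSECURE               # unsigned delegation: chain ends here
        if zones[child].ds_key_id != zones[child].key_id:
            return BOGUS                  # DS does not match the child's key
    return SECURE


def validate_with_anchors(target: str, anchors: Dict[str, str],
                          zones: Dict[str, Zone]) -> str:
    anchor = closest_enclosing(target, anchors)
    if anchor is None:
        return INSECURE                   # no covering public trust anchor
    return validate_from(anchor, anchors[anchor], target, zones)


def rfc5074_validate(target: str, anchors: Dict[str, str], dlv: Dict[str, str],
                     zones: Dict[str, Zone]) -> Tuple[str, str]:
    """Return (result, source): public anchors first, DLV only as a fallback."""
    result = validate_with_anchors(target, anchors, zones)
    if result == SECURE:
        return SECURE, "trust-anchor"     # DLV is never consulted here
    dlv_zone = closest_enclosing(target, dlv)
    if dlv_zone is None:
        return result, "trust-anchor"     # nothing in DLV covers the name
    return validate_from(dlv_zone, dlv[dlv_zone], target, zones), "dlv"


# Constructed sample data: a signed public TLD, a signed enterprise zone
# with no DS in its parent (a private island of trust), and a zone with a
# mismatching DS.
ZONES = {
    ".": Zone("root-key", None),
    "example.": Zone("example-key", "example-key"),
    "corp.example.": Zone("corp-key", None),
    "sub.corp.example.": Zone("sub-key", "sub-key"),
    "broken.example.": Zone("broken-key", "old-key"),
}
ANCHORS = {".": "root-key"}
DLV = {"corp.example.": "corp-key", "example.": "stale-key"}

if __name__ == "__main__":
    for name in ("example.", "sub.corp.example.", "broken.example."):
        print(name, rfc5074_validate(name, ANCHORS, DLV, ZONES))
```

In this model the stale DLV entry for `example.` never takes effect, because the public anchor already validates that zone as Secure and DLV is only reached afterwards, which is the ordering Sam describes; the enterprise island `corp.example.` is Insecure by the public chain and is rescued only by its DLV entry.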
