On Jun 18, 2020, at 19:22, Ted Lemon <mel...@fugue.com> wrote:

> What I’m getting at is that the secure denial of existence will mean that a
> DNSSEC-aware resolver, when asked to look up a name under .xa, for example,
> will always return NXDOMAIN.

I think we're speculating about behaviour in software that has not yet been written, software that will have a natural requirement to deal with the environment it finds itself deployed in.

But it also occurs to me that if we agree that the great root zone KSK roll melodrama illustrated that we have a root zone trust anchor distribution problem, it's not much of a stretch to generalise that statement and say that we have a trust anchor distribution problem. The root zone and private-use internal zones that anchor private namespaces might all benefit from a robust trust anchor distribution strategy.

If validators have the ability to be configured elegantly with all the trust anchors they need without the attention of a knowledgeable administrator (as a validating stub resolver might need with the root zone trust anchor), we might find that the DNSSEC concerns that led to horrors like home.arpa all disappear.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop