It appears that Brian Dickson <brian.peter.dick...@gmail.com> said:
>Private-use TLDs will fail DNSSEC validation which uses the IANA DNSSEC
>Root Trust Anchor.
>Organizations using names beneath such private-use TLDs while operating
>validating recursive resolvers or validating stub resolvers need to also
>manage trust anchors for those domains on those hosts. Such a trust anchor
>could be used to either sign the domain, or prove the unsigned nature of
>the domain.

If your recursive resolver is going to handle a private TLD, you need to configure it so it knows where to find the contents of that TLD. When you do that, the DNSSEC opt-out generally comes along for free. Unbound and BIND have simple commands to do that; I haven't looked at other resolvers, but those two probably cover half the market.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop