Hey Philip, Good question—whether IETF purity (no global NTA) wins over practical DNSSEC deployment.
This is my first time on the mailing list, and IETF 121 in Dublin was my first meeting, so I might be missing something here and could be completely off track.

I think there definitely needs to be some consideration around DNSSEC here. Without an NTA, any resolver or validator trying to validate .internal will get an NXDOMAIN from the root, including an NSEC response proving nonexistence. That means unless an NTA is manually set up, validation breaks, and resolution for anything under .internal is dead.

From my understanding, DNSOP exists to provide guidance on operational best practices for running DNS rather than dictating how operators configure their systems. If .internal is going to be widely used in private environments, then it seems inevitable that resolver operators will need to configure NTAs for it, otherwise validation will fail. Maybe this isn’t something the IETF wants to explicitly mandate, but should DNSOP at least document the operational implications of using .internal and recommend best practices? Or does this fall more on resolver developers to decide whether an NTA for .internal should be baked into software by default?

Chris Appleyard

---

> On 7 Feb 2025, at 09:16, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
>
>> NTAs are installed by resolvers, not authoritative servers. It
>> sounds like this proposal is for a universal NTA; this WG soundly
>> rejected that idea when it (barely) agreed to describing NTAs at
>> all.
>
> They need to be installed by validators. A validator doesn't have to be
> a resolver.
>
> Currently the draft says: "Such domains will not resolve in the global DNS,
> but can be configured within closed networks as the network operator sees
> fit."
>
> I think that rules out a delegation from the root.
>
> Assuming no delegation from the root, then absent a negative trust anchor
> DNSSEC validation will break.
>
> Is this case where purity in the IETF (no global negative trust anchor) will
> win from practical deployment of DNSSEC?
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-le...@ietf.org
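What the resolver-side NTA discussed in this thread looks like in practice, as an added example that is not from either poster: an Unbound configuration (directives as documented in unbound.conf) that keeps DNSSEC validation switched on while still resolving an unsigned, privately served internal. zone. The forwarder address 192.0.2.53 and the root.key path are assumptions.

```conf
# Added example, not from the thread. Assumed: Unbound 1.x, an internal
# authoritative server at 192.0.2.53 (constructed, documentation range),
# and the root trust anchor kept up to date by unbound-anchor.

server:
    # Validation stays on for everything else.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Without the line below, the forward-zone alone is not enough: the
    # validator holds the root's signed NSEC proof that "internal." does
    # not exist, the answers from 192.0.2.53 carry no signatures that
    # chain to the root, so every name under .internal is judged bogus
    # and clients receive SERVFAIL.
    #
    # domain-insecure is Unbound's negative trust anchor: the chain of
    # trust is not followed into "internal.", and its unsigned answers
    # are returned as insecure (no AD bit) instead of bogus. It is scoped
    # to this one name; validation is not disabled globally.
    domain-insecure: "internal."

    # Only needed if private-address (rebind protection) is configured and
    # the internal zone hands out RFC 1918 addresses; otherwise those
    # answers would be stripped as suspected rebinding.
    private-domain: "internal."

# Send queries for the private zone to the internal authoritative server.
forward-zone:
    name: "internal."
    forward-addr: 192.0.2.53
```

After `unbound-checkconf` and a reload, a query for a name under .internal should answer NOERROR without the AD bit rather than SERVFAIL, while names outside it still validate. On BIND 9 the permanent equivalent is `validate-except { "internal"; };` in the options block; `rndc nta` creates NTAs that expire after `nta-lifetime` (one hour by default), which suits incident handling rather than a standing .internal deployment.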