It appears that Chris Appleyard - IETF <chrisappleyard.i...@mailbox.org> said:

> I think there definitely needs to be some consideration around DNSSEC here.
> Without an NTA, any resolver or validator trying to validate .internal will get an NXDOMAIN from the root, including an NSEC response proving nonexistence. That means unless an NTA is manually set up, validation breaks, and resolution for anything under .internal is dead.
If someone is going to make .internal resolve on their network, they're going to have to use some kind of kludge to serve the records. So what we are really debating is what kind of kludge we think will break less badly.

On my network, everything uses the local DNS cache, nothing does endpoint DNSSEC validation, so if the cache says the results are OK, they're OK. I realize that other people may set up their systems differently, but in all the years we've been futzing with DNSSEC I have not seen even a vague agreement on how one might best provide results that are different from what you get by delegation from the root and make it work with DNSSEC.

So I think we should not say anything about it, because whatever we say will be wrong at least half the time.

R's,
John

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
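The "kludge" both messages refer to, shown as an added example in Unbound's configuration syntax (not taken from the thread or from any IETF document): the resolver is told that internal. is insecure, so it does not expect the root's NSEC proof of nonexistence to cover it, and is pointed at a local authoritative server. The address 192.0.2.53 is a documentation placeholder, and only clients that trust this cache rather than validating themselves will see internal. names resolve.

```conf
server:
    # Added example, not part of the mailing-list thread.
    # Treat internal. as unsigned: the chain of trust from the root
    # (which proves internal. does not exist) is ignored at this name,
    # so answers from the stub below are not rejected as bogus.
    domain-insecure: "internal."

stub-zone:
    # Send every query at or below internal. to the local authoritative
    # server instead of following the root delegation.
    name: "internal."
    stub-addr: 192.0.2.53    # placeholder: your authoritative server
```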