> If you're going to make local modifications to the DNS tree in some
> parts of your setup but not others, it is not much of a surprise
> that the results are inconsistent.  I think we either need to decide
> that since people have been doing local DNS hacks for at least
> three decades, either we admit that it does what it does and you
> should be aware that some parts don't work, or we should think
> about some way to keep the local DNS hacks in sync throughout a
> network for the people who don't use their cache as the source of
> DNS truth.

There is a simple way to solve this. Just add a negative trust anchor for
internal to DNSSEC validating software. But last time I suggested that,
it was quite unpopular.

It is simply unrealistic to expect that every mobile device that
contains a DNSSEC validator gets up-to-date information about the
state of internal on every network it connects to. This should be left
to recursive resolvers at the core of the network.

That's why either the DNSSEC issue should be fixed or we should recommend
against using internal.
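As an added illustration, not part of the message above, the "negative trust anchor" idea corresponds to a standard knob in validating resolvers: the resolver is told to treat a given name as insecure, so answers under it are accepted without a chain of trust from the root instead of being rejected as bogus. The fragment below is an assumed example Unbound configuration (the local-zone contents are constructed), not anything from the thread; the equivalent directives for other resolvers are noted in comments.

```conf
# Assumed example: recursive resolver at the network core serving a
# locally defined "internal." namespace while still validating DNSSEC
# for everything else. Not taken from the mailing-list message.
server:
    # Without this line, a validating resolver proves from the signed
    # root zone that "internal." does not exist and returns SERVFAIL
    # for every locally served name under it.
    #
    # This is the negative trust anchor: ignore the chain of trust
    # towards "internal." and accept unsigned local answers there.
    domain-insecure: "internal."

    # Constructed local data for the insecure namespace.
    local-zone: "internal." static
    local-data: "printer.internal. IN A 192.0.2.10"
    local-data: "git.internal.     IN A 192.0.2.20"

    # DNSSEC stays enabled for the rest of the tree.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Equivalent settings in other resolvers (same effect, assumed syntax
# from their documentation, not from this thread):
#   BIND 9:        validate-except { internal; };
#   Knot Resolver: trust_anchors.set_insecure({'internal'})
```

The scope of the exception is the point the message makes: the exception has to be present on every validator that will see the local data. A resolver at the network core can carry it; a mobile device running its own validator on an unfamiliar network cannot know to add it, which is why the message argues the fix belongs in core recursive resolvers rather than in endpoint software.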


_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
