On Mon, 15 Jan 2018, Stephane Bortzmeyer wrote:
>> Since you can get the effect of a DNAME in the root zone by putting
>> a DNAME at the apex of a TLD as Taiwan has done,
>
> No, the goal here is to have no NS delegation (for reasons explained
> in RFC 7535). So, this cannot work.

I don't understand this objection. If there's a reason this wouldn't work, I'd appreciate knowing what it is:

in the root (add DNSSEC to taste):

...
evil. NS ns1.evilsrv.wtf.
evil. NS ns2.evilsrv.wtf.
ns1.evilsrv.wtf. glue ...
ns2.evilsrv.wtf. glue ...
...

in the evilsrv.wtf servers

evil. SOA whatever
evil. NS ns1.evilsrv.arpa.
evil. NS ns2.evilsrv.arpa.
evil. DNAME empty.as112.arpa.

There'd be an initial spike of traffic to the evilsrv.wtf servers but assuming the DNAME does what you anticipate, that should tail off pretty fast as caches start synthesizing the answers.

This has the advantage that it involves no new technology and lets us skip directly down the hall to the policy discussion.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
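The mechanism the message relies on is DNAME substitution (RFC 6672, section 2.2): a DNAME at "evil." tells a resolver to rewrite every name below it onto the corresponding name below "empty.as112.arpa.", so once a cache holds that single record it can answer further queries under "evil." itself without asking the evilsrv.wtf servers again. The following script is an added illustration, not code from the post or from any DNS software. It implements the label substitution and a deliberately minimal toy resolver (no TTLs, no CNAME chasing into the as112 zone, the authoritative side modelled as a dictionary) to make the "spike that tails off" behaviour observable.

```python
"""DNAME substitution (RFC 6672 section 2.2) plus a toy resolver cache.

Added example for illustration. The authoritative data below is a constructed
stand-in for the evilsrv.wtf servers in the quoted zone snippet; TTL expiry
and chasing the synthesized CNAME into the as112 zone are left out on purpose.
"""


def _labels(name):
    """Split a presentation-format name into lower-cased labels, root removed."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def dname_substitute(qname, owner, target):
    """Apply a DNAME record <owner> DNAME <target> to qname.

    Returns the substituted name (with trailing dot) when qname is strictly
    below owner, else None. The owner name itself is never rewritten, which
    matches RFC 6672: the DNAME applies only to descendants of its owner.
    """
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    prefix = q[: len(q) - len(o)]
    return ".".join(prefix + t) + "."


class ToyResolver:
    """Caching resolver that counts how often it must contact the authority.

    `authoritative` maps a DNAME owner to its target, standing in for the
    zone served by ns1/ns2.evilsrv.wtf in the post (constructed data).
    """

    def __init__(self, authoritative):
        self.auth = dict(authoritative)
        self.cache = {}              # owner -> target, learned DNAMEs
        self.upstream_queries = 0    # traffic that reaches the authority

    def resolve(self, qname):
        """Return (how, name): how is 'synthesized', 'fetched' or 'nxdomain'."""
        # First try to synthesize from a cached DNAME: no upstream traffic.
        for owner, target in self.cache.items():
            sub = dname_substitute(qname, owner, target)
            if sub is not None:
                return ("synthesized", sub)
        # Cache miss: one query to the authoritative servers.
        self.upstream_queries += 1
        for owner, target in self.auth.items():
            sub = dname_substitute(qname, owner, target)
            if sub is not None:
                self.cache[owner] = target   # remember the DNAME, not the answer
                return ("fetched", sub)
        return ("nxdomain", None)


def demo():
    """Drive the toy resolver with the names from the post; returns the count."""
    r = ToyResolver({"evil.": "empty.as112.arpa."})
    for name in ("a.evil.", "b.c.evil.", "x.y.z.evil."):
        print(name, "->", r.resolve(name))
    print("queries that reached the authority:", r.upstream_queries)
    return r.upstream_queries


if __name__ == "__main__":
    demo()
```

Only the first lookup reaches the constructed authority; every later name under "evil." is rewritten locally from the cached DNAME, which is the effect the post counts on. Real resolvers also honour the DNAME's TTL and re-fetch it when it expires, so the residual traffic is one query per cache per TTL rather than zero.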

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
