On Jun 12 2012, Tony Finch wrote:

Joe Abley <[email protected]> wrote:

Since these are all junk domains of no global significance, it's hard to
see how they could be signed. The expectation is (as currently) that
they would not be.

And rightly so.

Since it is normal (especially for the RFC1918 zones) for sites to have
local versions of the zones, it is much easier operationally if the zones
are not signed. If they are signed then any site that overrides them would
have to distribute trust anchors to all validators, so that they are able
to resolve the local names without rejecting them as bogus. If the AS112
zones are not signed then distributing trust anchors for local versions is
optional, depending on whether the site wants to bother validating them.

See also RFC 6303, section 7, paragraph 2:

* As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
* namespaces, the zones listed above will need to be delegated as
* insecure delegations, or be within insecure zones.  This will allow
* DNSSEC validation to succeed for queries in these spaces despite not
* being answered from the delegated servers.

--
Chris Thompson               University of Cambridge Computing Service,
Email: [email protected]    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
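
The validator behaviour argued in the message above, as an added example that is not part of the original thread: a simplified Python model of how a validating resolver classifies an answer from a locally overridden zone. The key names, the `validate` helper and the rule that a locally configured trust anchor for the zone takes precedence over the DS in the parent are assumptions of this sketch, and signature checking is reduced to comparing key names.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ZONE = "10.in-addr.arpa"              # one of the RFC1918 reverse zones
PUBLIC_KEY = "as112-key-constructed"  # constructed: key a signed public zone would use
LOCAL_KEY = "site-key-constructed"    # constructed: key a site uses for its local copy


@dataclass
class Answer:
    zone: str                 # zone the answer was served from
    signed_by: Optional[str]  # key that signed it, None if unsigned


def validate(answer: Answer, parent_ds: Dict[str, str],
             local_anchors: Dict[str, str]) -> str:
    """Classify an answer as 'secure', 'insecure' or 'bogus'.

    parent_ds:     zone -> key named by the DS record in the signed parent;
                   a zone missing here is an insecure delegation.
    local_anchors: zone -> trust anchor distributed to this validator.
    """
    # Assumption: the closest configured trust anchor wins over the parent's DS.
    expected = local_anchors.get(answer.zone, parent_ds.get(answer.zone))
    if expected is None:
        # Parent proves there is no DS: nothing to check, the answer is usable.
        return "insecure"
    # A chain of trust exists, so the answer must be signed by the expected key.
    return "secure" if answer.signed_by == expected else "bogus"


def scenarios() -> Dict[str, str]:
    signed_parent = {ZONE: PUBLIC_KEY}  # the zones were signed (DS in parent)
    insecure_parent = {}                # insecure delegation, as RFC 6303 asks
    unsigned_local = Answer(ZONE, None)
    signed_local = Answer(ZONE, LOCAL_KEY)
    return {
        "signed zone, unsigned override, no anchor":
            validate(unsigned_local, signed_parent, {}),
        "signed zone, signed override, anchor distributed":
            validate(signed_local, signed_parent, {ZONE: LOCAL_KEY}),
        "insecure delegation, unsigned override":
            validate(unsigned_local, insecure_parent, {}),
        "insecure delegation, signed override, anchor distributed":
            validate(signed_local, insecure_parent, {ZONE: LOCAL_KEY}),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status:9} {name}")
```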
