On Aug 14 2014, Joe Abley wrote: [...]
> It seems to me that no delegation is a perfectly reasonable steady state,
It fails to break the chain of trust. Because a validator can "prove" that the names in the putative subzone do not exist, it will consider locally defined content "bogus". The only way around this is either to have all local nameservers be authoritative for the subzone (e.g. by slaving it) or to sign it and have them all configured with a trust anchor. (Negative trust anchors would make this a bit easier, but as we know a certain common nameserver implementation does not support them...) Depending on how large "local" is this can be difficult to achieve, and in the particular use case of 100.64.0.0/10 it is liable to be big.
> so long as ARIN doesn't mind the NXDOMAIN load from leaked queries. An alternative to a delegation (if they do care) would be a DNAME redirection to EMPTY.AS112.ARPA once that is available.
Would this last actually work to break the chain of trust (provided that EMPTY.AS112.NET was itself unsigned)? I am having difficulty working out exactly what a validator would do in this situation.

-- 
Chris Thompson
University of Cambridge Information Services, Email: [email protected]
Roger Needham Building, 7 JJ Thomson Avenue, Phone: +44 1223 334715
Cambridge CB3 0RB, United Kingdom.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
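The point about the chain of trust in the reply above can be made concrete with a small model of how a validator classifies locally defined content under a signed parent such as 100.in-addr.arpa. This is an added example for this thread, not code from either poster or from any real resolver; the status names follow RFC 4035, while the field and function names are constructed for illustration.

```python
"""Toy model of a DNSSEC validator deciding the status of an answer for a
name under a signed, validated parent zone. Constructed for illustration;
a real validator checks actual RRSIGs, NSEC/NSEC3 chains and DS digests."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ParentProof:
    """Signed, already-validated data the resolver holds from the parent."""
    ns_present: bool = False        # NS RRset for the child exists (a delegation)
    ds_present: bool = False        # DS RRset for the child exists (secure delegation)
    nsec_denies_name: bool = False  # signed NSEC proves the child name does not exist
    nsec_denies_ds: bool = False    # signed NSEC at the delegation proves no DS


@dataclass(frozen=True)
class Resolver:
    """How the local validating resolver is provisioned for the child zone."""
    authoritative_for_child: bool = False  # resolver slaves the zone itself
    child_trust_anchor: bool = False       # configured trust anchor for the child
    answer_signed: bool = False            # the local answer carries valid RRSIGs


def classify(parent: ParentProof, res: Resolver) -> tuple[str, str]:
    """Return (status, reason) for a locally supplied answer under the parent."""
    # Data the resolver is authoritative for is served, never validated.
    if res.authoritative_for_child:
        return "local-authoritative", "served from local zone data, no validation"
    # A configured trust anchor for the child makes the parent's view irrelevant.
    if res.child_trust_anchor:
        if res.answer_signed:
            return "secure", "validated against the configured child trust anchor"
        return "bogus", "child trust anchor configured but answer is unsigned"
    # No delegation at all: the parent's signed denial contradicts any content.
    if not parent.ns_present:
        if parent.nsec_denies_name:
            return "bogus", "parent NSEC proves the name does not exist"
        return "bogus", "no delegation and no signed proof either way"
    # Secure delegation: the child's answer must chain to the DS (assumed here
    # to match when answer_signed is True).
    if parent.ds_present:
        if res.answer_signed:
            return "secure", "answer chains to the DS in the parent"
        return "bogus", "DS present in parent but the answer is unsigned"
    # Insecure delegation: NS present and NSEC proves there is no DS.
    if parent.nsec_denies_ds:
        return "insecure", "proven insecure delegation; unsigned child accepted"
    return "bogus", "delegation without DS and without NSEC proof of its absence"


if __name__ == "__main__":
    no_delegation = ParentProof(nsec_denies_name=True)
    print(classify(no_delegation, Resolver()))               # bogus
    print(classify(ParentProof(ns_present=True, nsec_denies_ds=True), Resolver()))  # insecure
```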
