On Wed, Apr 06, 2016 at 01:41:40PM -0300, George Michaelson <[email protected]> wrote a message of 25 lines which said:
> I see some utility in having DNSSEC apply over special use names, > because authenticated non-existence is a strong proof of intent, and > would make a 'not in this domainspace' switch have a robust basis. Well, the root is signed so, if the draft is implemented, the DNAMEs will be signed (the target zone, empty.as112.arpa, is not, for good reasons). > On that understanding, how would DNAME redirection work for > returning sigs over the NX? I'm not sure I understand. A DNAME is like any other record (see anything.sink.bortzmeyer.fr which is signed and redirects to the new AS112). Or do you mean a RFC 7535-bis, with "special" signatures for empty.as112.arpa? _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
