I meant a form of signing, which would be a strong signal of repudiation of the label as well as exclusion of other holders of the label, so that it could be a first-class signal "not in the DNS" -> look in another internet-name lookup mechanism.
Delegation via DNAME to the empty serve felt like a weaker form. It conflates moving traffic off the root with an authenticated denial function. I probably don't understand the protocol implications of things right, so I may also be confused myself.

-G

On Wed, Apr 6, 2016 at 2:22 PM, Stephane Bortzmeyer <[email protected]> wrote:
> On Wed, Apr 06, 2016 at 01:41:40PM -0300,
> George Michaelson <[email protected]> wrote
> a message of 25 lines which said:
>
>> I see some utility in having DNSSEC apply over special use names,
>> because authenticated non-existence is a strong proof of intent, and
>> would make a 'not in this domainspace' switch have a robust basis.
>
> Well, the root is signed so, if the draft is implemented, the DNAMEs
> will be signed (the target zone, empty.as112.arpa, is not, for good
> reasons).
>
>> On that understanding, how would DNAME redirection work for
>> returning sigs over the NX?
>
> I'm not sure I understand. A DNAME is like any other record (see
> anything.sink.bortzmeyer.fr which is signed and redirects to the new
> AS112).
>
> Or do you mean a RFC 7535-bis, with "special" signatures for
> empty.as112.arpa?

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
