> On Nov 20, 2016, at 9:27 PM, Ted Lemon <[email protected]> wrote:
>
> The point is that the current policy for the root precludes an
> unsecure delegation.

Huh? If by "insecure delegation" you mean "no DS record", then there are plenty
of such delegations right now:

    $ comm -23 tlds tlds_with_ds | wc -l
    161

If you're referring to a policy for new delegations, there is indeed a
requirement for the "Class of 2012" gTLDs that they be secure, i.e., have DS
records. So it happens that all recent new TLDs in the root have been secure
delegations, but it doesn't follow that every new delegation has to be a secure
one. That's an issue we (the community) would have to decide upon and document
in whatever document governed adding a hypothetical new TLD with an insecure
delegation.

Personally, I think we'd better have a really good reason for adding a new TLD
without a requirement for DNSSEC. I further think that adding an insecure
delegation in the root for localhost to permit DNSSEC validation of local names
like foo.localhost is bad, because I think doing anything to encourage names
like foo.localhost is a very bad idea. When I see localhost in whatever
context, I think 127.0.0.1 and ::1. Any other answer would cause astonishment.

Matt
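
One way the two input files in the `comm -23` count above could be derived from a root zone file, as an added example that is not part of the original message. It assumes master-file format with one record per line and explicit owner, TTL and class; the function names and the sample zone are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in root-zone master-file format (not real root zone data).
sample_zone() {
cat <<'EOF'
.           518400 IN NS    a.root-servers.net.
alpha.      172800 IN NS    ns1.alpha.
alpha.      86400  IN DS    11111 8 2 00AA11BB
alpha.      86400  IN RRSIG DS 8 1 86400 20161201000000 20161120000000 1 . AAAA
ns1.alpha.  172800 IN A     192.0.2.1
bravo.      172800 IN NS    ns1.bravo.
ns1.bravo.  172800 IN A     192.0.2.2
CHARLIE.    172800 IN NS    ns1.example.net.
charlie.    172800 IN NS    ns2.example.net.
delta.      172800 IN NS    ns1.delta.
delta.      86400  IN DS    22222 13 2 00CC22DD
EOF
}

# Owners of single-label names carrying the given record type, lowercased
# because DNS names compare case-insensitively. The regex skips the root
# itself (".") and glue names such as "ns1.alpha.". Matching on field 4
# also skips "RRSIG DS" lines, where DS is only the covered type.
owners_with_type() {
  awk -v t="$1" '$3 == "IN" && $4 == t && $1 ~ /^[^.]+\.$/ { print tolower($1) }' "$2" |
    LC_ALL=C sort -u
}

tlds()         { owners_with_type NS "$1"; }   # every delegated TLD
tlds_with_ds() { owners_with_type DS "$1"; }   # TLDs with a secure delegation

# Delegated TLDs that have no DS record: the set the message counts.
insecure_tlds() {
  tmp=$(mktemp -d) || return 1
  tlds "$1" > "$tmp/tlds"
  tlds_with_ds "$1" > "$tmp/tlds_with_ds"
  # comm requires both inputs sorted in the same collation, hence LC_ALL=C.
  LC_ALL=C comm -23 "$tmp/tlds" "$tmp/tlds_with_ds"
  rm -rf "$tmp"
}

# Demo on the constructed sample.
zone=$(mktemp) && sample_zone > "$zone" && insecure_tlds "$zone"
rm -f "$zone"
```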