>The problem is that the DNSSEC solution here is kind of complicated.
>What you'd want is an opt-out signature in the root, showing that there
>might be an insecure delegation to .localhost, but the root is signed with
>NSEC and there's only opt-out in NSEC3. Technically it's not complicated
>to change from NSEC to NSEC3, but any change to the way the root is
>managed is a big deal since the consequences of screwing it up are so
>large.

What if localhost is just inserted in the root as the equivalent of

    localhost. IN A 127.0.0.1
    localhost. IN AAAA ::1

(of course this can be done by directly inserting those entries in the
root, or by using CNAME or DNAME tricks, or even delegating localhost. to
something like as112)

I assume that anyone who wants different values for localhost can edit
/etc/hosts or use one of the many DNS resolution tricks.

This may break local validating resolvers, but so what?

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
