Stephane wrote:
> On Wed, Feb 01, 2017 at 03:28:29PM -0500,
> Warren Kumari <warren at kumari.net> wrote
> a message of 103 lines which said:
>
> > or 2: request that the IANA insert an insecure delegation in the
> > root, pointing to a: AS112 or b: an empty zone on the root or c:
> > something similar.
>
> Here, people may be interested by draft-bortzmeyer-dname-root (expired
> but could be revived). The main objection was the privacy issue
> (sending user queries to the "random" operators of AS112.)
>
>
My opinions on these issues are as follows, roughly:
- I am in favor of AS112 for ALT
- For AS112, I prefer the AS112++ method (DNAME)
- I do not see why the DNAME would/should not be DNSSEC signed
- Any local use of ALT can be served locally and signed using an
  alternative trust anchor
- I don't think there is any issue with having both the NXD from the
  root, and the local assertion of existence, both present (in cache and in
  authoritative data respectively)
   - Maybe there are issues with specific implementations?
   - If anyone knows of such problems, it would be helpful to identify
     them along with the implementation and version
- For AS112 privacy, perhaps someone should write up a recommendation to
  set up local AS112 instances, to provide privacy, as an informational RFC?
   - Even simply through resolver configurations, without a full AS112
     "announce routes"?
   - Do any resolver packages offer such a simple AS112 set-up?
   - Maybe the efforts for privacy should start there (implement first,
     then document)?
   - Do any stub resolver packages include host-local AS112
     features/configurations?

Overall, I'm obviously in favor of use of ALT, and for signing whatever is
done for ALT, and for use of DNAME for ALT.

Brian "DNAME" Dickson
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop