In message <[email protected]>, Brian Dickson writes:
> The suggestion of DNAME to empty.as112.arpa involves some subtle details,
> which IMHO may in combination be the right mix here.
>
> The DNAME target is an insecure empty zone.
>
> This avoids the validation issue, and facilitates use of local "alt"
> namespaces.

No it doesn't.

> The default response to queries under alt would be unsigned NXDOMAINs.

No, it would be a secure response saying that foo.alt is covered by a DNAME.
The names under empty.as112.arpa are unsigned NXDOMAINs.

The difference between the two descriptions is critical to why a DNAME in
the root zone will not work. You *have* to leak names to the root to get a
DNAME returned by ordinary processing because the DNAME is signed.

> I am not seeing a problem with this.
>
> Am I missing anything?

Yes. A solution that *works*.

> Brian
>
> Sent from my iPhone

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
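As an added illustration (not part of the thread, and not ISC or IETF code), here is a small Python model of the behaviour described in the reply above: a signed DNAME at alt. in the root and an unsigned empty.as112.arpa. zone are constructed, and resolve() records that the query name has to be sent to the root before the DNAME can be returned, that the DNAME answer validates as secure, and that the substituted name ends in an unsigned NXDOMAIN. The zone data and the resolver model are assumptions made for the example.

```python
# Constructed zone data for the simulation (not real zone files).
# Each entry: owner name -> (rrtype, rdata, signed)
ROOT_ZONE = {"alt.": ("DNAME", "empty.as112.arpa.", True)}   # root zone is signed
AS112_ZONE = {"empty.as112.arpa.": ("SOA", None, False)}      # target zone is unsigned


def dname_substitute(qname, owner, target):
    """RFC 6672 substitution: swap the DNAME owner suffix of qname for target.

    Only names strictly below the owner are substituted; the owner itself
    holds the DNAME RR and is not rewritten.
    """
    if not qname.endswith("." + owner):
        raise ValueError(f"{qname} is not below {owner}")
    return qname[: -len(owner)] + target


def resolve(qname):
    """Model a validating resolver looking up qname with no local 'alt' zone.

    Returns a dict recording which names were sent to the root, whether the
    DNAME answer validated, the synthesized target, and the final result.
    """
    trace = {"sent_to_root": [], "dname_secure": None,
             "target": None, "rcode": None, "final_secure": None}

    # Step 1: nothing is cached, so the query name itself goes to the root.
    # This is the leak: without sending the name, no DNAME comes back.
    trace["sent_to_root"].append(qname)
    for owner, (rtype, rdata, signed) in ROOT_ZONE.items():
        if rtype == "DNAME" and qname.endswith("." + owner):
            # The DNAME RRset carries RRSIGs, so the resolver marks it secure.
            trace["dname_secure"] = signed
            trace["target"] = dname_substitute(qname, owner, rdata)
            break
    else:
        # Names not under the DNAME resolve normally; not modelled here.
        return trace

    # Step 2: follow the synthesized CNAME into the unsigned AS112 zone.
    apex, (_, _, signed) = next(iter(AS112_ZONE.items()))
    trace["rcode"] = "NOERROR" if trace["target"] == apex else "NXDOMAIN"
    trace["final_secure"] = signed   # False: the NXDOMAIN is insecure
    return trace
```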
