On Thursday, April 6, 2017 11:53:25 PM GMT David Conrad wrote:
> On Apr 6, 2017, 2:32 AM -1000, Paul Vixie <p...@redbarn.org>, wrote:
> > if you want to run yeti-style, there are some perl scripts that will
> > fetch and verify the root zone, edit the apex NS and DNSKEY RRsets,
> > re-sign with your local key, and give you a zone you can run on several
> > servers inside your internal network, such that you can point your
> > "hints" and your dnssec anchor at servers you control, for all your
> > internal-network recursives,
> 
> Not so sure this is something I'd go about recommending to pretty much
> anyone other than hardcore, very experienced DNS/DNSSEC protocol geeks
> since it pretty much defeats the purpose of DNSSEC (edit the apex? ugh) and
> requires all relying devices to configure a "non-default" trust anchor or
> suffer SERVFAILs.

other than one proviso and one misstatement, i agree with this.

the proviso is, RFC 7706 is also completely unsuitable for non-hardcore or non-experienced or non-protocol-geeks; and both approaches are appropriate only for closed internal networks where the configuration is controlled by a single administration.

the misstatement is, dnssec's purpose is not defeated, because iana's signatures are checked before the zone is accepted, and new signatures are added using local keys before publication.

for my many-vm's laptop environment, running on a loopback isn't a solution.

see also:

http://www.circleid.com/posts/20160330_let_me_make_yeti_dns_perfectly_clear/

vixie
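The correction above (IANA's signatures are checked before the zone is accepted, then only the apex NS and DNSKEY RRsets are swapped and the zone is re-signed locally) depends on the apex edit being narrow and everything else, delegations and DS records included, staying untouched. Below is an added example of that apex-rewrite step in Python; it is not code from this thread, from Yeti, or from any resolver, and it assumes the zone has already been fetched and verified, is in the one-record-per-line form that `named-checkzone -D` prints, and that the local NS names, DNSKEY text and any address records are supplied by the operator.

```python
"""Apex rewrite of a verified root-zone copy for a Yeti / RFC 7706 style private root.
Added example, not code from the thread, Yeti or any resolver: it performs only the
"edit the apex NS and DNSKEY RRsets" step. Fetching, checking IANA's signatures (e.g.
dnssec-verify) and re-signing with the local key happen outside it. Input is one
record per line as `named-checkzone -D` prints it: owner ttl class type rdata."""

APEX = "."
REGENERATED = {"RRSIG", "NSEC"}        # dropped everywhere: re-signing recreates them
REPLACED_AT_APEX = {"NS", "DNSKEY"}    # the two apex RRsets swapped for local data

def rewrite_apex(zone_lines, local_ns, local_dnskeys, extra_records=(), ttl="518400"):
    """Return the zone with apex NS/DNSKEY replaced by local ones, ready to re-sign."""
    kept, saw_soa, saw_iana_key = [], False, False
    for raw in zone_lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) < 5:
            raise ValueError(f"unparseable record: {line!r}")
        owner, rtype = parts[0], parts[3]
        if rtype in REGENERATED:
            continue
        if owner == APEX:
            saw_soa |= rtype == "SOA"
            saw_iana_key |= rtype == "DNSKEY"
            if rtype in REPLACED_AT_APEX:
                continue
        kept.append(line)
    # A complete, signed root copy always has an apex SOA and an apex DNSKEY RRset.
    if not saw_soa:
        raise ValueError("no apex SOA: input is not a complete zone")
    if not saw_iana_key:
        raise ValueError("no apex DNSKEY: input does not look like the signed root")
    kept += [f"{APEX} {ttl} IN NS {ns}" for ns in local_ns]
    kept += [f"{APEX} {ttl} IN DNSKEY {key}" for key in local_dnskeys]
    kept += list(extra_records)              # e.g. address records for local servers
    return kept

# Constructed excerpt in the shape of the root zone; every key, signature and DS is made up.
SAMPLE_ZONE = """
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017040601 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
. 172800 IN DNSKEY 257 3 8 IANAKSKPLACEHOLDER==
. 86400 IN RRSIG DNSKEY 8 0 172800 20170420000000 20170406000000 19036 . SIGPLACEHOLDER==
. 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
com. 172800 IN NS a.gtld-servers.net.
com. 86400 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
a.root-servers.net. 518400 IN A 198.41.0.4
""".splitlines()
```

The returned lines, once signed with the local keys (for instance with dnssec-signzone), are the zone the thread describes; the TLD delegations and their DS records pass through unchanged, which is what keeps validation below the root intact.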
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop