On Tue, Jan 30, 2018 at 11:39:31AM -0600, Ted Lemon wrote:
> > It is possible to produce a signed answer, because the domain doesn't exist

I think I was arguing yesterday that that is in fact not true. The domain (name) does exist, and it is defined in RFC 6761 precisely to be special. In addition,

> > cavall% dig @a.root-servers.net localhost
> >
> > ; <<>> DiG 9.10.1b1 <<>> @a.root-servers.net localhost
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19121
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available

That answer from the root is contrary to RFC 6761 section 6.3 item 5 and maybe 6. Because of that same section, also, signing the answer should also not be controversial because the answer is static.

My preference, however, would be for the root servers to REFUSE to answer such queries.

Best regards,

A

--
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
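An added example, not code from anyone in this thread: a wire-format check that classifies a server's response to a `localhost` query into the three behaviours the message contrasts (a loopback answer per RFC 6761 section 6.3, the NXDOMAIN the root returned, or the REFUSED Andrew would prefer). The sample responses are constructed; the first mirrors only the header of the quoted dig output, with the authority and additional records omitted.

```python
import struct
import ipaddress

RCODE = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def _skip_name(wire, off):
    """Return the offset just past a DNS name, compressed or not."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_localhost_response(wire):
    """Classify a response to 'localhost.' against RFC 6761 section 6.3."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", wire[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = _skip_name(wire, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype in (1, 28):  # A or AAAA rdata is a packed address
            addrs.append(ipaddress.ip_address(wire[off:off + rdlen]))
        off += rdlen
    if addrs:
        return "LOOPBACK" if all(a.is_loopback for a in addrs) else "NON_LOOPBACK"
    return RCODE.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def build_response(rid, flags, answers=()):
    """Construct a sample response to 'localhost. IN A' (not captured traffic)."""
    hdr = struct.pack("!6H", rid, flags, 1, len(answers), 0, 0)
    question = b"\x09localhost\x00" + struct.pack("!HH", 1, 1)
    rrs = b""
    for rtype, addr in answers:
        rdata = ipaddress.ip_address(addr).packed
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 0, len(rdata)) + rdata
    return hdr + question + rrs

# Constructed samples: the first mirrors the header in the quoted dig output
# (qr aa rd, status NXDOMAIN, id 19121); authority/additional records omitted.
ROOT_NXDOMAIN = build_response(19121, 0x8503)
REFUSED_RESPONSE = build_response(19121, 0x8105)  # qr rd, rcode REFUSED
LOOPBACK_RESPONSE = build_response(19121, 0x8180, [(1, "127.0.0.1"), (28, "::1")])
```

Pointing the classifier at a real resolver means sending the query yourself and passing the raw UDP payload in; the parser reads only the header, question and answer sections.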