If there's no delegation from the root, and it can be validated that there
is no delegation from the root, then the attack surface that this draft
provides is that your corporate private DNSSEC on foo.corp can be
overridden by the VPN.   So as you say, Tony, even in this case, the right
way to do this is not to allow the VPN to provide the trust anchor in-band.

On Mon, Nov 26, 2018 at 12:05 PM Tony Finch <d...@dotat.at> wrote:

> Joe Abley <jab...@hopcount.ca> wrote:
> >
> > It seems to me that the intended use-case is access to corporate-like
> > network environments where intranet.corporate-like.com might exist on
> > the inside but not on the outside.
>
> More likely cases like corporate-like.local or corporate-like.int or
> like.corp etc. usw. :-(
>
> Private DNSSEC trust anchors should be distributed in the same way that
> you would distribute corporate X.509 trust anchors.
>
> Tony.
> --
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
> an equitable and peaceful international order
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>