On Mon, 24 Oct 2022, Brian Dickson wrote:
> Just to expand on this idea (which I quite like), the original AS112 was enhanced to handle new/arbitrary names, so that AS112 operators don't need to do anything to support being a sink for new domains.
>
> This was done in RFC7534 and RFC7535, using the new "empty.as112.arpa" target for use via DNAME. (The DNAME bit is so there isn't a delegation for which the AS112 operator would need to have a zone configured.)
>
> Using this via the root zone would be a new kind of entry for the root zone, but is otherwise non-controversial (IMHO). It would basically look like:
>
> alt. DNAME empty.as112.arpa

This is dangerous. Anyone who runs an as112 node, or an attacker who compromises one, can then serve a "real" .alt to a percentage of queriers. Imagine millions being lost in some cryptocurrency .alt non-dns scheme.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
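
Added example, not part of either message: the RFC 6672 DNAME rewrite that the proposed root entry would trigger, plus a check that flags any answer data owned below the sink target, which an empty zone cannot produce. The function names, the (owner, type, rdata) tuple layout and the sample records are assumptions constructed for illustration.

```python
# Added illustration; the records below are constructed, not captured traffic.
ALT_OWNER = "alt."
SINK_TARGET = "empty.as112.arpa."   # DNAME target named in the quoted proposal

def labels(name):
    """Split a DNS name into lower-cased labels (root -> [])."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_below(name, ancestor):
    """True when name is a proper subdomain of ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a

def dname_substitute(qname, owner=ALT_OWNER, target=SINK_TARGET):
    """RFC 6672 rewrite: swap the owner suffix of qname for the target.
    Returns None when qname is not below owner, because a DNAME
    redirects names under its owner, not the owner name itself."""
    if not is_below(qname, owner):
        return None
    keep = len(labels(qname)) - len(labels(owner))
    return ".".join(labels(qname)[:keep] + labels(target)) + "."

def unexpected_sink_data(qname, answers):
    """Return answer records owned below the sink target.
    The DNAME is owned by alt. and the synthesized CNAME by qname, so
    with a truly empty sink zone this list is empty; anything in it
    was supplied by whoever answered for the sink zone."""
    if dname_substitute(qname) is None:
        return []
    return [r for r in answers if is_below(r[0], SINK_TARGET)]

# Constructed answer sections for the query wallet.example.alt.
HONEST = [
    ("alt.", "DNAME", "empty.as112.arpa."),
    ("wallet.example.alt.", "CNAME", "wallet.example.empty.as112.arpa."),
]
ROGUE = HONEST + [("wallet.example.empty.as112.arpa.", "A", "192.0.2.53")]

if __name__ == "__main__":
    print(dname_substitute("wallet.example.alt."))
    print(unexpected_sink_data("wallet.example.alt.", HONEST))
    print(unexpected_sink_data("wallet.example.alt.", ROGUE))
```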
