> What we all keep ignoring is that .internal DOES NOT WORK WITH
> BRING YOUR OWN DEVICE scenarios. Reverse for RFC1918 addresses
> works with BYOD because we have public AS112 servers that serve
> UNSIGNED reverse zones. This breaks the DNSSEC chain of trust
> cleanly, allowing the zones to be used by everyone. We have
> FAILED to do this for .internal. So either every device needs to know a priori that DNSSEC
> doesn't work for .internal, which makes it a special use domain,
> or we add .internal to the root with an insecure delegation to
> break the chain of trust cleanly.
I think it is clear that IANA (or ICANN) does not want a delegation in the root for internal. So we need to find another way. It is safe to say that the only software running on a host that needs to be aware of .internal is software that does DNSSEC validation. Most stub resolvers, non-validating forwarders, etc. don't need to do anything special. So the requirement we should place on validators is that they come by default with a negative trust anchor for .internal. That would indeed make INTERNAL a special-use domain name.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
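The two outcomes the thread contrasts, as an added illustration that is not part of either message: a toy model of the DNSSEC tree in which the AS112 reverse zone for 10.0.0.0/8 hangs off a signed insecure delegation (a proof that no DS exists), while nothing exists for `internal.` at the root. The model then shows what a validator concludes about an answer a local resolver hands it for a name under each, and how either of the two proposed fixes (a default negative trust anchor in the validator, or an insecure delegation added to the root) turns "bogus" into "insecure". The zone data, the name `www.corp.internal.` and the function names are constructed for the example; `example.` is used only as a signed positive control.

```python
"""Toy model of why unsigned RFC 1918 reverse zones survive DNSSEC validation
while a locally served .internal does not, and what a negative trust anchor
(or an insecure delegation in the root) changes.  Constructed example: the
tree below is a simplified stand-in for the real DNS, not real zone data."""

from copy import deepcopy

# "delegations" maps a child zone to how the parent delegates it:
#   "secure"   - the parent publishes a DS record for the child
#   "insecure" - the parent publishes a signed NSEC/NSEC3 proving there is no
#                DS, which is what the AS112-served RFC 1918 reverse zones rely on
# "names" lists non-delegation names that exist inside the zone.
TREE = {
    ".": {"signed": True, "delegations": {"arpa.": "secure", "example.": "secure"}, "names": set()},
    "arpa.": {"signed": True, "delegations": {"in-addr.arpa.": "secure"}, "names": set()},
    "in-addr.arpa.": {"signed": True, "delegations": {"10.in-addr.arpa.": "insecure"}, "names": set()},
    # AS112-style unsigned zone; the insecure delegation above makes it usable everywhere.
    "10.in-addr.arpa.": {"signed": False, "delegations": {}, "names": set()},
    "example.": {"signed": True, "delegations": {}, "names": {"www.example."}},
    # Deliberately absent: any "internal." entry or delegation at the root.
}


def ancestors(qname):
    """Names from the root down to qname: '.', 'arpa.', 'in-addr.arpa.', ..., qname."""
    if qname == ".":
        return ["."]
    labels = qname.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate_local_answer(qname, tree=TREE, negative_trust_anchors=()):
    """Classify what a validating resolver concludes about an answer for qname
    handed to it by a local (split-horizon) resolver: 'secure', 'insecure' or 'bogus'."""
    chain = ancestors(qname)
    # A negative trust anchor tells the validator to treat everything at or below
    # that name as unsigned, so answers there are 'insecure' rather than 'bogus'.
    if any(nta in chain for nta in negative_trust_anchors):
        return "insecure"
    zone = "."  # the walk starts at the root trust anchor
    for child in chain[1:]:
        info = tree[zone]
        if not info["signed"]:
            return "insecure"  # an unsigned zone cannot prove anything below it
        how = info["delegations"].get(child)
        if how == "secure":
            zone = child  # DS present: the chain of trust continues into the child
        elif how == "insecure":
            return "insecure"  # signed proof of "no DS": the chain ends cleanly here
        elif child in info["names"]:
            continue  # an ordinary name inside the current signed zone
        else:
            # The signed parent proves this name does not exist, so an answer a
            # local resolver injects for it cannot validate: SERVFAIL for the client.
            return "bogus"
    return "secure" if tree[zone]["signed"] else "insecure"


def with_insecure_root_delegation(tree, name):
    """Model the other option from the thread: add `name` to the root with an
    insecure delegation (signed proof that no DS exists) instead of a trust anchor."""
    t = deepcopy(tree)
    t["."]["delegations"][name] = "insecure"
    return t


if __name__ == "__main__":
    cases = [
        ("www.example.", TREE, ()),                                   # signed positive control
        ("1.0.0.10.in-addr.arpa.", TREE, ()),                         # RFC 1918 reverse via AS112
        ("www.corp.internal.", TREE, ()),                             # .internal today
        ("www.corp.internal.", TREE, ("internal.",)),                 # validator ships an NTA
        ("www.corp.internal.", with_insecure_root_delegation(TREE, "internal."), ()),
    ]
    for qname, tree, ntas in cases:
        print(f"{qname:28} NTA={ntas!r:15} -> {validate_local_answer(qname, tree, ntas)}")
```

Running the block prints `insecure` for the RFC 1918 reverse name and `bogus` for `www.corp.internal.`, which is the asymmetry the quoted message complains about; the last two cases both come out `insecure`. The operator-side equivalent of the negative trust anchor today is a per-validator setting such as Unbound's `domain-insecure:` or BIND's `validate-except`, which is exactly the per-device a-priori knowledge the reply wants to make a shipped default rather than a local tweak.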
