On 18 Apr 2025, at 10:24, Philip Homburg wrote:
Please review the draft and share your thoughts on the mailing
list, clearly stating whether you support its adoption by DNSOP.
Also let us know if you are willing to contribute text, provide
reviews, or help in other ways.
The current draft contains the following text:
DNSSEC validating resolvers will fail to resolve names ending in
"internal".
In my opinion we should not have a specification that leads to DNSSEC
validation errors.
One option is to simply not have a draft at all. The IETF is not in charge
of the DNS namespace. The IETF deals with technical aspects of DNS.
A second option is to have a draft that recommends against using this domain
because doing so leads to DNSSEC validation errors. So the points in Section
5.1 (in particular point 1) should be changed that the use is not recommended.
A third option is to find a way to avoid DNSSEC validation errors. That is
not a technical problem, there are multiple ways. But it seems that
none of those is acceptable.
The draft does not recommend using or not using .internal. It says:
If an organization determines that it requires a private-use DNS
namespace, it should either use sub-domains of a global DNS name
that is under its organizational and operational control, or use the
"internal" top-level domain. This document does not offer guidance
on when a network operators should choose the "internal" top-level
domain instead of a sub-domain of a global DNS name. This decision
will depend on multiple factors such as network design or
organizational needs, and is outside the scope of this publication.
SAC113 said:
“Using sub-domains of registered public domain names is still the best
practice to name internal resources.”
I’m not against changing the draft to align more with the advice in
SAC113, but my inclination is to keep the draft agnostic on this point.
When the authors originally discussed it we decided against offering
advice in either direction.
—Andrew