It appears that Peter Thomassen <[email protected]> said:
>On 4/18/25 10:24, Philip Homburg wrote:
>> The current draft contains the following text:
>> DNSSEC validating resolvers will fail to resolve names ending in "internal".
>>
>> In my opinion we should not have a specification that leads to DNSSEC
>> validation errors.
>
>I agree this is a problem, and therefore I'm against adopting this draft
>unless this problem is resolved.

If I were using .internal names, I would configure them in unbound exactly the same way that I configure the rDNS for 192.168/16 and .onion and the other zones it's preconfigured to serve. If you ask for DNSSEC, it says it's unsigned.

If someone is about to say but then if I do my own DNSSEC checks in my end device it won't work. That's true, and it won't work if you use 8.8.8.8 or DoH to 1.1.1.1 either. If you splice local names into your local DNS cache, they won't work if a program doesn't use that cache and DNSSEC is the least of your problems.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
