On Sat, 19 Apr 2025, Philip Homburg wrote:
>> about some way to keep the local DNS hacks in sync throughout a
>> network for the people who don't use their cache as the source of
>> DNS truth.
> There is a simple way to solve this. Just add a negative trust anchor for
> internal to DNSSEC validating software. But last time I suggested that,
> it was quite unpopular.
> It is simply unrealistic to expect that every mobile device that
> contains a DNSSEC validator gets up-to-date information about the
> state of internal on every network it connects to. This should be left
> to recursive resolvers at the core of the network.

Well, yes, or if the stubs are going to validate, they need some way to
ask the upstream cache about local stuff.
> That's why either the DNSSEC issue should be fixed or we should recommend
> against using internal.

I think it should be fixed, but I also think it's silly to say this is a
new problem or that .internal breaks in ways different from a zillion
locally added domains.
R's,
John
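A concrete form of the negative trust anchor Philip suggests, as an added example that is not from this thread: an Unbound configuration for a recursive resolver at the core of the network, which validates everything except the locally served internal namespace. The key file path and the address of the authoritative server for internal are assumptions.

```conf
# Added example (not from the thread): core recursive resolver serving a
# private "internal." namespace while still validating DNSSEC elsewhere.
server:
    # Normal DNSSEC validation for the public namespace (path assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor: treat "internal." as an insecure island.
    # Without this line the root zone's signed proof that "internal" does
    # not exist makes every locally served answer validate as bogus, so
    # clients get SERVFAIL instead of the local data.
    domain-insecure: "internal."

# Hand queries for the private namespace to the network's own server
# (192.0.2.53 is a documentation address standing in for the real one).
forward-zone:
    name: "internal."
    forward-addr: 192.0.2.53
```

Stub resolvers that validate on their own would still need the same exception, which is the synchronisation problem the thread is about; a validating stub that forwards to this resolver instead will simply see the answers as insecure rather than bogus.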
DNSOP mailing list -- [email protected]