Hi,

Mark Andrews's point about a DNSSEC insecure delegation today was not,
I think, fully appreciated.

In order to create a top-most label in the domain name that can be
used this way and that has the necessary properties, we cannot simply
instruct IANA to do it.  That is in fact creating a delegation in the
root zone of the DNS.  I believe that RFC 2860 (the MoU between the
IETF and ICANN) does allow us to create special-use domain names at
the top-most level.  But I do not believe it allows us to create
special-use domain names at the top-most level _in the DNS_, because
that is control of the root zone and it is unambiguously the province
of ICANN.
 
Therefore, if the WG decides to use a top-level label for these
purposes, we have to apply to ICANN to get it delegated from the root
in a provably insecure fashion.  Interestingly, ICANN actually has a
policy that it won't delegate things from the root any more that are
_not_ DNSSEC signed, and the whole point here is in fact to add an
entry that is contrary to that policy, so getting such a delegation
would require ICANN to change its policies before it could happen.

That is an important practical fact that ought to be taken into
consideration when deciding what kind of label to use.

Best regards,

A

-- 
Andrew Sullivan
[email protected]

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
