Your second suggestion is what I meant. Thanks for taking the time to write it—I totally missed the conflicting meaning of "validate".
> On Jul 7, 2017, at 8:34 AM, Andrew Sullivan <[email protected]> wrote:
>
> Hi there,
>
> I have read the -09 draft. I think I am confused (but maybe I am
> confused about that).
>
> It says
>
>    5. No special processing of '.home.arpa' is required for
>       authoritative DNS server implementations. However, it is
>       possible that an authoritative DNS server might attempt to
>       validate the delegation for a zone before answering
>       authoritatively for that zone. In this situation, it would find
>       an invalid delegation, and would not answer authoritatively. A
>       server that implements this sort of check MUST be configurable so
>       that either it does not do this check for the 'home.arpa' domain,
>       or it ignores the results of the check.
>
> I think the problem here might be "attempt to validate". Since the
> point of section 7 is precisely to permit DNSSEC validation not to
> "fail" (i.e. not to validate "bogus"), this seems to be an
> equivocation on "validate". I think what is probably meant is
>
>    It is possible that an authoritative DNS server might have local
>    policy that requires positive DNSSEC validation of a delegation
>    for a zone before answering authoritatively for that zone. In
>    that situation, it would not find a signed delegation, and would
>    therefore not answer authoritatively. A server …
>
> If that's not what's meant, then I don't know what is meant. The
> delegation is certainly not invalid in the DNSSEC sense. It's not
> possible to find it in the global DNS servers authoritative for the
> parent name space, however. If _that's_ the worry, then the term
> "valid" is not what is needed here. In that case, maybe this is
> what's wanted:
>
>    It is possible that an authoritative DNS server might attempt to
>    check the authoritative servers for home.arpa. for a delegation
>    beneath that name before answering authoritatively for such a
>    delegated name. In such a case, because the name always has only
>    local significance there will be no such delegation in the
>    home.arpa. zone, and so the server would refuse to answer
>    authoritatively for such a zone. A server …
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> [email protected]
>
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
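The check the draft text and Andrew's second rewording describe, as an added example that is not part of the thread, the draft, or any DNS server's code: a toy model of an authoritative server that, before answering for a zone, asks the parent's authoritative servers whether the zone is delegated to it. For a zone at or beneath home.arpa. that lookup never succeeds (the global home.arpa. delegation does not point at anyone's home network, and nothing beneath it is delegated), which is why the draft requires the check to be configurable. The parent NS data, server hostnames, and configuration fields here are all constructed for the example and are not taken from any real deployment.

```python
from dataclasses import dataclass

HOME_ARPA = "home.arpa."

# Constructed stand-in for answers from the parent zone's authoritative
# servers: child zone name -> set of NS hostnames the parent delegates it to.
# None of these hostnames are real. The entry for home.arpa. models the point
# in the thread: the global delegation does not lead to the local server, and
# the global home.arpa. zone delegates nothing beneath it.
CONSTRUCTED_PARENT_NS = {
    "sub.example.": {"ns1.sub.example."},
    "home.arpa.": {"sink.arpa.example."},
}


def is_at_or_under(name, suffix):
    """True if `name` equals `suffix` or lies beneath it (both fully qualified)."""
    return name == suffix or name.endswith("." + suffix)


@dataclass
class ServerConfig:
    our_names: frozenset                 # hostnames this server answers as
    check_delegation: bool = True        # verify the parent delegates to us
    exempt_suffixes: tuple = (HOME_ARPA,)  # domains the check is skipped for
    ignore_check_result: bool = False    # run the check, but answer regardless


def delegation_check(zone, cfg, parent_ns):
    """The check itself: does the parent delegate `zone` to one of our names?"""
    ns_at_parent = parent_ns.get(zone, set())
    return bool(ns_at_parent & cfg.our_names)


def will_answer_authoritatively(zone, cfg, parent_ns=CONSTRUCTED_PARENT_NS):
    """Decide whether a zone this server is configured for gets served.

    Returns (answer, reason). Mirrors the draft's MUST: the check is either
    skipped for the exempted domain or its result is ignored.
    """
    if not cfg.check_delegation:
        return True, "no delegation check configured"
    if any(is_at_or_under(zone, s) for s in cfg.exempt_suffixes):
        return True, "delegation check skipped for exempted domain"
    if delegation_check(zone, cfg, parent_ns):
        return True, "parent delegates zone to this server"
    if cfg.ignore_check_result:
        return True, "delegation check failed but result ignored"
    return False, "parent does not delegate zone to this server"


if __name__ == "__main__":
    ours = frozenset({"ns1.sub.example.", "ns.router.home.arpa."})
    default_cfg = ServerConfig(our_names=ours)
    strict_cfg = ServerConfig(our_names=ours, exempt_suffixes=())
    lenient_cfg = ServerConfig(our_names=ours, exempt_suffixes=(),
                               ignore_check_result=True)
    for zone in ("sub.example.", "other.example.", "home.arpa.", "lan.home.arpa."):
        for label, cfg in (("default", default_cfg), ("strict", strict_cfg),
                           ("lenient", lenient_cfg)):
            print(f"{zone:16} {label:8} {will_answer_authoritatively(zone, cfg)}")
```

With the exemption removed (the `strict_cfg` case), both home.arpa. itself and any zone beneath it are refused, which is the behaviour the draft's MUST is written to prevent; the default configuration skips the check for the home.arpa domain and the lenient one ignores its result, the two options the draft allows.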
