Dear Mark,
Thanks for your kind reply.
In RFC 2672,
"The synthesized CNAME RR, if provided, MUST have
The same CLASS as the QCLASS of the query,
TTL equal to zero,"
In RFC 6672,
"A CNAME RR with Time to Live (TTL) equal to the corresponding DNAME
RR is synthesized and
In message
The point is that the current policy for the root precludes an
unsecure delegation.
On Sun, Nov 20, 2016 at 9:20 PM, Mark Andrews wrote:
>
> In message
> , Ted
> Lemon writes:
>> Which do you want? TLSA, or
In message
, Ted Lemon
writes:
> Which do you want? TLSA, or delegation? You can't have both.
From a technical perspective an insecure delegation for .localhost
back to the root servers to break the DNSSEC chain of trust.