The point is that the current policy for the root precludes an unsecure delegation.
On Sun, Nov 20, 2016 at 9:20 PM, Mark Andrews <ma...@isc.org> wrote:
>
> In message
> <capt1n1kchdzvo+w0jyzx9+ozyi6t-dwuwq7-bz9smuumxsm...@mail.gmail.com>, Ted
> Lemon writes:
>> Which do you want? TLSA, or delegation? You can't have both.
>
> From a technical perspective an insecure delegation for .localhost
> back to the root servers to break the DNSSEC chain of trust. You
> can then populate a local .localhost however you see fit and have
> the answers validate as secure / insecure depending on whether the
> validator has a trust anchor for .localhost.
>
> As for the rest, we should not inflict the broken security model
> used here on every other use of domain names in this namespace. It
> does not belong to just one service. If the web wants a namespace
> that has these properties it can request one. It shouldn't
> hijack an existing space.
>
> Mark
>
>> On Fri, Nov 18, 2016 at 6:52 AM, Mark Andrews <ma...@isc.org> wrote:
>> >
>> > As I said on the sunset4 mailing list this goes too far.
>> >
>> > I don't know about you but I want to be able to look up TLSA records,
>> > SRV and other record types for foo.localhost and localhost.
>> >
>> > And by the way this also requires an insecure delegation in the root
>> > zone for DNSSEC to work with validating client.
>> >
>> > This isn't a good idea.
>> >
>> > Mark
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>> >
>> > _______________________________________________
>> > DNSOP mailing list
>> > DNSOP@ietf.org
>> > https://www.ietf.org/mailman/listinfo/dnsop