In message <CAPt1N1m8w6YThNB1FG-ZV=UVO9e+i=3-aoywEmVi19=wd1c...@mail.gmail.com>, Ted Lemon writes:
> The point is that the current policy for the root precludes an
> unsecure delegation.

Please quote the relevant documents that preclude this. From all
I've seen this is an open issue.

Mark

> On Sun, Nov 20, 2016 at 9:20 PM, Mark Andrews <ma...@isc.org> wrote:
> >
> > In message
> > <capt1n1kchdzvo+w0jyzx9+ozyi6t-dwuwq7-bz9smuumxsm...@mail.gmail.com>, Ted
> > Lemon writes:
> >> Which do you want? TLSA, or delegation? You can't have both.
> >
> > From a technical perspective an insecure delegation for .localhost
> > back to the root servers to break the DNSSEC chain of trust. You
> > can then populate a local .localhost however you see fit and have
> > the answers validate as secure / insecure depending on whether the
> > validator has a trust anchor for .localhost.
> >
> > As for the rest, we should not inflict the broken security model
> > used here on every other use of domain names in this namespace. It
> > does not belong to just one service. If the web wants a namespace
> > that has these properties it can request one. It shouldn't
> > hijack an existing space.
> >
> > Mark
> >
> >> On Fri, Nov 18, 2016 at 6:52 AM, Mark Andrews <ma...@isc.org> wrote:
> >> >
> >> > As I said on the sunset4 mailing list this goes too far.
> >> >
> >> > I don't know about you but I want to be able to lookup TLSA records,
> >> > SRV and other record types for foo.localhost and localhost.
> >> >
> >> > And by the way this also requires an insecure delegation in the root
> >> > zone for DNSSEC to work with a validating client.
> >> >
> >> > This isn't a good idea.
> >> >
> >> > Mark
> >> > --
> >> > Mark Andrews, ISC
> >> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> >> >
> >> > _______________________________________________
> >> > DNSOP mailing list
> >> > DNSOP@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/dnsop
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
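
An added illustration, not part of the thread and not written by its participants: a simplified Python model of how a validating resolver would classify a locally served answer for foo.localhost under the delegation options discussed in the message above. The `Cut` and `State` names, the `validate` function and all inputs are constructed for this example, and signature verification is assumed rather than performed.

```python
from enum import Enum

class Cut(Enum):  # what a signed parent zone publishes about a child name
    DS = "secure delegation: parent publishes a signed DS"
    NO_DS = "insecure delegation: parent proves that no DS exists"
    NXDOMAIN = "parent proves that the name does not exist"

class State(Enum):  # the four validation outcomes defined in RFC 4035
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"

def suffixes(name):
    """'foo.localhost.' -> ['.', 'localhost.', 'foo.localhost.'] (root first)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def validate(qname, signed, trust_anchors, parent_view):
    """Classify a positive answer for qname.

    signed        -- the answer carries signatures that verify (assumed, not computed)
    trust_anchors -- zone names for which the validator holds a configured key
    parent_view   -- constructed map: name -> Cut published by its signed parent
    """
    chain = suffixes(qname)
    anchored = [i for i, zone in enumerate(chain) if zone in trust_anchors]
    if not anchored:
        return State.INDETERMINATE   # no trust anchor covers this name
    # Start at the closest enclosing trust anchor and walk down toward qname.
    for zone in chain[anchored[-1] + 1:]:
        cut = parent_view.get(zone)
        if cut is Cut.NXDOMAIN:
            return State.BOGUS       # a signed denial contradicts the local answer
        if cut is Cut.NO_DS:
            return State.INSECURE    # chain of trust deliberately ends here
        # Cut.DS, or no zone cut at this label: still inside the signed chain
    return State.SECURE if signed else State.BOGUS

if __name__ == "__main__":
    root_only = {"."}
    for cut in (Cut.NXDOMAIN, Cut.NO_DS):
        result = validate("foo.localhost.", False, root_only, {"localhost.": cut})
        print(f"{cut.name:9} unsigned local answer -> {result.value}")
    both = {".", "localhost."}
    result = validate("foo.localhost.", True, both, {"localhost.": Cut.NO_DS})
    print(f"local trust anchor, signed answer -> {result.value}")
```
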