> On Nov 20, 2016, at 9:27 PM, Ted Lemon <mel...@fugue.com> wrote:
>
> The point is that the current policy for the root precludes an
> unsecure delegation.

Huh? If by "insecure delegation" you mean "no DS record", then there are plenty such delegations right now:

    $ comm -23 tlds tlds_with_ds | wc -l
    161

If you're referring to a policy for new delegations, there is indeed a requirement for the "Class of 2012" gTLDs that they be secure, i.e., have DS records. So it happens that all recent new TLDs in the root have been secure delegations, but it doesn't follow that every new delegation has to be a secure one. That's an issue we (the community) would have to decide upon and document in whatever document governed adding a hypothetical new TLD with an insecure delegation.

Personally, I think we'd better have a really good reason for adding a new TLD without a requirement for DNSSEC.

I further think that adding an insecure delegation in the root for localhost to permit DNSSEC validation of local names like foo.localhost is bad, because I think doing anything to encourage names like foo.localhost is a very bad idea. When I see localhost in whatever context, I think 127.0.0.1 and ::1. Any other answer would cause astonishment.

Matt
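
Added example, not part of the original message: one way to build the two sorted lists that the `comm -23` command above compares. It assumes a root zone in master-file format with one record per line (owner, TTL, class, type, rdata); the function names and the sample zone are constructed for illustration.

```shell
# Constructed sample zone: alpha. and charlie. have DS records,
# bravo. and delta. are delegated without one.
sample_zone() {
    cat <<'EOF'
.              518400 IN NS    ns.root.example.
alpha.         172800 IN NS    ns1.nic.alpha.
alpha.         172800 IN NS    ns2.nic.alpha.
alpha.         86400  IN DS    11111 8 2 00AA00AA00AA00AA
alpha.         86400  IN RRSIG DS 8 1 86400 20161201000000 20161120000000 1 . AAAA
bravo.         172800 IN NS    ns1.nic.bravo.
bravo.         86400  IN NSEC  charlie. NS RRSIG NSEC
CHARLIE.       172800 IN NS    ns1.nic.charlie.
charlie.       86400  IN DS    22222 8 2 00BB00BB00BB00BB
delta.         172800 IN NS    ns1.nic.delta.
ns1.nic.alpha. 172800 IN A     192.0.2.1
EOF
}

# Every delegated TLD: owners of NS records other than the root itself.
list_tlds() {
    awk '$3 == "IN" && $4 == "NS" && $1 != "." { print tolower($1) }' "$1" |
        LC_ALL=C sort -u
}

# Every TLD with at least one DS record. RRSIG records that cover DS
# have type RRSIG in field 4, so they are not counted here.
list_tlds_with_ds() {
    awk '$3 == "IN" && $4 == "DS" { print tolower($1) }' "$1" |
        LC_ALL=C sort -u
}

# TLDs delegated without a DS record, i.e. insecure delegations.
# comm -23 keeps lines that appear only in the first sorted file.
insecure_delegations() {
    tmp=$(mktemp -d) || return 1
    list_tlds "$1" > "$tmp/tlds"
    list_tlds_with_ds "$1" > "$tmp/tlds_with_ds"
    LC_ALL=C comm -23 "$tmp/tlds" "$tmp/tlds_with_ds"
    rm -rf "$tmp"
}

# Demo on the constructed zone: list the insecure delegations.
demo_zone=$(mktemp)
sample_zone > "$demo_zone"
insecure_delegations "$demo_zone"
rm -f "$demo_zone"
```

Piping the output of `insecure_delegations` through `wc -l` gives the same kind of count as the command in the message.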