On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon <mel...@fugue.com> wrote:

> Brian, there's no need for the complexity you are describing. The
> unsecured delegation of .homenet would just point to AS112. Any trust
> anchor bootstrapping would not involve the root at all.

Is the intent just to have a global NXDOMAIN, provided with no DNSSEC?

That works at preventing homenet from working unless every resolver inside the home network is homenet-aware. (And yes, I realize as currently specified in RFC 7778, that is a requirement.)

However, I don't believe that is the only (or optimal) path for the homenet. Their stated goal is that they want everything to work, plug-and-play.

What I'm proposing will (I believe) actually produce a working network as long as a single resolver is homenet-aware. It automatically gets non-homenet-aware resolvers to point at homenet-aware resolvers (i.e. homenet routers), as long as the default address for homenet routers' DNS service is the same as the value assigned in the AS112-like delegation.

I.e. it turns a broken hybrid of "today" networks plus a "homenet" into a fully functional homenet with a minimum of deployments/upgrades/replacements.

It also minimizes the "broken Christmas light" aka "missing terminator" class of problem, if any host is running its own recursive resolver (which would then fail to properly integrate into the homenet).

(Also, I think having things with built-in firmware-based crappy resolvers actually work without any patching would be nice.)

I agree that an unsigned delegation is sufficient for non-hybrid homenet-aware gear to provide hosts a correct homenet experience.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop