On Wed, Feb 1, 2017 at 3:58 PM, Ted Lemon <mel...@fugue.com> wrote: > On Feb 1, 2017, at 3:50 PM, Ralph Droms <rdroms.i...@gmail.com> wrote: > > It appears to me that requesting an insecure delegation is the right thing > to do, as a "technical use". We have, so far, been very careful in what we > ask for. If ICANN does not agree, then we can discuss other options. > > > I agree. > > > I'm confused. The .ALT TLD is expected to be used for non-DNS name > lookups. So isn't a secure denial of existence exactly what we want for > .ALT? What is the utility in having an un-signed delegation? > > As I understand it, the idea is that if someone incorrectly looks up a .alt name in DNS, we want an answer that causes the requester and recursive resolver to not ask again, both to reduce traffic to the roots, and to minimize leakage of information. If querying 'something.alt', a delegation would be cached at the '.alt' level, but an NXDOMAIN would be cached as 'something.alt', and 'other.alt' would not be covered.
-- Bob Harold
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
