In message <99431a77-7b62-4655-89ef-faa32f2a8...@gmail.com>, Brian Dickson writes:

> The suggestion of DNAME to empty.as112.arpa involves some subtle details,
> which IMHO may in combination be the right mix here.
>
> The DNAME target is an insecure empty zone.
>
> This avoids the validation issue, and facilitates use of local "alt"
> namespaces.

No it doesn't.

> The default response to queries under alt would be unsigned NXDOMAINs.

No, it would be a secure response saying that foo.alt is covered by a DNAME.
The names under empty.as112.arpa are unsigned NXDOMAINs. The difference
between the two descriptions is critical to why a DNAME in the root zone will
not work. You *have* to leak names to the root to get a DNAME returned by
ordinary processing because the DNAME is signed.

> I am not seeing a problem with this.
>
> Am I missing anything?

Yes. A solution that *works*.

> Brian
>
> Sent from my iPhone

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
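The distinction Mark draws (a signed DNAME answer from the root versus an unsigned NXDOMAIN from the empty target zone, and the fact that the name has to reach the root for the DNAME to be returned at all) can be made concrete with a small resolver model. The following is an added example, not code from the thread or from any DNS implementation; the zone layout, the `Zone`/`Step` types and the assumption that empty.as112.arpa is served as an unsigned zone are constructed for illustration. It implements DNAME substitution as described in RFC 6672 and records, for a query under .alt, which zones answered, whether the DNAME came from a signed zone, and what the final response looks like. A second layout, where the resolver serves a local unsigned alt. zone, shows the other side of the trade-off: the root never sees the name, and no DNAME is ever returned.

```python
# Added example: toy model of resolution for names under .alt when the root zone
# carries a signed DNAME to an unsigned empty zone. Not from the thread; the zone
# layout below is an assumption for illustration only.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                   # apex, e.g. "." or "empty.as112.arpa."
    signed: bool                                # does the zone carry DNSSEC signatures?
    dnames: dict = field(default_factory=dict)  # DNAME owner -> target
    names: set = field(default_factory=set)     # names that exist in the zone


@dataclass
class Step:
    zone: str          # zone that produced this part of the answer
    kind: str          # "DNAME", "CNAME" (synthesized), "NXDOMAIN" or "NOERROR"
    owner: str
    rdata: str = ""
    signed: bool = False


def labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def is_subdomain(name, ancestor):
    """True if name is a *proper* subdomain of ancestor (both fully qualified)."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


def dname_substitute(qname, owner, target):
    """RFC 6672 section 2.2: replace the DNAME owner suffix of qname with target."""
    n, o = labels(qname), labels(owner)
    return ".".join(n[:len(n) - len(o)] + labels(target)) + "."


def closest_zone(zones, name):
    """The zone with the longest apex that is name itself or an ancestor of it."""
    best = None
    for z in zones:
        if z.name == name or is_subdomain(name, z.name):
            if best is None or len(labels(z.name)) > len(labels(best.name)):
                best = z
    return best


def resolve(zones, qname, max_chain=4):
    """Follow DNAME redirections as a resolver would, recording every step."""
    steps, name = [], qname
    for _ in range(max_chain):
        z = closest_zone(zones, name)
        # A DNAME applies to proper subdomains of its owner, never to the owner.
        hit = next((o for o in z.dnames if is_subdomain(name, o)), None)
        if hit:
            target = z.dnames[hit]
            steps.append(Step(z.name, "DNAME", hit, target, z.signed))
            new = dname_substitute(name, hit, target)
            # The accompanying CNAME is synthesized by the server and is unsigned.
            steps.append(Step(z.name, "CNAME", name, new, False))
            name = new
            continue
        kind = "NOERROR" if name in z.names else "NXDOMAIN"
        steps.append(Step(z.name, kind, name, "", z.signed))
        return steps
    raise RuntimeError("DNAME chain too long")


def summarize(steps):
    """What a validating resolver ends up holding after following the chain."""
    final, dnames = steps[-1], [s for s in steps if s.kind == "DNAME"]
    return {
        "zones_queried": [s.zone for s in steps if s.kind != "CNAME"],
        "dname_secure": bool(dnames) and all(s.signed for s in dnames),
        "final_rcode": final.kind,
        "final_name": final.owner,
        "final_signed": final.signed,
    }


# Constructed layout: signed root holding DNAME alt. -> empty.as112.arpa., and an
# unsigned empty.as112.arpa. zone (assumed to hang off an insecure delegation).
ROOT_DNAME = [
    Zone(".", signed=True, dnames={"alt.": "empty.as112.arpa."}, names={".", "alt."}),
    Zone("arpa.", signed=True, names={"arpa.", "as112.arpa."}),
    Zone("empty.as112.arpa.", signed=False, names={"empty.as112.arpa."}),
]

# Same layout, but the resolver also serves its own unsigned local alt. zone,
# so names under alt are answered locally and never reach the root.
LOCAL_ALT = ROOT_DNAME + [Zone("alt.", signed=False, names={"alt."})]

if __name__ == "__main__":
    for label, zones in (("root DNAME", ROOT_DNAME), ("local alt zone", LOCAL_ALT)):
        print(label, summarize(resolve(zones, "foo.alt.")))
```

With the root-DNAME layout, `foo.alt.` produces a DNAME from the signed root zone (so the "covered by a DNAME" part of the answer validates), a synthesized CNAME to `foo.empty.as112.arpa.`, and an NXDOMAIN from the unsigned empty zone; the root is the first zone queried. With the local alt. zone the root is never contacted, but the answer then contains no DNAME at all, which is the point about ordinary processing needing the name to leak to the root.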