> On Mar 23, 2017, at 2:30 PM, Ted Lemon <mel...@fugue.com> wrote:
>
> On Mar 23, 2017, at 2:11 PM, Ralph Droms <rdroms.i...@gmail.com> wrote:
>> No snark intended, but if "the protocol" were really just DNS, we wouldn't
>> be having this discussion. Rather, it is the DNS wire protocol using a
>> local resolution context rather than the root zone. In any event, yes, the
>> locally served homenet zone can function with DNSSEC.
>
> So do locally-served zones, by this definition, use a different protocol?
I think saying "different protocol" is not accurate and risks being a distraction. Rather, Ralph's comment about "resolution context" is important and gets to the heart of the issue.

Before DNSSEC, a recursive name server could also be authoritative for local zones or use other mechanisms (such as stub zones and conditional forwarding) to "short circuit" resolution to handle the local context and not send traffic to the root, and everything resolved just fine. Now, with DNSSEC validation enabled, zones in this "local resolution context" need to chain up to a trust anchor somewhere. If there's not a chain of trust from the root, a local trust anchor is needed for validation to succeed.

Consider a corporate split DNS example. Let's say Acme Corp maintains two versions of the zone acme.com, one for external consumption (delegated to from .com) and another version for internal use. Their internal recursive name servers use some mechanism (local authoritative zones, stub zones, etc.) to ensure that internally generated queries resolve against the internal version of acme.com. Let's also say that Acme Corp signs both the internal and external versions of acme.com and that their internal recursive servers have DNSSEC validation enabled. The chain of trust from the root leads to the external acme.com, so the internal recursive servers will need a trust anchor for the internal version of acme.com or validation fails.

homenet uses a local resolution context without a local trust anchor, hence the request for special casing in the root.

Matt
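An added illustration, not from the thread and not any resolver's real code, of the chain-of-trust walk Matt describes: a toy validator in which keys are opaque bytes and DS is a sha256 stand-in (no real signatures), with constructed key names and a constructed `local.` zone standing in for a locally served zone whose parent carries no DS. It shows the internal acme.com coming out bogus under the root anchor alone, secure once a local trust anchor for the internal key is configured, and the undelegated local zone coming out insecure rather than bogus.

```python
import hashlib

def ds_digest(name: str, dnskey: bytes) -> str:
    """DS = digest over owner name + DNSKEY (toy: sha256, no real RR wire format)."""
    return hashlib.sha256(name.lower().encode() + dnskey).hexdigest()

def parent_of(name: str):
    """'acme.com.' -> 'com.', 'com.' -> '.', '.' -> None."""
    return None if name == "." else (name.partition(".")[2] or ".")

def validate(name: str, view: dict, anchors: dict) -> str:
    """Chain `name` up to a trust anchor; return secure/insecure/bogus.
    view: zone -> {"key": bytes, "ds": {child: digest}} as seen in this
    resolution context; anchors: zone -> DS digest configured locally."""
    digest = ds_digest(name, view[name]["key"])
    if name in anchors:  # a local trust anchor ends the walk here
        return "secure" if anchors[name] == digest else "bogus"
    parent = parent_of(name)
    if parent is None:
        return "insecure"  # walked off the top with no anchor at all
    parent_ds = view[parent]["ds"]
    if name not in parent_ds:  # unsigned delegation; toy assumes that
        return "insecure"      # absence of DS is itself authenticated
    if parent_ds[name] != digest:
        return "bogus"  # parent vouches for a different key than we saw
    return validate(parent, view, anchors)  # as secure as the parent is

# Constructed key material and names; nothing here is a real zone's key.
ROOT_KEY, COM_KEY = b"root-ksk", b"com-ksk"
EXT_KEY, INT_KEY = b"acme-external-ksk", b"acme-internal-ksk"
ROOT_ANCHOR = {".": ds_digest(".", ROOT_KEY)}

def build_view(acme_key: bytes) -> dict:
    """One resolution context: root and com as published, acme.com as this
    resolver sees it, plus 'local.' as a constructed stand-in for a locally
    served zone that its parent carries no DS for."""
    return {
        ".": {"key": ROOT_KEY, "ds": {"com.": ds_digest("com.", COM_KEY)}},
        "com.": {"key": COM_KEY, "ds": {"acme.com.": ds_digest("acme.com.", EXT_KEY)}},
        "acme.com.": {"key": acme_key, "ds": {}},
        "local.": {"key": b"local-ksk", "ds": {}},
    }

def split_dns_demo() -> dict:
    internal = build_view(INT_KEY)
    with_local_anchor = {**ROOT_ANCHOR, "acme.com.": ds_digest("acme.com.", INT_KEY)}
    return {
        "external, root anchor": validate("acme.com.", build_view(EXT_KEY), ROOT_ANCHOR),
        "internal, root anchor only": validate("acme.com.", internal, ROOT_ANCHOR),
        "internal, plus local anchor": validate("acme.com.", internal, with_local_anchor),
        "local zone, no DS in parent": validate("local.", internal, ROOT_ANCHOR),
    }
```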
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop