You should steal the text from the dot home RFC.

On Mon, Jun 18, 2018 at 9:30 PM David Schinazi <dschin...@apple.com> wrote:
> Hi, responses inline.
>
> On Tue, Jun 12, 2018 at 11:16 PM Mark Andrews <ma...@isc.org> wrote:
>
>> This does not meet my requirements. There is zero need for any part of
>> the normal DNS resolution process to know that IPV4ONLY.ARPA is special
>> if IANA stopped signing the zone.
>
> Could you take a look at draft-cheshire-sudn-ipv4only-dot-arpa please? It
> explains why some parts of the DNS resolution process do need to treat
> ipv4only.arpa as special, regardless of DNSSEC.
>
> On Jun 13, 2018, at 19:19, Warren Kumari <war...@kumari.net> wrote:
>
>> I read that a few times, and even when squinting I cannot figure out how
>> that is supposed to work. Can someone enlighten me? I can see how a signed
>> ipv4only.arpa allows a validating DNS64 server to validate the (well
>> known!) v4 addresses, but the malicious AAAA RR detection bit confuses me...
>
> I agree, there is no point in signing the A records for ipv4only.arpa
> since they are well-known, and for the same reason there is no point in
> checking it. So having A records signed or unsigned is irrelevant since no
> one should be querying for these A records anyway. Similarly, since the
> whole purpose of the AAAA records for ipv4only.arpa is to be overridden by
> a DNS64 recursive resolver which is not owned by .arpa, checking signatures
> will not validate anything useful.
>
> I agree with Mark's point that queries will fail when the client is behind
> a validating resolver that has no special knowledge of ipv4only.arpa.
>
> To resolve this, we'll update draft-cheshire-sudn-ipv4only-dot-arpa to
> mention that ipv4only.arpa MUST NOT be signed.
>
> Thanks,
> David
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
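The mechanism the thread is arguing about, as an added example that is not part of this thread or of the draft: a client-side check, following RFC 7050, that takes the AAAA records a resolver returned for ipv4only.arpa and recovers the NAT64 prefix a DNS64 resolver embedded them in. It assumes the Well-Known IPv4 Addresses 192.0.0.170 and 192.0.0.171 and the RFC 6052 embedding positions (neither is quoted above), and the AAAA answers are constructed samples.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

# Well-Known IPv4 Addresses that the A records of ipv4only.arpa hold (RFC 7050,
# not quoted in the thread). A DNS64 resolver synthesizes AAAA records that
# embed one of these in its NAT64 prefix; a plain resolver returns no AAAA.
WKA = {IPv4Address("192.0.0.170"), IPv4Address("192.0.0.171")}

# Prefix lengths at which RFC 6052 allows an IPv4 address to be embedded.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embedded_ipv4(addr: IPv6Address, plen: int) -> IPv4Address:
    """Extract the IPv4 address embedded at RFC 6052 prefix length plen.
    Byte 8 (bits 64-71, the 'u' octet) is skipped for the 40..64 layouts."""
    b = addr.packed
    raw = {
        32: b[4:8],
        40: b[5:8] + b[9:10],
        48: b[6:8] + b[9:11],
        56: b[7:8] + b[9:12],
        64: b[9:13],
        96: b[12:16],
    }[plen]
    return IPv4Address(raw)


def discover_nat64_prefix(aaaa_rrset: list[str]) -> Optional[IPv6Network]:
    """Return the NAT64 prefix used to synthesize the AAAA records for
    ipv4only.arpa, or None when no record embeds a WKA (no DNS64 in the
    path) or the records disagree on the prefix (treat as untrustworthy)."""
    found = set()
    for rr in aaaa_rrset:
        addr = IPv6Address(rr)
        for plen in RFC6052_PREFIX_LENGTHS:
            if embedded_ipv4(addr, plen) in WKA:
                # Keep only the first plen bits; shortest match wins here
                # (this example's own choice, not mandated by RFC 7050).
                found.add(IPv6Network((addr, plen), strict=False))
                break
    if len(found) != 1:
        return None
    return found.pop()


if __name__ == "__main__":
    # Constructed sample: what a DNS64 using the well-known prefix returns.
    print(discover_nat64_prefix(["64:ff9b::c000:aa", "64:ff9b::c000:ab"]))
```

Because the answer is recognised by the embedded well-known address rather than by a signature, the check works whether or not ipv4only.arpa is signed; a validating stub that insisted on DNSSEC proof of these synthesized AAAA records would reject exactly the answer this code is looking for, which is the failure Mark describes.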