On Jun 18, 2020, at 2:24 PM, Warren Kumari <war...@kumari.net> wrote:
> ... and I should point out that this was one of the arguments in
> https://tools.ietf.org/html/draft-wkumari-dnsop-internal-00#section-4.3
> for an (insecure) delegation (just like home.arpa has). Currently
> operating system vendors (and similar) cannot realistically ship
> validating stub resolvers - having BYOD users suddenly unable to
> resolve www.corp on your shiny new phone/tablet/laptop results in
> outrage, and customers buying your competitor's widget instead.

This is another way of framing the issue. What I’m trying to get at is that we 
should be telling people how to do this in a way that doesn’t break validating 
resolvers. At least, I think we should. I think there are two facets to this:

1. If your stub resolver validates, it must be possible to provision a trust 
anchor for a private zone.
2. When you set up a private zone, you should use a zone the existence of which 
isn’t securely denied.
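The second facet, illustrated with an added example that is not code from this thread or from any resolver: a toy classifier that applies a parent zone's NSEC chain the way a validating resolver would, showing why a name like www.corp under the signed root is securely denied (bogus for a validating stub) while a name under an insecure delegation such as home.arpa is merely insecure. The NSEC chains below are constructed and heavily simplified, and the function names are my own.

```python
# Simplified NSEC denial-of-existence logic (RFC 4034/4035), added for illustration.
# Assumption: a chain is a list of (owner, next_owner, set_of_types) tuples.

def _labels(name):
    """Lower-cased labels, root-first, for RFC 4034 section 6.1 canonical ordering."""
    return [l.lower().encode() for l in reversed(name.rstrip(".").split(".")) if l]

def canonical_cmp(a, b):
    """Return -1/0/1 comparing a and b label by label starting at the root."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def is_subdomain(name, ancestor):
    la, lb = _labels(name), _labels(ancestor)
    return len(la) > len(lb) and la[:len(lb)] == lb

def nsec_covers(owner, nxt, qname):
    """True if NSEC owner->nxt proves qname absent; handles the wrap-around last record."""
    if canonical_cmp(nxt, owner) <= 0:               # last NSEC points back to the apex
        return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, nxt) < 0
    return canonical_cmp(owner, qname) < 0 < canonical_cmp(nxt, qname)

def classify(qname, chain):
    """How a validator treats qname given the signed NSEC chain of the parent zone."""
    for owner, _, types in chain:
        delegation = "NS" in types and "SOA" not in types   # NS without SOA = cut point
        if canonical_cmp(owner, qname) == 0 or (delegation and is_subdomain(qname, owner)):
            if not delegation:
                return "exists"
            return "secure-delegation" if "DS" in types else "insecure-delegation"
    for owner, nxt, _ in chain:
        if nsec_covers(owner, nxt, qname):
            return "securely-denied"        # a validating stub would treat this as bogus
    return "unproven"

# Constructed, simplified chains (not real zone data): a root with three TLDs, and an
# arpa zone where home.arpa is an insecure delegation (NS, no DS) as RFC 8375 requests.
ROOT_CHAIN = [
    (".",     "arpa.", {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("arpa.", "com.",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("com.",  "org.",  {"NS", "DS", "RRSIG", "NSEC"}),
    ("org.",  ".",     {"NS", "DS", "RRSIG", "NSEC"}),
]
ARPA_CHAIN = [
    ("arpa.",         "home.arpa.",    {"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"}),
    ("home.arpa.",    "in-addr.arpa.", {"NS", "RRSIG", "NSEC"}),
    ("in-addr.arpa.", "arpa.",         {"NS", "DS", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for q, chain in (("www.corp.", ROOT_CHAIN), ("www.corp.home.arpa.", ARPA_CHAIN)):
        print(q, "->", classify(q, chain))
```

Run it to see www.corp. classified as securely denied against the root chain and www.corp.home.arpa. as an insecure delegation against the arpa chain.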

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop