DNSSEC describes the delegation as "insecure".
Old:
In addition, it's necessary, for compatibility with DNSSEC
(Section 6), that an unsigned delegation be present for the name.
There is an existing process for allocating names under '.arpa'
[RFC3172]. No such process is available for requesting a similar
delegation in the root at the request of the IETF, which does not
administer that zone. As a result, the use of '.home' is deprecated.
New:
In addition, it's necessary, for compatibility with DNSSEC
(Section 6), that an insecure delegation be present for the name.
There is an existing process for allocating names under '.arpa'
[RFC3172]. No such process is available for requesting a similar
delegation in the root at the request of the IETF, which does not
administer that zone. As a result, the use of '.home' is deprecated.
Paragraph 5 doesn't read well and won't match reality once the
insecure delegation of home.arpa is in place.
5. No special processing of 'home.arpa.' is required for
authoritative DNS server implementations. It is possible that an
authoritative DNS server might attempt to check the authoritative
servers for 'home.arpa.' for a delegation beneath that name
before answering authoritatively for such a delegated name. In
such a case, because the name always has only local significance
there will be no such delegation in the 'home.arpa.' zone, and so
the server would refuse to answer authoritatively for such a
zone. A server that implements this sort of check MUST be
configurable so that either it does not do this check for the
'home.arpa.' domain, or it ignores the results of the check.
The delegatation is INSECURE and SIGNED not UNSIGNED. The wording
here is *important*.
Old:
7. Delegation of 'home.arpa.'
In order to be fully functional, there must be a delegation of
'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST
NOT be signed, MUST NOT include a DS record, and MUST point to one or
more black hole servers, for example 'blackhole-1.iana.org.' and
'blackhole-2.iana.org.'. The reason that this delegation must not be
signed is that not signing the delegation breaks the DNSSEC chain of
trust, which prevents a validating stub resolver from rejecting names
published under 'home.arpa.' on a homenet name server.
New:
7. Delegation of 'home.arpa.'
In order to be fully functional, there must be a delegation of
'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation
MUST be insecure, MUST NOT include a DS record, and MUST point
to one or more black hole servers, for example 'blackhole-1.iana.org.'
and 'blackhole-2.iana.org.'. The reason that this delegation
must be insecure is that it breaks the DNSSEC chain of trust,
which prevents a validating stub resolver from rejecting names
published under 'home.arpa.' on a homenet name server.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
