DNSSEC describes the delegation as "insecure". Old: In addition, it's necessary, for compatibility with DNSSEC (Section 6), that an unsigned delegation be present for the name. There is an existing process for allocating names under '.arpa' [RFC3172]. No such process is available for requesting a similar delegation in the root at the request of the IETF, which does not administer that zone. As a result, the use of '.home' is deprecated.
New: In addition, it's necessary, for compatibility with DNSSEC (Section 6), that an insecure delegation be present for the name. There is an existing process for allocating names under '.arpa' [RFC3172]. No such process is available for requesting a similar delegation in the root at the request of the IETF, which does not administer that zone. As a result, the use of '.home' is deprecated. Paragraph 5 doesn't read well and won't match reality once the insecure delegation of home.arpa is in place. 5. No special processing of 'home.arpa.' is required for authoritative DNS server implementations. It is possible that an authoritative DNS server might attempt to check the authoritative servers for 'home.arpa.' for a delegation beneath that name before answering authoritatively for such a delegated name. In such a case, because the name always has only local significance there will be no such delegation in the 'home.arpa.' zone, and so the server would refuse to answer authoritatively for such a zone. A server that implements this sort of check MUST be configurable so that either it does not do this check for the 'home.arpa.' domain, or it ignores the results of the check. The delegatation is INSECURE and SIGNED not UNSIGNED. The wording here is *important*. Old: 7. Delegation of 'home.arpa.' In order to be fully functional, there must be a delegation of 'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST NOT be signed, MUST NOT include a DS record, and MUST point to one or more black hole servers, for example 'blackhole-1.iana.org.' and 'blackhole-2.iana.org.'. The reason that this delegation must not be signed is that not signing the delegation breaks the DNSSEC chain of trust, which prevents a validating stub resolver from rejecting names published under 'home.arpa.' on a homenet name server. New: 7. Delegation of 'home.arpa.' In order to be fully functional, there must be a delegation of 'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST be insecure, MUST NOT include a DS record, and MUST point to one or more black hole servers, for example 'blackhole-1.iana.org.' and 'blackhole-2.iana.org.'. The reason that this delegation must be insecure is that it breaks the DNSSEC chain of trust, which prevents a validating stub resolver from rejecting names published under 'home.arpa.' on a homenet name server. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet