On Jun 12 2012, Tony Finch wrote:
>Joe Abley <joe.abley@ican...> wrote:
>>
>> Since these are all junk domains of no global significance, it's hard to
>> see how they could be signed. The expectation is (as currently) that
>> they would not be.
>
>And rightly so.
>
>Since it is normal (especially for the RFC1918 zones) for sites to have
>local versions of the zones, it is much easier operationally if the zones
>are not signed. If they are signed then any site that overrides them would
>have to distribute trust anchors to all validators, so that they are able
>to resolve the local names without rejecting them as bogus. If the AS112
>zones are not signed then distributing trust anchors for local versions is
>optional, depending on whether the site wants to bother validating them.

See also RFC 6303, section 7, paragraph 2:
* As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
* namespaces, the zones listed above will need to be delegated as
* insecure delegations, or be within insecure zones. This will allow
* DNSSEC validation to succeed for queries in these spaces despite not
* being answered from the delegated servers.
--
Chris Thompson               University of Cambridge Computing Service,
Email: cet1@ucs....          New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
_______________________________________________
DNSOP mailing list
DNSOP@ietf...
https://www.ietf.org/mailman/listinfo/dnsop
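
A validator-side view of the point made in this thread, as an added example that is not part of the original messages: an Unbound configuration for a site that serves its own copy of 10.in-addr.arpa. The server address 192.0.2.53 and the key file path are assumed placeholders.

```conf
# Constructed example: site-local override of an RFC 1918 reverse zone.
server:
    # Unbound answers the AS112 zones itself by default; disable that
    # built-in answer for the zone the site serves locally.
    local-zone: "10.in-addr.arpa." nodefault

    # Optional, and only useful if the site signs its local copy:
    # a trust anchor for that copy. While the public zone is an insecure
    # delegation, this line can stay commented out and local answers
    # resolve as insecure rather than bogus. If the public zone were
    # signed, every validator at the site would need this anchor.
    # trust-anchor-file: "/etc/unbound/keys/10.in-addr.arpa.key"  # assumed path

# Send queries for the zone to the site's internal authoritative server.
stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 192.0.2.53    # assumed address of the internal server
```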