> On 17 Apr 2025, at 19:49, Ben Schwartz <[email protected]> wrote:
>
> I wonder if we could use this draft, if adopted, to recommend an insecure
> delegation for .internal (and any future domains of this kind?) back to the
> root.
I assume that the intent is that an unsigned delegation for .internal in the public DNS root zone would allow local overrides for .internal domains.

This introduces a significant security issue: attackers can more easily spoof local .internal queries, as no cryptographic proof of authenticity exists. Deploying an unsigned delegation for .internal allows a unilateral downgrade attack on all internal namespaces.

An alternative is a Negative Trust Anchor (NTA, RFC 7646). NTAs explicitly instruct validating stub resolvers to treat a namespace (in this case, .internal) as unsigned locally. They are explicitly configured locally, so validation is intentionally bypassed by trusted local administrators rather than globally disabled for everyone. It clearly signals administrative intent and control.

Roy

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
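For readers who want to see what the locally configured alternative Roy describes looks like in practice, the following is an added configuration example (not from the thread, and not from RFC 7646 or the draft under discussion). It is written for Unbound, whose `domain-insecure` option implements a standing negative trust anchor for a name and everything below it. The authoritative server addresses 10.0.0.53 and 10.0.1.53 and the trust-anchor file path are made-up values for illustration.

```conf
# Added example (not from the DNSOP thread). An Unbound recursive resolver
# that keeps DNSSEC validation on for the public tree but treats "internal."
# as unsigned by local administrative decision.
#
# Assumed (made up for this example): the organisation's authoritative
# servers for internal. are 10.0.0.53 and 10.0.1.53 (RFC 1918 addresses),
# and the root trust anchor is kept in /var/lib/unbound/root.key.
server:
    # Global validation stays enabled; only the root key is trusted.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The negative trust anchor. Names at and below internal. are treated
    # as if unsigned: the root zone's signed proof that "internal" does not
    # exist (or any DS record that might appear for it later) is ignored for
    # this name only. Every other name is still validated, and only this
    # resolver is affected, unlike an unsigned delegation in the root zone,
    # which would downgrade every validating resolver on the Internet.
    domain-insecure: "internal."

    # If private-address rebinding protection is configured, internal. must
    # be allowed to return RFC 1918 addresses in its answers.
    private-domain: "internal."

# Route internal. queries to the organisation's own authoritative servers
# rather than asking the public root, which would answer NXDOMAIN.
stub-zone:
    name: "internal."
    stub-addr: 10.0.0.53
    stub-addr: 10.0.1.53
```

To check the result, a query such as `dig +dnssec host.internal @resolver` should return an answer without the AD bit (and not SERVFAIL), while a signed public name queried through the same resolver still comes back with AD set. The equivalent standing override in BIND 9 is `validate-except { "internal"; };` in `options`, paired with a `static-stub` zone; BIND's `rndc nta internal` adds a time-limited negative trust anchor in the RFC 7646 sense, which is the right tool when the override is meant to be temporary rather than a permanent policy.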
