On 5/6/25 20:09, Paul Hoffman wrote:
> On May 6, 2025, at 09:56, Ted Lemon wrote:
>> I think that you're trying to solve two different problems here. The first
>> problem is just generally what can you do to avoid causing a validation
>> failure? The second problem is, how can you actually validate locally served
>> domains?
>>
>> They are both really interesting questions, and I think that it would be very
>> useful to consider how we would solve the problem of validating locally served
>> domains.
>>
>> However, this does not absolve us of the responsibility to make sure that we
>> don't accidentally cause validation failures where they are inappropriate. We
>> already have prior art on this. We know how to solve this problem. RFCs that
>> solve this problem all solve that in exactly the same way.
>
> ...and that way might not work the way we want, and thus should be defined in
> RFCs before we make recommendations about them. In specific, we don't have any
> RFCs that deal with insecure delegation for clients that move around.

This is provably incorrect. 10.in-addr.arpa is an insecure delegation
with network-dependent content, and it has worked for decades. Please
let's not create more diversions from the actual problem at hand, which
is the missing insecure delegation. I.e. I fully agree with Ted Lemon.
--
Petr Špaček