Roman Danyliw via Datatracker <[email protected]> wrote: > [per -18] I’m not sure if this my misreading of the behavior of > internal clients. To clarify, the (internal) Homenet DNSSEC Resolver > will “... resolves the DS record on the Global DNS and the name > associated to the Public Homenet Zone (myhome.example) on the Public > Authoritative Servers.”? Why would the internal resolver serving a > request for an internal client for an internal service go to the Global > DNS if the information if it could come from the internal Homenet Zone > it is already configured with?
Because it needs the glue records to prove it is authoritative.
> As an operational consideration, why go
> outside of the network if you don’t need to? As a privacy
> consideration, why leak the request to an outside entity if the network
> already has the information.
> [per -20] Thanks for the revised text: On the other hand, to provide
> resilience to the Public Homenet Zone in case of WAN connectivity
> disruption, the Homenet DNSSEC Resolver SHOULD be able to perform the
> resolution on the Homenet Authoritative Servers.
> -- Is there a reason this can’t be a MUST?
If the resolver and cache have been offline for long enough, any cached chain
of DS/NS/DNSKEY records from . down to the myhome.example might have expired.
(Consider a DNSSEC resolver on a host behind the gateway)
What to do in this situation has many answers with different tradeoffs.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
