[dns-operations] .Org DNSSEC key management policy feedback
Matt Larson
mlarson at verisign.com
Tue Jun 23 14:17:20 UTC 2009
Mark,
On Tue, 23 Jun 2009, Mark Andrews wrote:
> In message <BDDA5135-E57B-4EE5-AC1B-C6E414729E6D at dnss.ec>, Roy Arends writes:
> > By that time, this policy should be configurable, and eventually, the
> > default can be changed on behalf on market demand.
>
> People need "trust the closest trust anchor only" policy now.
>
> People will never need "use any possible trust anchor" policy.
> It might be nice to have but it will never be a needed policy.
This issue is far from settled. There has been vigorous debate about
it on namedroppers: look for every message with "trust" in the subject
line from last year (which is easy for us "mutt" users, but I
digress.)
In fact, the latest version of the dnssec-bis-updates draft calls for
trying all trust anchors until one succeeds and for a configurable
option to enable favoring the closest trust anchor to the QNAME.
Please see:
http://tools.ietf.org/html/draft-ietf-dnsext-dnssec-bis-updates-08#section-4.8
I'm going to start a thread on namedroppers about this, which is
really the better location for this discussion.
Matt
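The two policies under debate above, "trust the closest trust anchor only" versus "try all trust anchors until one succeeds" (with the optional preference for the anchor closest to the QNAME described in section 4.8 of the draft), are easiest to compare on a small simulation. The following Python is an added example and is not code from the email, from BIND, or from the draft. Chain building and signature checking are replaced by a constructed table of outcomes per (anchor, qname) pair, so nothing touches real DNS; the anchor names and outcomes are made up to show the one case where the policies diverge: a locally configured anchor for a child zone that has gone stale after a key rollover while the chain from the root is still intact.

```python
"""Simulate DNSSEC trust-anchor selection policies.

Added example: compares "closest trust anchor only" with "try every
applicable anchor until one validates" (optionally closest first).
Validation itself is stubbed with a constructed outcome table; no DNS
queries or cryptographic checks are performed.
"""
from typing import Dict, List, Tuple

Name = str
# (anchor zone, qname) -> "secure" | "bogus"; missing pairs are treated as
# "bogus" (a chain could not be built from that anchor).
OutcomeTable = Dict[Tuple[Name, Name], str]


def labels(name: Name) -> List[str]:
    """Split an absolute name into labels; the root becomes an empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_at_or_above(anchor: Name, qname: Name) -> bool:
    """True if the anchor's zone is an ancestor of (or equal to) qname."""
    a, q = labels(anchor), labels(qname)
    return len(a) <= len(q) and (len(a) == 0 or q[-len(a):] == a)


def applicable_anchors(anchors: List[Name], qname: Name) -> List[Name]:
    """Anchors whose zone covers qname, ordered closest (deepest) first."""
    covering = [a for a in anchors if is_at_or_above(a, qname)]
    return sorted(covering, key=lambda a: len(labels(a)), reverse=True)


def closest_only(anchors: List[Name], qname: Name,
                 outcomes: OutcomeTable) -> str:
    """Policy 1: validate only via the anchor nearest to the QNAME."""
    cands = applicable_anchors(anchors, qname)
    if not cands:
        return "insecure"  # no anchor covers the name; nothing to validate against
    return outcomes.get((cands[0], qname), "bogus")


def try_all(anchors: List[Name], qname: Name, outcomes: OutcomeTable,
            prefer_closest: bool = True) -> Tuple[str, List[Tuple[Name, str]]]:
    """Policy 2: try every applicable anchor; secure if any chain validates.

    Returns the final status and the list of (anchor, result) attempts so
    the order in which anchors were consulted can be inspected.
    """
    cands = applicable_anchors(anchors, qname)
    if not prefer_closest:
        # Root-first order: shallowest anchor consulted first.
        cands = sorted(cands, key=lambda a: len(labels(a)))
    attempts: List[Tuple[Name, str]] = []
    for anchor in cands:
        result = outcomes.get((anchor, qname), "bogus")
        attempts.append((anchor, result))
        if result == "secure":
            return "secure", attempts
    return ("bogus" if cands else "insecure"), attempts


# Constructed scenario (hypothetical names and outcomes):
#  - the resolver has the root anchor and a locally configured anchor for
#    example.org. that was not updated after a KSK rollover, so chains built
#    from it fail while the chain from the root via .org still validates.
ANCHORS: List[Name] = [".", "example.org."]
OUTCOMES: OutcomeTable = {
    (".", "www.example.org."): "secure",
    ("example.org.", "www.example.org."): "bogus",  # stale local anchor
    (".", "www.example.com."): "secure",
}


def demo() -> Dict[str, str]:
    """Run both policies over the scenario and return the statuses."""
    q = "www.example.org."
    return {
        "closest_only": closest_only(ANCHORS, q, OUTCOMES),
        "try_all_closest_first": try_all(ANCHORS, q, OUTCOMES)[0],
        "try_all_root_first": try_all(ANCHORS, q, OUTCOMES, False)[0],
    }


if __name__ == "__main__":
    for policy, status in demo().items():
        print(f"{policy:24s} {status}")
```

In the constructed scenario the closest-only policy reports www.example.org. as bogus because the nearer anchor is the stale one, while the try-all policy recovers by falling through to the root anchor; with prefer_closest the stale anchor is still consulted (and fails) first, which is the extra work and the logging noise an operator would see. Which outcome is preferable is exactly the policy question the thread leaves open.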