<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br><blockquote type="cite"><div>I don't think this is about a free choice, but adhering to the protocol.<br></div></blockquote></div><div><br></div>At this point, I'm not sure who is saying what and what is inferred in the quips, but if you adhere to the protocol, you place free choice first.<div><br></div><div>This is not just from my dimming memory of the 1990's when we developed the concept, we even wrote this into the latest rendition of the DNSSEC specifications (albeit in 2004).</div><div><br></div><div>RFC 4033:</div><div><pre style="font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; white-space: pre-wrap; "><span class="Apple-style-span" style="color: rgb(0, 0, 0); "> ...In the final
analysis, however, authenticating both DNS keys and data is a matter
of </span>local policy, which may extend or even override the protocol
extensions defined in this document set. See Section 5 for further
discussion.
</pre></div><div><br></div><div>And this predicts NTA's (also in RFC 4033):</div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "><br></span></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> Insecure: The validating resolver has a trust anchor, a chain of</span></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> trust, and, at some delegation point, signed proof of the</span></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> non-existence of a DS record. This indicates that subsequent</span></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> branches in the tree are provably insecure. A validating resolver</span></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> may have a local policy to mark parts of the domain space as</span></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> insecure.</span></div><div><pre style="color: rgb(0, 0, 0); font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; "><div style="font-family: Helvetica; white-space: normal; ">I emphasize the last sentence:</div><div style="white-space: pre-wrap; "><br></div><div><div style="font-family: Helvetica; white-space: normal; "><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; ">A validating resolver</span><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> may have a local policy to mark parts of the domain space as</span><span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap; "> insecure.</span></div></div></pre><div apple-content-edited="true">And I'll add in a cranky manner, the overall tenor of this list insinuating that operators are incompetent and should therefor not be given free will needs to be seriously reconsidered. Perhaps I need to quite Star Wars to get the point across:</div><div apple-content-edited="true"><br></div><div apple-content-edited="true"><a href="http://www.imdb.com/name/nm0000402/?ref_=tt_trv_qu" style="color: rgb(112, 87, 157); text-decoration: none; font-family: Verdana, Arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(246, 246, 245); "><span class="character">Princess Leia</span></a><span style="color: rgb(51, 51, 51); font-family: Verdana, Arial, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: rgb(246, 246, 245); display: inline !important; float: none; ">: The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.</span></div><div apple-content-edited="true"><br></div><div apple-content-edited="true">Ecologies that place heavy emphasis on "security" have been empirically proven to fail at scale (population and/or time).</div><div apple-content-edited="true"> </div><div apple-content-edited="true">-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=<span></span>-=-=-=-</div><div apple-content-edited="true"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Edward Lewis <span></span> <br>NeuStar <span></span> You can leave a voice message at +1-571-434-5468<br><br>There are no answers - just tradeoffs, decisions, and responses.</div></div></div>
</div>
<br></div></body></html>