[dns-operations] .Org DNSSEC key management policy feedback

Matt Larson mlarson at verisign.com
Tue Jun 23 14:17:20 UTC 2009


On Tue, 23 Jun 2009, Mark Andrews wrote:
> In message <BDDA5135-E57B-4EE5-AC1B-C6E414729E6D at dnss.ec>, Roy Arends writes:
> > By that time, this policy should be configurable, and eventually, the  
> > default can be changed on behalf on market demand.
> 	People need "trust the closest trust anchor only" policy now.
> 	People will never need "use any possible trust anchor" policy.
> 	It might be nice to have but it will never be a needed policy.

This issue is far from settled.  There has been vigorous debate about
it on namedroppers: look for every message with "trust" in the subject
line from last year (which is easy for us "mutt" users, but I

In fact, the latest version of the dnssec-bis-updates draft calls for
trying all trust anchors until one succeeds and for a configurable
option to enable favoring the closest trust anchor to the QNAME.
Please see:


I'm going to start a thread on namedroppers about this, which is
really the better location for this discussion.


More information about the dns-operations mailing list