[dns-operations] closest keys and validation policy

Jim Reid jim at rfc1035.com
Sun Jul 18 13:14:32 UTC 2010

On 18 Jul 2010, at 06:15, bmanning at vacation.karoshi.com wrote:

> I guess the reason that you think that trusting the closest  
> enclosing key is wrong is that we may have some divergent views on  
> the use of the term "closest"...


> Are you thinking that its wrong to trust a key closest to the  
> validator or closest to the root?

Well Bill, it seems odd to be asking this question when there's no  
clear understanding what is meant by "closest" key. Or "wrong" for  
that matter.

Rather than define these terms, can I suggest we encourage everyone to  
adopt the One True Path to DNSSEC, ie the trust anchor for the root,  
instead of kludging about with multiple trust anchors and ad-hoc  
validation schemes?

More information about the dns-operations mailing list