[dns-operations] closest keys and validation policy
Jim Reid
jim at rfc1035.com
Sun Jul 18 13:14:32 UTC 2010
On 18 Jul 2010, at 06:15, bmanning at vacation.karoshi.com wrote:
> I guess the reason that you think that trusting the closest
> enclosing key is wrong is that we may have some divergent views on
> the use of the term "closest"...
Indeed.
> Are you thinking that it's wrong to trust a key closest to the
> validator or closest to the root?
Well Bill, it seems odd to be asking this question when there's no
clear understanding what is meant by "closest" key. Or "wrong" for
that matter.
Rather than define these terms, can I suggest we encourage everyone to
adopt the One True Path to DNSSEC, i.e. the trust anchor for the root,
instead of kludging about with multiple trust anchors and ad-hoc
validation schemes?