[dns-operations] closest keys and validation policy
bmanning at vacation.karoshi.com
Sun Jul 18 23:12:29 UTC 2010
On Sun, Jul 18, 2010 at 02:14:32PM +0100, Jim Reid wrote:
> On 18 Jul 2010, at 06:15, bmanning at vacation.karoshi.com wrote:
>
> >I guess the reason that you think that trusting the closest
> >enclosing key is wrong is that we may have some divergent views on
> >the use of the term "closest"...
>
> Indeed.
>
> >Are you thinking that it's wrong to trust a key closest to the
> >validator or closest to the root?
>
> Well Bill, it seems odd to be asking this question when there's no
> clear understanding what is meant by "closest" key. Or "wrong" for
> that matter.
and yet the terms are used with abandon.
> Rather than define these terms, can I suggest we encourage everyone to
> adopt the One True Path to DNSSEC, ie the trust anchor for the root,
> instead of kludging about with multiple trust anchors and ad-hoc
> validation schemes?
well, Jim, I'd like to, but you sound too much like
Jerry Springer* for me to take that advice with anything
other than a grain of salt.
pragmatically, the root key is the key of last resort.
so it's the least trustworthy key I could reliably place on
my trusted keys ring. keys that I get from my university,
my ISP, my clients _all_ have a higher trust metric than the
root key, in part due to the fact that I have a direct
business relationship with them. of course YMMV..
--bill
* http://en.wikipedia.org/wiki/Jerry_Springer
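As an added illustration of the policy under dispute (example code written for this archive page, not from the thread or from any named validator): a toy model of a validator with several configured trust anchors. "Closest enclosing" is taken to mean the deepest configured anchor that covers the queried name, and root_only models the root-anchor-only path; the anchor set, its trust metrics and the treatment of every label as a zone cut are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed anchor set: zone name -> locally assigned trust metric (higher = more trusted).
# The root is ranked lowest as the "key of last resort"; keys obtained directly from a
# university and an ISP are ranked above it, following the argument in the post.
ANCHORS: Dict[str, int] = {".": 1, "example.edu.": 5, "isp.example.": 4}

def labels(name: str) -> List[str]:
    """Labels of an absolute name, lowest first: 'www.example.edu.' -> ['www', 'example', 'edu']."""
    return [lbl.lower() for lbl in name.strip(".").split(".") if lbl]

def ancestors(name: str) -> List[str]:
    """Enclosing names from `name` itself up to the root '.' (toy: every label is a zone cut)."""
    parts = labels(name)
    return [".".join(parts[i:]) + "." for i in range(len(parts))] + ["."]

def closest_enclosing_anchor(name: str, anchors: Dict[str, int]) -> Optional[str]:
    """Deepest configured anchor covering `name` (closest to the name, farthest from the root)."""
    for zone in ancestors(name):
        if zone in anchors:
            return zone
    return None

def chain_of_trust(name: str, anchors: Dict[str, int], root_only: bool = False
                   ) -> Tuple[Optional[str], List[str], Optional[int]]:
    """Return (anchor used, zones walked from that anchor down to `name`, anchor's trust metric).

    root_only=True models the single root-anchor policy: every chain starts at the root,
    however many other anchors are configured.  root_only=False starts at the closest
    enclosing anchor, giving a shorter chain whose trust is that of the locally chosen key.
    """
    start = "." if root_only else closest_enclosing_anchor(name, anchors)
    if start is None or start not in anchors:
        return None, [], None  # no covering anchor on the ring: the name cannot be validated
    depth = len(labels(start))
    path = [z for z in reversed(ancestors(name)) if len(labels(z)) >= depth]
    return start, path, anchors[start]

if __name__ == "__main__":
    for policy in (False, True):
        print("root_only=%s:" % policy, chain_of_trust("www.cs.example.edu.", ANCHORS, policy))
```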