[dns-operations] closest keys and validation policy

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sun Jul 18 23:12:29 UTC 2010

On Sun, Jul 18, 2010 at 02:14:32PM +0100, Jim Reid wrote:
> On 18 Jul 2010, at 06:15, bmanning at vacation.karoshi.com wrote:
> >I guess the reason that you think that trusting the closest  
> >enclosing key is wrong is that we may have some divergent views on  
> >the use of the term "closest"...
> Indeed.
> >Are you thinking that its wrong to trust a key closest to the  
> >validator or closest to the root?
> Well Bill, it seems odd to be asking this question when there's no  
> clear understanding what is meant by "closest" key. Or "wrong" for  
> that matter.

	and yet the terms are used with abandon.

> Rather than define these terms, can I suggest we encourage everyone to  
> adopt the One True Path to DNSSEC, ie the trust anchor for the root,  
> instead of kludging about with multiple trust anchors and ad-hoc  
> validation schemes?

	well, Jim, I'd like to, but you sound too much like
	Jerry Springer* for me to take that advice with anything
	other than a grain of salt.  

	pragmatically, the root key is the key of last resort.
	so its the least trustworthy key I could reliably place on
	my trusted keys ring.  keys that I get from my university,
	my ISP, my clients _all_ have a higher trust metric than the
	root key, in part due to the facet that I have a direct
	business relationship with them.  of course YMMV..


** http://en.wikipedia.org/wiki/Jerry_Springer

More information about the dns-operations mailing list