[dns-operations] closest keys and validation policy
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Mon Jul 19 04:31:21 UTC 2010
On Sun, Jul 18, 2010 at 05:40:25PM -0700, David Conrad wrote:
> Bill,
>
> On Jul 18, 2010, at 4:12 PM, bmanning at vacation.karoshi.com wrote:
> > keys that I get from my university,
> > my ISP, my clients _all_ have a higher trust metric than the
> > root key, in part due to the facet that I have a direct
> > business relationship with them. of course YMMV..
>
> And yet, it is those folks who are the ones who can potentially implement nxdomain redirects because of other business relationships of which you may be unaware. My mileage is that I put trust in what I can verify. But that's just me.
>
> Regards,
> -drc
>
sort of boils down to that doesn't it? What you can verify.
nothing precludes _anyone_ from having a "tainted" vector, be it
my ISP, my University, my clients, my Government, or their contractors...
but if I am paying them money for service, there is a standard of care
that is usually bound to some contractual (or similar) vehicle.
for me, the root key is the last bastion, the least trustworthy key.
for the other keys, there is a more immediate, direct, contractable
and enforcable structure in place that is not soley tied to the publication
of a trust anchor.
just saying.
--bill
More information about the dns-operations
mailing list