[dns-operations] closest keys and validation policy

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Jul 19 04:31:21 UTC 2010

On Sun, Jul 18, 2010 at 05:40:25PM -0700, David Conrad wrote:
> Bill,
> On Jul 18, 2010, at 4:12 PM, bmanning at vacation.karoshi.com wrote:
> > keys that I get from my university,
> > my ISP, my clients _all_ have a higher trust metric than the
> > root key, in part due to the facet that I have a direct
> > business relationship with them.  of course YMMV..
> And yet, it is those folks who are the ones who can potentially implement nxdomain redirects because of other business relationships of which you may be unaware.  My mileage is that I put trust in what I can verify.  But that's just me.
> Regards,
> -drc

	sort of boils down to that doesn't it?  What you can verify.
	nothing precludes _anyone_ from having a "tainted" vector, be it
	my ISP, my University, my clients, my Government, or their contractors...

	but if I am paying them money for service, there is a standard of care
	that is usually bound to some contractual (or similar) vehicle.  

	for me, the root key is the last bastion, the least trustworthy key.
	for the other keys, there is a more immediate, direct, contractable
	and enforcable structure in place that is not soley tied to the publication
	of a trust anchor.

	just saying.


More information about the dns-operations mailing list