[dns-operations] Online DNSSEC debugging tool now available

Andrew Sullivan ajs at shinkuro.com
Mon Jul 19 13:52:13 UTC 2010


On Sun, Jul 18, 2010 at 05:15:37AM +0000, bmanning at vacation.karoshi.com wrote:

> 	I guess the reason that you think that trusting the closest enclosing key is wrong
> 	is that we may have some divergent views on the use of the term "closest"...
> 	Are you thinking that it's wrong to trust a key closest to the validator or closest to
> 	the root?

I was avoiding the term "closest enclosing" exactly because that's
already got some other uses, but my point is that certain
implementations prefer the most specific key -- that is, the one
closer in the tree to the domain to be validated -- to the exclusion
of other keys.  Suppose one is trying to validate www.example.org and
one has two trust anchors configured: the one for . and the one for
.org.  In some deployed validators, the TA for .org will be used and
the one for . will not be, _even if_ the path from . validates
successfully and the path from the .org TA does not.

In my reading of the RFCs, the above interpretation is at least
strained.  I suppose it is reasonable to be able to configure such an
arrangement, but in my opinion it is just wrong as the default.

In particular, I note downthread you talk about "degrees of trust".
In my reading, the very idea of degrees of trust is foreign to the
DNSSEC scheme.  If degrees of trust were something people had really
wanted, it should have been possible to set bits to indicate such
trust degrees for a given trust anchor.  It certainly should not be a
consequence of some other property.

Best,

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
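To make the two anchor-selection policies concrete, here is an added toy model (not code from the post, nor from any real validator). Zone names, key ids, DS records and the stale .org anchor are constructed so that the path from the .org anchor fails while the path from the root anchor verifies, which is exactly the case where the two policies disagree.

```python
# Toy model of DNSSEC trust-anchor selection (added example; constructed data).
# A "key" is just an identifier; a chain link is valid when the DS the parent
# publishes names the child's current key.

ZONE_KEYS = {".": "root-ksk-2010", "org.": "org-ksk-B", "example.org.": "example-ksk"}
# DS records as published in the parent zone, pointing at the child's current KSK.
DS_RECORDS = {"org.": "org-ksk-B", "example.org.": "example-ksk"}
# Configured anchors: the root anchor is current, the .org anchor is stale (constructed).
TRUST_ANCHORS = {".": "root-ksk-2010", "org.": "org-ksk-A"}


def parent(zone):
    """Parent zone name: 'example.org.' -> 'org.' -> '.'."""
    return "." if zone == "." else (zone.split(".", 1)[1] or ".")


def signing_zone(name):
    """Walk up from a name to the nearest zone apex with a key (its signer)."""
    while name not in ZONE_KEYS:
        name = parent(name)
    return name


def enclosing_anchors(zone):
    """Anchors enclosing the zone, most specific (closest to the zone) first."""
    chain = [zone]
    while chain[-1] != ".":
        chain.append(parent(chain[-1]))
    return [z for z in chain if z in TRUST_ANCHORS]


def chain_validates(anchor, zone):
    """True if the DS/DNSKEY path from the anchor down to the zone verifies."""
    if TRUST_ANCHORS[anchor] != ZONE_KEYS[anchor]:
        return False  # configured anchor key does not match the zone's key
    path = [zone]
    while path[-1] != anchor:
        path.append(parent(path[-1]))
    return all(DS_RECORDS.get(z) == ZONE_KEYS[z] for z in path[:-1])


def validate_most_specific_only(name):
    """Policy Sullivan objects to: only the closest enclosing anchor is consulted."""
    zone = signing_zone(name)
    anchors = enclosing_anchors(zone)
    if not anchors:
        return "insecure"
    return "secure" if chain_validates(anchors[0], zone) else "bogus"


def validate_any_anchor(name):
    """Policy he prefers as default: any enclosing anchor with a valid chain suffices."""
    zone = signing_zone(name)
    anchors = enclosing_anchors(zone)
    if not anchors:
        return "insecure"
    return "secure" if any(chain_validates(a, zone) for a in anchors) else "bogus"
```

With the constructed data, `validate_most_specific_only("www.example.org.")` returns "bogus" while `validate_any_anchor` returns "secure", because only the path from the root anchor verifies.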