[dns-operations] Online DNSSEC debugging tool now available
bmanning at vacation.karoshi.com
Mon Jul 19 17:24:12 UTC 2010
On Mon, Jul 19, 2010 at 05:52:24PM +0200, Peter Koch wrote:
> On Mon, Jul 19, 2010 at 03:04:36PM +0000, bmanning at vacation.karoshi.com wrote:
>
> > additionally, if the origin of the validation request is laptoy.example.NET,
> > then the "closest" TA for www.example.org would not be the TA for .org,
> > it would be the TA for . -- right? (the iterative/recursive mode of DNS tree walking)
>
> all this "tree walking" starts at the root anyway. And DNS hierarchy doesn't
> match organizational hierarchy, so the DNS name (if there is one) of the
> validator has no role in this game.
> Of course, from an operational perspective, it is wise to make sure the
> resolution of your "own" domain names works independently of external
> influence. "Own" of course is a matter of local policy, not to be
> fully deduced from the name of the resolver/validator.
all tree walking starts at the root - but there is data that has been
"cached"/verified in an OOB manner - hence no tree walking is needed since
the node already has the data in hand.
if my government, employer, university, bank, etc. give me their keys
I expect I will want to first use the keys they give me directly, if I can,
then the chain of custody that comes from the root.
--bill
>
> -Peter
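The "closest trust anchor" question in the exchange above comes down to a longest-suffix match over the zones a validator has anchors for: a name is validated from the most specific configured anchor that encloses it, and the chain from the root is only walked when no closer anchor exists. The following Python is an added illustration written for this archive page, not code from the thread or from any DNSSEC tool it mentions. It models anchors purely by zone name (the "key" values are constructed placeholders, and no signatures are checked); `closest_trust_anchor` and `chain_from_anchor` are names chosen here.

```python
"""Closest-enclosing-trust-anchor selection (constructed example).

A validator may hold several trust anchors: the root key plus keys handed
over out of band by an employer, bank, university, etc.  For a given name
the anchor with the most matching trailing labels wins, and the chain of
zones that still has to be walked starts there rather than at the root.
"""

# Constructed anchor set: zone name -> placeholder for the trusted key.
# These are NOT real keys; they only stand in for "we hold an anchor here".
TRUST_ANCHORS = {
    ".": "<root-trust-anchor-placeholder>",
    "example.org": "<example-org-trust-anchor-placeholder>",
}


def normalize(name):
    """Return the name as a tuple of lowercase labels, root-most label last.

    The root ('.') normalizes to the empty tuple, so it encloses everything.
    """
    return tuple(label.lower() for label in name.strip().split(".") if label)


def encloses(zone, name):
    """True if `name` is `zone` itself or lies below it in the DNS tree."""
    z, n = normalize(zone), normalize(name)
    if len(z) > len(n):
        return False
    return len(z) == 0 or n[len(n) - len(z):] == z


def closest_trust_anchor(name, anchors=TRUST_ANCHORS):
    """Pick the enclosing anchor with the most labels, or None if none applies.

    None means the validator has no anchor covering this name at all, so
    it cannot build a chain of trust for it from local configuration.
    """
    candidates = [zone for zone in anchors if encloses(zone, name)]
    if not candidates:
        return None
    return max(candidates, key=lambda zone: len(normalize(zone)))


def chain_from_anchor(name, anchors=TRUST_ANCHORS):
    """List the zones a validator walks from the chosen anchor down to `name`.

    Each step corresponds to one delegation (DS/DNSKEY pair) that must be
    verified; a closer anchor means fewer steps and no dependence on the
    zones above it.
    """
    anchor = closest_trust_anchor(name, anchors)
    if anchor is None:
        return None
    labels = normalize(name)
    chain = [anchor]
    # Add one more label per step until the full name is reached.
    for depth in range(len(normalize(anchor)) + 1, len(labels) + 1):
        chain.append(".".join(labels[len(labels) - depth:]))
    return chain


if __name__ == "__main__":
    for qname in ("www.example.org", "laptop.example.net", "example.org"):
        print(f"{qname:20s} anchor={closest_trust_anchor(qname)!s:12s} "
              f"chain={chain_from_anchor(qname)}")
```

With the constructed anchors, `www.example.org` is validated from the `example.org` anchor in a single step, while `laptop.example.net` has only the root anchor enclosing it and is walked from `.` through `net` and `example.net`. Removing the root anchor from the table leaves `laptop.example.net` with no chain at all, which is the situation Peter's "local policy" remark describes: which names must validate independently of outside zones is decided by the set of anchors you choose to install, not by the validator's own name.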