[dns-operations] Online DNSSEC debugging tool now availalbe

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Jul 19 17:24:12 UTC 2010

On Mon, Jul 19, 2010 at 05:52:24PM +0200, Peter Koch wrote:
> On Mon, Jul 19, 2010 at 03:04:36PM +0000, bmanning at vacation.karoshi.com wrote:
> > 	additionally, if the origin of the validation request is laptoy.example.NET,
> > 	then the "closest" TA for www.example.org would not be the TA for .org,
> > 	it would be the TA for .  -- right?  (the iterative/recursive mode of DNS tree walking)
> all this "tree walking" starts at the root anyway.  And DNS hierarchy doesn't
> match organizational hierarchy, so the DNS name (if there is one) of the
> validator has no role in this game.
> Of course, from an operational perspective, it is wise to make sure the
> resolution of your "own" domain names works independently of external
> influence.  "Own" of course is a matter of local policy, not to be
> fully deduced from the name of the resolver/validator.

	all tree walking starts at the root - but there is data that has been
	"cached"/verified in an OOB manner - hence no tree walking is needed since
	the node already has the data in hand.

	if my government, employer, university, bank, etc. give me their keys
	i expect I will want to first use the keys they give me directly, if I can,
	then the chain of custody that comes from the root.


> -Peter
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list