On 2013-08-27, at 14:51, "UFJORw==" <ufj...@gmail.com> wrote:
> That would mean having a full-fledged DNSSEC validator in every
> authserv: what a software bloat!

Personally, I prefer the approach of being able to shell out to a script that runs something like validns over the just-transferred zone, so I can make my own decisions as an operator as to what checks are sensible to run.

> And what about the validation policy? What is an "invalid signature"?
> What keys were used to verify the signatures? Local trust anchors? The
> root? Which version of the root keys?
> Should we trust the most specific key or only the root or should they
> be both valid?
> What if the domain is an island and no DS is published on purpose?
> What if a DLV is published because the parent does not accept DS?
> Which DLV database should you trust?
> What if the authserv does not support the signature or the hashing algorithm?
> What if the authserv is clock-drifting?
> And finally: are all of these parameters the same as those in the
> validators that will query the authserv?

Indeed, being able to run my own script is good :-)

Joe
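The kind of operator-chosen post-transfer check the reply has in mind, as an added example that is not code from this thread, from validns, or from any authoritative server: a small hook script that pulls the RRSIG records out of a just-transferred zone file and applies a local policy (signature window at the current clock, a minimum remaining lifetime, an allowed-algorithm list) without doing any full chain-of-trust validation. The zone text, the timestamps and the policy values are constructed for illustration; the parser handles single-line and parenthesised multi-line records but not quoted strings containing ';'.

```python
"""Post-transfer zone check hook (constructed example, not from the thread)."""
import sys
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"          # RRSIG expiration/inception format, UTC

# Constructed sample zone: owners are written as in the file ('@' is not expanded).
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA    ns1 hostmaster 2013082701 7200 900 1209600 3600
        IN RRSIG  SOA 8 2 3600 20130926120000 20130827120000 12345 example.net. c2FtcGxlc2ln
@       IN NS     ns1
        IN RRSIG  NS 8 2 3600 ( 20130829000000 20130827120000
                                12345 example.net. c2FtcGxlc2ln )   ; multi-line RRSIG
@       IN DNSKEY 257 3 8 c2FtcGxla2V5
        IN RRSIG  DNSKEY 8 2 3600 20130926120000 20130828000000 6789 example.net. c2FtcGxlc2ln
@       IN NSEC   ns1 NS SOA RRSIG NSEC DNSKEY
ns1     IN A      192.0.2.1
ns1     IN RRSIG  A 5 3 3600 20130826000000 20130801000000 54321 example.net. c2FtcGxlc2ln
"""
SAMPLE_NOW = datetime(2013, 8, 27, 15, 0, tzinfo=timezone.utc)


def _logical_lines(text):
    """Yield zone records with '( ... )' continuations joined and ';' comments removed."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _rtype_index(toks):
    """Index of the RR type token: owner, then optional TTL, then optional class."""
    i = 1
    if i < len(toks) and toks[i].isdigit():
        i += 1
    if i < len(toks) and toks[i].upper() in ("IN", "CH", "HS"):
        i += 1
    return i


def parse_rrsigs(text):
    """Return a list of dicts describing every RRSIG record in presentation-format text."""
    sigs, last_owner = [], None
    for rec in _logical_lines(text):
        if not rec.strip() or rec.startswith("$"):
            continue
        toks = rec.replace("(", " ").replace(")", " ").split()
        if rec[0].isspace():                   # blank owner inherits the previous one
            if last_owner is None:
                continue
            toks.insert(0, last_owner)
        last_owner = toks[0]
        i = _rtype_index(toks)
        if i >= len(toks) or toks[i] != "RRSIG":   # skips NSEC bitmaps that mention RRSIG
            continue
        # RDATA after the type token: covered, alg, labels, origTTL, expiration, inception, keytag, signer
        sigs.append({
            "owner": toks[0], "type": toks[i + 1], "alg": int(toks[i + 2]),
            "expiration": datetime.strptime(toks[i + 5], RRSIG_TIME).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(toks[i + 6], RRSIG_TIME).replace(tzinfo=timezone.utc),
            "keytag": int(toks[i + 7]), "signer": toks[i + 8],
        })
    return sigs


def check_zone(text, now, min_remaining=timedelta(days=2),
               allowed_algs=(8, 13, 14), clock_skew=timedelta(minutes=5)):
    """Apply the local policy; return (owner, covered type, problem) tuples, empty if clean."""
    problems = []
    for s in parse_rrsigs(text):
        if s["inception"] > now + clock_skew:
            problems.append((s["owner"], s["type"], "inception-future"))
        if s["expiration"] <= now:
            problems.append((s["owner"], s["type"], "expired"))
        elif s["expiration"] - now < min_remaining:
            problems.append((s["owner"], s["type"], "expiring-soon"))
        if s["alg"] not in allowed_algs:
            problems.append((s["owner"], s["type"], "algorithm-not-allowed"))
    return problems


def run_sample():
    """Run the policy over the constructed zone at the constructed clock value."""
    return check_zone(SAMPLE_ZONE, SAMPLE_NOW)


if __name__ == "__main__":
    # Hook usage: check_zone.py ZONEFILE; a non-zero exit lets the caller refuse the zone.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else SAMPLE_NOW
    found = check_zone(text, now)
    for owner, rtype, problem in found:
        print(f"{owner} RRSIG({rtype}): {problem}")
    sys.exit(1 if found else 0)
```

Run against the sample it reports the NS signature as expiring within the two-day margin, the DNSKEY signature as not yet valid at the sample clock, and the ns1 A signature as both expired and signed with an algorithm outside the allowed list, while the SOA signature passes; every threshold and the allowed-algorithm set are plain function arguments, which is the point of keeping the policy in an operator script rather than in the server.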