On 2010-09-30, at 18:42, Tony Finch wrote:

> I think it was a mistake to drop the trust anchor history draft, because
> it has a reasonably coherent answer to the problem. I think the arguments
> that it is not secure enough are misguided. What we want is a way for
> software to bootstrap its DNSSEC trust anchor that is better than a leap
> of faith. This can perhaps be backed up with x.509 validation of the trust
> anchor once DNS is up and the higher levels of the stack are able to look
> up host names.

I don't follow your logic. You seem to be saying that trust-history, which uses keys that should not be trusted, is better than using the root-anchor repository, where there are still some open questions. Isn't the right approach to answer those open questions?

Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop