At 12:57 AM +0100 10/1/10, Tony Finch wrote:
>Without trust anchor history, you start off with a trust anchor that is
>broken, and the only option is to downgrade to insecure DNS and use that to
>get the new trust anchor and its signatures.

True, but the new trust anchor you get can be validated by some other source. For example, it could be signed by the key of the vendor of whichever software is doing the getting, or by a trusted third party.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
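The check behind the "trust anchor that is broken" situation in the exchange above, as an added example that is not part of the thread and not code from either poster: a validator holds DS records as trust anchors and decides whether the DNSKEY RRset it fetched (over DNS it cannot yet validate) chains to any of them, using the DS digest and key tag computations from RFC 4034. If no anchor matches, the validator has no secure entry point and must either fall back to insecure DNS or install a replacement anchor set that was validated some other way, for instance one signed by the software vendor's key; checking that vendor signature is outside this block. The owner names, keys and flags below are constructed for illustration and are not real root or vendor material.

```python
"""Match a fetched DNSKEY RRset against configured DS trust anchors (RFC 4034).

Hypothetical example code. The DNSKEYs and anchors built in main() are
constructed for illustration; they are not real zone keys.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# DS digest types handled here: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    owner: str        # owner name, e.g. "." for the root or "example.com."
    flags: int        # 257 = zone key with SEP bit (a KSK), 256 = zone key (a ZSK)
    protocol: int     # must be 3 for DNSSEC
    algorithm: int    # DNSSEC algorithm number, e.g. 8 = RSASHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, then the public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str       # upper-case hex, as it appears in a DS record


def wire_name(name: str) -> bytes:
    """Canonical wire form of a name (lower-cased, uncompressed), RFC 4034 section 6.2."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"                      # the root name is a single zero-length label
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, byte in enumerate(key.rdata()):
        ac += byte if i & 1 else byte << 8  # sum RDATA as big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF                # fold the carry back in once
    return ac & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = DIGEST_ALGS[digest_type](wire_name(key.owner) + key.rdata()).hexdigest().upper()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def find_matching_anchor(anchors: Iterable[DS], keys: Iterable[DNSKEY]) -> Optional[Tuple[DS, DNSKEY]]:
    """Return the first (anchor, DNSKEY) pair whose DS digest matches, else None.

    Key tag and algorithm are only a cheap pre-filter (tags collide); the digest decides.
    An anchor with a digest type the validator cannot compute is unusable and is skipped.
    """
    keys = list(keys)
    for anchor in anchors:
        if anchor.digest_type not in DIGEST_ALGS:
            continue
        for key in keys:
            if key.protocol != 3 or not key.flags & 0x0100:   # not a DNSSEC zone key
                continue
            if anchor.key_tag != key_tag(key) or anchor.algorithm != key.algorithm:
                continue
            if ds_from_dnskey(key, anchor.digest_type).digest == anchor.digest:
                return anchor, key
    return None


def validation_status(anchors: Iterable[DS], fetched_keys: Iterable[DNSKEY]) -> str:
    """'secure' if the fetched RRset chains to a configured anchor, otherwise 'broken'.

    'broken' is the state Tony Finch describes: without a valid anchor the resolver can
    only treat answers as insecure, or install a new anchor set validated out of band.
    """
    return "secure" if find_matching_anchor(anchors, fetched_keys) else "broken"


if __name__ == "__main__":
    # Constructed keys: the anchor the software shipped with, and the key the zone rolled to.
    shipped_ksk = DNSKEY(".", 257, 3, 8, bytes(range(64)))
    rolled_ksk = DNSKEY(".", 257, 3, 8, bytes(range(64, 128)))
    configured = [ds_from_dnskey(shipped_ksk)]
    print("after rollover, old anchor only:", validation_status(configured, [rolled_ksk]))
    # A replacement anchor set obtained out of band (e.g. vendor-signed) restores the chain.
    print("with updated anchor set:", validation_status(configured + [ds_from_dnskey(rolled_ksk)], [rolled_ksk]))
```

The digest comparison is the only thing that binds a DNSKEY to an anchor; the key tag is a 16-bit checksum that can collide, so it is never sufficient on its own. A validator that logs "broken" here should not silently fall through to insecure resolution: that downgrade is exactly the window an attacker on the path wants.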