Moin!

On 05.03.2013, at 17:44, Paul Wouters <p...@nohats.ca> wrote:

> On Tue, 5 Mar 2013, Antoin Verschuren wrote:
>
>> Our zone is not the start of any chain of trust
>
> That's a TLD corner case (and not entirely true at that, since you don't
> really know what I configure as trust anchor in my resolver)

Sure, but to validate on the public Internet I would strongly advise to use the root key. Anything else is calling for trouble and with a signed root we should assume that people do this unless they have a private DNSSEC deployment. I wouldn't see that as a corner case.

> There are many more parent-child relationships than just the
> registry-registrar-registrant case which involves other paths of
> trusts like EPP.

While EPP is used in lots of TLDs for domain registration, this draft actually describes the case where it applies for (DNS operator is not registrar) and that also is a common case. I don't think we should leave out the RRR cases in that draft.

So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063