Hi Olafur,

For an RD=0 query to a name server authoritative for the "." zone the client would send 12345, 23456.

For an RD=0 query to a name server authoritative for the evil.example zone, the client would send 9666, 6669.

For RD=1 queries, I propose that the client send key tags for the trust anchor whose name has the longest match to the query name. So for an RD=1 query for verisign.com it would send 12345, 23456. For www.evil.example it would send 9666, 6669.

Certainly I suppose the "." trust anchor could still validate the www.evil.example response, but the client will have other queries that would result in the "." trust anchor being sent upstream.

DW

________________________________
From: Olafur Gudmundsson [o...@ogud.com]
Sent: Wednesday, July 29, 2015 9:19 PM
To: Wessels, Duane
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] The EDNS Key Tag Option

On Jul 29, 2015, at 8:09 PM, Wessels, Duane <dwess...@verisign.com> wrote:

Seeing Warren's recent draft on updates of DNSSEC trust anchors encouraged me to finish and submit what I think may be a better method for tracking trust anchor updates. I've described an edns-key-tag option, which puts trust anchor key tags in the EDNS OPT record. It is modeled after RFC 6975, which is a way that clients can signal to servers the DNSSEC algorithms that they support.

https://datatracker.ietf.org/doc/draft-wessels-edns-key-tag/

Feedback would be welcomed.

Duane W.

Duane,

Question: Validator has the following TAs configured:
. 12345 and 23456
evil.example 9666 6669

Then, if the query is for verisign.com, what TAs are returned? If the query is for www.evil.example, what TAs are returned?

Olafur
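The selection rule Duane describes above (RD=0: the trust anchor for the zone the authoritative server serves; RD=1: the trust anchor whose name is the longest suffix match of the query name), worked through as an added example; this is not code from the thread or from the draft. The option code and the wire layout of the key-tag list are assumptions, as is the label-by-label suffix comparison.

```python
import struct

# Constructed trust-anchor configuration taken from the thread: name -> key tags.
TRUST_ANCHORS = {
    ".": [12345, 23456],
    "evil.example": [9666, 6669],
}

# Assumed EDNS option code; the draft on the page does not state one.
EDNS_KEY_TAG_OPTION = 14


def _labels(name):
    """Split a DNS name into lowercase labels; "." becomes the empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def _is_suffix(zone_labels, name_labels):
    """Label-wise suffix test, so evil.example does not match notevil.example."""
    n = len(zone_labels)
    return n <= len(name_labels) and name_labels[len(name_labels) - n:] == zone_labels


def select_key_tags(trust_anchors, qname, rd, auth_zone=None):
    """Return the key tags a validator would put in the option for this query."""
    if not rd:
        if auth_zone is None:
            raise ValueError("RD=0 selection needs the zone the server is authoritative for")
        wanted = _labels(auth_zone)
        for ta_name, tags in trust_anchors.items():
            if _labels(ta_name) == wanted:
                return list(tags)
        return []
    qlabels = _labels(qname)
    best, best_len = [], -1
    for ta_name, tags in trust_anchors.items():
        zl = _labels(ta_name)
        if _is_suffix(zl, qlabels) and len(zl) > best_len:
            best, best_len = list(tags), len(zl)
    return best  # empty when no configured trust anchor covers the query name


def encode_option(key_tags):
    """Assumed wire form: OPTION-CODE, OPTION-LENGTH, then each tag as 16-bit big-endian."""
    data = b"".join(struct.pack("!H", t) for t in key_tags)
    return struct.pack("!HH", EDNS_KEY_TAG_OPTION, len(data)) + data


def decode_option(blob):
    """Inverse of encode_option; rejects a wrong code or an odd-length tag list."""
    code, length = struct.unpack("!HH", blob[:4])
    if code != EDNS_KEY_TAG_OPTION or length != len(blob) - 4 or length % 2:
        raise ValueError("not a well-formed edns-key-tag option")
    return [struct.unpack("!H", blob[i:i + 2])[0] for i in range(4, 4 + length, 2)]
```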
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop