On 12/15/2016 11:59 AM, Ray Bellis wrote:
> On 15/12/2016 16:57, Bob Harold wrote:
>> If an insecure delegation can be made in the root, then could a local
>> trust anchor be used by those who want their .homenet domain DNSSEC
>> validated?
>
> That's what I would have expected to happen.

Actually, you probably want to make a secure delegation to an empty
zone, so you can resolve the stuff that belongs to "." securely (e.g.
prove that .homenet exists). THEN you place a trust anchor specifically
for .homenet to override the values you get from a homenet DS record in ".".

I *think* that would work with most validating resolvers. I seem to
remember a big argument many years ago as to whether enclosed trust
anchors were additive (to the encloser), ignored (because they were
enclosed), or overrode (replaced the encloser) for that branch of the
tree, but I don't remember the outcome or whether it became canon.

Mike

>> That seems easier than sharing keys or creating subdomains with
>> nsupdate. But I don't know much about trust anchors.
>
> Shared keys would be a nightmare.
>
> Ray
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop