Bob Harold <rharo...@umich.edu> wrote:
>
> How many paths are there?  I can think of:
> 1. To the root
> 2. To a local trust anchor

These are actually the same path since you'll find the relevant local trust
anchors in the process of walking down from or up to the root. (Or, down
from or up to the closest enclosing validated DNSKEY.)

> 3. To a DLV provider (gone as of Sept 30?)

I have a half-formed evil plan to use DLV to distribute trust anchors for
reverse DNS zones that lack DS records (RFC 1918 and others). One managed
key is easier than c. 20 keys!

As Mark said, DLV only applies when the normal path says insecure.

> Also, if an operator does not configure DLV or local trust anchors, then is
> root the only path?  So "Closest Encloser" and "Accept Any Success" are the
> same?

Closest encloser implies to me that you don't fall back to looking at the DS
records if you can't validate a DNSKEY that has a local trust anchor.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: Northwest 5 or 6, occasionally 7 in Fisher, backing
southwest 4 or 5 later. Moderate, occasionally rough for a time. Showers.
Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
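The three policies discussed in the message above (walk from the closest enclosing trust anchor and do not fall back, accept any anchor whose chain succeeds, and consult DLV only when the normal path returns insecure) as a small model added here for illustration; it is not code from the thread or from any resolver. Zone names, key tags, the DS layout and the DLV registry (modelled as a plain zone-to-key-tag map rather than real DLV record lookups) are all constructed. The tie-break in `accept_any_success` (a bogus chain outranks an insecure one when no chain is secure) is an assumption of this model, not something the thread states.

```python
"""Toy model of DNSSEC trust-anchor selection policies (constructed example,
not code from the DNSOP thread).  Each zone carries one DNSKEY, identified by
its key tag, and optionally a DS record published in its parent; a DS of None
models an unsigned delegation.  All names and key tags are made up."""
from typing import Callable, Dict, List, Optional

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed zone data: "key" is the zone's DNSKEY tag, "ds" the tag of the
# DS record its parent publishes (None = no DS, i.e. an insecure delegation).
ZONES: Dict[str, Dict[str, Optional[int]]] = {
    ".":                  {"key": 20326, "ds": None},
    "arpa.":              {"key": 1001,  "ds": 1001},
    "in-addr.arpa.":      {"key": 1002,  "ds": 1002},
    "10.in-addr.arpa.":   {"key": 1003,  "ds": None},   # RFC 1918 space: no DS above it
    "1.10.in-addr.arpa.": {"key": 1004,  "ds": 1004},
    "example.":           {"key": 2001,  "ds": 2001},
    "corp.example.":      {"key": 2002,  "ds": 2002},
}

Anchors = Dict[str, int]   # zone name -> trusted key tag


def ancestors(name: str) -> List[str]:
    """Zone cuts enclosing `name`, closest first, ending at the root "."."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def chain_from(anchor_zone: str, anchor_key: int, target: str) -> str:
    """Validate `target`'s DNSKEY by walking down from a trusted key at `anchor_zone`."""
    if ZONES[anchor_zone]["key"] != anchor_key:
        return BOGUS                      # anchor does not match the zone's DNSKEY
    enclosing = ancestors(target)
    below_anchor = enclosing[: enclosing.index(anchor_zone)]   # zones strictly below the anchor
    for zone in reversed(below_anchor):   # from just below the anchor down to target
        ds = ZONES[zone]["ds"]
        if ds is None:
            return INSECURE               # unsigned delegation: provably no chain
        if ds != ZONES[zone]["key"]:
            return BOGUS                  # DS present but does not match the child key
    return SECURE


def closest_encloser(target: str, anchors: Anchors) -> str:
    """Use only the nearest enclosing trust anchor; never fall back past a bad one."""
    for zone in ancestors(target):
        if zone in anchors:
            return chain_from(zone, anchors[zone], target)
    return INSECURE                       # no anchor covers the name at all


def accept_any_success(target: str, anchors: Anchors) -> str:
    """Try every enclosing anchor; one secure chain is enough.

    Model assumption: with no secure chain, a bogus chain outranks an insecure one."""
    results = [chain_from(z, anchors[z], target) for z in ancestors(target) if z in anchors]
    if SECURE in results:
        return SECURE
    if BOGUS in results:
        return BOGUS
    return INSECURE


def with_dlv(policy: Callable[[str, Anchors], str], target: str,
             anchors: Anchors, dlv: Anchors) -> str:
    """DLV is consulted only when the normal path comes back insecure.

    `dlv` stands in for the DLV registry as a zone -> key-tag map (a simplification)."""
    result = policy(target, anchors)
    if result != INSECURE:
        return result                     # already secure or bogus: DLV does not apply
    for zone in ancestors(target):
        if zone in dlv:
            return chain_from(zone, dlv[zone], target)
    return INSECURE


if __name__ == "__main__":
    root_only = {".": 20326}
    stale_local = {".": 20326, "corp.example.": 9999}   # operator's local anchor has rotated away
    rfc1918_dlv = {"10.in-addr.arpa.": 1003}           # the "evil plan": DLV key for a DS-less reverse zone

    print(closest_encloser("1.10.in-addr.arpa.", root_only))                         # insecure
    print(with_dlv(closest_encloser, "1.10.in-addr.arpa.", root_only, rfc1918_dlv))  # secure
    print(closest_encloser("corp.example.", stale_local))                            # bogus
    print(accept_any_success("corp.example.", stale_local))                          # secure
```

The two policies only differ when a local anchor exists and fails: closest encloser reports the stale `corp.example.` anchor as bogus and stops, while accept-any-success still succeeds through the root. DLV never rescues a bogus result in either policy; it only turns the provably insecure `10.in-addr.arpa.` delegation into a validated one.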