Bob Harold <rharo...@umich.edu> wrote:
>
> How many paths are there?  I can think of:
> 1. To the root
> 2. To a local trust anchor

These are actually the same path since you'll find the relevant local
trust anchors in the process of walking down from or up to the root.
(Or, down from or up to the closest enclosing validated DNSKEY.)

> 3. To a DLV provider (gone as of Sept 30?)

I have a half-formed evil plan to use DLV to distribute trust anchors for
reverse DNS zones that lack DS records (RFC 1918 and others). One managed
key is easier than c. 20 keys!

As Mark said, DLV only applies when the normal path says insecure.

> Also, if an operator does not configure DLV or local trust anchors, then is
> root the only path?  So "Closest Encloser" and "Accept Any Success" are the
> same?

Closest encloser implies to me that you don't fall back to looking at the
DS records if you can't validate a DNSKEY that has a local trust anchor.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: Northwest 5 or 6, occasionally 7 in Fisher, backing
southwest 4 or 5 later. Moderate, occasionally rough for a time. Showers.
Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
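To make the policy distinction in the thread concrete, here is a toy validator model (added here, not code from the thread or from any resolver). It assumes a zone table with constructed key tags, a dict of trust anchors keyed by zone name, and a DLV registry of the same shape; "closest encloser" uses only the nearest anchor, "accept any success" tries every anchor on the path, and DLV is consulted only when the normal path ends insecure.

```python
def ancestors(name):
    """Zone cuts from name up to the root: '10.in-addr.arpa.' -> [..., 'arpa.', '.']."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def validate_from(anchor, target, zones, anchors):
    """Walk down from one trust anchor to target; return secure/insecure/bogus."""
    if not anchors[anchor] & zones[anchor]["dnskeys"]:
        return "bogus"                      # anchor matches no published DNSKEY
    path = ancestors(target)
    for child in reversed(path[:path.index(anchor)]):   # zones below the anchor
        ds = zones[child]["ds"]
        if not ds:
            return "insecure"               # parent publishes no DS: unsigned delegation
        if not ds & zones[child]["dnskeys"]:
            return "bogus"                  # DS present but matches no DNSKEY
    return "secure"

def closest_encloser(target, zones, anchors):
    """Use only the nearest enclosing anchor; no fallback to the DS chain above it."""
    anchor = next(z for z in ancestors(target) if z in anchors)
    return validate_from(anchor, target, zones, anchors)

def accept_any_success(target, zones, anchors):
    """Try every anchor on the path, nearest first; any secure path wins."""
    results = [validate_from(z, target, zones, anchors)
               for z in ancestors(target) if z in anchors]
    return "secure" if "secure" in results else results[0]

def with_dlv(result, target, zones, dlv):
    """DLV is consulted only when the normal path says insecure."""
    if result != "insecure":
        return result
    for z in ancestors(target):
        if z in dlv:
            return "secure" if dlv[z] & zones[z]["dnskeys"] else "bogus"
    return "insecure"

# Constructed sample data: key tags are made up; in-addr.arpa. publishes no DS
# for 10.in-addr.arpa. (an RFC 1918 reverse zone), example. is fully chained.
ZONES = {
    ".": {"dnskeys": {1}, "ds": set()},
    "arpa.": {"dnskeys": {2}, "ds": {2}},
    "in-addr.arpa.": {"dnskeys": {3}, "ds": {3}},
    "10.in-addr.arpa.": {"dnskeys": {4}, "ds": set()},
    "example.": {"dnskeys": {5}, "ds": {5}},
}
ROOT_ONLY = {".": {1}}
LOCAL_RFC1918 = {".": {1}, "10.in-addr.arpa.": {4}}   # managed local anchor
STALE_LOCAL = {".": {1}, "example.": {99}}             # anchor no longer matches DNSKEY
DLV_REGISTRY = {"10.in-addr.arpa.": {4}}               # hypothetical DLV entry
```

With a stale local anchor for a zone that is otherwise chained from the root, closest encloser returns bogus while accept any success still validates via the DS chain; with the root alone, the RFC 1918 reverse zone ends insecure unless a local anchor or DLV entry covers it.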