On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>> Please see
>> <https://github.com/APNIC-Labs/draft-kskroll-sentinel/pull/1>. This
>> is a small set of changes that make the draft not treat the root zone
>> as special. It allows the labels to be used for any zone, not just
>> the root.
>
> Could you please elaborate on the motivation here?
The last sentence is the motivation. Some operators add trust anchors
for things other than the root to their validating resolver, and a user
might want to know if such a trust anchor exists and, if it does, what
the key tag is.
> I am unsure whether this is needed, or, perhaps more critically, I'm
> unsure if this represents a harmless general form of information
> disclosure (that the resolver is using local trust keys for some
> unspecified non-root zone).
Serious question: in your mind, why is the answer for a non-root zone any
more "information disclosure" than for the root zone?
> I agree the mechanics of the change in the text, and even in the code
> to support this, are pretty minor, but I am slightly worried about the
> intended generality of the proposed change being a small step too far,
> so I am curious to understand why you are advocating this change.
Because the root zone is not special for DNSSEC.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
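An added example (not code from the draft, the pull request, or either participant) illustrating the key tag the reply refers to and why the proposed generalization is mechanically small: the resolver's trust-anchor lookup in the model below is keyed only by owner name and key tag, so the root is just another zone in the table. The key-tag algorithm is the one in RFC 4034 Appendix B; the `_is-ta-<tag>` / `_not-ta-<tag>` label syntax, the `TrustAnchorStore` class and the sample DNSKEY records are assumptions constructed for this example and are not quoted from the draft.

```python
import base64
import struct

# Constructed sample DNSKEY records for this example (not real keys, not taken
# from the draft or the thread): a KSK-style key (flags 257) and a ZSK-style key
# (flags 256) for the zone "example.", each with an arbitrary 4-byte public key
# field so the resulting key tags (2063 and 4118) can be checked by hand.
SAMPLE_DNSKEY_RRS = [
    "example. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example. 3600 IN DNSKEY 256 3 8 BQYHCA==",
]


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA as specified in RFC 4034 Appendix B.1.

    Bytes at odd offsets are added as-is, bytes at even offsets are shifted
    left by 8; the carry out of the low 16 bits is folded back in once.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical(name):
    """Lower-case, fully qualified owner name ('.' for the root)."""
    name = name.lower().rstrip(".")
    return name + "." if name else "."


def parse_dnskey_rr(line):
    """Parse a presentation-format DNSKEY RR; returns (owner, wire RDATA)."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY RR: %r" % line)
    pubkey = base64.b64decode("".join(b64))
    return canonical(owner), dnskey_rdata(int(flags), int(proto), int(alg), pubkey)


class TrustAnchorStore:
    """Trust anchors a validating resolver has been configured with, keyed by
    owner name and key tag (assumed structure). Nothing here treats the root
    differently: an operator-added anchor for "example." is just another entry."""

    def __init__(self):
        self._anchors = {}

    def add(self, rr_line):
        owner, rdata = parse_dnskey_rr(rr_line)
        tag = key_tag(rdata)
        self._anchors.setdefault(owner, {})[tag] = rdata
        return tag

    def is_ta(self, owner, tag):
        return tag in self._anchors.get(canonical(owner), {})


def sentinel_decision(store, qname):
    """Model the sentinel check for a query whose leftmost label is
    '_is-ta-<tag>' or '_not-ta-<tag>' (ASSUMED, simplified label syntax; the
    draft's exact label text is not quoted on this page). The remaining labels
    name the zone whose anchors are consulted. Returns 'answer' when the
    resolver would respond normally, 'servfail' when it would withhold the
    answer, and None when the name is not a sentinel query at all."""
    name = canonical(qname)
    labels = [] if name == "." else name.rstrip(".").split(".")
    if not labels:
        return None
    first, rest = labels[0], labels[1:]
    zone = ".".join(rest) + "." if rest else "."
    for prefix, want_present in (("_is-ta-", True), ("_not-ta-", False)):
        if first.startswith(prefix) and first[len(prefix):].isdigit():
            tag = int(first[len(prefix):])  # zero-padded decimal is fine here
            return "answer" if store.is_ta(zone, tag) == want_present else "servfail"
    return None


if __name__ == "__main__":
    store = TrustAnchorStore()
    for rr in SAMPLE_DNSKEY_RRS:
        print("configured anchor %s tag %d" % (rr.split()[0], store.add(rr)))
    for q in ("_is-ta-02063.example.", "_not-ta-02063.example.",
              "_is-ta-02063.", "www.example."):
        print("%-28s -> %s" % (q, sentinel_decision(store, q)))
```

Running the module prints the decision for a few constructed query names: a probe for `_is-ta-02063.example.` is answered against this store, while the same tag under the root is not, which is the existence-plus-key-tag signal the reply describes, applied to a zone other than the root.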