> On 16 Dec 2017, at 2:31 am, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>
>>> Please see <https://github.com/APNIC-Labs/draft-kskroll-sentinel/pull/1>.
>>> This is a small set of changes that make the draft not treat the root zone
>>> as special. It allows the labels to be used for any zone, not just the root.
>>>
>>
>> Could you please elaborate on the motivation here?
>
> The last sentence is the motivation. Some operators add trust anchors for
> things other than the root to their validating resolver, and a user might
> want to know if such a trust anchor exists and, if it does, what the key tag
> is.
>
>> I am unsure whether this is needed, or, perhaps more critically, I'm unsure
>> if this represents a harmless general form of information disclosure (that
>> the resolver is using local trust keys for some unspecified non-root zone).
>
> Serious question: in your mind, why is the answer for a non-root zone any more
> "information disclosure" than for the root zone?
I suppose that I am concerned that a resolver is disclosing that it has some other trust point in the name space. I would normally have thought that such choices of trust are choices a resolver makes, but does not necessarily need to reveal to third parties.

Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop