> On 16 Dec 2017, at 2:31 am, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
> 
>>> Please see <https://github.com/APNIC-Labs/draft-kskroll-sentinel/pull/1>. 
>>> This is a small set of changes that make the draft not treat the root zone 
>>> as special. It allows the labels to be used for any zone, not just the root.
>>> 
>> 
>> Could you please elaborate on the motivation here?
> 
> The last sentence is the motivation. Some operators add trust anchors for 
> things other than the root to their validating resolver, and a user might 
> want to know if such a trust anchor exists and, if it does, what the key tag 
> is.
> 
>> I am unsure whether this is needed, or, perhaps more critically, I’m unsure 
>> if this represents a harmless general form of information disclosure (that 
>> the resolver is using local trust keys for some unspecified non-root zone).
> 
> Serious question: in your mind, why is the answer for non-root zone any more 
> "information disclosure" than for the root zone?

I suppose that I am concerned that a resolver is disclosing that it has some 
other trust point in the name space. 

I would normally have thought that such choices of trust are choices a resolver 
makes, but does not necessarily need to reveal to third parties.


Geoff




_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop