On Tue, Jun 28, 2022 at 10:23 AM Peter Thomassen <pe...@desec.io> wrote:
> Hi Bob, > > On 6/28/22 16:20, Bob Harold wrote: > > But the parent NS set is not covered by DNSSEC, and thus could be > spoofed?? > > (Wish we could fix that!) > > The parental agent (registry, registrar) has off-band definite knowledge > of the delegation's NS records. > > As an example, the .edu operator knows what umich.edu's NS records are, > because the registrant (the university) told them. > > Cheers, > Peter > > -- > https://desec.io/ Ah, yes. Even in a multi-signer situation, you are correct. I forgot the context. -- Bob Harold
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
