Tony,

Thanks for this explanation! I think this is what I've been looking for regarding securing DNSSEC.

> > And how about an end user, who doesn't understand a computer at all, being able to verify the signatures correctly?
>
> The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism, since the validator is a black-box agent acting on the user's behalf, like any other software.
>
> It is also required by the root key management policies, since a root key rollover takes a small number of weeks, much shorter than the not-in-service shelf life of validating software and hardware. This means that a validator cannot simply use the root key as a trust anchor and expect to work: it needs some extra infrastructure supported by the vendor to authenticate the root key if there happens to have been a rollover between finalizing the software and deploying it.
>
> Tony.

--
//fredan
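The rollover problem Tony describes above can be made concrete with a small worked example. The code below is an added illustration, not something from this thread or from any validator implementation: it builds root DNSKEY records from constructed (fake) public-key bytes, derives the DS-style trust anchor a vendor would bake into a validator (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509), and then checks whether a validator can bootstrap from its shipped anchors after the root KSK has been rolled. The keys, names and helper functions are all assumptions made for this example.

```python
import hashlib
import struct

# Owner name "." (the root) in DNS wire format: a single zero-length label.
ROOT_WIRE = b"\x00"

# DNSKEY flag value for a Key Signing Key: ZONE (256) + SEP (1).
KSK_FLAGS = 257
ALG_RSASHA256 = 8


def dnskey_rdata(flags, algorithm, pubkey):
    """Build DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner_wire, rdata):
    """DS RDATA with digest type 2 (SHA-256 over owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire + rdata).digest()
    algorithm = rdata[3]
    return struct.pack("!HBB", key_tag(rdata), algorithm, 2) + digest


def find_trusted_ksk(anchor_ds_set, dnskey_rrset, owner_wire=ROOT_WIRE):
    """Return the first DNSKEY in the RRset whose DS matches a configured
    trust anchor, or None if no key in the set is anchored."""
    for rdata in dnskey_rrset:
        if ds_rdata(owner_wire, rdata) in anchor_ds_set:
            return rdata
    return None


def can_bootstrap(anchor_ds_set, root_dnskey_rrset):
    """True if a validator holding these anchors can start validating from
    the root DNSKEY RRset it just fetched."""
    return find_trusted_ksk(anchor_ds_set, root_dnskey_rrset) is not None


# Constructed key material: these bytes are NOT real root keys, they only
# stand in for the public-key field so the DS derivation has something to hash.
KSK_A = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, hashlib.sha256(b"constructed KSK A").digest())
KSK_B = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, hashlib.sha256(b"constructed KSK B").digest())

# What the vendor baked into the validator at build time: only KSK_A.
SHIPPED_ANCHORS = {ds_rdata(ROOT_WIRE, KSK_A)}

# What the vendor's update channel would deliver after the rollover was announced.
UPDATED_ANCHORS = SHIPPED_ANCHORS | {ds_rdata(ROOT_WIRE, KSK_B)}


if __name__ == "__main__":
    print("before rollover, shipped anchors :", can_bootstrap(SHIPPED_ANCHORS, [KSK_A]))
    print("during overlap, shipped anchors  :", can_bootstrap(SHIPPED_ANCHORS, [KSK_A, KSK_B]))
    print("after rollover, shipped anchors  :", can_bootstrap(SHIPPED_ANCHORS, [KSK_B]))
    print("after rollover, updated anchors  :", can_bootstrap(UPDATED_ANCHORS, [KSK_B]))
```

The third case is the one Tony's message is about: software finalized with only KSK_A's anchor, then deployed after the root has moved to KSK_B, cannot bootstrap at all. While both keys are published the stale anchor still works, which is why the rollover window matters relative to shelf life; once the old key is withdrawn, only an anchor set refreshed through the vendor's own channel (the fourth case) lets the validator proceed.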