.gov DNSSEC operational message

jamie rishaw j at arpa.com
Tue Dec 28 01:31:52 UTC 2010


Clearly this will require 3 years of subcommittee conferences in order to prove.

.j

On Sun, Dec 26, 2010 at 11:23, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Jay Ashworth:
>
>> ----- Original Message -----
>>> From: "Matt Larson" <mlarson at verisign.com>
>>
>>> The new KSK will not be published in an authenticated manner outside
>>> DNS (e.g., on an SSL-protected web page). Rather, the intended
>>> mechanism for trusting the new KSK is via the signed root zone: DS
>>> records corresponding to the new KSK are already present in the root
>>> zone.
>>
>> That sounds like a policy decision... and I'm not sure I think it sounds
>> like a *good* policy decision, but since no reasons were provided, it's
>> difficult to tell.
>
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it.  This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.
>
>
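The mechanism Matt Larson describes in the quoted text (trusting the new KSK because a matching DS record sits in the signed root zone) comes down to recomputing the DS from the child's DNSKEY and comparing. The sketch below is an added example, not code from this thread or from the .gov or root operators; the key bytes are constructed placeholders, algorithm 8 and digest type 2 (SHA-256) are assumed for illustration, and the function names are hypothetical. It checks only the DS-to-DNSKEY binding, not the RRSIG chain above it.

```python
import base64
import hashlib
import struct

# Constructed sample values, not a real key: 32 placeholder bytes as key material.
OWNER = "gov."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8   # 257 = zone key + SEP bit (a KSK)
KEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """Return (key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(ds, owner, rdata):
    """True only if the parent's DS record binds to exactly this DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2:          # this sketch handles SHA-256 digests only
        return False
    return (tag, algorithm, 2, digest.upper()) == make_ds(owner, rdata)

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, KEY_B64)
    ds = make_ds(OWNER, rdata)   # stands in for the DS published in the parent zone
    print("DS (constructed):", *ds)
    print("new KSK matches DS:", ds_matches(ds, OWNER, rdata))
    other = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, base64.b64encode(bytes(32)).decode())
    print("different key matches DS:", ds_matches(ds, OWNER, other))
```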