Re: [dns-wg] DNSSEC trust anchors for unsigned zones
To: Joao Damas Joao_Damas@localhost
From: bmanning@localhost
Date: Wed, 30 Jan 2008 12:53:05 +0000
Cc: Jim Reid jim@localhost, Alexander Gall gall@localhost, disi@localhost, dns-wg@localhost

On Wed, Jan 30, 2008 at 01:10:56PM +0100, Joao Damas wrote:
>
> On 30 Jan 2008, at 12:00, Jim Reid wrote:
>
> >On Jan 30, 2008, at 10:34, Alexander Gall wrote:
> >
> >>The current set of trust anchors distributed by RIPE NCC includes
> >>the domains
> >>
> >>disi.nl example.net pwei.net
> >>
> >>None of these currently have any DNSSEC resource records (i.e. they
> >>are insecure), which effectively breaks those zones for everybody who
> >>uses that particular set of trust anchors.
> >
> >Doesn't everyone check any third party's trust anchors before
> >configuring them into their secure resolvers?
>
> Sometimes. At other times I place trust in registries that do this for
> me (eg a DLV registry that I find I can trust). It's the same with SSL
> certificates, I have to trust the CA to do its job
>
> Joao

so...

the thing one trusts == the trust anchor
where one gets the thing trusted == the anchor source or some random third party, e.g. RIPE-NCC, Joao/ISC, Verisign, etc..
how one gets there == a config stmnt

people refer to these three things as "trust anchors"... which is it folks?

--bill
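
The check discussed in this thread (verifying a third party's trust anchors before configuring them) can be sketched as follows. This is an added example, not part of the original message or of any RIPE NCC tooling. The zone names, key material and observed DNSKEY sets are constructed; in practice the observed sets would come from querying each zone.

```python
import base64
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_anchors(anchors, observed):
    """Classify each configured anchor against the DNSKEY RRset seen for its zone."""
    report = {}
    for zone, anchor in anchors.items():
        want = dnskey_rdata(*anchor)
        published = [dnskey_rdata(*k) for k in observed.get(zone, [])]
        if not published:
            # Zone publishes no DNSKEY: a validator holding this anchor expects
            # signed data, gets none, and treats every answer as bogus.
            status = "stale-unsigned"
        elif want in published:
            status = "ok"
        else:
            # Zone is signed, but not with the anchored key (e.g. after a rollover).
            status = "mismatch"
        report[zone] = (status, key_tag(want))
    return report

# Constructed sample data: toy 4-byte "keys", not real DNSKEYs.
ANCHORS = {
    "unsigned.example.": (257, 3, 8, "AQIDBA=="),
    "signed.example.": (257, 3, 8, "AQIDBA=="),
    "rolled.example.": (257, 3, 8, "AQIDBA=="),
}
OBSERVED = {
    "unsigned.example.": [],
    "signed.example.": [(256, 3, 8, "BQYHCA=="), (257, 3, 8, "AQIDBA==")],
    "rolled.example.": [(257, 3, 8, "BQYHCA==")],
}

if __name__ == "__main__":
    for zone, (status, tag) in audit_anchors(ANCHORS, OBSERVED).items():
        print(f"{zone:20} key tag {tag:5}  {status}")
```

Any anchor reported as `stale-unsigned` or `mismatch` should be dropped or refreshed before the set is loaded into a validating resolver.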