[dns-wg] DNSSEC trust anchors for unsigned zones
Jim Reid jim at rfc1035.com
Wed Jan 30 12:00:38 CET 2008
On Jan 30, 2008, at 10:34, Alexander Gall wrote: > The current set of trust anchors distributed by RIPE NCC includes > the domains > > disi.nl example.net pwei.net > > None of these currently have any DNSSEC resource records (i.e. they > are insecure), which effectively brakes those zones for everybody who > uses that particular set of trust anchors. Doesn't everyone check any third party's trust anchors before configuring them into their secure resolvers? > I guess it would be more prudent for RIPE NCC to only distribute > the keys for their own zones Indeed. Can someone from the NCC please explain why these keys (which appear to have nothing to do with the NCC) are present? I think it's also regrettable that this file seems to mix keys that are presumably for experimental purposes -- testing in the likes of example.net (say) -- with operational ones. Thanks for catching this Alex. You've given an extra requirement for the Trust Anchor Repository Task Force to consider.
[ dns-wg Archives ]