This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] DNSSEC trust anchors for unsigned zones

Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Joao Damas Joao_Damas at isc.org
Wed Jan 30 13:10:56 CET 2008

On 30 Jan 2008, at 12:00, Jim Reid wrote:

> On Jan 30, 2008, at 10:34, Alexander Gall wrote:
>
>> The current set of trust anchors distributed by RIPE NCC includes  
>> the domains
>>
>> disi.nl example.net pwei.net
>>
>> None of these currently have any DNSSEC resource records (i.e. they
>> are insecure), which effectively brakes those zones for everybody who
>> uses that particular set of trust anchors.
>
> Doesn't everyone check any third party's trust anchors before  
> configuring them into their secure resolvers?

Sometimes. At other times I place trust in registries that do this for  
me (eg a DLV registry that I find I can trust). It's the same with SSL  
certificates, I have to trust the CA to do its job

Joao

Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]