[dns-wg] DNSSEC trust anchors for unsigned zones
- Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Wed Jan 30 13:53:05 CET 2008
On Wed, Jan 30, 2008 at 01:10:56PM +0100, Joao Damas wrote: > > On 30 Jan 2008, at 12:00, Jim Reid wrote: > > >On Jan 30, 2008, at 10:34, Alexander Gall wrote: > > > >>The current set of trust anchors distributed by RIPE NCC includes > >>the domains > >> > >>disi.nl example.net pwei.net > >> > >>None of these currently have any DNSSEC resource records (i.e. they > >>are insecure), which effectively brakes those zones for everybody who > >>uses that particular set of trust anchors. > > > >Doesn't everyone check any third party's trust anchors before > >configuring them into their secure resolvers? > > Sometimes. At other times I place trust in registries that do this for > me (eg a DLV registry that I find I can trust). It's the same with SSL > certificates, I have to trust the CA to do its job > > Joao so... the thing one trusts == the trust anchor where one gets the thing trusted == the anchor source or some random third party, e.g. RIPE-NCC, Joao/ISC, Verisign, etc.. how one gets there == a config stmnt people refer to these three things as "trust anchors"... which is it folks? --bill
- Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]