To: Edward Lewis <lewis@tislabs.com>
cc: dnsop@cafax.se
From: Jerry Scharf <scharf@vix.com>
Date: Wed, 12 Apr 2000 10:39:26 -0700
In-reply-to: Your message of "Wed, 12 Apr 2000 13:13:05 EDT." <v03130311b51a3bc1c2d1@[10.33.10.14]>
Sender: owner-dnsop@cafax.se
Subject: Re: Off-tree validation
First you have to ask how a resolver/recursive server somewhere in the world would find anything outside the chain to the root or local config for KEY validation. As you said, you can't have the zone in question do it, since that is easily subverted. That makes this really a DNSEXT question rather than a DNSOP one.

To find the certifier, it does have to be the parent that points there. The justification I could see for this would be that the certifier can do a better job of KEY management for the zone than the zone can, as believed by the zone. That seems too weak to justify the massive addition in complexity to all of DNSSEC.

Does anyone have a better justification?

jerry