Re: Remarks on draft-stjohns-dnssec-sigonly
On Wed, Dec 20, 2006 at 05:01:28PM -0500, Mike StJohns wrote:
> With respect to off-tree signatures - a zone admin could add an
> off-tree pointer at any point in a hierarchy and then you could rely
> upon the pointer if the validator actually got it. The problem is
> that without some external flag (in PNE - that's the set of trust
> anchors) - the resolver doesn't even know the hierarchy should be
> signed;
Right. I took the Laurie draft, though, to suggest a mechanism for
that distribution, such that the resolver gets the data indirectly.
It's not perfect, but it's a bootstrap that I _think_ would work.
> (no DS records in the span). The entire namespace of the zone does
> continue to be signed, but in a summary way. (Of course, you can put
Right, ok, then something else _was_ what you meant. I think the
practical difference isn't that big, but you're strictly right that
it's still impossible to do partial signing.
A
--
Andrew Sullivan, Afilias Canada
204-4141 Yonge Street, Toronto, Ontario, Canada M2P 2A8
<andrew@ca.afilias.info>
jabber: ajsaf@jabber.org
+1 416 646 3304 x4110
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>