
Re: [dnsext] Trust Anchors



On 26 Oct 2009, at 14:51, Andrew Sullivan wrote:

> On Sun, Oct 25, 2009 at 06:05:21AM -0700, Bob Halley wrote:
>
>> didn't see such a strong consensus for the ANY approach.  At best I
>> saw support for ANY + CLOSEST (and perhaps other schemes).
>
> Could you say more about what "ANY + CLOSEST" would be?  That is,
> since closest is obviously inside the any chain, if any works then by
> definition closest works, assuming closest is in fact a valid key.

Sorry for being unclear.  What I meant by "ANY + CLOSEST" would be something like

Validators SHOULD allow a configurable choice between the CLOSEST and ANY trust anchor policies.  The default is left to the implementation.  Operators should consider carefully which policy is right for them.

To be clear, I still prefer a MUST or a SHOULD for CLOSEST.  But if there is not consensus for that, I'd settle for not blessing ANY as the default.

/Bob
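The two policies under discussion, as an added toy model that is not code from this thread or from any validator. It assumes a trust anchor is a (zone, key tag) pair, that each zone's currently published DNSKEYs are known as a set of key tags, and that a delegation is "secure" when the parent's DS matches a child key (modelled simply as a (parent, child) pair); zone names, key tags and the delegation set are constructed. CLOSEST starts only from the deepest configured anchor enclosing the name; ANY tries every enclosing anchor, closest first, and succeeds if any chain works. The sample data includes a local anchor for example.org. whose key has been rolled, which is the case where the two policies give different answers.

```python
"""Toy model of the CLOSEST and ANY trust-anchor policies.

Constructed example; not code from the dnsext thread or any validator.
Zone names are fully qualified ("." is the root). A trust anchor is a
(zone, key tag) pair, zone_keys maps a zone to its published key tags,
and secure_delegations holds (parent, child) pairs whose DS/DNSKEY match.
"""


def labels(name):
    """'www.example.org.' -> ['org', 'example', 'www']; the root is []."""
    name = name.lower().rstrip(".")
    return name.split(".")[::-1] if name else []


def encloses(zone, name):
    """True when `zone` is `name` itself or one of its ancestors."""
    z = labels(zone)
    return labels(name)[: len(z)] == z


def enclosing_anchors(name, anchors):
    """Configured anchor zones that enclose `name`, deepest (closest) first."""
    zones = [z for z in anchors if encloses(z, name)]
    return sorted(zones, key=lambda z: len(labels(z)), reverse=True)


def candidate_anchors(name, anchors, policy):
    """CLOSEST: only the deepest enclosing anchor. ANY: every enclosing anchor."""
    ordered = enclosing_anchors(name, anchors)
    if policy == "CLOSEST":
        return ordered[:1]
    if policy == "ANY":
        return ordered
    raise ValueError("unknown policy: %r" % policy)


def chain_is_secure(name, anchor_zone, anchors, zone_keys, zones, secure_delegations):
    """Can `name` be validated starting from the anchor configured for `anchor_zone`?"""
    # A stale anchor (key tag no longer published in the zone) breaks the
    # chain at the very first step.
    if not anchors[anchor_zone] & zone_keys.get(anchor_zone, set()):
        return False
    # Walk the zone cuts from the anchor zone down to the zone holding `name`;
    # every delegation along the way must be secure.
    path = sorted(
        (z for z in zones if encloses(anchor_zone, z) and encloses(z, name)),
        key=lambda z: len(labels(z)),
    )
    return all((p, c) in secure_delegations for p, c in zip(path, path[1:]))


def validate(name, policy, anchors, zone_keys, zones, secure_delegations):
    """Return (ok, anchor_zone_used) for `name` under the given policy."""
    for zone in candidate_anchors(name, anchors, policy):
        if chain_is_secure(name, zone, anchors, zone_keys, zones, secure_delegations):
            return True, zone
    return False, None


# --- constructed sample data (zones, key tags and delegations are made up) ---
ZONES = {".", "org.", "example.org."}
ZONE_KEYS = {".": {1001}, "org.": {2002}, "example.org.": {3003}}
SECURE_DELEGATIONS = {(".", "org."), ("org.", "example.org.")}

# The operator configured a root anchor plus a local anchor for example.org.
# In STALE_ANCHORS the local key has been rolled: tag 9999 is no longer published.
STALE_ANCHORS = {".": {1001}, "example.org.": {9999}}
FRESH_ANCHORS = {".": {1001}, "example.org.": {3003}}


def demo(anchors):
    """Run both policies for www.example.org. against one anchor configuration."""
    return {
        policy: validate("www.example.org.", policy, anchors, ZONE_KEYS, ZONES, SECURE_DELEGATIONS)
        for policy in ("CLOSEST", "ANY")
    }


if __name__ == "__main__":
    print("stale local anchor:", demo(STALE_ANCHORS))
    print("fresh local anchor:", demo(FRESH_ANCHORS))
```

With the stale local anchor, CLOSEST fails (its only candidate key is unpublished) while ANY falls through to the root anchor and succeeds; with a fresh local anchor both policies succeed from example.org., since ANY tries the closest anchor first. The model makes the operational trade-off visible: ANY masks a forgotten local anchor, CLOSEST surfaces it as a validation failure.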