Paul Wouters wrote:
DNSSEC involves no certificates and no certificate authorities. You know
As is documented in the paper of David Clark;
These certificates are principal components of essentially all
public key schemes, except those that are so small in scale that
the users can communicate their public keys to each other one to
one, in an ad hoc way that is mutually trustworthy.
certificates are principal components of DNSSEC, a large scale
public key scheme.
Not calling intermediate certificates between zones certificates
does not change the reality that DNSSEC involves certificates.
Though there seems to be some confusion that DNSSEC security were
end to end
See the paper above to see why DNSSEC is NOT end to end.
Of cource, you may argue against David Clark, but, do so with
Ietf mailing list