Richard Barnes wrote:
> (That is: You already trust the zones above you to maintain the
> integrity of the zone on the *server*;

This assumption does not stand universally. For some DNS users/usage,
DNSSEC signature verification will be a must. The discussion implicitly
referred to such uses.
Then, it is legitimate to appraise the overall confidence in the DNSSEC
chain of signatures, and to pinpoint the weakest link (e.g. the zone
manager having the greatest likelihood of lousy private key protection
in place).
Indeed, DNS+DNSSEC is no different from plain DNS for those who are
satisfied with the plain DNS. For those awaiting DNS+DNSSEC for some
uses, it is useful to understand DNSSEC chains of digital signatures.
Accessorily, the zones "above you" means nothing to a relying party
that is not validating its own domain.
Regards,
--
- Thierry Moreau
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf