On Fri, Nov 28, 2008 at 10:58:59AM -0500, Andrew Sullivan wrote:
As a DNS geek, I'd _prefer_ more-intelligent end points with respect
to the DNS. But I don't buy the argument that they're a necessary
condition for DNSSEC deployment.
apparently you and john (and me too) do not share a
common POV on what is ment by the term, "DNSSEC deployment".
if I may borrow some phrasing from Steve and put words
in your mouth....
a linked suite of signed zones with the DNSKEY/DS records
imbedded in the parents zones, all the way to the root zone,
and or a look aside system where these records are kept
constitutes DNSSEC deployment.
end point visability or use of this chain of custody is
immaterial to DNSSEC deployment.
Is that really what you are trying to say?
several of them, do we need search rules for look-aside
databases
My personal reading of the current specifications is that, if you have
at least one path to validation, then validation is supposed to work.
So search rules ought not to be needed. What the implementations
actually do is currently at variance with my interpretation, however.
I think the problem occurs when you have -two- paths to
validation and the answers conflict.
--bill
A
--
Andrew Sullivan
ajs(_at_)shinkuro(_dot_)com
Shinkuro, Inc.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
--
--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf