
Re: End to End Secure Protocols are bogus.

2009-06-14 11:18:29
* Ralf Weber:

>> Wrong.  The majority of resolvers are maintained by Microsoft.
>> Microsoft could ship the KSK for the root to customer machines in a
>> security update.  As it happens, in this case, the KSK wouldn't even
>> be the penultimate key, showing that the debate over who holds the KSK
>> is quite pointless.  Now that we've got automatic software updates, we
>> don't even need a signed root.

> Can you elaborate on that? Last time I checked most of the Windows OS I
> know got their resolver IP from the DHCP server which either is the ISP's
> resolver, or the address of the broadband gateway, which DNS proxies to
> the ISP's resolver.

This doesn't have to change.  In DNSSEC, the recursor and validator
functions are separate.  The current approach to DNSSEC validation
promoted by Microsoft is different, though (the clients don't do
validation on their own, but use a secure transport to the recursive
resolver, which also performs validation).

However, root hint updates are generally rolled out through software
updates (not just by Microsoft, but by every other vendor, too).  It
should be possible to use a similar mechanism to distribute trust
anchors (it seems that some DRM stuff works in this fashion, too).
For those who want (or need) to opt out of the global root, a local
override needs to be provided.

But I can't really see widespread deployment of non-recursive
validators.  The protocol doesn't support well a scenario in which a
host with more trust anchors forwards a query to a cache with fewer
anchors, anyway.  For Debian, we'll likely recommend to run a
validating recursor with a small cache locally, and not something like
lwresd.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
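
Added illustration, not part of the original message: in the model the mail describes, where the client does no validation and relies on a validating recursive resolver reached over a secure transport, the stub learns the result from the AD header bit defined in RFC 4035. The function names and the sample headers below are constructed for this example; the mail itself does not mention the AD bit.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1 and RFC 4035 section 3.
QR = 0x8000  # message is a response
TC = 0x0200  # message was truncated
AD = 0x0020  # "authentic data": the resolver reports it validated the answer
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "ad": bool(flags & AD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def stub_trusts_answer(msg: bytes, query_id: int, transport_secured: bool) -> bool:
    """Policy for a stub that performs no DNSSEC validation of its own.

    AD is a single unsigned bit in the header, so it carries meaning only
    when the channel to the validating recursor is itself authenticated.
    """
    h = parse_header(msg)
    if not h["qr"] or h["id"] != query_id or h["rcode"] != 0 or h["tc"]:
        return False
    return h["ad"] and transport_secured


def make_response_header(txid: int, ad: bool) -> bytes:
    # Constructed sample header: QR|RD|RA set, one question, one answer.
    flags = 0x8180 | (AD if ad else 0)
    return struct.pack("!6H", txid, flags, 1, 1, 0, 0)
```

A stub applying this policy over plain UDP to a DHCP-supplied resolver address always gets `False`, which is why the approach depends on the secure transport.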