On Thu, Mar 05, 2015 at 07:56:09AM +0100, Eliot Lear wrote:
Victor,
A simple way to address the concern that Sam raised is to note that
DNSSEC's trust model is largely binary, and not subject to alternative
trust anchors. That is- parent zone administrator's keys may either be
trusted or not. On the other hand, I don't know that this is the draft
to take on that issue. It's a fundamental difference between the two
models and there are pluses and minuses to each, and it's perhaps worth
exploring, but in this draft?
I don't see a need to explore the details in this draft, rather it
just needs to avoid claiming equivalence. Just don't pretend the
issue is not there.
So for me it would be enough to note that DNSSEC introduces a new
trust model than application designers need to consider when the
URI DNS record is introduced into application designs.
If that's good enough for Sam too, then perhaps he or I can write
a sentence or two saying essentially that to replace the IMHO overly
strong claim that DNSSEC indirection is essentially the same as
HTTP redirects.
--
Viktor.