Hi all,

Per below, Dave and I scribbled some thoughts down about how we might recommend validators obtain a useful root zone trust anchor on startup.

It's scrappy, and it's little more than I have said on this list in the past week, but I thought it might be handy to have in written form.

I used a dnsop tag rather than a dnsext one at Andrew Sullivan's suggestion, since this looks like operations more than it looks like protocol work.

dnsoppers: there's a party going on in dnsext. Look over the fence for context. Reply-To set.

Joe

Begin forwarded message:

> From: IETF I-D Submission Tool <idsubmiss...@ietf.org>
> Date: 31 January 2011 14:24:56 EST
> To: Joe Abley <joe.ab...@icann.org>
> Cc: Dave Knight <dave.kni...@icann.org>
> Subject: New Version Notification for draft-jabley-dnsop-validator-bootstrap-00
>
> A new version of I-D, draft-jabley-dnsop-validator-bootstrap-00.txt has been
> successfully submitted by Joe Abley and posted to the IETF repository.
>
> Filename: draft-jabley-dnsop-validator-bootstrap
> Revision: 00
> Title: Establishing an Appropriate Root Zone DNSSEC Trust Anchor at Startup
> Creation_date: 2011-01-31
> WG ID: Independent Submission
> Number_of_pages: 17
>
> Abstract:
> Domain Name System Security Extensions (DNSSEC) allow cryptographic
> signatures to be used to validate responses received from the Domain
> Name System (DNS). A DNS client which validates such signatures is
> known as a validator.
>
> The choice of appropriate root zone trust anchor for a validator is
> expected to vary over time as the corresponding cryptographic keys
> used in DNSSEC are changed.
>
> This document provides guidance on how validators might determine an
> appropriate trust anchor for the root zone to use at start-up, or
> when other mechanisms intended to allow key rollover to be tolerated
> gracefully are not available.
>
> The IETF Secretariat.