> On Nov 29, 2016, at 8:31 AM, Olafur Gudmundsson <o...@ogud.com> wrote: > > IMHO the device should have two sources of truth for DNSSEC root TA > a) DNS via RFC5011 > b) Secure Software update from the vendor > > If both fail then operator should be invoked.
Did you see my message earlier in the thread? Is there a reason you don't include a third option: retrieving the trust anchor file published by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and validating with the detached S/MIME signature published in the same place (https://data.iana.org/root-anchors/root-anchors.p7s)? That signature chains to the ICANN CA cert, which currently expires in 2029. Sure, it's more code, but it can all be done with OpenSSL, for example. Matt -- Matt Larson VP of Research, Office of the CTO, ICANN _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop