On Wed, 15 Nov 2017, Frederico A C Neves wrote:
> Yes. And add to that cases where TLDs rolled just before adding to the root.
So what is the security model then? Let's say .example rolled and now has a bad DS. Someone overrides this with a local trust anchor so the domain does not go dark.

- How do you know the roll was legitimate?
- How does an application make a security decision about a found TLSA record that depends on this trust anchor?

Now .example rolls to yet another key to fix their mistake and updates the DS.

- How does the application know the roll is legitimate?
- How does an application make a security decision about a found TLSA record that depends on this trust anchor?
- Who, why and when does the local trust anchor get deleted? What if _this_ is the key that example.com lost the private key to?

Now same as above, but one of these rolls was done by an attacker and is malicious.

Trusting "any"thing is just a path to madness.

Paul
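To make the chain-of-trust argument in Paul's message concrete, here is an added example that is not part of the DNSOP thread. It implements the real DS digest and key-tag computation from RFC 4034 (SHA-256 digest over the canonical owner name plus DNSKEY RDATA, digest type 2) and then walks through the rolls the message describes for a constructed `.example` zone. The validator function `validate_ksk`, the constructed placeholder keys (fixed byte strings standing in for public keys, so no signatures are checked) and the scenario dictionary are this example's own assumptions, not anything from the thread or from any resolver implementation.

```python
"""Toy DNSSEC DS-chain check (constructed example, not code from the DNSOP thread).

A child zone's KSK is accepted when the DS in the parent matches it, or when
the operator has installed the key as a local trust anchor.  The scenario at
the bottom shows that the "local" path carries no evidence about *why* a key
is trusted, which is the point the message makes.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone name, e.g. "example."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # opaque key bytes; placeholders in this example
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag for algorithms other than 1."""
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b if i & 1 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


def canonical_name(name: str) -> bytes:
    """Owner name in canonical (lower-cased, uncompressed) wire form."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            lbl = label.lower().encode()
            out += bytes([len(lbl)]) + lbl
    return out + b"\x00"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def ds_digest(key: DNSKEY) -> bytes:
    """RFC 4034 section 5.1.4: digest over owner name || DNSKEY RDATA."""
    return hashlib.sha256(canonical_name(key.owner) + key.rdata()).digest()


def make_ds(key: DNSKEY) -> DS:
    """The DS record a parent would publish for this child KSK."""
    return DS(key.key_tag(), key.algorithm, 2, ds_digest(key))


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    return (ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm
            and ds.digest_type == 2
            and hmac.compare_digest(ds.digest, ds_digest(key)))


def validate_ksk(key: DNSKEY, parent_ds_set: List[DS],
                 local_anchors: List[DNSKEY]) -> Optional[str]:
    """Assumed validator policy: 'parent' if the parent's DS vouches for the
    key, 'local' if an operator-installed trust anchor equals it, else None
    (the zone is bogus and, for an application, 'goes dark')."""
    if any(ds_matches(ds, key) for ds in parent_ds_set):
        return "parent"
    if any(ta.owner == key.owner and ta.rdata() == key.rdata() for ta in local_anchors):
        return "local"
    return None


def run_scenario() -> dict:
    """Replay the rolls from the message with constructed placeholder keys."""
    ksk1 = DNSKEY("example.", 257, 13, b"\x01" * 32)      # key the root published a DS for
    ksk2 = DNSKEY("example.", 257, 13, b"\x02" * 32)      # rolled to without updating the DS
    ksk3 = DNSKEY("example.", 257, 13, b"\x03" * 32)      # rolled to again when fixing the mistake
    ksk_evil = DNSKEY("example.", 257, 13, b"\xee" * 32)  # constructed attacker-generated key

    root_ds = [make_ds(ksk1)]
    out = {}
    out["before_roll"] = validate_ksk(ksk1, root_ds, [])              # "parent"
    out["after_bad_roll"] = validate_ksk(ksk2, root_ds, [])           # None: DS mismatch
    local = [ksk2]                                                    # operator "fixes" it locally
    out["with_local_anchor"] = validate_ksk(ksk2, root_ds, local)     # "local"
    # An attacker's key installed the same way yields the identical verdict:
    # the validator has no signal separating a legitimate roll from a malicious one.
    out["attacker_key_with_local_anchor"] = validate_ksk(ksk_evil, root_ds, [ksk_evil])
    root_ds = [make_ds(ksk3)]                                         # .example fixes the DS
    out["ksk3_after_fix"] = validate_ksk(ksk3, root_ds, local)        # "parent"
    # The stale local anchor still trusts ksk2, even if ksk2 is the key whose
    # private half was lost; nothing in the chain says when to remove it.
    out["stale_ksk2_after_fix"] = validate_ksk(ksk2, root_ds, local)  # "local"
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:32s} -> {verdict}")
```

The DS and key-tag code is the standard computation, so you can feed it a real DNSKEY RDATA and compare against a published DS; the point of the scenario is that every "local" verdict looks the same to an application regardless of whether the anchor reflects a legitimate roll, an operator mistake, or an attacker's key.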