> On Dec 15, 2017, at 10:37 AM, Joe Abley <jab...@hopcount.ca> wrote:
>
> In practical terms anybody who has a non-root trust anchor installed has a
> bidirectional operational relationship with the people who publish it.
> Synchronising that trust anchor, with the glorious benefit of a full list of
> relying parties and knowledge of how to interact with them, is a far cry from
> the situation we find ourselves in with the root zone.

I'm not convinced that even in the scenario you describe the trust anchor publisher could really count on knowing all the relying parties. And even if they did, a mechanism to give visibility would still be desirable, even in that controlled situation.

I think there should be a very high bar for making any zone special in the protocol. In this case, I don't see the harm in making the sentinel mechanism more general, especially if implementations offer controls to disable it on a per-zone basis.

With my root zone KSK roll responsibility hat on, I'd sure like for this mechanism to be enabled by default. In that case, an operator could have the ability to shut off sentinel on secret.example but easily leave it enabled for the root.

Matt