> On Mar 5, 2018, at 4:05 PM, Geoff Huston <g...@apnic.net> wrote:
> 
> For example, if researcher Duane sets up a test zone in Freedonia and sets up 
> validly and invalidly signed domain names within the Freedonia name realm, 
> then couldn’t an Ad-based large scale test reveal this information anyway 
> without recourse to a sentinel? Endpoints outside Freedonia would presumably 
> see two invalidly signed names, while folk within the realm would see the 
> validly signed one and not the other. i.e. the sentinel approach would not be 
> the only way to expose this information. 

I think it's different.  The above can tell you whether certain names were 
resolvable (maybe even validatable?) but kskroll sentinel tells you that 
specific key tags are or are not present in the TA store even if those keys 
don't have "active" chains of trust.

DW

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
