> The root zone and private-use internal zones that anchor private
> namespaces might all benefit from a robust trust anchor distribution
> strategy. If validators have the ability to be configured elegantly
> with all the trust anchors they need without the attention of a
> knowledgeable administrator (as a validating stub resolver might
> need with the root zone trust anchor) we might find that the DNSSEC
> concerns that led to horrors like home.arpa all disappear.

I think it would be good to have support for more trust anchors. Also for public domains. However, additional root CAs for X509 certs is quite a mess. DNS would be slightly better, a trust anchor covers only part of the DNS tree, unlike installing a root CA. However, ultimately trust in your trust anchor is limited to the trust in the mechanism used to distribute the trust anchor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop