On Nov 17, 2018, at 17:57, Eric Luehrsen via Unbound-users <unbound-users@nlnetlabs.nl> wrote:
> If Unbound is running and therefore
> doing its RFC5011 work, then don't run unbound-anchor.

These seem like good words.

The one possible wrinkle is that it's not enough for Unbound to run to do 5011; it needs to run over a period that exceeds the hold-down timer (section 2.2). So knowing that Unbound is doing its RFC 5011 work is more complicated than knowing that it is running.

The whole business of trust anchor bootstrap is long overdue for rethinking. The current mechanisms meet particular use-cases but, I think it's fair to say, are widely considered to be less than adequate. This is work that I hope to pick up again in the dnsop wg, following the less than universally-loved draft-jabley-dnsop-validator-bootstrap.

Joe
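The hold-down point above, as an added example that is not part of the original message: a simplified Python model of the RFC 5011 section 2.2 acceptance timer, showing that a resolver which is running now has not necessarily observed a new key for long enough to trust it. The key tags, probe timelines and function names are constructed for illustration; the model assumes the 30-day add hold-down and ignores the original-TTL term and key revocation.

```python
"""Simplified model of the RFC 5011 add hold-down (section 2.2)."""

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY  # assumed add hold-down time: 30 days, in seconds

OLD, NEW = 11111, 22222   # constructed key tags, not real trust anchors


def acceptance_time(observations, new_key, hold_down=ADD_HOLD_DOWN):
    """Return the time at which new_key becomes a trust anchor, or None.

    observations: time-ordered (timestamp, key_tags) pairs, one per DNSKEY
    RRset the resolver fetched and validated with an existing anchor.
    A resolver that is not running produces no observations.
    """
    first_seen = None
    for ts, keys in observations:
        if new_key not in keys:
            first_seen = None   # validly signed RRset without the key: reset
        elif first_seen is None:
            first_seen = ts     # acceptance timer starts
        elif ts - first_seen >= hold_down:
            return ts           # timer expired and key seen again: accept
    return None


def daily(start_day, end_day, keys):
    """Constructed timeline: one validated probe per day, inclusive."""
    return [(d * DAY, keys) for d in range(start_day, end_day + 1)]


# Resolver running for the whole period: key accepted on day 30.
continuous = daily(0, 40, {OLD, NEW})

# Resolver that only started on day 35: running, but timer not yet served.
late_start = daily(35, 40, {OLD, NEW})

# Key missing from one validated RRset on day 10: timer restarts on day 11.
interrupted = (daily(0, 9, {OLD, NEW}) + [(10 * DAY, {OLD})]
               + daily(11, 45, {OLD, NEW}))

if __name__ == "__main__":
    for name, obs in [("continuous", continuous), ("late_start", late_start),
                      ("interrupted", interrupted)]:
        t = acceptance_time(obs, NEW)
        print(name, "not yet trusted" if t is None else f"trusted on day {t // DAY}")
```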