On Fri, 3 Oct 2014, valdis.kletni...@vt.edu wrote:
> On Fri, 03 Oct 2014 05:28:35 -0400, Anders Kaseorg said:
> > This bottom-up algorithm also seems to have a security problem that’s
> > just as bad as one with the top-down algorithm that you rejected
> > below. Consider the same department.campus.university.edu example,
> > where campus and edu are signed zones, and university is not a zone.
>
> This issue is why trust anchors were devised so people could start
> deploying DNSSEC before stuff like .COM got signed.

No, you’re misreading. Trust anchors address the case where
campus.university.edu is a signed zone and university.edu is an unsigned
zone. We’re talking about the case where university.edu is not a zone at
all, so that campus.university.edu is served directly from the edu zone.

Obviously this won’t happen at the real edu zone, but real examples exist:
env.state.ma.us, state.ma.us, us are signed zones, and ma.us is not a
zone.

Anders

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss