On Tue, 12 May 2009, Olafur Gudmundsson wrote:
Section 3: "Priming can occur when the validating resolver starts, but a
validating resolver SHOULD defer priming of individual trust anchors until
each is first needed for verification." I disagree with this as a SHOULD;
"may want to" is much more appropriate. I see nothing wrong with wanting to
get the first round of crypto out of the way at startup.
Good point,
How about s/SHOULD/MAY want to/ ?
I think that would be "COULD" then....
If vendor X is willing to become a TAR for a large number of domains, that is
fine, I think we assumed (possibly incorrectly) that vendors were not in the
TAR business.
It's a choice of "becoming a TAR vendor" or "outsource to ISC DLV". I still
believe the DLV should be used for signed entries in unsigned parents only,
and no, I don't count the root, so as to minimize the dependency on one DLV
Registry.
For example, how quickly will Apple be able to push out a new set of TAs
to the millions of clients they have?
I don't think commercial OS vendors have much of a problem here. The open source
vendors, where updates are not a mandatory part of life, might have a harder
time.
Paul
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop