On 2013-10-21, at 14:16, Paul Wouters <[email protected]> wrote: > For CPE devices, I think querying for the root key without dnssec to > use as time and possible TA is something it could possibly prompt the > user for. It would work without DHCP and not require new DHCP options. > CPE devices could also insecurely query for the proper ICANN website and > grab the trust anchor bundle (i.e. what unbound-anchor does) and use the > certificate of ICANN.
See also draft-jabley-dnsop-validator-bootstrap-00. Joe _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
