Hi Joe,

Thank you for your comment. draft-jabley-dnsop-validator-bootstrap-00 is mentioned in the draft. We would like to extend this to other non-root KSKs. Otherwise we do not see contradictions with what is mentioned in draft-jabley-dnsop-validator-bootstrap-00. As mentioned "[...] and believe the principle described in these documents [draft-jabley-dnsop-validator-bootstrap-00, and I-D.jabley-dnssec-trust-anchor] SHOULD be applied by the validators".

Best Regards,
Daniel

On Mon, Oct 21, 2013 at 8:27 PM, Joe Abley <[email protected]> wrote:

>
> On 2013-10-21, at 14:16, Paul Wouters <[email protected]> wrote:
>
> > For CPE devices, I think querying for the root key without dnssec to
> > use as time and possible TA is something it could possibly prompt the
> > user for. It would work without DHCP and not require new DHCP options.
> > CPE devices could also insecurely query for the proper ICANN website and
> > grab the trust anchor bundle (i.e. what unbound-anchor does) and use the
> > certificate of ICANN.
>
> See also draft-jabley-dnsop-validator-bootstrap-00.
>
>
> Joe
>

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
