It appears that Andrew Sullivan <[email protected]> said:
> In the absence of an automatic local trust-anchor installation mechanism that happens at
> network auto configuration (the very idea of which strikes me as creating way more
> problems than it is likely to fix), I don't see how DNSSEC is compatible with this
> degenerate use of a global namespace with an overloaded private use space.

I agree with your point that trying to make DNSSEC work in a private namespace is a losing battle. But since we clearly have people who think it should work, maybe they could try something along the lines of what I suggested yesterday, a TOFU way to publish local trust anchors on the theory that whatever network is the first one a device connects to is the one it trusts.

I have my doubts about whether it would make things better, but I'd rather give it a try than rerun the arguments about which flavor of DNSSEC breakage is the right one.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
