It appears that Michael Richardson  <[email protected]> said:
>The DNS objects (whether wire or presentation format) are all still DNSSEC
>signed. I think that the (outer) layer of TLS is about integrity check to make
>it harder for an attacker to suppress some pieces, breaking the transfer.

That assumes you already have a copy of the root DNSSEC keys. If you're
bootstrapping the root zone, maybe you do, maybe you don't, or your copy is out
of date. Since the root zone includes the keys, if you trust the TLS certificate,
that's a way you can get the current keys if you need them.

I keep pointing at RFC 9718 which deals with what is essentially the same issue.
You have the choice of trusting the certificate, or checking an external
signature (PGP in this case) if you prefer that.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]