On 5 Mar 2026, at 19:26, Philip Homburg <[email protected]> wrote:
> So your oven or CPE doesn't know what it is. And now it needs to get
> the root zone. Does it do that over plain old HTTP? Or Do53?

I think the point is how to validate what you retrieve, not how you retrieve it.

Years ago Dave Knight and I wrote a document that described how a validator might bootstrap itself from cold, first start. One of the imagined purposes of what we wrote was to provide guidance to unattended, unmanaged devices of which the aforementioned oven that is apparently running a resolver with local root might be an implausible example.

In that document we described a state machine of requirements before validation could take place, including trust anchor retrieval and gaining a sufficiently accurate sense of time.

I think the point with this oven is not that it needs an accurate clock to do localroot, it's that it needs an accurate clock (amongst other things) to do DNSSEC validation. It's the ability to validate that would be the direct requirement for localroot.

https://datatracker.ietf.org/doc/html/draft-jabley-dnsop-validator-bootstrap

(I still think this document is useful and would be happy to dig it out of the grave if anybody else also thinks that.)

Joe
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
