On 28 Sep 2010, at 02:20, Phillip Hallam-Baker <[email protected]> wrote:
> On Mon, Sep 27, 2010 at 10:48 AM, Tony Finch <[email protected]> wrote:
> On Fri, 24 Sep 2010, Phillip Hallam-Baker wrote:
> >
> > DNSSEC is a mechanism for establishing inter-domain trust. It is not an
> > appropriate technology for intra-domain trust.
>
> Why not?
>
> Because the root of trust for any enterprise is the enterprise itself. Not
> ICANN.

DNSSEC does not require you to use only ICANN's trust anchor. You can also use
your enterprise trust anchor, so you can validate your enterprise DNS
independently of any third party.

(The keyassure work might make this approach to key distribution easier than
running an enterprise X.509 CA. DNSSEC also has the advantage of a defined
trust anchor rollover protocol.)

You can also use third party trust anchors such as the ISC's DLV.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
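
An added example, not part of the original message: deriving the DS-format trust anchor for an enterprise zone from its key-signing DNSKEY, the form a validating resolver can be configured with independently of the root. The zone name `corp.example` and the key material are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_trust_anchor(zone: str, flags: int, algorithm: int, key_b64: str) -> str:
    """Return a DS-format trust anchor line (digest type 2, SHA-256)."""
    if not flags & 0x0100:
        raise ValueError("Zone Key flag not set; key cannot anchor a zone")
    if algorithm == 1:
        raise ValueError("algorithm 1 uses a different key tag calculation")
    rdata = dnskey_rdata(flags, 3, algorithm, base64.b64decode(key_b64))
    # DS digest input is the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    fqdn = zone.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

if __name__ == "__main__":
    # Constructed placeholder key material, far too short to be a real key.
    print(ds_trust_anchor("corp.example", 257, 8, "AAECAw=="))
```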