On Wed, Jan 30, 2008 at 01:10:56PM +0100, Joao Damas wrote:
On 30 Jan 2008, at 12:00, Jim Reid wrote:
On Jan 30, 2008, at 10:34, Alexander Gall wrote:
The current set of trust anchors distributed by RIPE NCC includes the domains
disi.nl example.net pwei.net
None of these currently have any DNSSEC resource records (i.e. they are insecure), which effectively brakes those zones for everybody who uses that particular set of trust anchors.
Doesn't everyone check any third party's trust anchors before configuring them into their secure resolvers?
Sometimes. At other times I place trust in registries that do this for me (eg a DLV registry that I find I can trust). It's the same with SSL certificates, I have to trust the CA to do its job
Joao
so... the thing one trusts == the trust anchor where one gets the thing trusted == the anchor source or some random third party, e.g. RIPE-NCC, Joao/ISC, Verisign, etc.. how one gets there == a config stmnt people refer to these three things as "trust anchors"... which is it folks? --bill