[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Trust point removal issue?

To: namedroppers@ops.ietf.org
Subject: Trust point removal issue?
From: Mike StJohns <Mike.StJohns@nominum.com>
Date: Mon, 05 Dec 2005 14:46:56 -0500

I'm soliciting input from the list for the following:

One of the possibilities in the "timers" trust anchor ID is that alltrust anchors at a trust point can be deleted (e.g. by setting therevoke bit on all of the DNSKEY records). One of the chairs asked meto clarify whether or not that resulted in a branch of the tree thatwas "secure" but unverifiable (since there were no trust anchors/rootkeys). The other option is that the deletion of all the trustanchors results in the deletion of the trust point with the branchbecoming unsecure (not subject to DNSSEC verification).

My personal opinion is that deletion of all of the trust anchorsshould result in deletion of the trust point. This comes from therobustness principle where I'd rather the accidental deletion of theroot trust anchors not result in a total inability (by secureresolvers) to resolve any DNS name.


Any discussion either way?

Mike


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- RE: Trust point removal issue?
  - From: "Scott Rose" <scottr@nist.gov>

Prev by Date: Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Next by Date: Re: Trust anchor key IPR issues within existing DNS operations business model
Previous by thread: Re: Last Call: 'The Role of Wildcards in the Domain Name System' to Proposed Standard
Next by thread: RE: Trust point removal issue?
Index(es):
- Date
- Thread