
RE: Trust point removal issue?



> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
>
> I'm soliciting input from the list for the following:
>
>
> One of the possibilities in the "timers" trust anchor ID is that all
> trust anchors at a trust point can be deleted (e.g. by setting the
> revoke bit on all of the DNSKEY records).  One of the chairs asked me
> to clarify whether or not that resulted in a branch of the tree that
> was "secure" but unverifiable (since there were no trust anchors/root
> keys).  The other option is that the deletion of all the trust
> anchors results in the deletion of the trust point with the branch
> becoming unsecure (not subject to DNSSEC verification).
>

I would agree - deletion of all the trust anchors would move the zone from
"signed" to "unsecure", just as with any other zone lacking a secure entry
point.  No different than a self-signed zone.

At least I'm assuming that is what you are saying.
Scott

> My personal opinion is that deletion of all of the trust anchors
> should result in deletion of the trust point.  This comes from the
> robustness principle where I'd rather the accidental deletion of the
> root trust anchors not result in a total inability (by secure
> resolvers) to resolve any DNS name.
>
> Any discussion either way?
>
> Mike
>
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
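
The two outcomes discussed in this thread, modelled as an added example (not part of either message or of the draft): a resolver-side lookup that classifies a name under each policy once every anchor at a trust point carries the revoke bit. The zone names, key tags, policy names, and the fallback to a superior trust point when one is deleted are assumptions of this model.

```python
from enum import Enum

REVOKE = 0x0080  # REVOKE bit in the DNSKEY flags field


class Policy(Enum):
    DELETE_TRUST_POINT = "delete"  # all anchors revoked: trust point goes away
    KEEP_TRUST_POINT = "keep"      # all anchors revoked: trust point stays


def live_anchors(anchors):
    """Anchors that have not been revoked."""
    return [a for a in anchors if not a["flags"] & REVOKE]


def ancestors(qname):
    """Yield qname and each enclosing zone name, ending at the root '.'."""
    stripped = qname.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "."


def security_status(qname, trust_points, policy):
    """Return (status, trust_point) for qname.

    trust_points maps a zone name to its list of DNSKEY anchors.
    status is 'secure' (validate from that trust point), 'insecure'
    (no DNSSEC verification), or 'unverifiable' (validation is required
    but no usable anchor exists, so every answer fails).
    """
    for zone in ancestors(qname):
        if zone not in trust_points:
            continue
        if live_anchors(trust_points[zone]):
            return ("secure", zone)
        if policy is Policy.KEEP_TRUST_POINT:
            return ("unverifiable", zone)
        # DELETE_TRUST_POINT: act as if never configured, keep walking up.
    return ("insecure", None)


# Constructed sample: both root anchors revoked (flags 385 = 257 | REVOKE).
ROOT_REVOKED = {".": [{"tag": 11111, "flags": 385},
                      {"tag": 22222, "flags": 385}]}
# Constructed sample: live root anchor, fully revoked anchor set below it.
NESTED = {".": [{"tag": 11111, "flags": 257}],
          "example.com.": [{"tag": 33333, "flags": 385}]}
```

With ROOT_REVOKED, the keep policy leaves every name unverifiable, which is the total resolution failure the original message wants to avoid, while the delete policy leaves the names insecure.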

