[ccwg-internet-governance] Form of contribution to NetMundial

Patrik Fältström paf at netnod.se
Tue Feb 25 06:47:35 UTC 2014


On 2014-02-25 00:30, Olivier MJ Crepin-Leblond wrote:
> Understand there's a Chain of Trust, ie. a domain get signed but is
> trusted only if the TLD under which the domain is, is signed too, and
> this can only work when the root is signed too with a key, hence this is
> how the Trusted Key Representatives come in the picture.

Well, not really.

It is perfectly ok to have the root signed, but not the TLD. Information
in the response from the root will say "here you have a referral to an
unsigned child zone" so as long as validation is done on the client side
(the one that queries) the response that is signed (the root) will be
validated. Even if the TLD is not signed.

So DNSSEC do protect the root zone regardless of whether the TLD is
signed or not.

   Patrik


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 291 bytes
Desc: OpenPGP digital signature
URL: <http://mm.icann.org/pipermail/ccwg-internet-governance/attachments/20140225/eaaa005f/signature.asc>


More information about the ccwg-internet-governance mailing list