[ccwg-internet-governance] Form of contribution to NetMundial
paf at netnod.se
Tue Feb 25 06:47:35 UTC 2014
On 2014-02-25 00:30, Olivier MJ Crepin-Leblond wrote:
> Understand there's a Chain of Trust, i.e. a domain gets signed but is
> trusted only if the TLD under which the domain is, is signed too, and
> this can only work when the root is signed too with a key, hence this is
> how the Trusted Key Representatives come in the picture.
Well, not really.
It is perfectly ok to have the root signed, but not the TLD. Information
in the response from the root will say "here you have a referral to an
unsigned child zone" so as long as validation is done on the client side
(the one that queries) the response that is signed (the root) will be
validated. Even if the TLD is not signed.
So DNSSEC does protect the root zone regardless of whether the TLD is
signed or not.
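
The behaviour described in the message above, as an added example that is not part of the original message: a simplified Python model of how a validating resolver classifies each zone when the root is signed but a TLD may not be. The `Delegation` class, the `classify` function and the zone names are hypothetical, the status names follow RFC 4035 section 4.3, and signature checks are represented by booleans rather than real cryptography.

```python
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class Delegation:
    """What a parent zone's referral says about one child zone (constructed model)."""
    child: str
    ds_present: bool        # parent publishes a DS record for the child
    parent_sig_valid: bool  # RRSIG over the DS, or over the NSEC/NSEC3
                            # proving that no DS exists, verifies correctly

def classify(chain):
    """Walk delegations down from the root; return [(zone, status), ...].

    Assumption: the root is signed and covered by the validator's trust anchor.
    """
    results = [(".", SECURE)]
    state = SECURE
    for d in chain:
        if state == SECURE:
            if not d.parent_sig_valid:
                state = BOGUS      # the signed parent's answer fails validation
            elif not d.ds_present:
                state = INSECURE   # signed proof that the child zone is unsigned
            # otherwise a valid DS extends the chain of trust into the child
        # once INSECURE or BOGUS, every zone below inherits that state
        results.append((d.child, state))
    return results

# Constructed sample chains; zone names are placeholders.
UNSIGNED_TLD = [Delegation("tld-a.", False, True),
                Delegation("example.tld-a.", False, False)]
SIGNED_ALL = [Delegation("tld-b.", True, True),
              Delegation("example.tld-b.", True, True)]
# A referral claiming "unsigned child" whose proof does not validate.
TAMPERED = [Delegation("tld-a.", False, False)]

if __name__ == "__main__":
    for name, chain in [("unsigned TLD", UNSIGNED_TLD),
                        ("fully signed", SIGNED_ALL),
                        ("tampered referral", TAMPERED)]:
        print(name, classify(chain))
```

In the first chain the root's referral is still validated and the TLD is reported as insecure rather than bogus; in the third, the same claim without a valid signature is rejected.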