On Fri, Nov 28, 2008 at 10:58:59AM -0500, Andrew Sullivan wrote: > > As a DNS geek, I'd _prefer_ more-intelligent end points with respect > to the DNS. But I don't buy the argument that they're a necessary > condition for DNSSEC deployment. apparently you and john (and me too) do not share a common POV on what is ment by the term, "DNSSEC deployment". if I may borrow some phrasing from Steve and put words in your mouth.... a linked suite of signed zones with the DNSKEY/DS records imbedded in the parents zones, all the way to the root zone, and or a look aside system where these records are kept constitutes DNSSEC deployment. end point visability or use of this chain of custody is immaterial to DNSSEC deployment. Is that really what you are trying to say? > > several of them, do we need search rules for look-aside > > databases > > My personal reading of the current specifications is that, if you have > at least one path to validation, then validation is supposed to work. > So search rules ought not to be needed. What the implementations > actually do is currently at variance with my interpretation, however. I think the problem occurs when you have -two- paths to validation and the answers conflict. --bill > > A > > -- > Andrew Sullivan > ajs@xxxxxxxxxxxx > Shinkuro, Inc. > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf -- --bill Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise). _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf