Re: DNSSEC is NOT secure end to end (more tutorial than debating)

Richard Barnes wrote:

(That is: You already trust the zones above you to maintain the integrity of the zone on the *server*;


This assumption does not stand universally. For some DNS users/usage, DNSSEC signature verification will be a must. The discussion implicitly referred to such uses.

Then, it is legitimate to appraise the overall confidence in the DNSSEC chain of signatures, and to pinpoint the weakest link (e.g. the zone manager having the greatest likelihood of lousy private key protection in place).

Indeed, DNS+DNSSEC is no different from plain DNS for those who are satisfied with the plain DNS. For those awaiting DNS+DNSSEC for some uses, it is useful to understand DNSSEC chains of digital signatures.

Accessorily, the zones "above you" means nothing to a relying party that is not validating its own domain.

Regards,

--

- Thierry Moreau

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
