* Ralf Weber:

>> Wrong. The majority of resolvers are maintained by Microsoft.
>> Microsoft could ship the KSK for the root to customer machines in a
>> security update. As it happens, in this case, the KSK wouldn't even
>> be the penultimate key, showing that the debate over who holds the KSK
>> is quite pointless. Now that we've got automatic software updates, we
>> don't even need a signed root.

> Can you elaborate on that? Last time I checked most of the Windows OS I
> know got their resolver IP from the DHCP server which either is the ISP's
> resolver, or the address of the broadband gateway, which DNS proxies to
> the ISP's resolver.

This doesn't have to change. In DNSSEC, the recursor and validator functions are separate. The current approach to DNSSEC validation promoted by Microsoft is different, though (the clients don't do validation on their own, but use a secure transport to the recursive resolver, which also performs validation).

However, root hint updates are generally rolled out through software updates (not just by Microsoft, but by every other vendor, too). It should be possible to use a similar mechanism to distribute trust anchors (it seems that some DRM stuff works in this fashion, too). For those who want (or need) to opt out of the global root, a local override needs to be provided.

But I can't really see widespread deployment of non-recursive validators. The protocol doesn't support well a scenario in which a host with more trust anchors forwards a query to a cache with fewer anchors, anyway. For Debian, we'll likely recommend to run a validating recursor with a small cache locally, and not something like lwresd.