On Thu, Mar 05, 2015 at 07:56:09AM +0100, Eliot Lear wrote:

> Victor,
>
> A simple way to address the concern that Sam raised is to note that
> DNSSEC's trust model is largely binary, and not subject to alternative
> trust anchors. That is, parent zone administrator's keys may either be
> trusted or not. On the other hand, I don't know that this is the draft
> to take on that issue. It's a fundamental difference between the two
> models and there are pluses and minuses to each, and it's perhaps worth
> exploring, but in this draft?

I don't see a need to explore the details in this draft, rather it just needs to avoid claiming equivalence. Just don't pretend the issue is not there.

So for me it would be enough to note that DNSSEC introduces a new trust model that application designers need to consider when the URI DNS record is introduced into application designs.

If that's good enough for Sam too, then perhaps he or I can write a sentence or two saying essentially that to replace the IMHO overly strong claim that DNSSEC indirection is essentially the same as HTTP redirects.

-- 
Viktor.