On Mon, 27 Mar 2006, Olaf M. Kolkman wrote:

>> I.e., by issuing a query for possible-delegation/IN/NS to the parent.

>
> Would querying for a DS at that parent work? I would think that that
> would be the regular fall back when trying to build a chain of
> trust?


I'm not certain, but it could only work if you either were lucky
enough to guess the proper name of the delegation point or tried them
all (remembering that the parent could have a multi-label delegation).
This is one of the reasons why the underspecification in 4.2.1 worries
me.

FWIW, I do concur with David's statement: "I don't see any actual
security value from the validator actually enforcing delegation-only",
which is one of the reasons I advocated removing the delegation-only
restriction rather than add more complexity to the validator and the
document.

-- Sam

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: