From: Valdis.Kletnieks@vt.edu
To: Anders Kaseorg
Cc: cerowrt-devel@lists.bufferbloat.net, dnsmasq-discuss@thekelleys.org.uk
Subject: Re: [Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Fri, 03 Oct 2014 13:28:05 -0400
Message-ID: <47625.1412357285@turing-police.cc.vt.edu>
In-Reply-To: Your message of "Fri, 03 Oct 2014 05:28:35 -0400." <542E6C43.9030002@mit.edu>
References: <535EACCB.7090104@thekelleys.org.uk> <20140428232459.GA55372@redoubt.spodhuis.org> <535FA793.8020502@thekelleys.org.uk> <542E6C43.9030002@mit.edu>

On Fri, 03 Oct 2014 05:28:35 -0400, Anders Kaseorg said:

> This bottom-up algorithm also seems to have a security problem that’s
> just as bad as one with the top-down algorithm that you rejected below.
> Consider the same department.campus.university.edu example, where
> campus and edu are signed zones, and university is not a zone.

This issue is why trust anchors were devised so people could start deploying
DNSSEC before stuff like .COM got signed.