Mike,

On Sep 21, 2014, at 12:01 PM, Michael StJohns <msj@nthpermutation.com> wrote:

> You say "5011 can't help with that scenario" ... but the truth is, NOTHING can help you with that scenario due to the one-way nature of DNS data.

Actually, nothing _in-band to the DNS_ can help. However, IIUC, we must be able to cope with scenarios in which we can’t trust any of the keys. I believe there are two scenarios in which this occurs: bootstrapping and catastrophic compromise of all keys. As far as I am aware, 5011 cannot help in either of these cases, so we have to have some mechanism that will allow for key {rollover,change} without the benefit of 5011. Given this, I’m still struggling to see the benefit that 5011 brings. This is not intended as criticism of 5011, rather it is a question related to pragmatics.

Regards,
-drc
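As an added illustration that is not part of the thread, the following Python model reduces RFC 5011 to its core acceptance rule (a DNSKEY RRset may change the trust-anchor set only if a currently trusted key signed it) and runs the routine rollover beside the two cases named above. The 30-day add hold-down and real RRSIG verification are omitted by assumption; signature validity is stubbed as a set of key tags.

```python
from dataclasses import dataclass, field

REVOKE = 0x0080  # DNSKEY flags bit 8 (RFC 5011)
KSK = 0x0101     # ZONE + SEP flags, a typical key-signing key

@dataclass
class DnskeyRRset:
    """Observed DNSKEY RRset: key tag -> flags, plus tags whose RRSIGs verify.
    Signature checking is stubbed as a set of tags (constructed, not real crypto)."""
    keys: dict
    valid_sigs: set

@dataclass
class TrustAnchorStore:
    trusted: set = field(default_factory=set)

    def observe(self, rrset: DnskeyRRset) -> str:
        # Gate: only an RRset validated by a currently trusted key may change state.
        # An empty store (bootstrapping) or one whose anchors were all revoked
        # (catastrophic compromise) can never pass this check in-band.
        if not (rrset.valid_sigs & self.trusted):
            return "ignored: not signed by any currently trusted key"
        # Step 1: a trusted key that self-signs with REVOKE set is dropped at once.
        for tag, flags in rrset.keys.items():
            if flags & REVOKE and tag in rrset.valid_sigs:
                self.trusted.discard(tag)
        # Step 2: unrevoked keys are accepted only if a key that is *still* trusted
        # signed the RRset (the 30-day add hold-down of RFC 5011 is omitted).
        if rrset.valid_sigs & self.trusted:
            for tag, flags in rrset.keys.items():
                if not flags & REVOKE:
                    self.trusted.add(tag)
        return f"trusted={sorted(self.trusted)}"

def run_scenarios() -> dict:
    """Final trust state for the three cases discussed in the thread."""
    results = {}
    # Routine rollover: key 2 is introduced under key 1, then key 1 revokes itself.
    s = TrustAnchorStore({1})
    s.observe(DnskeyRRset({1: KSK, 2: KSK}, {1}))
    s.observe(DnskeyRRset({1: KSK | REVOKE, 2: KSK}, {1, 2}))
    results["rollover"] = sorted(s.trusted)
    # Bootstrapping: no anchor yet, so nothing the zone publishes can be trusted.
    results["bootstrap"] = TrustAnchorStore().observe(DnskeyRRset({1: KSK}, {1}))
    # Catastrophic compromise: the only anchor is revoked, then a fresh key appears.
    s = TrustAnchorStore({1})
    s.observe(DnskeyRRset({1: KSK | REVOKE}, {1}))
    results["compromise"] = s.observe(DnskeyRRset({3: KSK}, {3}))
    return results
```

The rollover ends with key 2 trusted, while the bootstrap and compromise runs both stall at the gate, which is the point made in the message: once there is no trusted key left, only an out-of-band anchor can restart the process.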