I'm confused here. Are you saying that the DS owner name for an out-of-bailiwick NS would still be the name of that NS? If so, then it seems that you are asking the authoritative to sign a DS record for which it is not authoritative.
A different design that does not require signing records for which you are not authoritative would be to have the DS owner be that of the zone in question, with the DNSName in your structure being as Shane suggested.

--Paul Hoffman
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
