Ted's misunderstanding of what you are proposing is a valid one. You don't actually say what a negative trust anchor is, and what it is a trust anchor for, until section 7. Readers such as Ted (and myself!) will have strong prejudices by then.
I would want to see something in the Introduction saying something like:

This document discusses trust anchors for DNSSEC. A "negative trust anchor" is equivalent to a "regular" DNSSEC trust anchor for a particular instance of a recursive validating resolver. A negative trust anchor is quite different from regular DNSSEC trust anchors in that they are local, temporary, and definitely not distributed by IANA. They are trust anchors only for DNSSEC, not for PKIX.

That should help set the tone for the following sections that say how to use them, and then the much later sections on what they actually are.

--Paul Hoffman
