Joe Abley wrote: > > There's no protocol meaning at present for an apex DS RRSet, which means it > ought to be harmless to add one. A parent (or the parent's agent) could > decide to act upon the presence of a signed apex DS RRSet just as easily as > it could with CDS. It might as well pick up the signed NS set while it's > there.
because much of the dnssec infrastructure "knows" that DS is an exception to delegation, and that it's above the zone cut, there is no reliable way to query for it under the zone cut. paul _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
