On 2013-04-18, at 20:35, Paul Vixie <[email protected]> wrote:

> Joe Abley wrote:
>
>> There's no protocol meaning at present for an apex DS RRSet, which means it
>> ought to be harmless to add one. A parent (or the parent's agent) could
>> decide to act upon the presence of a signed apex DS RRSet just as easily as
>> it could with CDS. It might as well pick up the signed NS set while it's
>> there.
>
> because much of the dnssec infrastructure "knows" that DS is an
> exception to delegation, and that it's above the zone cut, there is no
> reliable way to query for it under the zone cut.

... except that the clients that would use the apex DS RRSet are special, in that they know precisely what servers to query.

But this would not be an aid to users who would suffer troubleshooting confusion galore, and that seems like a perfectly good reason not to do it.

Joe
