Joe, the special clients still have to forward through middle boxes sometimes.
This special rule won't be known there.

Paul

Joe Abley <[email protected]> wrote:

>
>On 2013-04-18, at 20:35, Paul Vixie <[email protected]> wrote:
>
>> Joe Abley wrote:
>> 
>>> There's no protocol meaning at present for an apex DS RRSet, which
>>> means it ought to be harmless to add one. A parent (or the parent's
>>> agent) could decide to act upon the presence of a signed apex DS RRSet
>>> just as easily as it could with CDS. It might as well pick up the
>>> signed NS set while it's there.
>> 
>> because much of the dnssec infrastructure "knows" that DS is an
>> exception to delegation, and that it's above the zone cut, there is no
>> reliable way to query for it under the zone cut.
>
>... except that the clients that would use the apex DS RRSet are
>special, in that they know precisely what servers to query.
>
>But this would not be an aid to users who would suffer troubleshooting
>confusion galore, and that seems like a perfectly good reason not to do
>it.
>
>
>Joe
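
Added example, not part of the original messages: a toy model of the point argued in this thread, assuming a DS-aware forwarder sends DS queries to the parent side of the zone cut while a special client queries the child's servers directly. The zone names, record strings and function names are constructed for illustration.

```python
# Constructed sample data: zones keyed by apex, each holding (owner, type) records.
ZONES = {
    ".": {},
    "com.": {("example.com.", "DS"): "parent-side DS (signed by com.)"},
    "example.com.": {
        ("example.com.", "NS"): "child-side NS",
        ("example.com.", "DS"): "apex DS (the idea discussed in the thread)",
    },
}


def parent_name(name):
    """Strip the leftmost label; the root has no parent."""
    if name == ".":
        return None
    rest = name.split(".", 1)[1]
    return rest or "."


def closest_zone(name):
    """Closest enclosing zone apex for a name."""
    while name not in ZONES:
        name = parent_name(name)
    return name


def zone_to_ask(qname, qtype):
    """Zone a DS-aware resolver or middle box routes the query to.

    DS is the exception to delegation: when qname is itself a zone
    apex, the query goes to the parent zone, above the cut.
    """
    zone = closest_zone(qname)
    if qtype == "DS" and zone == qname and qname != ".":
        zone = closest_zone(parent_name(qname))
    return zone


def resolve_via_middlebox(qname, qtype):
    """Answer as seen through a forwarder that applies the DS rule."""
    zone = zone_to_ask(qname, qtype)
    return zone, ZONES[zone].get((qname, qtype))


def resolve_direct(qname, qtype, zone):
    """Special client that already knows which zone's servers to query."""
    return ZONES[zone].get((qname, qtype))


if __name__ == "__main__":
    print(resolve_via_middlebox("example.com.", "DS"))
    print(resolve_direct("example.com.", "DS", "example.com."))
```
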
