Edward Lewis <[email protected]> writes:

> I firmly believe that a validator (as described in 4033-4035) should
> have to be altered for the CDS proposal.

I don't think so at all. Validators will still provide you with a "valid" answer for the CDS record no matter which key is used to sign the RRSIG for it. That's all well and good already. It's the (non-existent) application that will need the special rules. It will have to do additional checks beyond ensuring the record is simply "valid". It'll have to check which key was used to sign it.

And to say that we don't have that elsewhere and this is new isn't correct either. 5011 has a number of similar semantics. Consider the revoke bit for the simplest and closest to this case.

-- 
Wes Hardaker
Parsons

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
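
The split described in the message above, sketched as an added example that is not part of the original thread or of any CDS specification: the validator has already verified the RRSIGs, and the application then checks which key made the signature over CDS. The acceptance policy (signer must have the SEP bit set and the RFC 5011 REVOKE bit clear), the helper names and the sample keys are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034, RFC 5011)

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

@dataclass(frozen=True)
class RRSIG:  # only the fields this check reads
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str

def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(key.rdata()):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def cds_signer_ok(rrsigs, dnskeys, zone: str) -> bool:
    """Assumed policy: an already-validated RRSIG over CDS must come from
    a key with SEP set and REVOKE clear. Signatures are not re-verified."""
    for sig in rrsigs:
        if sig.type_covered != "CDS" or sig.signer != zone:
            continue
        matches = [k for k in dnskeys
                   if k.algorithm == sig.algorithm and key_tag(k) == sig.key_tag]
        # Key tags are not unique: if any candidate fails, the signer is ambiguous.
        if matches and all(k.flags & SEP and not k.flags & REVOKE for k in matches):
            return True
    return False

# Constructed sample keys (not real key material) for the zone "example."
KSK = DNSKEY(257, 13, bytes(range(64)))
ZSK = DNSKEY(256, 13, bytes(range(64, 128)))
REVOKED = DNSKEY(257 | REVOKE, 13, bytes(range(128, 192)))
KEYS = [KSK, ZSK, REVOKED]

def sig_by(key: DNSKEY, covered: str = "CDS") -> RRSIG:
    """Build the RRSIG header fields a signature by `key` would carry."""
    return RRSIG(covered, key.algorithm, key_tag(key), "example.")
```

A production application would ask its validator which DNSKEY actually verified the signature rather than matching on key tag alone, which is why an ambiguous tag match is rejected here.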
