Viktor Dukhovni <[email protected]> wrote: > A good list of problems. Sounds like it was a lot of hard work discovering those!
> * Having DS records in the parent zone with no matching DNSKEYs > at the zone apex is wrong. It's OK provided that at least one DS of each algorithm has a matching DNSKEY. You get dangling DS records during a "Double-DS" KSK rollover (RFC 6781). Tony. -- f.anthony.n.finch <[email protected]> http://dotat.at/ Tyne, Dogger, Fisher, German Bight, Humber: Southwest 5 to 7. Moderate or rough. Rain at times, showers later. Moderate or good, occasionally poor. _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
