On 10/31/17, 20:50, "DNSOP on behalf of Mark Andrews" <[email protected] on behalf of [email protected]> wrote:

>Secondly doing deepest match on trust anchors is the only secure way to
>prevent a parent overriding the child zone's security policy.

By this, do you mean choice of cryptographic algorithm and/or length? To achieve "independence" in this way, the child can simply refuse to have a DS record at the parent and then lean on managing trust anchors at all relying resolvers.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
