My 2 euro cents
The DNSKEY is the object that the registrants deal with, the DS is what the registry puts into the zone. You do not want the EPP protocol to fix where the DNSKEY to DS transformation takes place; that is why the protocol should allow for both the DNSKEY and DS RR, the rest is "local policy".
I personally like the idea that the registrants deal with DNSKEYs, that is what they have the tools for, they should not touch DS RRs. From a deployment point of view it is probably easier to centrally do the DNSKEY to DS hashing instead of shipping the tools to the customers (registrants). A registry could of course also push the responsibility for DS generation to the registrar. The EPP protocol should not enforce this but enable this.
What a registry (or registrar) could do at the moment it does the translation from DNSKEY to DS RR is to put both the values in the WHOIS DB. That could be handy for troubleshooting.
--Olaf Kolkman
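The DNSKEY to DS transformation discussed in this message, as an added example that is not part of the original post: it follows RFC 4034 (digest over owner name plus DNSKEY RDATA, key tag from Appendix B) and lets whoever does the hashing also check a submitted DS against a submitted DNSKEY. The function names and the four-byte key are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers (RFC 4034: 1 = SHA-1, RFC 4509: 2 = SHA-256,
# RFC 6605: 4 = SHA-384).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS fields (key tag, algorithm, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a submitted DS tuple is the hash of the submitted DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return (tag, alg, dtype, digest.replace(" ", "").upper()) == expected


if __name__ == "__main__":
    # Constructed input: "AQIDBA==" is four placeholder bytes, not a real key.
    tag, alg, dtype, digest = ds_from_dnskey("example.com.", 257, 3, 13, "AQIDBA==")
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```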
