Scott,

> If we remove the DNSKEY data, the RRSIG stuff goes with it because
> <secDNS:sig> is currently part of <secDNS:keyData>. Are you suggesting
> something else? If we remove it I can see a need for some text to describe
> the operational issue that you've touched on above.

Yes, some text could be added. How about something à la: "In order to evaluate the received DS records, the registry MAY issue DNS queries to dig the DNSKEY RR from the registered domain's apex. To provide support for this case, it is RECOMMENDED for the registrant to have this data online in the DNS tree before proceeding with the domain operation"?

Best,
Marcos

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
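
The DS evaluation proposed in the message above, as an added example that is not part of the original thread or of any registry's code: given DNSKEY RDATA already fetched from the domain's apex, it checks that a submitted DS record is derived from one of those keys (key tag and digest per RFC 4034). The function names, the tuple layout for the DS and the sample key are assumptions made for illustration; the DNS query itself is not shown.

```python
import hashlib
import struct

# DS digest types handled here: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_matches(owner, ds, dnskeys):
    """True if ds = (tag, alg, digest_type, hex_digest) is derived from one
    of the DNSKEY RDATA values seen at the apex of `owner`."""
    tag, alg, digest_type, digest_hex = ds
    hasher = DIGESTS.get(digest_type)
    if hasher is None:
        return False  # unknown digest type: cannot evaluate, so no match
    for rdata in dnskeys:
        if len(rdata) < 4:
            continue  # truncated RDATA
        flags, protocol, key_alg = struct.unpack("!HBB", rdata[:4])
        if not flags & 0x0100 or protocol != 3:  # Zone Key bit, protocol 3
            continue
        if key_alg != alg or key_tag(rdata) != tag:
            continue
        digest = hasher(name_to_wire(owner) + rdata).hexdigest()
        if digest == digest_hex.replace(" ", "").lower():
            return True
    return False  # also the result when no DNSKEY is online yet

# Constructed sample data: a placeholder 64-byte "public key", not a real one.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = (key_tag(SAMPLE_KEY), 13, 2,
             hashlib.sha256(name_to_wire("Example.COM.") + SAMPLE_KEY).hexdigest())
```

An empty DNSKEY set yields no match, which is the case the RECOMMENDED wording addresses: the registrant publishes the key before submitting the DS.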
