* Jay Ashworth: > ----- Original Message ----- >> From: "Matt Larson" <mlar...@verisign.com> > >> The new KSK will not be published in an authenticated manner outside >> DNS (e.g., on an SSL-protected web page). Rather, the intended >> mechanism for trusting the new KSK is via the signed root zone: DS >> records corresponding to the new KSK are already present in the root >> zone. > > That sounds like a policy decision... and I'm not sure I think it sounds > like a *good* policy decision, but since no reasons were provided, it's > difficult to tell.
I don't know if it influenced the policy decision, but as it is currently specified, the protocol ensures that configuring an additional trust anchor never decreases availability when you've also got the root trust anchor configured, it can only increase it. This means that there is little reason to configure such a trust anchor, especially in the present scenario.
