-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark Andrews wrote: > > What I'm getting from this is that the keyset at the apex must (at > least) be signed by each algorithm in the DS referral, and every rrset > in the zone must be signed by each algorithm in the apex keyset. > >> which is referred to by a DS / trust anchor. > >> DNSKEY's are never referenced in isolation. There is always >> a DS / trust anchor which specifies which algorithms are >> in use. >
is that actually said anywhere in the DNSSEC RFCs? Jelte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIwliF4nZCKsdOncURAqMFAKDHV8eQ9E8zLnr5FsSvBL+wkWPgtQCgln2n xKvYKLTX8DkH9A5QMvoDgTE= =szS2 -----END PGP SIGNATURE----- _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
