> Mark, I don't think this is true given how the proposed protocol
> works.  For a start, you often cannot fetch the DNSKEY RR for ARPA
> before running the protocol.

Indeed LOCAL.ARPA would need to be unsigned.  That needs to be added to 
the draft.

Since (as Bill points out) LOCAL.ARPA would be served much like RFC 1918 
space there's no way it could be signed and have the DS key present in the 
parent, because there will be numerous separate instances of LOCAL.ARPA. 

In any event the seeding query needs to be sent without the DO bit set, 
since (some) CPE proxies are known to interfere with that.

Ray
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
