Paul Wouters <p...@nohats.ca> wrote:
>
> You would only add it to the question for DNSKEY of the root.

Yes.

> Maybe only after you determined a validation failure, so you clearly
> have the wrong trust anchor.

No, the point of this option is to signal to the root what trust anchors
are in use by the population of validators, before a rollover happens.

It is like the algorithm signalling option, RFC 6975. (Which seems to be
mostly unimplemented... why?)

> It seems in general, having some special record signed by only the
> new key seems a nicer solution,

That cannot work.
http://www.ietf.org/mail-archive/web/dnsop/current/msg14664.html

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth: Cyclonic, mainly southwest, 4 or 5. Slight or moderate. Thundery showers. Moderate, occasionally poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
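As an added illustration (not part of the thread above, and not code from any of the participants), the following Python sketch shows what the signalled query looks like on the wire: a validator asks the root for `. DNSKEY` and attaches an EDNS option listing the key tags of the trust anchors it has configured. It assumes the option encoding that RFC 8145 later standardised for exactly this purpose (EDNS-KEY-TAG, option code 14, a list of 2-octet key tags); the key-tag arithmetic is RFC 4034 Appendix B; the DNSKEY RDATA and transaction ID are constructed sample values, and the tags 19036 and 20326 (the root KSK-2010 and KSK-2017 tags) are used only as sample input.

```python
import struct

# EDNS-KEY-TAG option code (RFC 8145). Assumed here as the concrete encoding
# of the trust-anchor signalling option the thread discusses.
EDNS_KEY_TAG = 14
TYPE_DNSKEY = 48
TYPE_OPT = 41


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA
    (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def build_root_dnskey_query(trust_anchor_tags, txid=0x1234, udp_size=1232) -> bytes:
    """Build '. DNSKEY IN' with an OPT RR carrying EDNS-KEY-TAG.
    Flags are 0 (no RD), as an iterating validator would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)  # root name is one zero label
    option_data = b"".join(struct.pack("!H", t) for t in trust_anchor_tags)
    option = struct.pack("!HH", EDNS_KEY_TAG, len(option_data)) + option_data
    # OPT pseudo-RR: name ".", CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    # with the DO bit (0x8000 in the low 16 bits) set, then RDLENGTH and the options.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x00008000, len(option)) + option
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length >= 0xC0:          # 2-octet compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_edns_key_tags(msg: bytes):
    """Return the key tags found in EDNS-KEY-TAG options of a DNS message.
    This is what the root's servers would pull out to count trust anchors in use."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    tags = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            body = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code == EDNS_KEY_TAG:
                tags.extend(struct.unpack("!%dH" % (olen // 2), body))
    return tags


if __name__ == "__main__":
    # Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 8, toy key bytes.
    sample_dnskey = bytes([0x01, 0x01, 0x03, 0x08, 0x01, 0x02, 0x03, 0x04])
    print("key tag of sample DNSKEY:", key_tag(sample_dnskey))
    q = build_root_dnskey_query([19036, 20326])
    print("signalled trust anchors:", parse_edns_key_tags(q))
```

The two-sided shape is the point: the validator adds the option to the one query it sends for the root DNSKEY, and whoever answers the root can tally the tags across the validator population before a rollover, which is the use the message above describes.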