Viktor Dukhovni <ietf-d...@dukhovni.org> wrote: > A good list of problems. Sounds like it was a lot of hard work discovering those!
> * Having DS records in the parent zone with no matching DNSKEYs > at the zone apex is wrong. It's OK provided that at least one DS of each algorithm has a matching DNSKEY. You get dangling DS records during a "Double-DS" KSK rollover (RFC 6781). Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Tyne, Dogger, Fisher, German Bight, Humber: Southwest 5 to 7. Moderate or rough. Rain at times, showers later. Moderate or good, occasionally poor. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
