> On Oct 31, 2017, at 22:25, Ólafur Guðmundsson <ola...@cloudflare.com> wrote: > > > There are three ways to treat this case: > Any-TruestedKey-works > ConfiguredKey-trumps-DS > DS-trumps-configuredKey > > I think the Last one is the "most" correct from an operational expectation,
Not really, as that would mean you cannot have internal only zones in split-dns view, unless you are building in weird assumptions like ConfiguredKeyTrumpsNSECbutNotDS > But I suspect the middle one is implemented It better, it is the only working solution :) _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
