a bit in the parent (DS RRset) to say this delegation point is itself 
delegation-only would be more interesting. perhaps a way to assure compliance 
with a contract, thus preventing any ambiguity along the lines of 
"sitefinder".

but a bit in the apex (DNSKEY RRset) is still interesting, as a declaration of 
intent, which is easily monitored to find out if that intent changes, and to 
allow widespread alarms if that intent isn't lived. one can imagine break-ins 
at the registry or registrar which would have the power to insert new children 
but not the power to change the apex DNSKEY.

a mature system would explicitly support this kind of live second-set-of-eyes.

vixie


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
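
The monitoring idea in the message above, sketched as an added example that is not part of the original message or of any DNSOP document: a second-set-of-eyes check that alarms when the apex DNSKEY declaration changes, or when answers from the zone contradict a declaration that is still set. The flag bit position, the allowed-type set, and all zone names and key strings are assumptions made for illustration.

```python
# Added example. DELEGATION_ONLY is a placeholder bit, not an assigned DNSKEY flag.
DELEGATION_ONLY = 0x0040  # hypothetical position, for illustration only

# Assumption: below the apex, a delegation-only zone answers authoritatively
# only with delegation data and the DNSSEC records covering it.
DELEGATION_TYPES = {"NS", "DS", "NSEC", "NSEC3", "RRSIG"}


def declared(dnskey_rrset):
    """True if any DNSKEY (presentation format: 'flags proto alg key') sets the bit."""
    return any(int(rr.split()[0]) & DELEGATION_ONLY for rr in dnskey_rrset)


def audit(apex, prev_keys, curr_keys, observed):
    """Alarm on a changed declaration, or on answers that contradict a live one.

    observed: (owner, rrtype) pairs seen in authoritative answers from the zone.
    """
    alarms = []
    was, now = declared(prev_keys), declared(curr_keys)
    if was != now:
        alarms.append(f"{apex}: delegation-only declaration changed {was} -> {now}")
    if not now:
        return alarms
    zone = apex.lower().rstrip(".")
    for owner, rrtype in observed:
        name = owner.lower().rstrip(".")
        below = name != zone and (zone == "" or name.endswith("." + zone))
        if below and rrtype.upper() not in DELEGATION_TYPES:
            alarms.append(f"{apex}: {rrtype} at {owner} contradicts delegation-only")
    return alarms


# Constructed sample data (key material is a placeholder string, not a real key).
KEYS_SET = ["321 3 13 PLACEHOLDERKEY=", "256 3 13 PLACEHOLDERKEY="]  # 257 | 0x0040
KEYS_CLEAR = ["257 3 13 PLACEHOLDERKEY=", "256 3 13 PLACEHOLDERKEY="]
OBSERVED = [
    ("example.test.", "SOA"),        # apex data is always allowed
    ("child.example.test.", "NS"),   # an ordinary delegation
    ("typo.example.test.", "A"),     # synthesized answer below the apex
]

if __name__ == "__main__":
    for line in audit("example.test.", KEYS_SET, KEYS_SET, OBSERVED):
        print(line)
    for line in audit("example.test.", KEYS_SET, KEYS_CLEAR, OBSERVED):
        print(line)
```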
