On 2012-07-18, at 11:49, Russ Housley wrote:

> So a DNSSEC signer starts under one set of documents, and then for whatever
> reason, the policy changes and the parties validating the signature have no
> means to determine that the signer is following a new policy.

They have means, they just don't have a way of deriving a specific policy from a specific DNSKEY. The available means are documented in the DPS.

> So I am missing the value of the policy to the parties that rely on these
> signatures.

Your suggestion is that if there's no way to the policy just from the contents of a DNSKEY RR, there's no point publishing a policy at all?

Joe
