----- Original Message ----- From: "Olafur Gudmundsson" <o...@ogud.com> To: <dnsop@ietf.org> Sent: Saturday, June 19, 2010 5:01 PM Subject: Re: [DNSOP] That key size argument...was Re: The case for single active key
> Should the WG document recommend/bless single key usage in > some/many cases. Not sure about recommending, but "bless", yes. It could also note that validators SHOULD NOT check the RRSIG for a DNSKEY RRset where all the keys are validated by DS records. There is no need for the DNSKEY RRset to be signed in this case, although of course for compatibility it is necessary - but maybe one day in the very far future the SHOULD above can become a MUST, and the requirement to provide an RRSIG can even later be relaxed. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop