Doug Barton <do...@dougbarton.us> writes:

>> The key would still be considered valid by a validator but you shouldn't
>> act on the knowledge of the data in the key.
>
> Sorry, I don't regard that situation as equivalent at all. I
> understand your reasoning, I just don't agree with it.
And that's why we probably need to agree to disagree. They're very similar to me. It's easy, using standard tools today, to create an RRSIG on a DNSKEY with a revoke bit set that signals "something about DNSSEC" to external parties that can't be used because it was signed with the wrong key. I'd been assuming you'd probably have a problem with this too, since it meets the criteria you've been against with CDS as well.

Anyway... I'm perfectly fine agreeing to disagree about this. I do think we are understanding each other, and much more text won't help get beyond the disagreement, which is not stemming from lack of communication.

-- 
Wes Hardaker
Parsons

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
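The situation the message refers to, a DNSKEY carrying the REVOKE bit whose RRSIG was made by some other key, is the one RFC 5011 tells a validator not to act on: a revocation only counts if the DNSKEY RRset is signed by the revoked key itself, and because the key tag (RFC 4034 Appendix B) is computed over the RDATA including the flags, setting the bit changes the tag the RRSIG must name. The following is an added example written for this page, not code from the thread, from any poster, or from any DNS implementation. The key bytes are constructed filler, the RRSIGs are represented only by their key tag field, and the cryptographic verification of the signature, which a real validator must still perform after the tag match, is left out.

```python
"""Added example (not from the DNSOP thread): RFC 5011 REVOKE-bit handling.

Shows why an RRSIG over a DNSKEY RRset that contains a key with the REVOKE
bit set proves nothing about that key's revocation unless the RRSIG was
made by the revoked key itself.  The key tag is computed over the full
DNSKEY RDATA, flags included, so the revoked key has a different tag from
the same key before revocation; a signature by the ZSK, or one that names
the pre-revocation tag, is "signed with the wrong key" for this purpose.

All key material below is constructed filler, not a real key.
"""
import struct

DNSKEY_FLAG_ZONE = 0x0100    # RFC 4034 section 2.1.1
DNSKEY_FLAG_SEP = 0x0001     # RFC 4034 section 2.1.1
DNSKEY_FLAG_REVOKE = 0x0080  # RFC 5011 section 2.1 (bit 8)


def dnskey_rdata(flags, algorithm, public_key):
    """Serialise DNSKEY RDATA: flags(2) | protocol(1) = 3 | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, over the complete DNSKEY RDATA.

    Not valid for the historical RSA/MD5 algorithm (1), which RFC 4034
    special-cases; that algorithm is deliberately not handled here.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_flags(rdata):
    return struct.unpack("!H", rdata[:2])[0]


def revocations_to_act_on(dnskey_rrset, rrsig_key_tags):
    """Map each revoked key's tag to whether its revocation may be acted on.

    Under RFC 5011 a revocation is only actionable if an RRSIG over the
    DNSKEY RRset was made by the revoked key, i.e. an RRSIG key tag equals
    the tag of the key *with* the REVOKE bit set.  A tag match is only a
    candidate (tags can collide); the caller still verifies the signature.
    """
    result = {}
    for rdata in dnskey_rrset:
        if not parse_flags(rdata) & DNSKEY_FLAG_REVOKE:
            continue
        tag = key_tag(rdata)
        result[tag] = tag in rrsig_key_tags
    return result


# Constructed filler key material (assumption: stands in for 32-byte
# ECDSA P-256 keys, algorithm 13; the bytes are not real keys).
KSK_PUBKEY = bytes(range(1, 33))
ZSK_PUBKEY = bytes(range(101, 133))

KSK_ACTIVE = dnskey_rdata(DNSKEY_FLAG_ZONE | DNSKEY_FLAG_SEP, 13, KSK_PUBKEY)
KSK_REVOKED = dnskey_rdata(
    DNSKEY_FLAG_ZONE | DNSKEY_FLAG_SEP | DNSKEY_FLAG_REVOKE, 13, KSK_PUBKEY)
ZSK = dnskey_rdata(DNSKEY_FLAG_ZONE, 13, ZSK_PUBKEY)


def scenarios():
    """Three constructed DNSKEY RRsets, each [revoked KSK, ZSK], differing
    only in which key tags the RRSIGs over the RRset carry."""
    rrset = [KSK_REVOKED, ZSK]
    return {
        # Only the ZSK signed the RRset: the REVOKE bit is just a flag
        # someone set; nothing proves the KSK holder revoked it.
        "signed_by_zsk_only": revocations_to_act_on(rrset, [key_tag(ZSK)]),
        # An RRSIG naming the KSK's pre-revocation tag matches no key in
        # the RRset as it now reads, so it cannot prove the revocation.
        "signed_with_pre_revoke_tag": revocations_to_act_on(
            rrset, [key_tag(KSK_ACTIVE), key_tag(ZSK)]),
        # The revoked key signed the RRset itself: this is the RFC 5011 case.
        "self_signed_by_revoked_key": revocations_to_act_on(
            rrset, [key_tag(KSK_REVOKED), key_tag(ZSK)]),
    }


if __name__ == "__main__":
    print("KSK tag before revocation:", key_tag(KSK_ACTIVE))
    print("KSK tag with REVOKE set:  ", key_tag(KSK_REVOKED))
    for name, decision in scenarios().items():
        print(name, decision)
```

Setting the REVOKE bit moves the flags' low byte by 0x80, so the revoked key's tag is exactly 128 above the active key's tag here (it can wrap modulo 2^16 for other key bytes). A validator that looked only at the bit, or that matched the RRSIG against the old tag, would accept a revocation signal that the key holder never signed.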