You would be insane to publish variant DS records with edns-client-subnet to the public as there is no requirement for clients to use the same address to lookup DS records as they use to lookup DNSKEY records. Similarly for DNSKEY or RRSIGs based on DNSKEYs which are variant based on edns-client-subnet.
Using different DNSKEYs is problematic with just the internal / external version of zones. Similarly signed vs unsigned versions of the same zone. When we (ISC) get problem reports about signed external / unsigned internal the standard response is "sign all versions of the zone". When we (ISC) get asked about what keys to use we recommend using the same keys for both internal and external zones. Now there are highly controlled environments where you can have differing keys but you also have to publish alternate trust anchors, you can't have machines jumping from inside to outside without flushing caches and adjusting trust anchor sets. etc.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
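The failure mode described in the message above can be shown with the DS/DNSKEY matching rule from RFC 4034: a DS record is the SHA-256 digest of the owner name plus the DNSKEY RDATA (section 5.1.4) together with the key tag from Appendix B. The script below is an added example, not part of the mailing-list post and not ISC code. It models two views of the same zone, one where each view has its own KSK and one where both views share it, and checks whether a validator that happens to fetch the DS set from one view and the DNSKEY set from the other can still link them. The public-key bytes are constructed placeholders, not real ECDSA keys; only the DS digest and key-tag computation are the real algorithms.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes   # raw public key field of the RDATA
    protocol: int = 3   # always 3 for DNSSEC (RFC 4034 section 2.1.2)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit ones-complement style checksum over the RDATA.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if (i & 1) else (b << 8)
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def make_ds(owner: str, key: DNSKEY) -> DS:
    """DS record the parent would publish for this DNSKEY (RFC 4034 section 5.1.4, digest type 2)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """A DS covers a DNSKEY only if tag, algorithm and recomputed digest all agree."""
    return (
        ds.key_tag == key.key_tag()
        and ds.algorithm == key.algorithm
        and ds.digest_type == 2
        and make_ds(owner, key).digest == ds.digest
    )


def chain_links(owner: str, ds_set: Iterable[DS], dnskey_set: Iterable[DNSKEY]) -> bool:
    """True if at least one published DS matches at least one served DNSKEY (what a validator needs)."""
    return any(ds_matches(owner, ds, key) for ds in ds_set for key in dnskey_set)


# Constructed placeholder key material (64 bytes each, the size of a P-256 x||y public key).
# These are NOT real keys; they only need to be distinct byte strings.
KSK_VIEW_A = DNSKEY(257, 13, bytes(range(0, 64)))
KSK_VIEW_B = DNSKEY(257, 13, bytes(range(64, 128)))
ZONE = "example.com."


def split_keys_scenario() -> bool:
    """Each view signs with its own KSK; the parent carries DS for view A's key only.
    A validator that learned the DS set via view A but fetches DNSKEY via view B cannot link them."""
    ds_from_view_a = [make_ds(ZONE, KSK_VIEW_A)]
    dnskey_from_view_b = [KSK_VIEW_B]
    return chain_links(ZONE, ds_from_view_a, dnskey_from_view_b)


def shared_keys_scenario() -> bool:
    """Both views sign with the same KSK, so whichever view answers, DS and DNSKEY agree."""
    ds_set = [make_ds(ZONE, KSK_VIEW_A)]
    dnskey_from_any_view = [KSK_VIEW_A]
    return chain_links(ZONE, ds_set, dnskey_from_any_view)


if __name__ == "__main__":
    print("split keys, DS from A / DNSKEY from B links:", split_keys_scenario())
    print("shared keys, DS and DNSKEY from any view link:", shared_keys_scenario())
```

Running it prints `False` for the split-key case and `True` for the shared-key case. The same check applies to the signed-external / unsigned-internal case: an empty DNSKEY set from the internal view can never satisfy a DS the parent already publishes, which is why the advice is to sign every version of the zone with the same keys.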