On Jul 8, 2014, at 9:15 AM, Jim Reid <j...@rfc1035.com> wrote:

> FWIW I wonder if "MUST validate" is good enough when there's no mention of
> the One True Trust Anchor which presumably should be used for that.

If a message (in this case, an RRset) is signed with a public key, the validator needs to use that exact public key to validate. There is no other option.

> Would out-of-band validation (handwave!) such as rsync over SSH be OK?

No. That would only validate the integrity of the data, not the origin.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop