On 10/31/17, 20:50, "DNSOP on behalf of Mark Andrews" <dnsop-boun...@ietf.org on behalf of ma...@isc.org> wrote:

>Secondly doing deepest match on trust anchors is the only secure way to
>prevent a parent overriding the child zone's security policy.

By this, do you mean choice of cryptographic algorithm and/or length? To achieve "independence" in this way, the child can simply refuse to have a DS record at the parent and then lean on managing trust anchors at all relying resolvers.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop