This is only about which trust anchor applies for a given name when you have several configured with different names. Multiple trust anchors with the same name are still "any match will do".

There are enough scenarios where you want *only* the closest trust anchor to apply that that is what was coded. This does however result in occasional breakages when that trust anchor is not kept up to date and it is only being used to provide a trust anchor for a site in the event of a link failure. That said, if you have the trust anchor there for link failures you *need* to keep them up to date or they do not do their job when the link fails. Having validation fail is a good way to show that they are out of date and that your processes have failed.

I don't see a reason to change from only using the deepest match. It is the best overall strategy. If you are getting validation failures because the trust anchors are out of date, fix the process that keeps the trust anchors up to date. Once that is done, worrying about DS overriding a configured trust anchor is moot.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
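The selection rule described in the post, as an added example that is not part of the thread and not BIND's own code: only the deepest configured trust-anchor name covering the query is consulted, several anchors at that same name are all acceptable, and a stale deepest anchor makes validation fail rather than falling back to a shallower one. Key tags and zone names are constructed sample values.

```python
# Added example: models the "deepest trust anchor wins" rule from the post.
# Not BIND's implementation; key tags below are constructed, not real.
from typing import Dict, List, Optional, Set


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels (root is the empty list)."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def is_ancestor_or_equal(anchor: str, qname: str) -> bool:
    """True when `anchor` is `qname` itself or one of its ancestors."""
    a, q = _labels(anchor), _labels(qname)
    return len(a) <= len(q) and (not a or q[-len(a):] == a)


def deepest_anchor_name(anchors: Dict[str, Set[int]], qname: str) -> Optional[str]:
    """Return the configured anchor name with the most labels covering qname."""
    covering = [n for n in anchors if is_ancestor_or_equal(n, qname)]
    if not covering:
        return None
    return max(covering, key=lambda n: len(_labels(n)))


def validate(anchors: Dict[str, Set[int]], qname: str,
             published_keys: Dict[str, Set[int]]) -> str:
    """Simulated outcome for qname: 'secure', 'bogus' or 'insecure'.

    `anchors` maps anchor name -> configured key tags; `published_keys`
    maps zone name -> key tags actually present in that zone's DNSKEY RRset.
    """
    name = deepest_anchor_name(anchors, qname)
    if name is None:
        return "insecure"          # nothing configured covers this name
    # Only the deepest anchor is consulted; any one matching key suffices.
    if anchors[name] & published_keys.get(name, set()):
        return "secure"
    return "bogus"                 # stale anchor: no fallback to a parent anchor


# Constructed configuration: root anchor plus a local anchor for a site
# kept "for link failures" that has not been updated since a key rollover.
ANCHORS = {".": {1001}, "example.net": {2001, 2002}}
PUBLISHED = {".": {1001}, "example.net": {3003}}

if __name__ == "__main__":
    print(validate(ANCHORS, "www.example.net.", PUBLISHED))   # bogus
    print(validate(ANCHORS, "example.org.", PUBLISHED))       # secure
```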