I didn't explain why, so let me add just a short pointer. No need to go
deeper here at this point of the draft, I think.
On 28/11/2022 19.26, Peter Thomassen wrote:
As such, I don't see any risk that would not be exposed immediately
during implementation/testing, and the fix is also trivial.
Triviality of a fully correct fix may depend on the particular
implementation. Note the implications for caching, etc. These DNSKEYs
will be DNSSEC-validated but must not be used for validation of other
signatures.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop